This message describes any event for which a node needs to report a security alert, e.g., a node authentication failure when establishing a secure communications channel.
The Node Authentication event can be used to report both successes and failures. Reporting successes could generate a very large number of audit messages, since every authenticated DICOM association, HL7 transaction, and HTML connection should result in a successful node authentication. It is expected that in most situations only the failures will be reported.
Table A.5.3.11-1. Audit Message for Security Alert
| Real World Entities | Field Name | Opt. | Value Constraints |
|---|---|---|---|
| Event | EventID | M | EV (110113, DCM, "Security Alert") |
| | EventActionCode | M | Shall be: E = Execute |
| | EventDateTime | M | not specialized |
| | EventOutcomeIndicator | M | Success implies an informative alert. The other failure values imply warning codes that indicate the severity of the alert. A Minor or Serious failure indicates that mitigation efforts were effective in maintaining system security. A Major failure indicates that mitigation efforts may not have been effective, and that the security system may have been compromised. |
| | EventTypeCode | M | Values selected from DCID (403) |
| Active Participant: Reporting Person and/or Process (1..2) | UserID | M | not specialized |
| | AlternativeUserID | U | not specialized |
| | UserName | U | not specialized |
| | UserIsRequestor | M | not specialized |
| | RoleIDCode | U | not specialized |
| | NetworkAccessPointTypeCode | U | not specialized |
| | NetworkAccessPointID | U | not specialized |
| Active Participant: Performing Persons or Processes (0..N) | UserID | M | not specialized |
| | AlternativeUserID | U | not specialized |
| | UserName | U | not specialized |
| | UserIsRequestor | M | Shall be FALSE |
| | RoleIDCode | U | not specialized |
| | NetworkAccessPointTypeCode | U | not specialized |
| | NetworkAccessPointID | U | not specialized |
| Participating Object: Alert Subject (0..N) | ParticipantObjectTypeCode | M | Shall be: 2 = system |
| | ParticipantObjectTypeCodeRole | U | Defined Terms: 5 = master file; 13 = security resource |
| | ParticipantObjectDataLifeCycle | U | not specialized |
| | ParticipantObjectIDTypeCode | M | Defined Terms: 12 = URI; (110182, DCM, "Node ID") = Node Identifier |
| | ParticipantObjectSensitivity | U | not specialized |
| | ParticipantObjectID | M | For a ParticipantObjectIDTypeCode of 12 (URI), then this value shall be the URI of the file or other resource that is the subject of the alert. For a ParticipantObjectIDTypeCode of (110182, DCM, "Node ID") then the value shall include the identity of the node that is the subject of the alert either in the form of node_name@domain_name or as an IP address. Otherwise, the value shall be an identifier of the type specified by ParticipantObjectIDTypeCode of the subject of the alert. |
| | ParticipantObjectName | U | not specialized |
| | ParticipantObjectQuery | U | not specialized |
| | ParticipantObjectDetail | M | An element with the Attribute "type" equal to "Alert Description" shall be present with a free text description of the nature of the alert as the value |
| | ParticipantObjectDescription | U | not specialized |
| | SOPClass | U | See Table A.5.2-1 |
| | Accession | U | not specialized |
| | NumberOfInstances | U | not specialized |
| | Instances | U | not specialized |
| | Encrypted | U | not specialized |
| | Anonymized | U | not specialized |
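
As an added example (not part of the standard's text), the Python below checks a Security Alert message against the constraints in Table A.5.3.11-1, as an audit repository might do before accepting a record. The dict layout (`Event`, `Reporting`, `Performing`, `AlertSubjects`), the function names and the sample values are assumptions made for illustration; it does not parse the standard's XML encoding.

```python
import ipaddress
import re

NODE_ID = ("110182", "DCM", "Node ID")
def is_node_id(value):
    """True for an IP address or node_name@domain_name (ParticipantObjectID row)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return re.fullmatch(r"[^@\s]+@[^@\s]+", value) is not None

def check_security_alert(msg):
    """Return violations of Table A.5.3.11-1; an empty list means conformant."""
    ev = msg.get("Event", {})
    errs = [f for f in ("EventDateTime", "EventOutcomeIndicator", "EventTypeCode") if f not in ev]
    if ev.get("EventID") != ("110113", "DCM", "Security Alert"):
        errs.append("EventID")
    if ev.get("EventActionCode") != "E":
        errs.append("EventActionCode")
    reporting, performing = msg.get("Reporting", []), msg.get("Performing", [])
    if not 1 <= len(reporting) <= 2:                   # cardinality (1..2)
        errs.append("Reporting count")
    for p in reporting + performing:
        errs += [f for f in ("UserID", "UserIsRequestor") if f not in p]
    if any(p.get("UserIsRequestor") is not False for p in performing):
        errs.append("Performing.UserIsRequestor")      # Shall be FALSE
    for s in msg.get("AlertSubjects", []):
        if s.get("ParticipantObjectTypeCode") != 2:    # 2 = system
            errs.append("ParticipantObjectTypeCode")
        oid, idtype = s.get("ParticipantObjectID"), s.get("ParticipantObjectIDTypeCode")
        if not oid or idtype is None:
            errs.append("ParticipantObjectID/IDTypeCode")
        elif idtype == NODE_ID and not is_node_id(oid):
            errs.append("ParticipantObjectID format")
        if not any(d.get("type") == "Alert Description" and d.get("value")
                   for d in s.get("ParticipantObjectDetail", [])):
            errs.append("Alert Description")
    return errs

SAMPLE = {  # constructed message: one process reports a failed node authentication
    "Event": {"EventID": ("110113", "DCM", "Security Alert"), "EventActionCode": "E",
              "EventDateTime": "2024-01-01T00:00:00Z", "EventOutcomeIndicator": "Minor failure",
              "EventTypeCode": "<code from DCID 403>"},
    "Reporting": [{"UserID": "archive-proc", "UserIsRequestor": True}],
    "AlertSubjects": [{
        "ParticipantObjectTypeCode": 2, "ParticipantObjectIDTypeCode": NODE_ID,
        "ParticipantObjectID": "192.0.2.10", "ParticipantObjectDetail": [
            {"type": "Alert Description", "value": "TLS peer certificate rejected"}]}],
}
```

`check_security_alert(SAMPLE)` returns an empty list; each returned string names the table row that the message violates.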