DICOM PS3.15 2017d - Security and System Management Profiles

A.5.3 DICOM Specific Audit Messages

The following subsections define message specializations for use by implementations that claim conformance to the DICOM Audit Trail Profile. Any field (i.e., XML element and associated attributes) not specifically mentioned in the following tables shall follow the conventions specified in A.5.1 and A.5.2.

An implementation claiming conformance to this Profile that reports an activity covered by one of the audit messages defined by this Profile shall use the message format defined in this Profile. However, a system claiming conformance to this Profile is not required to send a message each time the activity reported by that audit message occurs. It is expected that the triggering of audit messages would be configurable on an individual basis, to be able to balance network load versus the severity of threats, in accordance with local security policies.

Note

  1. It is a system design issue outside the scope of DICOM as to what entity actually sends an audit event and when. For example, a Query message could be generated by the entity where the query originated, by the entity that eventually would respond to the query, or by a monitoring entity not directly involved with the query, but that generates audit messages based on monitored network traffic.

  2. To report events that are similar to the events described here, these definitions can be used as the basis for extending the schema.

In the subsequent tables, the information entity column indicates the relationship between real world entities and the information elements encoded into the message.

A.5.3.1 Application Activity

This audit message describes the event of an Application Entity starting or stopping. This is closely related to the more general case of any kind of application startup or shutdown, and may be suitable for those purposes also.

Table A.5.3.1-1. Application Activity Message

| Real World Entities | Field Name | Opt. | Value Constraints |
|---|---|---|---|
| Event | EventID | M | EV (110100, DCM, "Application Activity") |
| | EventActionCode | M | Enumerated Value: E = Execute |
| | EventDateTime | M | not specialized |
| | EventOutcomeIndicator | M | not specialized |
| | EventTypeCode | M | DT (110120, DCM, "Application Start"); DT (110121, DCM, "Application Stop") |
| Active Participant: Application started (1) | UserID | M | The identity of the process started or stopped formatted as specified in A.5.2.1. |
| | AlternativeUserID | MC | If the process supports DICOM, then the AE Titles as specified in A.5.2.2. |
| | UserName | U | not specialized |
| | UserIsRequestor | M | not specialized |
| | RoleIDCode | M | EV (110150, DCM, "Application") |
| | NetworkAccessPointTypeCode | U | not specialized |
| | NetworkAccessPointID | U | not specialized |
| Active Participant: Persons and/or processes that started the Application (0..N) | UserID | M | The person or process starting or stopping the Application |
| | AlternativeUserID | U | not specialized |
| | UserName | U | not specialized |
| | UserIsRequestor | M | not specialized |
| | RoleIDCode | M | EV (110151, DCM, "Application Launcher") |
| | NetworkAccessPointTypeCode | U | not specialized |
| | NetworkAccessPointID | U | not specialized |


No Participant Objects are needed for this message.
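
As an added example (not part of the DICOM standard text), the following check runs a decoded Application Activity message against the constraints of Table A.5.3.1-1, as an audit repository might do on ingest. The dict layout, the function and constant names, and the sample values are assumptions; the XML encoding of A.5.1, the identifier formats of A.5.2 and the conditional AlternativeUserID rule are not checked, and a participant role outside the table is reported.

```python
# Added example. Field names come from Table A.5.3.1-1; the dict layout is assumed.
EVENT_ID = ("110100", "DCM")                              # Application Activity
EVENT_TYPES = {("110120", "DCM"), ("110121", "DCM")}      # Application Start / Stop
ROLE_APPLICATION, ROLE_LAUNCHER = ("110150", "DCM"), ("110151", "DCM")
EVENT_M = ("EventID", "EventActionCode", "EventDateTime",
           "EventOutcomeIndicator", "EventTypeCode")
PARTICIPANT_M = ("UserID", "UserIsRequestor", "RoleIDCode")

def _missing(record, fields, where):
    # 0 and False are legitimate values, so only None and "" count as absent.
    return [f"{where}.{f} is mandatory" for f in fields if record.get(f) in (None, "")]
def _code(value):
    return tuple(value or ())[:2]          # (code value, coding scheme)

def check_application_activity(msg):
    """Return violations of Table A.5.3.1-1; an empty list means the checks pass."""
    event = msg.get("Event", {})
    errors = _missing(event, EVENT_M, "Event")
    if _code(event.get("EventID")) not in ((), EVENT_ID):
        errors.append("EventID must be (110100, DCM)")
    if event.get("EventActionCode") not in (None, "", "E"):
        errors.append("EventActionCode must be E")
    if _code(event.get("EventTypeCode")) not in EVENT_TYPES | {()}:
        errors.append("EventTypeCode must be 110120 or 110121")
    applications = 0
    for i, p in enumerate(msg.get("ActiveParticipants", [])):
        errors += _missing(p, PARTICIPANT_M, f"ActiveParticipant[{i}]")
        role = _code(p.get("RoleIDCode"))
        if role == ROLE_APPLICATION:
            applications += 1
        elif role not in ((), ROLE_LAUNCHER):
            errors.append(f"ActiveParticipant[{i}] role is not in the table")
    if applications != 1:
        errors.append(f"expected 1 Application participant, found {applications}")
    return errors

# Constructed sample messages (not taken from any real system).
SAMPLE_OK = {
    "Event": {"EventID": ("110100", "DCM", "Application Activity"),
              "EventActionCode": "E", "EventDateTime": "2017-09-01T08:00:00Z",
              "EventOutcomeIndicator": 0,
              "EventTypeCode": ("110120", "DCM", "Application Start")},
    "ActiveParticipants": [
        {"UserID": "pid-4711", "UserIsRequestor": False,
         "RoleIDCode": ("110150", "DCM", "Application")},
        {"UserID": "svc-launcher", "UserIsRequestor": True,
         "RoleIDCode": ("110151", "DCM", "Application Launcher")}]}
LAUNCHER_ONLY = dict(SAMPLE_OK["ActiveParticipants"][1], UserID="")
SAMPLE_BAD = {"Event": dict(SAMPLE_OK["Event"], EventActionCode="R"),
              "ActiveParticipants": [LAUNCHER_ONLY]}
```

`check_application_activity(SAMPLE_OK)` returns an empty list, while `SAMPLE_BAD` yields one entry per violated row of the table.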
