7.1.5.1.1.12. Security Alert

7.1.5.1.1.12.1. Trigger Events

This message is emitted by the archive in following cases :

  • Connection Events Failure : Node authentication failure when establishing a secure communications channel.
  • Connection Events Failure : TCP Connection to remote hosts failure.
  • Association Events Failure : Associations rejected by Archive.
  • Association Events Failure : Association initiation to remote AEs failed.
  • Software Configuration changes done over the UI.
  • One or more task(s) or queue message(s) were canceled, rescheduled or deleted using Monitoring page of Archive UI.
  • One or more queue message(s) were purged/deleted using scheduler.
  • If a super user logs in or logs out of secured Archive UI.
  • If any user updates his/her password using secured Archive UI.
  • If any user with administration rights performs actions within Keycloak admin console

7.1.5.1.1.12.2. Message Structure

Table 7.66 Entities in Security Alert Audit Message
Event Identification  
Active Participant: Source  
Active Participant: Archive application  
Audit Source  
Participant Object Identification Present only in Software Configuration changes case
Participant Object Identification Present only in Cancel/Reschedule/Delete task case
Participant Object Identification Present only in Cancel/Reschedule/Delete tasks case
Participant Object Identification Present only if Keycloak admin user performs actions within admin console
Participant Object Identification : Study Present only impax mismatch case
Participant Object Identification : Patient Present only impax mismatch case
Table 7.67 Event Identification
Field Name Opt Description
EventID M
EV (110113, DCM, ‘Security Alert’)
EventActionCode M
Execute ⇒ ‘E’
EventDateTime M
The time at which the event occurred
EventOutcomeIndicator M
Success ⇒ ‘0’
Minor failure ⇒ ‘4’
EventOutcomeDescription M
Error/Exception message when EventOutcomeIndicator ⇒ ‘4’
EventTypeCode M
Connection Events Failure case ⇒ DT (110126, DCM, ‘Node Authentication’)
Association Events Failure case ⇒ DT (ASSOCIATION-FAILURE, 99DCM4CHEE, ‘Association Failure’)
Software Configuration Changes case ⇒ DT (110131, DCM, ‘Software Configuration’)
Super User Login case ⇒ DT (110127, DCM, ‘Emergency Override Started’)
Super User Logout case ⇒ DT (110138, DCM, ‘Emergency Override Stopped’)
User Password update case ⇒ DT (110137, DCM, ‘User security Attributes Changed’)
Cancel Task(s) case ⇒ DT (CANCEL, 99DCM4CHEE, ‘Cancel Task’)
Reschedule Task(s) case ⇒ DT (RESCHEDULE, 99DCM4CHEE, ‘Reschedule Task’)
Delete Task(s) case ⇒ DT (DELETE, 99DCM4CHEE, ‘Delete Task’)
Keycloak admin event Operation Type as CREATE, UPDATE or DELETE ⇒ DT (110129, DCM, ‘Security Configuration’)
Keycloak admin event Operation Type as CREATE and Resource Type as REALM_ROLE_MAPPING or CLIENT_ROLE_MAPPING ⇒ DT (110136, DCM, ‘Security Roles Changed’)
Keycloak admin event Operation Type as UPDATE and Resource Type as USER ⇒ DT (110137, DCM, ‘Security Attributes Changed’)
Table 7.68 Active Participant: Source
Field Name Opt Description
UserID M
Connection Events Failure case ⇒ Remote socket address of calling host
Association Events Failure case ⇒ ‘AE title of remote side used in association’
Super user login or logout using Secured archive ⇒ ‘User name of logged in user’
Password Update of User using Secured archive ⇒ ‘User name of logged in user’
Keycloak admin user performs any action in admin console ⇒ ‘User name of logged in user’
Cancel, Reschedule or Delete Task(s) : Secured archive ⇒ ‘User name of logged in user’
Cancel, Reschedule or Delete Task(s) : Unsecured archive ⇒ ‘Remote IP address’
Software configuration changes done over UI : Secured archive ⇒ ‘User name of logged in user’
Software configuration changes done over UI : Unsecured archive ⇒ ‘Remote IP address’
UserIDTypeCode U
Connection Events Failure case ⇒ EV (110182, DCM, ‘Node ID’)
Association Events Failure ⇒ EV (110119, DCM, ‘Station AE Title’)
Super user login or logout using Secured archive ⇒ EV (113871, DCM, ‘Person ID’)
Password Update of User using Secured archive ⇒ EV (113871, DCM, ‘Person ID’)
Cancel, Reschedule or Delete Task(s) : Secured archive ⇒ EV (113871, DCM, ‘Person ID’)
Cancel, Reschedule or Delete Task(s) : Unsecured archive ⇒ EV (110182, DCM, ‘Node ID’)
Software configuration changes done over UI : Secured archive ⇒ EV (113871, DCM, ‘Person ID’)
Software configuration changes done over UI : Unsecured archive ⇒ EV (110182, DCM, ‘Node ID’)
UserTypeCode U
Person ⇒ ‘1’
UserIsRequestor M
true
NetworkAccessPointID U
Hostname/IP Address of calling host
NetworkAccessPointTypeCode U
NetworkAccessPointID is host name ⇒ ‘1’
NetworkAccessPointID is an IP address ⇒ ‘2’
Table 7.69 Active Participant: Archive application
Field Name Opt Description
UserID M
Association Events Failure case ⇒ AE title of Archive used in Association
Cancel, Reschedule or Delete Task(s) and Software Configuration Changes case ⇒ RESTful service invoked of Archive
Keycloak admin user performs any action in admin console ⇒ Keycloak device name
For all other cases ⇒ Archive device name
UserIDTypeCode U
Association Events Failure case ⇒ EV (110119, DCM, ‘Station AE Title’)
Cancel, Reschedule or Delete Task(s) and Software Configuration Changes case ⇒ EV (12, RFC-3881, ‘URI’)
For all other cases ⇒ EV (113877, DCM, ‘Device Name’)
UserTypeCode U
Application ⇒ ‘2’
AlternativeUserID MC
Process ID of Audit logger
UserIsRequestor M
false
NetworkAccessPointID U
Hostname/IP Address of the connection referenced by Audit logger
NetworkAccessPointTypeCode U
NetworkAccessPointID is host name ⇒ ‘1’
NetworkAccessPointID is an IP address ⇒ ‘2’
Table 7.70 Participant Object Identification
Field Name Opt Description
ParticipantObjectID M Name of device being created/updated/deleted
ParticipantObjectTypeCode M SystemObject ⇒ ‘2’
ParticipantObjectIDTypeCode M EV (113877, DCM, ‘Device Name’)
ParticipantObjectDetail M ‘type=Alert Description value=<Base-64 encoded software configuration changes>’
Table 7.71 Participant Object Identification
Field Name Opt Description
ParticipantObjectID M JMS Message ID of the canceled/rescheduled/deleted task
ParticipantObjectTypeCode M SystemObject ⇒ ‘2’
ParticipantObjectIDTypeCode M EV (TASK, 99DCM4CHEE, ‘Archive Task’)
ParticipantObjectDetail M ‘type=Task value=<Base-64 encoded complete queue message>’
Table 7.72 Participant Object Identification
Field Name Opt Description
ParticipantObjectID M CancelTasks or RescheduleTasks or DeleteTasks
ParticipantObjectTypeCode M SystemObject ⇒ ‘2’
ParticipantObjectIDTypeCode M EV (TASKS, 99DCM4CHEE, ‘Archive Tasks’)
ParticipantObjectDetail M
‘type=Count value=<Base-64 encoded count of total Canceled/Rescheduled/Deleted tasks>’
If filter(s) set on service invoke ⇒ ‘type=Filters value=<Base-64 encoded query params used for Cancel/Reschedule/Delete tasks service>’
Table 7.73 Participant Object Identification
Field Name Opt Description
ParticipantObjectID M Name of Keycloak device
ParticipantObjectTypeCode M SystemObject ⇒ ‘2’
ParticipantObjectIDTypeCode M EV (113877, DCM, ‘Device Name’)
ParticipantObjectDetail M ‘type=Alert Description value=<Base-64 encoded Representation and Resource Path changes returned by Keycloak>’
Table 7.74 Participant Object Identification : Study
Field Name Opt Description
ParticipantObjectID M Study Instance UID or 1.2.40.0.13.1.15.110.3.165.1 if unknown
ParticipantObjectTypeCode M System ⇒ ‘2’
ParticipantObjectTypeCodeRole M Report ⇒ ‘3’
ParticipantObjectIDTypeCode M EV (110180, DCM, ‘Study Instance UID’)
ParticipantObjectDetail U Base-64 encoded study date if Study has StudyDate(0008,0020) attribute
ParticipantObjectDataLifeCycle U OriginationCreation ⇒ ‘1’
ParticipantObjectDescription U  
SOPClass MC Sop Class UID and Number of instances with this sop class. eg. <SOPClass UID=‘1.2.840.10008.5.1.4.1.1.88.22’ NumberOfInstances=‘4’/>
Accession U Accession Number
Table 7.75 Participant Object Identification : Patient
Field Name Opt Description
ParticipantObjectID M Patient ID or <none> if unknown
ParticipantObjectTypeCode M Person ⇒ ‘1’
ParticipantObjectTypeCodeRole M Patient ⇒ ‘1’
ParticipantObjectIDTypeCode M EV (2, RFC-3881, ‘Patient Number’)
ParticipantObjectName U Patient Name

7.1.5.1.1.12.3. Sample Message

Connection Events Failure

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuditMessage xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.dcm4che.org/DICOM/audit-message.rnc">

    <EventIdentification EventActionCode="E" EventDateTime="2016-06-17T10:35:49.560+02:00" EventOutcomeIndicator="4">
        <EventID csd-code="110113" codeSystemName="DCM" originalText="Node Authentication"/>
        <EventOutcomeDescription>null cert chain</EventOutcomeDescription>
    </EventIdentification>

    <ActiveParticipant UserID="/127.0.0.1:54404" UserTypeCode="1" UserIsRequestor="true" NetworkAccessPointID="/127.0.0.1:54404" NetworkAccessPointTypeCode="2">
        <UserIDTypeCode csd-code="110182" codeSystemName="DCM" originalText="Node ID"/>
    </ActiveParticipant>

    <ActiveParticipant UserID="dcm4chee-arc" UserTypeCode="2" AlternativeUserID="3390" UserIsRequestor="false" NetworkAccessPointID="localhost" NetworkAccessPointTypeCode="1">
        <UserIDTypeCode csd-code="113877" codeSystemName="DCM" originalText="Device Name"/>
    </ActiveParticipant>

    <AuditSourceIdentification AuditSourceID="dcm4chee-arc">
        <AuditSourceTypeCode csd-code="4"/>
    </AuditSourceIdentification>

</AuditMessage>

Associations Events Failure

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuditMessage xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.dcm4che.org/DICOM/audit-message.rnc">

    <EventIdentification EventActionCode="E" EventDateTime="2018-10-23T15:33:19.804+02:00" EventOutcomeIndicator="4">
        <EventID csd-code="110113" codeSystemName="DCM" originalText="Security Alert"/>
        <EventTypeCode csd-code="ASSOCIATION-FAILURE" codeSystemName="99DCM4CHEE" originalText="Association Failure"/>
        <EventOutcomeDescription>A-ASSOCIATE-RJ[result: 1 - rejected-permanent, source: 1 - service-user, reason: 3 - calling-AE-title-not-recognized]</EventOutcomeDescription>
    </EventIdentification>

    <ActiveParticipant UserID="STGCMTSCU1" UserIsRequestor="true" UserTypeCode="2" NetworkAccessPointID="localhost" NetworkAccessPointTypeCode="1">
        <UserIDTypeCode csd-code="110119" codeSystemName="DCM" originalText="Station AE Title"/>
    </ActiveParticipant>

    <ActiveParticipant UserID="DCM4CHEE" UserIsRequestor="false" UserTypeCode="2" NetworkAccessPointID="localhost" NetworkAccessPointTypeCode="1">
        <UserIDTypeCode csd-code="110119" codeSystemName="DCM" originalText="Station AE Title"/>
    </ActiveParticipant>

    <AuditSourceIdentification AuditSourceID="dcm4chee-arc">
        <AuditSourceTypeCode csd-code="4"/>
    </AuditSourceIdentification>

</AuditMessage>

Software Configuration Changes

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuditMessage xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.dcm4che.org/DICOM/audit-message.rnc">

    <EventIdentification EventActionCode="E" EventDateTime="2017-09-22T10:35:49+02:00" EventOutcomeIndicator="0">
        <EventID csd-code="110113" codeSystemName="DCM" originalText="Security Alert"/>
        <EventTypeCode csd-code="110131" codeSystemName="DCM" originalText="Software Configuration"/>
    </EventIdentification>

    <ActiveParticipant UserID="/dcm4chee-arc/devices/dcm4chee-arc" UserIsRequestor="false" UserTypeCode="2" NetworkAccessPointID="localhost" NetworkAccessPointTypeCode="1">
        <UserIDTypeCode csd-code="12" codeSystemName="RFC-3881" originalText="URI"/>
    </ActiveParticipant>

    <ActiveParticipant UserID="127.0.0.1" UserIsRequestor="true" UserTypeCode="1" NetworkAccessPointID="127.0.0.1" NetworkAccessPointTypeCode="2">
        <UserIDTypeCode csd-code="110182" codeSystemName="DCM" originalText="Node ID"/>
    </ActiveParticipant>

    <AuditSourceIdentification AuditSourceID="dcm4chee-arc">
        <AuditSourceTypeCode csd-code="4"/>
    </AuditSourceIdentification>

    <ParticipantObjectIdentification ParticipantObjectID="dcm4chee-arc" ParticipantObjectTypeCode="2">
        <ParticipantObjectIDTypeCode csd-code="113877" originalText="Device Name" codeSystemName="DCM"/>
        <ParticipantObjectDetail type="Alert Description" value="VSBkaWNvbURldmljZU5hbWU9ZGNtNGNoZWUtYXJjLGNuPURldmljZXMsY249RElDT00gQ29uZmlndXJhdGlvbixkYz1kY200Y2hlLGRjPW9yZwogIGRjbVNlcmllc01ldGFkYXRhUG9sbGluZ0ludGVydmFsOiBbXT0+W1BUMU1dCiAgZGNtQUVDYWNoZVN0YWxlVGltZW91dDogW1BUNU1dPT5bXQogIGRjbUFjY2VwdE1pc3NpbmdQYXRpZW50SUQ6IFtDUkVBVEVdPT5bWUVTXQ=="/>
    </ParticipantObjectIdentification>

</AuditMessage>

User Password Update

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuditMessage xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.dcm4che.org/DICOM/audit-message.rnc">

    <EventIdentification EventActionCode="E" EventDateTime="2018-09-18T17:42:55.226+02:00" EventOutcomeIndicator="0">
        <EventID csd-code="110113" codeSystemName="DCM" originalText="Security Alert"/>
        <EventTypeCode csd-code="110137" codeSystemName="DCM" originalText="User security Attributes Changed"/>
    </EventIdentification>

    <ActiveParticipant UserID="admin" UserIsRequestor="true" UserTypeCode="1" NetworkAccessPointID="127.0.0.1" NetworkAccessPointTypeCode="2">
        <UserIDTypeCode csd-code="113871" codeSystemName="DCM" originalText="Person ID"/>
    </ActiveParticipant>

    <ActiveParticipant UserID="dcm4chee-arc" AlternativeUserID="31064" UserIsRequestor="false" UserTypeCode="2" NetworkAccessPointID="localhost" NetworkAccessPointTypeCode="1">
        <UserIDTypeCode csd-code="113877" codeSystemName="DCM" originalText="Device Name"/>
    </ActiveParticipant>

    <AuditSourceIdentification AuditSourceID="dcm4chee-arc">
        <AuditSourceTypeCode csd-code="4"/>
    </AuditSourceIdentification>

</AuditMessage>

Super User Login

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuditMessage xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.dcm4che.org/DICOM/audit-message.rnc">

    <EventIdentification EventActionCode="E" EventDateTime="2018-09-18T17:42:55.226+02:00" EventOutcomeIndicator="0">
        <EventID csd-code="110113" codeSystemName="DCM" originalText="Security Alert"/>
        <EventTypeCode csd-code="110127" codeSystemName="DCM" originalText="Emergency Override Started"/>
    </EventIdentification>

    <ActiveParticipant UserID="admin" UserIsRequestor="true" UserTypeCode="1" NetworkAccessPointID="127.0.0.1" NetworkAccessPointTypeCode="2">
        <UserIDTypeCode csd-code="113871" codeSystemName="DCM" originalText="Person ID"/>
    </ActiveParticipant>

    <ActiveParticipant UserID="dcm4chee-arc" AlternativeUserID="31064" UserIsRequestor="false" UserTypeCode="2" NetworkAccessPointID="localhost" NetworkAccessPointTypeCode="1">
        <UserIDTypeCode csd-code="113877" codeSystemName="DCM" originalText="Device Name"/>
    </ActiveParticipant>

    <AuditSourceIdentification AuditSourceID="dcm4chee-arc">
        <AuditSourceTypeCode csd-code="4"/>
    </AuditSourceIdentification>

</AuditMessage>

Cancel Export Task

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuditMessage xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.dcm4che.org/DICOM/audit-message.rnc">

    <EventIdentification EventActionCode="E" EventDateTime="2018-01-29T13:54:56.838+01:00" EventOutcomeIndicator="0">
        <EventID csd-code="110113" codeSystemName="DCM" originalText="Security Alert"/>
        <EventTypeCode csd-code="CANCEL" codeSystemName="99DCM4CHEE" originalText="Cancel Message"/>
    </EventIdentification>

    <ActiveParticipant UserID="127.0.0.1" UserIsRequestor="true" UserTypeCode="1" NetworkAccessPointID="127.0.0.1" NetworkAccessPointTypeCode="2">
        <UserIDTypeCode csd-code="110182" codeSystemName="DCM" originalText="Node ID"/>
    </ActiveParticipant>

    <ActiveParticipant UserID="/dcm4chee-arc/monitor/export/51/cancel" UserIsRequestor="false" UserTypeCode="2" NetworkAccessPointID="localhost" NetworkAccessPointTypeCode="1">
        <UserIDTypeCode csd-code="12" codeSystemName="RFC-3881" originalText="URI"/>
    </ActiveParticipant>

    <AuditSourceIdentification AuditSourceID="dcm4chee-arc">
        <AuditSourceTypeCode csd-code="4"/>
    </AuditSourceIdentification>

    <ParticipantObjectIdentification ParticipantObjectID="ID:fb45eabd-04f2-11e8-8a74-7c5cf82aac4c" ParticipantObjectTypeCode="2">
        <ParticipantObjectIDTypeCode csd-code="TASK" originalText="Archive Task" codeSystemName="99DCM4CHEE"/>
        <ParticipantObjectDetail type="Task" value="eyJpZCI6IklEOmZiNDVlYWJkLTA0ZjItMTFlOC04YTc0LTdjNWNmODJhYWM0YyIsInF1ZXVlIjoiRXhwb3J0MSIsInByaW9yaXR5Ijo0LCJjcmVhdGVkVGltZSI6IjIwMTgtMDEtMjlUMTM6NDg6MDQuNjQ3KzAxMDAiLCJ1cGRhdGVkVGltZSI6IjIwMTgtMDEtMjlUMTM6NTQ6NTYuODM0KzAxMDAiLCJkaWNvbURldmljZU5hbWUiOiJkY200Y2hlZS1hcmMiLCJzdGF0dXMiOiJDQU5DRUxFRCIsImZhaWx1cmVzIjoxLCJzY2hlZHVsZWRUaW1lIjoiMjAxOC0wMS0yOVQxMzo1MDo1Ny45MDYrMDEwMCIsInByb2Nlc3NpbmdTdGFydFRpbWUiOiIyMDE4LTAxLTI5VDEzOjUwOjU3LjkxNSswMTAwIiwicHJvY2Vzc2luZ0VuZFRpbWUiOiIyMDE4LTAxLTI5VDEzOjUwOjU4LjA4NiswMTAwIiwiZXJyb3JNZXNzYWdlIjoiamF2YS5uZXQuQ29ubmVjdEV4Y2VwdGlvbjogQ29ubmVjdGlvbiByZWZ1c2VkIChDb25uZWN0aW9uIHJlZnVzZWQpIiwib3V0Y29tZU1lc3NhZ2UiOiJFeHBvcnQgU3R1ZHlbdWlkPTEuMi44NDAuMTEzNjc0LjExMTguNTQuMjAwXSB0byBBRTogU1RPUkVTQ1AxIC0gY29tcGxldGVkOjE4IiwiQUVUaXRsZSI6IkRDTTRDSEVFIiwiUmVxdWVzdGVySG9zdE5hbWUiOiIxMjcuMC4wLjEiLCJSZXF1ZXN0ZXJVc2VySUQiOiIxMjcuMC4wLjEiLCJSZXF1ZXN0VVJJIjoiL2RjbTRjaGVlLWFyYy9hZXRzL0RDTTRDSEVFL3JzL3N0dWRpZXMvMS4yLjg0MC4xMTM2NzQuMTExOC41NC4yMDAvZXhwb3J0L1NUT1JFU0NQIiwiU3R1ZHlJbnN0YW5jZVVJRCI6IjEuMi44NDAuMTEzNjc0LjExMTguNTQuMjAwIiwiRXhwb3J0ZXJJRCI6IlNUT1JFU0NQMSJ9"/>
    </ParticipantObjectIdentification>

</AuditMessage>

Delete Export Tasks

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuditMessage xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.dcm4che.org/DICOM/audit-message.rnc">

    <EventIdentification EventActionCode="E" EventDateTime="2018-10-24T17:06:24.727+02:00" EventOutcomeIndicator="0">
        <EventID csd-code="110113" codeSystemName="DCM" originalText="Security Alert"/>
        <EventTypeCode csd-code="DELETE" codeSystemName="99DCM4CHEE" originalText="Delete Task"/>
    </EventIdentification>

    <ActiveParticipant UserID="127.0.0.1" UserIsRequestor="true" UserTypeCode="1" NetworkAccessPointID="127.0.0.1" NetworkAccessPointTypeCode="2">
        <UserIDTypeCode csd-code="110182" codeSystemName="DCM" originalText="Node ID"/>
    </ActiveParticipant>

    <ActiveParticipant UserID="/dcm4chee-arc/monitor/export" UserIsRequestor="false" UserTypeCode="2" NetworkAccessPointID="localhost" NetworkAccessPointTypeCode="1">
        <UserIDTypeCode csd-code="12" codeSystemName="RFC-3881" originalText="URI"/>
    </ActiveParticipant>

    <AuditSourceIdentification AuditSourceID="dcm4chee-arc">
        <AuditSourceTypeCode csd-code="4"/>
    </AuditSourceIdentification>

    <ParticipantObjectIdentification ParticipantObjectID="DeleteTasks" ParticipantObjectTypeCode="2">
        <ParticipantObjectIDTypeCode csd-code="TASKS" originalText="Archive Tasks" codeSystemName="99DCM4CHEE"/>
        <ParticipantObjectDetail type="Filters" value="c3RhdHVzPUNPTVBMRVRFRA=="/>
        <ParticipantObjectDetail type="Count" value="Mg=="/>
    </ParticipantObjectIdentification>

</AuditMessage>

Keycloak Admin Event

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuditMessage xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.dcm4che.org/DICOM/audit-message.rnc">

    <EventIdentification EventActionCode="E" EventDateTime="2018-10-29T14:39:19.406+01:00" EventOutcomeIndicator="0">
        <EventID csd-code="110113" codeSystemName="DCM" originalText="Security Alert"/>
        <EventTypeCode csd-code="110129" codeSystemName="DCM" originalText="Security Configuration"/>
        <EventOutcomeDescription>CREATE CLIENT</EventOutcomeDescription>
    </EventIdentification>

    <ActiveParticipant UserID="admin" UserIsRequestor="true" UserTypeCode="1" NetworkAccessPointID="127.0.0.1" NetworkAccessPointTypeCode="2">
        <UserIDTypeCode csd-code="113871" codeSystemName="DCM" originalText="Person ID"/>
    </ActiveParticipant>

    <ActiveParticipant UserID="keycloak" AlternativeUserID="17431" UserIsRequestor="false" UserTypeCode="2" NetworkAccessPointID="localhost" NetworkAccessPointTypeCode="1">
        <UserIDTypeCode csd-code="113877" codeSystemName="DCM" originalText="Device Name"/>
    </ActiveParticipant>

    <AuditSourceIdentification AuditSourceID="keycloak">
        <AuditSourceTypeCode csd-code="4"/>
    </AuditSourceIdentification>

    <ParticipantObjectIdentification ParticipantObjectID="keycloak" ParticipantObjectTypeCode="2">
        <ParticipantObjectIDTypeCode csd-code="113877" originalText="Device Name" codeSystemName="DCM"/>
        <ParticipantObjectDetail type="Alert Description" value="UmVwcmVzZW50YXRpb246IHsiY2xpZW50SWQiOiJ0ZXN0IiwiZW5hYmxlZCI6dHJ1ZSwicmVkaXJlY3RVcmlzIjpbXSwicHJvdG9jb2wiOiJvcGVuaWQtY29ubmVjdCIsImF0dHJpYnV0ZXMiOnt9fQpSZXNvdXJjZVBhdGg6IGNsaWVudHMvYzIwZWFiMjEtY2FhNC00NjhjLThjNWMtNWU4YmY3N2RkNTIy"/>
    </ParticipantObjectIdentification>

</AuditMessage>

IMPAX Reports Import Service

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuditMessage xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.dcm4che.org/DICOM/audit-message.rnc">

    <EventIdentification EventActionCode="E" EventDateTime="2018-10-23T10:14:46.381+02:00" EventOutcomeIndicator="4">
        <EventID csd-code="110113" codeSystemName="DCM" originalText="Security Alert"/>
        <EventTypeCode csd-code="IMPAXREP_PATDIFF" codeSystemName="99DCM4CHEE" originalText="Patient in IMPAX Report does not match Patient of Study in VNA"/>
        <EventOutcomeDescription>Patient in IMPAX Report does not match Patient of Study in VNA</EventOutcomeDescription>
    </EventIdentification>

    <ActiveParticipant UserID="testuser" UserIsRequestor="true" UserTypeCode="1" NetworkAccessPointID="127.0.0.1" NetworkAccessPointTypeCode="2">
        <UserIDTypeCode csd-code="113871" codeSystemName="DCM" originalText="Person"/>
    </ActiveParticipant>

    <ActiveParticipant UserID="https://aps1tln.pacs.ee/AgfaHC.Connectivity.Web.Services/ReportServiceCM.asmx" UserTypeCode="1" UserIsRequestor="true" NetworkAccessPointID="agfa-host" NetworkAccessPointTypeCode="1">
        <UserIDTypeCode csd-code="12" codeSystemName="RFC-3881" originalText="URI"/>
    </ActiveParticipant>

    <ActiveParticipant UserID="/dcm4chee-arc/aets/DCM4CHEE/rs/studies/1.113654.1.2001.30/impax/reports" UserTypeCode="2" AlternativeUserID="5373" UserIsRequestor="false" NetworkAccessPointID="localhost" NetworkAccessPointTypeCode="1">
        <UserIDTypeCode csd-code="12" codeSystemName="RFC-3881" originalText="URI"/>
    </ActiveParticipant>

    <AuditSourceIdentification AuditSourceID="keycloak">
        <AuditSourceTypeCode csd-code="4"/>
    </AuditSourceIdentification>

    <ParticipantObjectIdentification ParticipantObjectID="1.113654.1.2001.30" ParticipantObjectTypeCode="2" ParticipantObjectTypeCodeRole="3" ParticipantObjectDataLifeCycle="1">
        <ParticipantObjectIDTypeCode csd-code="110180" originalText="Study Instance UID" codeSystemName="DCM"/>
        <ParticipantObjectDetail type="StudyDate" value="MjAwMTA0MzA="/>
        <ParticipantObjectDescription>
            <Accession Number="2001C30"/>
            <SOPClass UID="1.2.840.10008.5.1.4.1.1.88.11" NumberOfInstances="1"/>
        </ParticipantObjectDescription>
    </ParticipantObjectIdentification>

    <ParticipantObjectIdentification ParticipantObjectID="CR3^^^SiteA" ParticipantObjectTypeCode="1" ParticipantObjectTypeCodeRole="1">
        <ParticipantObjectIDTypeCode csd-code="2" originalText="Patient Number" codeSystemName="RFC-3881"/>
        <ParticipantObjectName>CRTHREE^PAUL</ParticipantObjectName>
    </ParticipantObjectIdentification>

</AuditMessage>