SIEM event details (legacy customers only)
The content on this page deals with a legacy feature of the Akamai Identity Cloud. If you are currently an Identity Cloud customer and are using SIEM event delivery, that feature is still supported. However, if you're new to the Identity Cloud, SIEM event delivery is no longer available.
Each event reported by the SIEM Event Delivery service is packaged using JSON (JavaScript Object Notation) formatting before being compressed and sent to your Amazon S3 bucket. A typical event object looks something like this:
```json
{
  "id":
  "message": {
    "app_id": "htb8fuhxnf8e38jrzub3c7pfrr",
    "client_id": "nmub5w3rru9k6rzupqaeb7bbwv6jn658",
    "endpoint_uri": "http://documentation.akamai.com/widget/traditional_signin.jsonp",
    "event_type": "legacy_traditional_signin",
    "forward_headers": [
      {
        "name": "HTTP_X_FORWARDED_FOR",
        "value": "192.168.1.1, 192.168.1.2, 192.168.1.3"
      },
      {
        "name": "HTTP_X_FORWARDED_PROTO",
        "value": "http"
      },
      {
        "name": "HTTP_X_FORWARDED_PORT",
        "value": "80"
      }
    ],
    "ip_address": "192.168.1.1",
    "origin": "https://login.documentation.akamai.com/",
    "user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0",
    "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"
  },
  "msts": 1566206726081,
  "type": "siem#legacy_traditional_signin"
}
```
Like other JSON objects, SIEM events consist of a collection of key/value pairs. For example, this key/value pair from the sample above specifies the type of event (legacy_traditional_signin) that took place:
```json
"event_type": "legacy_traditional_signin",
```
As a general rule, key/value pairs vary among events: based on the type of event that occurred, Event A could have a different set of key/value pairs than Event B, which, in turn, could have a different set of key/value pairs than Event C. The following table lists the keys that might be present in an event notification. However, it's highly unlikely that all of these keys will be present in any single event notification: the SIEM Event Delivery Service reports only the event data (and the key/value pairs) relevant to a given event type. To see sample event notifications for the various SIEM event types, see Sample SIEM event notifications.
| Key | Definition and Sample Value |
|---|---|
| app_id | Unique identifier of the Identity Cloud API client associated with the event. For example: "app_id": "htb8fuhxnf8e38jrzub3c7pfrr". This key appears on the following event notifications: siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update. |
| attributes | Array of user profile attribute names associated with the event. For example: "attributes": ["email", "emailVerified"]. This key appears on the following event notifications: entityUpdated. |
| captureApplicationId | Unique identifier of the Akamai Identity Cloud application associated with the event. For example: "captureApplicationId": "zzyn9gy9r8xdy5zkru4y54syk6". This key appears on the following event notifications: authenticationFailedKnownUser, authenticationFailedUnknownUser, credentialAuthenticationAttemptsExceededKnownUser, credentialAuthenticationAttemptsExceededUnknownUser, entityCreated, entityDeleted, entityUpdated. |
| captureClientId | Unique identifier of the API client associated with the event. For example: "captureClientId": "7c18051a-524b-44fb-9762-65cf284f0e12". This key appears on the following event notifications: authenticationFailedKnownUser, authenticationFailedUnknownUser, credentialAuthenticationAttemptsExceededKnownUser, credentialAuthenticationAttemptsExceededUnknownUser, entityCreated, entityDeleted, entityUpdated. |
| client_id | Unique identifier of the Identity Cloud API client associated with the event. For example: "client_id": "elrrniux51a3nrhfwzklvz3t46lb5n2m". This key appears on the following event notifications: siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update. |
| endpoint_uri | Identity Cloud endpoint associated with the event. For example: "endpoint_uri": "https://documentation.akamai.com/widget/traditionalsignin.jsonp". This key appears on the following event notifications: siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update. |
| entityType | Name of the entity type database associated with the event. For example: "entityType": "user". This key appears on the following event notifications: authenticationFailedKnownUser, authenticationFailedUnknownUser, credentialAuthenticationAttemptsExceededKnownUser, credentialAuthenticationAttemptsExceededUnknownUser, entityCreated, entityDeleted, entityUpdated. |
| event_type | Type of event that occurred (a user logged on, a user registered, an entity type was created, etc.). For example: "event_type": "legacy_traditional_signin". This key appears on the following event notifications: siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update. |
| forward_headers | Header information for the event message. Common message headers include HTTP_X_FORWARDED_FOR (client IP address), HTTP_X_FORWARDED_PROTO (protocol used in making the request) and HTTP_X_FORWARDED_PORT (server port number). This key appears on the following event notifications: siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update. |
| globalSub | Internal URI that points to a user record within the Identity Cloud user profile store. For example: "globalSub": "capture-v1://us.janraincapture.com/zzyn9gy9r8xdy5zkru4y54syk6/user/6b004bc5-179c-45c2-815d-31b06169371d". This key appears on the following event notifications: authenticationFailedKnownUser, credentialAuthenticationAttemptsExceededKnownUser, entityCreated, entityDeleted, entityUpdated. |
| id | Universally unique identifier assigned to the event. For example: "id": "39874dfa-21g6-4rP2-ao74-5bHT63b81219". This key appears on the following event notifications: authenticationFailedKnownUser, authenticationFailedUnknownUser, credentialAuthenticationAttemptsExceededKnownUser, credentialAuthenticationAttemptsExceededUnknownUser, entityCreated, entityDeleted, entityUpdated, siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update. |
| ip_address | IP address of the device used when the event occurred. Note that ip_address isn't guaranteed to be meaningful in every scenario: in cases where the event is triggered from Akamai systems, an Akamai IP address is emitted. For example: "ip_address": "192.168.1.1". This key appears on the following event notifications: siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update. |
| msts | Date and time when the event occurred. The msts value is formatted using Unix epoch time, which represents the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC) on January 1, 1970. For example: "msts": "1553405263". This key appears on the following event notifications: authenticationFailedKnownUser, authenticationFailedUnknownUser, credentialAuthenticationAttemptsExceededKnownUser, credentialAuthenticationAttemptsExceededUnknownUser, entityCreated, entityDeleted, entityUpdated, siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update. |
| origin | Specifies the address of the "origin server," the server that contains the original web page. For example: "origin": "https://login.documentation.akamai.com". This key appears on the following event notifications: siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update. |
| reason | Reason why authentication failed. For example: "reason": "invalidCredentials". This key appears on the following event notifications: authenticationFailedKnownUser, authenticationFailedUnknownUser. |
| sub | Unique Identity Cloud identifier of the user associated with the event. For example: "sub": "437920f3-85dd-4cb7-ba8c-7025faea1d2c". This key appears on the following event notifications: authenticationFailedKnownUser, credentialAuthenticationAttemptsExceededKnownUser, entityCreated, entityDeleted, entityUpdated. |
| type | Indicates the event source; this is always set to siem# followed by the event type. For example: "type": "siem#legacy_traditional_signin". This key appears on the following event notifications: authenticationFailedKnownUser, authenticationFailedUnknownUser, credentialAuthenticationAttemptsExceededKnownUser, credentialAuthenticationAttemptsExceededUnknownUser, entityCreated, entityDeleted, entityUpdated, siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update. |
| user_agent | User agent for the client application employed when the event occurred. The user agent typically identifies the web browser in use when the event took place. For example: "user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0". This key appears on the following event notifications: siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update. |
| user_uuid | Unique Identity Cloud identifier of the user associated with the event. For example: "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c". This key appears on the following event notifications: siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update. |
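Because the key set changes with the event type, an ingestion pipeline has to flatten the two naming families (user_uuid/app_id/client_id on the legacy events, sub/captureApplicationId/captureClientId on the entity events) into one schema before the events reach a SIEM. The Python below is an added example, not Akamai's code: it normalises two constructed events built from the page's sample values, strips the siem# prefix from type, and accepts msts in either seconds (as the table describes) or milliseconds (as the 13-digit value in the page's sample event suggests). The event ids are placeholders, and placing the entity-event keys under "message" is an assumption.

```python
import json
from datetime import datetime, timezone

# Two constructed events modelled on the page's samples (not captured data). Putting
# the entity-event keys under "message" is an assumption; the ids are placeholders.
RAW_EVENTS = json.loads("""[
 {"id": "EVENT-ID-PLACEHOLDER-1", "msts": 1566206726081, "type": "siem#legacy_traditional_signin",
  "message": {"app_id": "htb8fuhxnf8e38jrzub3c7pfrr", "client_id": "nmub5w3rru9k6rzupqaeb7bbwv6jn658",
   "event_type": "legacy_traditional_signin", "ip_address": "192.168.1.1",
   "forward_headers": [{"name": "HTTP_X_FORWARDED_FOR", "value": "192.168.1.1, 192.168.1.2, 192.168.1.3"},
                       {"name": "HTTP_X_FORWARDED_PROTO", "value": "http"},
                       {"name": "HTTP_X_FORWARDED_PORT", "value": "80"}],
   "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"}},
 {"id": "EVENT-ID-PLACEHOLDER-2", "msts": "1553405263", "type": "siem#authenticationFailedKnownUser",
  "message": {"captureApplicationId": "zzyn9gy9r8xdy5zkru4y54syk6",
   "captureClientId": "7c18051a-524b-44fb-9762-65cf284f0e12", "entityType": "user",
   "sub": "437920f3-85dd-4cb7-ba8c-7025faea1d2c", "reason": "invalidCredentials"}}
]""")

def event_kind(event):
    """Strip the 'siem#' prefix that the page says every 'type' value carries."""
    kind = event["type"]
    if not kind.startswith("siem#"):
        raise ValueError(f"unexpected event source prefix: {kind!r}")
    return kind[len("siem#"):]

def event_time(event):
    """Normalise msts to a UTC datetime. The table describes seconds, but the page's
    sample event carries a 13-digit value, so anything >= 10**11 is treated as ms."""
    raw = int(event["msts"])  # the table's sample is a string, the event sample an int
    ms = raw if raw >= 10**11 else raw * 1000
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(microsecond=(ms % 1000) * 1000)

def normalize(event):
    """Flatten one event into a fixed-schema record; every message key is optional
    because the key set depends on the event type."""
    msg = event.get("message", {})
    headers = {h["name"]: h["value"] for h in msg.get("forward_headers", [])}
    xff = headers.get("HTTP_X_FORWARDED_FOR", "")
    return {
        "event_id": event.get("id"),
        "event_type": event_kind(event),
        "timestamp": event_time(event).isoformat(),
        "user": msg.get("user_uuid") or msg.get("sub"),           # legacy vs entity naming
        "app": msg.get("app_id") or msg.get("captureApplicationId"),
        "client": msg.get("client_id") or msg.get("captureClientId"),
        "ip_address": msg.get("ip_address"),                      # may be an Akamai address
        "xff_first": xff.split(",")[0].strip() or None,           # caller-supplied; correlate, don't trust
        "reason": msg.get("reason"),
    }

NORMALIZED = [normalize(e) for e in RAW_EVENTS]
if __name__ == "__main__":
    for rec in NORMALIZED:
        print(json.dumps(rec))
```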
