SIEM event details (legacy customers only)


The content on this page deals with a legacy feature of the Akamai Identity Cloud. If you are currently an Identity Cloud customer and are using SIEM event delivery, that feature is still supported. However, if you're new to the Identity Cloud, SIEM event delivery is no longer available.


Each event reported by the SIEM Event Delivery service is packaged using JSON (JavaScript Object Notation) formatting before being zipped up and sent to your Amazon S3 bucket. A typical event object looks something like this:

{
    "id": "39874dfa-21g6-4rP2-ao74-5bHT63b81219",
    "message": {
        "app_id": "htb8fuhxnf8e38jrzub3c7pfrr",
        "client_id": "nmub5w3rru9k6rzupqaeb7bbwv6jn658",
        "endpoint_uri": "http://documentation.akamai.com/widget/traditional_signin.jsonp",
        "event_type": "legacy_traditional_signin",
        "forward_headers": [
            {
                "name": "HTTP_X_FORWARDED_FOR",
                "value": "192.168.1.1, 192.168.1.2, 192.168.1.3"
            },
            {
                "name": "HTTP_X_FORWARDED_PROTO",
                "value": "http"
            },
            {
                "name": "HTTP_X_FORWARDED_PORT",
                "value": "80"
            }
        ],
        "ip_address": "192.168.1.1",
        "origin": "https://login.documentation.akamai.com/",
        "user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0",
        "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"
    },
    "msts": 1566206726081,
    "type": "siem#legacy_traditional_signin"
}

Like other JSON objects, SIEM events consist of a collection of key/value pairs; for example, this key/value pair specifies the type of event (legacy_traditional_signin) that took place:

"event_type": "legacy_traditional_signin",


As a general rule, key/value pairs vary among events: based on the type of event that occurred, Event A could have a different set of key/value pairs than Event B, which, in turn, could have a different set of key/value pairs than Event C. The following table lists keys that might be present in an event notification. However, it's highly unlikely that all of these keys will be present in a single event notification. The SIEM Event Delivery Service reports only the event data (and the key/value pairs) relevant for a given event type.

Other SIEM event keys are described in the following table. To see sample event notifications for the various SIEM event types, see Sample SIEM event notifications.

Key and definition (with sample value)

app_id
Unique identifier of the Identity Cloud API client associated with the event. For example:

"app_id": "htb8fuhxnf8e38jrzub3c7pfrr"

This key appears on the following event notifications:

* siem#legacy_social_registration
* siem#legacy_social_signin
* siem#legacy_traditional_registration
* siem#legacy_traditional_signin
* siem#new_email_verification
* siem#password_recover
* siem#profile_create
* siem#profile_delete
* siem#profile_update
attributes
Array of user profile attribute names associated with the event. For example:

"attributes": ["email", "emailVerified"]

This key appears on the following event notifications:

* entityUpdated
captureApplicationId
Unique identifier of the Akamai Identity Cloud application associated with the event. For example:

"captureApplicationId": "zzyn9gy9r8xdy5zkru4y54syk6"

This key appears on the following event notifications:

* authenticationFailedKnownUser
* authenticationFailedUnknownUser
* credentialAuthenticationAttemptsExceededKnownUser
* credentialAuthenticationAttemptsExceededUnknownUser
* entityCreated
* entityDeleted
* entityUpdated
captureClientId
Unique identifier of the API client associated with the event. For example:

"captureClientId": "7c18051a-524b-44fb-9762-65cf284f0e12"

This key appears on the following event notifications:

* authenticationFailedKnownUser
* authenticationFailedUnknownUser
* credentialAuthenticationAttemptsExceededKnownUser
* credentialAuthenticationAttemptsExceededUnknownUser
* entityCreated
* entityDeleted
* entityUpdated
client_id
Unique identifier of the Identity Cloud API client associated with the event. For example:

"client_id": "elrrniux51a3nrhfwzklvz3t46lb5n2m"

This key appears on the following event notifications:

* siem#legacy_social_registration
* siem#legacy_social_signin
* siem#legacy_traditional_registration
* siem#legacy_traditional_signin
* siem#new_email_verification
* siem#password_recover
* siem#profile_create
* siem#profile_delete
* siem#profile_update
endpoint_uri
Identity Cloud endpoint associated with the event. For example:

"endpoint_uri": "https://documentation.akamai.com/widget/traditionalsignin.jsonp"

This key appears on the following event notifications:

* siem#legacy_social_registration
* siem#legacy_social_signin
* siem#legacy_traditional_registration
* siem#legacy_traditional_signin
* siem#new_email_verification
* siem#password_recover
* siem#profile_create
* siem#profile_delete
* siem#profile_update
entityType
Name of the entity type database associated with the event. For example:

"entityType": "user"

This key appears on the following event notifications:

* authenticationFailedKnownUser
* authenticationFailedUnknownUser
* credentialAuthenticationAttemptsExceededKnownUser
* credentialAuthenticationAttemptsExceededUnknownUser
* entityCreated
* entityDeleted
* entityUpdated
event_type
Type of event that occurred (a user logged on, a user registered, an entity type was created, etc.). For example:

"event_type": "legacy_traditional_signin"

This key appears on the following event notifications:

* siem#legacy_social_registration
* siem#legacy_social_signin
* siem#legacy_traditional_registration
* siem#legacy_traditional_signin
* siem#new_email_verification
* siem#password_recover
* siem#profile_create
* siem#profile_delete
* siem#profile_update
forward_headers
Header information for the event message. Common message headers include:

* HTTP_X_FORWARDED_FOR (client IP address)
* HTTP_X_FORWARDED_PROTO (protocol used in making the request)
* HTTP_X_FORWARDED_PORT (server port number)

This key appears on the following event notifications:

* siem#legacy_social_registration
* siem#legacy_social_signin
* siem#legacy_traditional_registration
* siem#legacy_traditional_signin
* siem#new_email_verification
* siem#password_recover
* siem#profile_create
* siem#profile_delete
* siem#profile_update
globalSub
Internal URI that points to a user record within the Identity Cloud user profile store. For example:

"globalSub": "capture-v1://us.janraincapture.com/zzyn9gy9r8xdy5zkru4y54syk6/user/6b004bc5-179c-45c2-815d-31b06169371d"

This key appears on the following event notifications:

* authenticationFailedKnownUser
* credentialAuthenticationAttemptsExceededKnownUser
* entityCreated
* entityDeleted
* entityUpdated
id
Universally unique identifier assigned to the event. For example:

"id": "39874dfa-21g6-4rP2-ao74-5bHT63b81219"

This key appears on the following event notifications:

* authenticationFailedKnownUser
* authenticationFailedUnknownUser
* credentialAuthenticationAttemptsExceededKnownUser
* credentialAuthenticationAttemptsExceededUnknownUser
* entityCreated
* entityDeleted
* entityUpdated
* siem#legacy_social_registration
* siem#legacy_social_signin
* siem#legacy_traditional_registration
* siem#legacy_traditional_signin
* siem#new_email_verification
* siem#password_recover
* siem#profile_create
* siem#profile_delete
* siem#profile_update
ip_address
IP address of the device used when the event occurred. Note that ip_address isn't guaranteed to be meaningful in every scenario. In cases where the event is triggered from Akamai systems, an Akamai IP address will be emitted.

For example:

"ip_address": "192.168.1.1"

This key appears on the following event notifications:

* siem#legacy_social_registration
* siem#legacy_social_signin
* siem#legacy_traditional_registration
* siem#legacy_traditional_signin
* siem#new_email_verification
* siem#password_recover
* siem#profile_create
* siem#profile_delete
* siem#profile_update
msts
Date and time when the event occurred. The msts value is formatted using Unix epoch time, which represents the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC) on January 1, 1970. For example:

"msts": "1553405263"

This key appears on the following event notifications:

* authenticationFailedKnownUser
* authenticationFailedUnknownUser
* credentialAuthenticationAttemptsExceededKnownUser
* credentialAuthenticationAttemptsExceededUnknownUser
* entityCreated
* entityDeleted
* entityUpdated
* siem#legacy_social_registration
* siem#legacy_social_signin
* siem#legacy_traditional_registration
* siem#legacy_traditional_signin
* siem#new_email_verification
* siem#password_recover
* siem#profile_create
* siem#profile_delete
* siem#profile_update
origin
Specifies the address of the "origin server," the server that contains the original web page. For example:

"origin": "https://login.documentation.akamai.com"

This key appears on the following event notifications:

* siem#legacy_social_registration
* siem#legacy_social_signin
* siem#legacy_traditional_registration
* siem#legacy_traditional_signin
* siem#new_email_verification
* siem#password_recover
* siem#profile_create
* siem#profile_delete
* siem#profile_update
reason
Reason why authentication failed. For example:

"reason": "invalidCredentials"

This key appears on the following event notifications:

* authenticationFailedKnownUser
* authenticationFailedUnknownUser
sub
Unique Identity Cloud identifier of the user associated with the event. For example:

"sub": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"

This key appears on the following event notifications:

* authenticationFailedKnownUser
* credentialAuthenticationAttemptsExceededKnownUser
* entityCreated
* entityDeleted
* entityUpdated
type
Indicates the event source; this will always be set to siem# followed by the event type. For example:

"type": "siem#legacy_traditional_signin"

This key appears on the following event notifications:

* authenticationFailedKnownUser
* authenticationFailedUnknownUser
* credentialAuthenticationAttemptsExceededKnownUser
* credentialAuthenticationAttemptsExceededUnknownUser
* entityCreated
* entityDeleted
* entityUpdated
* siem#legacy_social_registration
* siem#legacy_social_signin
* siem#legacy_traditional_registration
* siem#legacy_traditional_signin
* siem#new_email_verification
* siem#password_recover
* siem#profile_create
* siem#profile_delete
* siem#profile_update
user_agent
User agent for the client application employed when the event occurred. The user agent typically identifies the web browser in use when the event took place. For example:

"user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0"

This key appears on the following event notifications:

* siem#legacy_social_registration
* siem#legacy_social_signin
* siem#legacy_traditional_registration
* siem#legacy_traditional_signin
* siem#new_email_verification
* siem#password_recover
* siem#profile_create
* siem#profile_delete
* siem#profile_update
user_uuid
Unique Identity Cloud identifier of the user associated with the event. For example:

"user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"

This key appears on the following event notifications:

* siem#legacy_social_registration
* siem#legacy_social_signin
* siem#legacy_traditional_registration
* siem#legacy_traditional_signin
* siem#new_email_verification
* siem#password_recover
* siem#profile_create
* siem#profile_delete
* siem#profile_update
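Because the key set differs between the siem#legacy_* events (app_id, client_id, user_uuid, forward_headers) and the profile-store events (captureApplicationId, captureClientId, sub, reason), a SIEM pipeline normally maps both shapes onto one record before writing detections. The following Python is an added example, not Akamai code, that does that mapping over a constructed batch and then counts failed-authentication events per user. It uses the page's sample event as its first record (with a placeholder id) and assumes the other event types share the same {id, message, msts, type} envelope, that the unzipped S3 object holds a single JSON object, a JSON array, or newline-delimited JSON, and that type carries the siem# prefix for every event; none of these layouts is stated on this page. It also treats the 13-digit msts value from the sample event as milliseconds and the 10-digit value from the key table as seconds, since both forms appear on the page. Prefix-stripping, the ms/s heuristic, the forward-header lookup and the threshold are this example's choices.

```python
"""Added example, not Akamai code: normalize SIEM Event Delivery records and
run a simple failed-login count over them."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Constructed sample batch. Record 1 is the page's sample event with a placeholder
# id; the remaining records are ASSUMED to use the same {id, message, msts, type}
# envelope, which the page does not show for the non-legacy event types.
SAMPLE_BATCH: List[Dict[str, Any]] = [{
    "id": "EVENT-ID-PLACEHOLDER-1",
    "message": {
        "app_id": "htb8fuhxnf8e38jrzub3c7pfrr",
        "client_id": "nmub5w3rru9k6rzupqaeb7bbwv6jn658",
        "endpoint_uri": "http://documentation.akamai.com/widget/traditional_signin.jsonp",
        "event_type": "legacy_traditional_signin",
        "forward_headers": [
            {"name": "HTTP_X_FORWARDED_FOR", "value": "192.168.1.1, 192.168.1.2, 192.168.1.3"},
            {"name": "HTTP_X_FORWARDED_PROTO", "value": "http"},
            {"name": "HTTP_X_FORWARDED_PORT", "value": "80"},
        ],
        "ip_address": "192.168.1.1",
        "origin": "https://login.documentation.akamai.com/",
        "user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0",
        "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c",
    },
    "msts": 1566206726081,  # 13 digits: milliseconds (as in the page's sample event)
    "type": "siem#legacy_traditional_signin",
}] + [{
    "id": f"EVENT-ID-PLACEHOLDER-{n}",
    "message": {
        "captureApplicationId": "zzyn9gy9r8xdy5zkru4y54syk6",
        "captureClientId": "7c18051a-524b-44fb-9762-65cf284f0e12",
        "entityType": "user",
        "sub": "437920f3-85dd-4cb7-ba8c-7025faea1d2c",
        "reason": "invalidCredentials",
    },
    "msts": "1553405263",  # 10-digit string: seconds (as in the key table)
    "type": "siem#authenticationFailedKnownUser",  # siem# prefix on non-legacy events: assumption
} for n in range(2, 6)]
SAMPLE_BATCH_JSON = json.dumps(SAMPLE_BATCH)
SAMPLE_BATCH_NDJSON = "\n".join(json.dumps(e) for e in SAMPLE_BATCH)

FAILED_AUTH_TYPES = {"authenticationFailedKnownUser",
                     "credentialAuthenticationAttemptsExceededKnownUser"}


@dataclass
class NormalizedEvent:
    event_id: str
    event_type: str
    occurred_at: datetime
    app_id: Optional[str]
    client_id: Optional[str]
    user_id: Optional[str]
    client_ip: Optional[str]
    reason: Optional[str]
    attributes: List[str] = field(default_factory=list)


def load_events(text: str) -> List[Dict[str, Any]]:
    """Accept one JSON object, a JSON array, or newline-delimited JSON (assumed layouts)."""
    text = text.strip()
    try:
        doc = json.loads(text)
        return doc if isinstance(doc, list) else [doc]
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_msts(value: Any) -> datetime:
    """Heuristic: values of 12+ digits are milliseconds, shorter ones are seconds."""
    n = int(value)
    if n >= 10**11:
        n //= 1000
    return datetime.fromtimestamp(n, tz=timezone.utc)


def forwarded_client_ip(message: Dict[str, Any]) -> Optional[str]:
    """Left-most HTTP_X_FORWARDED_FOR hop, falling back to ip_address; the page warns
    that ip_address may be an Akamai address when Akamai systems trigger the event."""
    for hdr in message.get("forward_headers", []):
        if hdr.get("name") == "HTTP_X_FORWARDED_FOR" and hdr.get("value"):
            return hdr["value"].split(",")[0].strip()
    return message.get("ip_address")


def normalize(event: Dict[str, Any]) -> NormalizedEvent:
    """Map both the legacy and the profile-store key sets onto one record."""
    msg = event.get("message", {})
    etype = event.get("type") or msg.get("event_type", "")
    if etype.startswith("siem#"):
        etype = etype[len("siem#"):]
    return NormalizedEvent(
        event_id=event.get("id", ""),
        event_type=etype,
        occurred_at=parse_msts(event["msts"]),
        app_id=msg.get("app_id") or msg.get("captureApplicationId"),
        client_id=msg.get("client_id") or msg.get("captureClientId"),
        user_id=msg.get("user_uuid") or msg.get("sub"),
        client_ip=forwarded_client_ip(msg),
        reason=msg.get("reason"),
        attributes=list(msg.get("attributes", [])),
    )


def failed_auth_by_user(events: List[NormalizedEvent], threshold: int = 3) -> Dict[str, int]:
    """Return user_id -> failed-auth count for users at or above the threshold."""
    counts: Dict[str, int] = {}
    for ev in events:
        if ev.event_type in FAILED_AUTH_TYPES and ev.user_id:
            counts[ev.user_id] = counts.get(ev.user_id, 0) + 1
    return {user: c for user, c in counts.items() if c >= threshold}


if __name__ == "__main__":
    events = [normalize(e) for e in load_events(SAMPLE_BATCH_JSON)]
    for ev in events:
        print(ev.occurred_at.isoformat(), ev.event_type, ev.user_id, ev.client_ip, ev.reason)
    print("users over threshold:", failed_auth_by_user(events))
```

Run it as a script to see the normalized records and the one user that crosses the default threshold. When adapting it to real deliveries, confirm the actual envelope of the non-legacy event types and the archive layout against your own bucket contents before trusting the field mapping, and remember that the left-most X-Forwarded-For hop is only as reliable as the proxies that appended the later ones.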