SIEM event details (legacy customers only)
The content on this page deals with a legacy feature of the Akamai Identity Cloud. If you are currently an Identity Cloud customer and are using SIEM event delivery, that feature is still supported. However, if you're new to the Identity Cloud, SIEM event delivery is no longer available.
Each event reported by the SIEM Event Delivery service is packaged using JSON (JavaScript Object Notation) formatting before being zipped up and sent to your Amazon S3 bucket. A typical event object looks something like this:
```json
{
  "id": "39874dfa-21g6-4rP2-ao74-5bHT63b81219",
  "message": {
    "app_id": "htb8fuhxnf8e38jrzub3c7pfrr",
    "client_id": "nmub5w3rru9k6rzupqaeb7bbwv6jn658",
    "endpoint_uri": "http://documentation.akamai.com/widget/traditional_signin.jsonp",
    "event_type": "legacy_traditional_signin",
    "forward_headers": [
      {
        "name": "HTTP_X_FORWARDED_FOR",
        "value": "192.168.1.1, 192.168.1.2, 192.168.1.3"
      },
      {
        "name": "HTTP_X_FORWARDED_PROTO",
        "value": "http"
      },
      {
        "name": "HTTP_X_FORWARDED_PORT",
        "value": "80"
      }
    ],
    "ip_address": "192.168.1.1",
    "origin": "https://login.documentation.akamai.com/",
    "user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0",
    "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"
  },
  "msts": 1566206726081,
  "type": "siem#legacy_traditional_signin"
}
```
Like other JSON objects, SIEM events consist of a collection of key/value pairs; for example, this key/value pair specifies the type of event (legacy_traditional_signin) that took place:
"event_type": "legacy_traditional_signin",
As a general rule, key/value pairs vary among events: based on the type of event that occurred, Event A could have a different set of key/value pairs than Event B, which, in turn, could have a different set of key/value pairs than Event C. The following table lists keys that might be present in an event notification. However, it's highly unlikely that all of these keys will be present in any one event notification. The SIEM Event Delivery service reports the event data (and the key/value pairs) relevant for a given event type.
Other SIEM event keys are described in the following table. To see sample event notifications for the various SIEM event types, see Sample SIEM event notifications.
Key | Definition and Sample Value |
---|---|
app_id | Unique identifier of the Identity Cloud API client associated with the event. For example: "app_id": "htb8fuhxnf8e38jrzub3c7pfrr" This key appears on the following event notifications: * siem#legacy_social_registration * siem#legacy_social_signin * siem#legacy_traditional_registration * siem#legacy_traditional_signin * siem#new_email_verification * siem#password_recover * siem#profile_create * siem#profile_delete * siem#profile_update |
attributes | Array of user profile attribute names associated with the event. For example: "attributes": ["email", "emailVerified"] This key appears on the following event notifications: * entityUpdated |
captureApplicationId | Unique identifier of the Akamai Identity Cloud application associated with the event. For example: "captureApplicationId": "zzyn9gy9r8xdy5zkru4y54syk6" This key appears on the following event notifications: * authenticationFailedKnownUser * authenticationFailedUnknownUser * credentialAuthenticationAttemptsExceededKnownUser * credentialAuthenticationAttemptsExceededUnknownUser * entityCreated * entityDeleted * entityUpdated |
captureClientId | Unique identifier of the API client associated with the event. For example: "captureClientId": "7c18051a-524b-44fb-9762-65cf284f0e12" This key appears on the following event notifications: * authenticationFailedKnownUser * authenticationFailedUnknownUser * credentialAuthenticationAttemptsExceededKnownUser * credentialAuthenticationAttemptsExceededUnknownUser * entityCreated * entityDeleted * entityUpdated |
client_id | Unique identifier of the Identity Cloud API client associated with the event. For example: "client_id": "elrrniux51a3nrhfwzklvz3t46lb5n2m" This key appears on the following event notifications: * siem#legacy_social_registration * siem#legacy_social_signin * siem#legacy_traditional_registration * siem#legacy_traditional_signin * siem#new_email_verification * siem#password_recover * siem#profile_create * siem#profile_delete * siem#profile_update |
endpoint_uri | Identity Cloud endpoint associated with the event. For example: "endpoint_uri": "https://documentation.akamai.com/widget/traditionalsignin.jsonp" This key appears on the following event notifications: * siem#legacy_social_registration * siem#legacy_social_signin * siem#legacy_traditional_registration * siem#legacy_traditional_signin * siem#new_email_verification * siem#password_recover * siem#profile_create * siem#profile_delete * siem#profile_update |
entityType | Name of the entity type database associated with the event. For example: "entityType": "user" This key appears on the following event notifications: * authenticationFailedKnownUser * authenticationFailedUnknownUser * credentialAuthenticationAttemptsExceededKnownUser * credentialAuthenticationAttemptsExceededUnknownUser * entityCreated * entityDeleted * entityUpdated |
event_type | Type of event that occurred (a user logged on, a user registered, an entity type was created, etc.). For example: "event_type": "legacy_traditional_signin" This key appears on the following event notifications: * siem#legacy_social_registration * siem#legacy_social_signin * siem#legacy_traditional_registration * siem#legacy_traditional_signin * siem#new_email_verification * siem#password_recover * siem#profile_create * siem#profile_delete * siem#profile_update |
forward_headers | Header information for the event message. Common message headers include: * HTTP_X_FORWARDED_FOR (client IP address) * HTTP_X_FORWARDED_PROTO (protocol used in making the request) * HTTP_X_FORWARDED_PORT (server port number) This key appears on the following event notifications: * siem#legacy_social_registration * siem#legacy_social_signin * siem#legacy_traditional_registration * siem#legacy_traditional_signin * siem#new_email_verification * siem#password_recover * siem#profile_create * siem#profile_delete * siem#profile_update |
globalSub | Internal URI that points to a user record within the Identity Cloud user profile store. For example: "globalSub": "capture-v1://us.janraincapture.com/zzyn9gy9r8xdy5zkru4y54syk6/user/6b004bc5-179c-45c2-815d-31b06169371d" This key appears on the following event notifications: * authenticationFailedKnownUser * credentialAuthenticationAttemptsExceededKnownUser * entityCreated * entityDeleted * entityUpdated |
id | Universally unique identifier assigned to the event. For example: "id": "39874dfa-21g6-4rP2-ao74-5bHT63b81219" This key appears on the following event notifications: * authenticationFailedKnownUser * authenticationFailedUnknownUser * credentialAuthenticationAttemptsExceededKnownUser * credentialAuthenticationAttemptsExceededUnknownUser * entityCreated * entityDeleted * entityUpdated * siem#legacy_social_registration * siem#legacy_social_signin * siem#legacy_traditional_registration * siem#legacy_traditional_signin * siem#new_email_verification * siem#password_recover * siem#profile_create * siem#profile_delete * siem#profile_update |
ip_address | IP address of the device used when the event occurred. Note that ip_address isn't guaranteed to be meaningful in every scenario. In cases where the event is triggered from Akamai systems, an Akamai IP address will be emitted. For example: "ip_address": "192.168.1.1" This key appears on the following event notifications: * siem#legacy_social_registration * siem#legacy_social_signin * siem#legacy_traditional_registration * siem#legacy_traditional_signin * siem#new_email_verification * siem#password_recover * siem#profile_create * siem#profile_delete * siem#profile_update |
msts | Date and time when the event occurred. The msts value is formatted using Unix epoch time, which represents the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC) on January 1, 1970. For example: "msts": "1553405263" This key appears on the following event notifications: * authenticationFailedKnownUser * authenticationFailedUnknownUser * credentialAuthenticationAttemptsExceededKnownUser * credentialAuthenticationAttemptsExceededUnknownUser * entityCreated * entityDeleted * entityUpdated * siem#legacy_social_registration * siem#legacy_social_signin * siem#legacy_traditional_registration * siem#legacy_traditional_signin * siem#new_email_verification * siem#password_recover * siem#profile_create * siem#profile_delete * siem#profile_update |
origin | Specifies the address of the "origin server," the server that contains the original web page. For example: "origin": "https://login.documentation.akamai.com" This key appears on the following event notifications: * siem#legacy_social_registration * siem#legacy_social_signin * siem#legacy_traditional_registration * siem#legacy_traditional_signin * siem#new_email_verification * siem#password_recover * siem#profile_create * siem#profile_delete * siem#profile_update |
reason | Reason why authentication failed. For example: "reason": "invalidCredentials" This key appears on the following event notifications: * authenticationFailedKnownUser * authenticationFailedUnknownUser |
sub | Unique Identity Cloud identifier of the user associated with the event. For example: "sub": "437920f3-85dd-4cb7-ba8c-7025faea1d2c" This key appears on the following event notifications: * authenticationFailedKnownUser * credentialAuthenticationAttemptsExceededKnownUser * entityCreated * entityDeleted * entityUpdated |
type | Indicates the event source; this will always be set to siem# followed by the event type. For example: "type": "siem#legacy_traditional_signin" This key appears on the following event notifications: * authenticationFailedKnownUser * authenticationFailedUnknownUser * credentialAuthenticationAttemptsExceededKnownUser * credentialAuthenticationAttemptsExceededUnknownUser * entityCreated * entityDeleted * entityUpdated * siem#legacy_social_registration * siem#legacy_social_signin * siem#legacy_traditional_registration * siem#legacy_traditional_signin * siem#new_email_verification * siem#password_recover * siem#profile_create * siem#profile_delete * siem#profile_update |
user_agent | User agent for the client application employed when the event occurred. The user agent typically identifies the web browser in use when the event took place. For example: "user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0" This key appears on the following event notifications: * siem#legacy_social_registration * siem#legacy_social_signin * siem#legacy_traditional_registration * siem#legacy_traditional_signin * siem#new_email_verification * siem#password_recover * siem#profile_create * siem#profile_delete * siem#profile_update |
user_uuid | Unique Identity Cloud identifier of the user associated with the event. For example: "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c" This key appears on the following event notifications: * siem#legacy_social_registration * siem#legacy_social_signin * siem#legacy_traditional_registration * siem#legacy_traditional_signin * siem#new_email_verification * siem#password_recover * siem#profile_create * siem#profile_delete * siem#profile_update |
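
Because the keys vary by event type, a consumer has to map both key families onto one record before correlating events. The following Python normalizer is an added example, not Akamai code. It assumes the camelCase keys (sub, captureClientId, reason) may sit either at the top level or inside "message", and that an msts value of 10**11 or more is in milliseconds, since this page shows msts both as a 10-digit string and as a 13-digit integer; the second sample event is constructed from the table's sample values.

```python
import json
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def pick(event, *keys):
    """First non-empty value for any of keys, looking in "message" then the top level."""
    message = event.get("message")
    scopes = [message if isinstance(message, dict) else {}, event]
    for key in keys:
        for scope in scopes:
            if scope.get(key) not in (None, ""):
                return scope[key]
    return None

def parse_msts(value):
    """Accept msts as an int or a numeric string, in seconds or milliseconds."""
    n = int(value)
    # Assumption: anything >= 10**11 is milliseconds (10**11 s would be the year 5138).
    return EPOCH + timedelta(milliseconds=n if n >= 10**11 else n * 1000)

def normalize(raw):
    """Map one event, whichever key family it uses, onto a single flat record."""
    event = json.loads(raw)
    headers = {h.get("name"): h.get("value") for h in pick(event, "forward_headers") or []}
    xff = headers.get("HTTP_X_FORWARDED_FOR") or ""
    event_type = pick(event, "event_type") or str(event.get("type", ""))
    return {
        "event_type": event_type.split("#", 1)[-1],
        "time": parse_msts(event["msts"]).isoformat(),
        "user": pick(event, "user_uuid", "sub"),
        "client": pick(event, "client_id", "captureClientId"),
        "reason": pick(event, "reason"),
        "ip_address": pick(event, "ip_address"),
        # Keep the whole chain: entries to the left can be set by the requester.
        "forwarded_for": [p.strip() for p in xff.split(",") if p.strip()],
    }

# Constructed samples built from the keys and sample values documented above.
LEGACY = json.dumps({"msts": 1566206726081, "type": "siem#legacy_traditional_signin", "message": {
    "event_type": "legacy_traditional_signin", "ip_address": "192.168.1.1",
    "client_id": "nmub5w3rru9k6rzupqaeb7bbwv6jn658",
    "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c", "forward_headers": [
        {"name": "HTTP_X_FORWARDED_FOR", "value": "192.168.1.1, 192.168.1.2, 192.168.1.3"}]}})
FAILED = json.dumps({"msts": "1553405263", "type": "siem#authenticationFailedKnownUser",
    "reason": "invalidCredentials", "sub": "437920f3-85dd-4cb7-ba8c-7025faea1d2c",
    "captureClientId": "7c18051a-524b-44fb-9762-65cf284f0e12"})

if __name__ == "__main__":
    print(normalize(LEGACY), normalize(FAILED), sep="\n")
```

Treat ip_address and forwarded_for as hints for correlation rather than as identity: the table notes that ip_address can be an Akamai address when the event is triggered from Akamai systems.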