SIEM event details (legacy customers only)
Each event reported by the SIEM Event Delivery service is packaged using JSON (JavaScript Object Notation) formatting before being zipped up and sent to your Amazon S3 bucket. A typical event object looks something like this:
```json
{
  "id": "<event-id-placeholder>",
  "message": {
    "app_id": "htb8fuhxnf8e38jrzub3c7pfrr",
    "client_id": "nmub5w3rru9k6rzupqaeb7bbwv6jn658",
    "endpoint_uri": "http://documentation.akamai.com/widget/traditional_signin.jsonp",
    "event_type": "legacy_traditional_signin",
    "forward_headers": [
      {
        "name": "HTTP_X_FORWARDED_FOR",
        "value": "192.168.1.1, 192.168.1.2, 192.168.1.3"
      },
      {
        "name": "HTTP_X_FORWARDED_PROTO",
        "value": "http"
      },
      {
        "name": "HTTP_X_FORWARDED_PORT",
        "value": "80"
      }
    ],
    "ip_address": "192.168.1.1",
    "origin": "https://login.documentation.akamai.com/",
    "user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0",
    "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"
  },
  "msts": 1566206726081,
  "type": "siem#legacy_traditional_signin"
}
```
Like other JSON objects, SIEM events consist of a collection of key/value pairs. For example, this key/value pair from the sample above specifies the type of event (legacy_traditional_signin) that took place:
```json
"event_type": "legacy_traditional_signin",
```
As a general rule, key/value pairs vary among events: depending on the type of event that occurred, Event A can have a different set of key/value pairs than Event B, which, in turn, can have a different set than Event C. The following table lists keys that might be present in an event notification; it is highly unlikely that all of these keys will be present in any single notification, because the SIEM Event Delivery Service reports only the event data (and the key/value pairs) relevant to a given event type.
The SIEM event keys are described in the following table. To see sample event notifications for the various SIEM event types, see Sample SIEM event notifications.
| Key | Definition and Sample Value |
|---|---|
| app_id | Unique identifier of the Identity Cloud API client associated with the event. For example: `"app_id": "htb8fuhxnf8e38jrzub3c7pfrr"`. Appears on: siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update |
| attributes | Array of user profile attribute names associated with the event. For example: `"attributes": ["email", "emailVerified"]`. Appears on: entityUpdated |
| captureApplicationId | Unique identifier of the Akamai Identity Cloud application associated with the event. For example: `"captureApplicationId": "zzyn9gy9r8xdy5zkru4y54syk6"`. Appears on: authenticationFailedKnownUser, authenticationFailedUnknownUser, credentialAuthenticationAttemptsExceededKnownUser, credentialAuthenticationAttemptsExceededUnknownUser, entityCreated, entityDeleted, entityUpdated |
| captureClientId | Unique identifier of the API client associated with the event. For example: `"captureClientId": "7c18051a-524b-44fb-9762-65cf284f0e12"`. Appears on: authenticationFailedKnownUser, authenticationFailedUnknownUser, credentialAuthenticationAttemptsExceededKnownUser, credentialAuthenticationAttemptsExceededUnknownUser, entityCreated, entityDeleted, entityUpdated |
| client_id | Unique identifier of the Identity Cloud API client associated with the event. For example: `"client_id": "elrrniux51a3nrhfwzklvz3t46lb5n2m"`. Appears on: siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update |
| endpoint_uri | Identity Cloud endpoint associated with the event. For example: `"endpoint_uri": "https://documentation.akamai.com/widget/traditionalsignin.jsonp"`. Appears on: siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update |
| entityType | Name of the entity type database associated with the event. For example: `"entityType": "user"`. Appears on: authenticationFailedKnownUser, authenticationFailedUnknownUser, credentialAuthenticationAttemptsExceededKnownUser, credentialAuthenticationAttemptsExceededUnknownUser, entityCreated, entityDeleted, entityUpdated |
| event_type | Type of event that occurred (a user logged on, a user registered, an entity type was created, etc.). For example: `"event_type": "legacy_traditional_signin"`. Appears on: siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update |
| forward_headers | Header information for the event message, as an array of name/value objects. Common headers are HTTP_X_FORWARDED_FOR (client IP address; a comma-separated chain of client and proxy addresses, as in the sample event above), HTTP_X_FORWARDED_PROTO (protocol used in making the request) and HTTP_X_FORWARDED_PORT (server port number). Appears on: siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update |
| globalSub | Internal URI that points to a user record within the Identity Cloud user profile store. For example: `"globalSub": "capture-v1://us.janraincapture.com/zzyn9gy9r8xdy5zkru4y54syk6/user/6b004bc5-179c-45c2-815d-31b06169371d"`. Appears on: authenticationFailedKnownUser, credentialAuthenticationAttemptsExceededKnownUser, entityCreated, entityDeleted, entityUpdated |
| id | Universally unique identifier assigned to the event. For example: `"id": "39874dfa-21g6-4rP2-ao74-5bHT63b81219"`. Appears on: authenticationFailedKnownUser, authenticationFailedUnknownUser, credentialAuthenticationAttemptsExceededKnownUser, credentialAuthenticationAttemptsExceededUnknownUser, entityCreated, entityDeleted, entityUpdated, siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update |
| ip_address | IP address of the device used when the event occurred. Note that ip_address isn't guaranteed to be meaningful in every scenario: when the event is triggered from Akamai systems, an Akamai IP address is emitted, so don't treat this field as the end-user address without checking the event type. For example: `"ip_address": "192.168.1.1"`. Appears on: siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update |
| msts | Date and time when the event occurred, as a Unix epoch timestamp: the number of seconds elapsed since 00:00:00 Coordinated Universal Time (UTC) on January 1, 1970. Check the magnitude before converting: the sample event at the top of this page carries the 13-digit value 1566206726081, which is millisecond precision. For example: `"msts": 1553405263`. Appears on: authenticationFailedKnownUser, authenticationFailedUnknownUser, credentialAuthenticationAttemptsExceededKnownUser, credentialAuthenticationAttemptsExceededUnknownUser, entityCreated, entityDeleted, entityUpdated, siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update |
| origin | Address of the "origin server", the server that contains the original web page. For example: `"origin": "https://login.documentation.akamai.com"`. Appears on: siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update |
| reason | Reason why authentication failed. For example: `"reason": "invalidCredentials"`. Appears on: authenticationFailedKnownUser, authenticationFailedUnknownUser |
| sub | Unique Identity Cloud identifier of the user associated with the event. For example: `"sub": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"`. Appears on: authenticationFailedKnownUser, credentialAuthenticationAttemptsExceededKnownUser, entityCreated, entityDeleted, entityUpdated |
| type | Indicates the event source; this is always `siem#` followed by the event type. For example: `"type": "siem#legacy_traditional_signin"`. Appears on: authenticationFailedKnownUser, authenticationFailedUnknownUser, credentialAuthenticationAttemptsExceededKnownUser, credentialAuthenticationAttemptsExceededUnknownUser, entityCreated, entityDeleted, entityUpdated, siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update |
| user_agent | User agent of the client application in use when the event occurred; it typically identifies the web browser. For example: `"user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0"`. Appears on: siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update |
| user_uuid | Unique Identity Cloud identifier of the user associated with the event. For example: `"user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"`. Appears on: siem#legacy_social_registration, siem#legacy_social_signin, siem#legacy_traditional_registration, siem#legacy_traditional_signin, siem#new_email_verification, siem#password_recover, siem#profile_create, siem#profile_delete, siem#profile_update |
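The following is an added example of consuming these deliveries; it is not Akamai's code and is not taken from this page. It decompresses a delivery blob, normalizes the legacy snake_case keys and the newer camelCase keys from the table above into one field set, converts `msts` while checking for the 13-digit millisecond form seen in the sample event, keeps the full X-Forwarded-For chain instead of trusting its first hop, and counts authenticationFailed* events per user as a simple detection. Assumptions: the blob is gzip (the page only says "zipped"); non-legacy events use the same `id`/`message`/`msts`/`type` envelope as the legacy sample; the event ids are placeholders; the sample events and all function names (`load_events`, `normalize`, `failed_auth_by_user`, and so on) are constructed for this example.

```python
import gzip
import json
from datetime import datetime, timezone

# Constructed sample events, not real delivery data. The first mirrors the
# legacy_traditional_signin object on this page (placeholder id); the second is
# a hypothetical authenticationFailedKnownUser event built from the key table,
# assuming it shares the same id/message/msts/type envelope.
SAMPLE_EVENTS = [
    {
        "id": "00000000-0000-4000-8000-000000000001",
        "message": {
            "app_id": "htb8fuhxnf8e38jrzub3c7pfrr",
            "client_id": "nmub5w3rru9k6rzupqaeb7bbwv6jn658",
            "endpoint_uri": "http://documentation.akamai.com/widget/traditional_signin.jsonp",
            "event_type": "legacy_traditional_signin",
            "forward_headers": [
                {"name": "HTTP_X_FORWARDED_FOR", "value": "192.168.1.1, 192.168.1.2, 192.168.1.3"},
                {"name": "HTTP_X_FORWARDED_PROTO", "value": "http"},
                {"name": "HTTP_X_FORWARDED_PORT", "value": "80"},
            ],
            "ip_address": "192.168.1.1",
            "origin": "https://login.documentation.akamai.com/",
            "user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0",
            "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c",
        },
        "msts": 1566206726081,
        "type": "siem#legacy_traditional_signin",
    },
    {
        "id": "00000000-0000-4000-8000-000000000002",
        "message": {
            "captureApplicationId": "zzyn9gy9r8xdy5zkru4y54syk6",
            "captureClientId": "7c18051a-524b-44fb-9762-65cf284f0e12",
            "entityType": "user",
            "sub": "437920f3-85dd-4cb7-ba8c-7025faea1d2c",
            "reason": "invalidCredentials",
        },
        "msts": 1553405263,
        "type": "siem#authenticationFailedKnownUser",
    },
]


def pack_delivery(events):
    # Test fixture standing in for the object fetched from S3 (gzip assumed).
    return gzip.compress(json.dumps(events).encode("utf-8"))


def load_events(blob):
    """Decompress a delivery blob (if gzip) and parse it into a list of events."""
    try:
        raw = gzip.decompress(blob)
    except OSError:  # not gzip: assume plain JSON
        raw = blob
    data = json.loads(raw)
    return data if isinstance(data, list) else [data]


def msts_to_datetime(msts):
    """UTC datetime from msts. The table defines msts in seconds, but the
    sample event carries a 13-digit value, so > 10**11 is read as milliseconds."""
    value = int(msts)
    if value > 10**11:
        value /= 1000
    return datetime.fromtimestamp(value, tz=timezone.utc)


def normalize(event):
    """Flatten one event into a common schema across legacy snake_case keys
    and newer camelCase keys, so downstream rules use a single field set."""
    msg = event.get("message", {})
    headers = {h["name"]: h["value"] for h in msg.get("forward_headers", [])}
    # X-Forwarded-For is a comma-separated chain; hops before the last trusted
    # proxy are client-supplied, so keep the whole chain for review.
    xff = headers.get("HTTP_X_FORWARDED_FOR", "")
    chain = [hop.strip() for hop in xff.split(",") if hop.strip()]
    return {
        "id": event.get("id"),
        "event_type": event.get("type", "").split("#", 1)[-1],
        "time": msts_to_datetime(event["msts"]),
        "app_id": msg.get("app_id") or msg.get("captureApplicationId"),
        "client_id": msg.get("client_id") or msg.get("captureClientId"),
        "user": msg.get("user_uuid") or msg.get("sub"),
        "ip_address": msg.get("ip_address"),  # may be an Akamai address, per the table
        "xff_chain": chain,
        "reason": msg.get("reason"),
    }


def failed_auth_by_user(events, threshold=3):
    """Users with at least `threshold` authenticationFailed* events: a simple
    password-guessing / credential-stuffing signal for a SIEM rule."""
    counts = {}
    for ev in map(normalize, events):
        if ev["event_type"].startswith("authenticationFailed") and ev["user"]:
            counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}
```

In production the blob would come from the S3 object body; `pack_delivery(SAMPLE_EVENTS)` stands in for it so the example runs offline. The `or` fallbacks in `normalize` are what let one rule such as `failed_auth_by_user` work whether a tenant receives legacy `user_uuid` events or newer `sub` events.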
