Appendix B: Sample SIEM Event Notifications

Identity Cloud events can, and do, differ from one another: entityUpdated events (in which authenticated users make changes to their user profiles) are very different from authenticationFailedUnknownUser events, where we don't even know who the user is (and, as the name implies, where authentication never took place). Because events differ, event notifications differ as well: the information included in an entityUpdated event won't be the same as the information included in an authenticationFailedUnknownUser event.

To give you a heads-up on what your event notifications will look like, this page includes sample notifications for the following SIEM event types:

Keep in mind that these are sample notifications: the actual notifications that your organization receives could vary slightly. If you'd like more information about the values that appear on an event notification (values such as msts and origin), see Appendix A in this documentation set.
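
The two families of notifications on this page use different field names (sub and captureClientId on the camel-case events, user_uuid and client_id on the siem# events, with ip_address and forward_headers only on the latter), so a consumer usually maps both onto one record before writing detection rules. The Python below is an added example, not part of the original documentation: the normalize and forwarded_chain functions and the output field names are hypothetical, and it assumes msts is a Unix timestamp in milliseconds.

```python
import json
from datetime import datetime, timedelta, timezone

# Abridged copies of three sample notifications from this page.
SAMPLES = json.loads("""[
 {"id": "793d27fa-1391-46d1-a335-61d6c1055d4a", "msts": 1618431683866,
  "type": "authenticationFailedKnownUser",
  "message": {"captureClientId": "u74hp2xa4u75dq9s6wv8yyb28wkkux7m",
              "reason": "invalidCredentials",
              "sub": "e909e648-efb5-45f2-8399-9081423c0c87"}},
 {"id": "f6eb05aa-4d62-494c-bbed-15f1468cc007", "msts": 1618593552264,
  "type": "authenticationFailedUnknownUser",
  "message": {"captureClientId": "u74hp2xa4u75dq9s6wv8yyb28wkkux7m",
              "reason": "unknownUser"}},
 {"id": "9260ea6f-2d1e-446c-a3aa-a81983aa7979", "msts": 1618435586571,
  "type": "siem#legacy_traditional_signin",
  "message": {"client_id": "y4xfg6f44msac3vepjjvxggzvt3e3sk9",
              "forward_headers": [{"name": "HTTP_X_FORWARDED_FOR",
                                   "value": "67.189.49.100, 172.22.37.137"}],
              "ip_address": "67.189.49.100",
              "user_uuid": "3c388dd9-5bcc-4883-9a91-d51129110a4a"}}
]""")

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def forwarded_chain(msg):
    """Return the X-Forwarded-For hops; header names vary in case and prefix."""
    for header in msg.get("forward_headers") or []:
        name = header.get("name", "").lower().replace("_", "-")
        if name.endswith("x-forwarded-for"):
            return [hop.strip() for hop in header.get("value", "").split(",")]
    return []

def normalize(event):
    """Flatten either notification shape; fields a type lacks become None."""
    msg = event.get("message") or {}
    legacy = event["type"].startswith("siem#")
    when = EPOCH + timedelta(milliseconds=event["msts"])  # assumption: epoch ms
    return {
        "id": event["id"],
        "type": event["type"],
        "time": when.isoformat(timespec="milliseconds"),
        "user": msg.get("user_uuid" if legacy else "sub"),
        "client": msg.get("client_id" if legacy else "captureClientId"),
        "reason": msg.get("reason"),
        "ip": msg.get("ip_address"),
        "xff": forwarded_chain(msg),
    }

RECORDS = [normalize(event) for event in SAMPLES]
```

Unknown-user events carry no sub, so rules that group by user need a separate path for records whose user is None.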




authenticationFailedKnownUser

Indicates that authentication has failed for a known user (for example, a user recognized by his or her email address).

{
    "id": "793d27fa-1391-46d1-a335-61d6c1055d4a",
    "message": {
        "captureApplicationId": "79y4mqf2rt3bxs378kw5479xdu",
        "captureClientId": "u74hp2xa4u75dq9s6wv8yyb28wkkux7m",
        "entityType": "GREG_DEMO",
        "globalSub": "capture-v1://us.janraincapture.com/79y4mqf2rt3bxs378kw5479xdu/GREG_DEMO/e909e648-efb5-45f2-8399-9081423c0c87",
        "reason": "invalidCredentials",
        "sub": "e909e648-efb5-45f2-8399-9081423c0c87"
    },
    "msts": 1618431683866,
    "type": "authenticationFailedKnownUser"
}




authenticationFailedUnknownUser

Indicates that authentication has failed for an unknown user (typically a user who submitted an unregistered email address).

{
    "id": "f6eb05aa-4d62-494c-bbed-15f1468cc007",
    "message": {
        "captureApplicationId": "79y4mqf2rt3bxs378kw5479xdu",
        "captureClientId": "u74hp2xa4u75dq9s6wv8yyb28wkkux7m",
        "entityType": "GREG_DEMO",
        "reason": "unknownUser"
    },
    "msts": 1618593552264,
    "type": "authenticationFailedUnknownUser"
}




credentialAuthenticationAttemptsExceededKnownUser

Indicates that a known user (as determined by a unique identifier such as the user’s email address) has exceeded the login attempts threshold.

{
    "id": "f87f6280-a21e-4a87-a618-ed3b32bd1156",
    "message": {
        "captureApplicationId": "79y4mqf2rt3bxs378kw5479xdu",
        "captureClientId": "u74hp2xa4u75dq9s6wv8yyb28wkkux7m",
        "entityType": "GREG_DEMO",
        "globalSub": "capture-v1://us.janraincapture.com/79y4mqf2rt3bxs378kw5479xdu/GREG_DEMO/3c388dd9-5bcc-4883-9a91-d51129110a4a",
        "sub": "3c388dd9-5bcc-4883-9a91-d51129110a4a"
    },
    "msts": 1619024978253,
    "type": "credentialAuthenticationAttemptsExceededKnownUser"
}




credentialAuthenticationAttemptsExceededUnknownUser

Indicates that an unknown user (e.g., a user without a registered email address) has exceeded the login attempts threshold.

{
    "id": "6bdfa031-714a-47bd-b55f-7bac409c4280",
    "message": {
        "blindedIdentifiers": ["58f091cd1ac933aa180cb715e8eedb02da79fbfe49e04d0a9d4651174a888180573e76ad6d014af912ea115d63581f84b09d7dbba7959b8da19b783c294dda83"],
        "captureApplicationId": "79y4mqf2rt3bxs378kw5479xdu",
        "captureClientId": "u74hp2xa4u75dq9s6wv8yyb28wkkux7m",
        "entityType": "GREG_DEMO"
    },
    "msts": 1619025611980,
    "type": "credentialAuthenticationAttemptsExceededUnknownUser"
}




entityCreated

Indicates that a new entity type record (typically a new user profile) has been created.

{
    "id": "8173c672-69f3-439d-960f-bcb4a4bff07b",
    "message": {
        "captureApplicationId": "79y4mqf2rt3bxs378kw5479xdu",
        "captureClientId": "u74hp2xa4u75dq9s6wv8yyb28wkkux7m",
        "entityType": "GREG_DEMO",
        "globalSub": "capture-v1://us.janraincapture.com/79y4mqf2rt3bxs378kw5479xdu/GREG_DEMO/6751ec28-2163-438a-b4db-836c24f9fbfc",
        "sub": "6751ec28-2163-438a-b4db-836c24f9fbfc"
    },
    "msts": 1618593627780,
    "type": "entityCreated"
}




entityDeleted

Indicates that a record (typically a user profile) has been deleted from an entity type database.

{
    "id": "5d60e634-d0a5-4e2d-b811-5250368b6c4c",
    "message": {
        "captureApplicationId": "79y4mqf2rt3bxs378kw5479xdu",
        "captureClientId": "8ysdc2t92dywuazmqc7u6wgkrhuc7b6q",
        "entityType": "GREG_DEMO",
        "globalSub": "capture-v1://us.janraincapture.com/79y4mqf2rt3bxs378kw5479xdu/GREG_DEMO/1d0f6181-3243-408c-aa72-95e0d5c618c9",
        "sub": "1d0f6181-3243-408c-aa72-95e0d5c618c9"
    },
    "msts": 1618593596159,
    "type": "entityDeleted"
}




entityUpdated

Indicates that an entity type record (typically a user profile) has been updated.

{
    "id": "998607f8-254b-444b-9b93-93b3de66ca76",
    "message": {
        "attributes": ["clients.firstLogin", "clients.lastLogin", "lastLogin"],
        "captureApplicationId": "79y4mqf2rt3bxs378kw5479xdu",
        "captureClientId": "5663cb83xve8fr97356s66eqrnq3g52p",
        "entityType": "GREG_DEMO",
        "globalSub": "capture-v1://us.janraincapture.com/79y4mqf2rt3bxs378kw5479xdu/GREG_DEMO/3c388dd9-5bcc-4883-9a91-d51129110a4a",
        "sub": "3c388dd9-5bcc-4883-9a91-d51129110a4a"
    },
    "msts": 1618508842131,
    "type": "entityUpdated"
}




siem#legacy_social_registration

A user successfully registered by using a third-party identity provider.

{
    "id": "45d28869-804b-43d6-8fea-47ca4d1cfd98",
    "message": {
        "app_id": "79y4mqf2rt3bxs378kw5479xdu",
        "client_id": "y4xfg6f44msac3vepjjvxggzvt3e3sk9",
        "endpoint_uri": "http://se-demos-gstemp.us-dev.janraincapture.com/widget/social_register.jsonp",
        "event_type": "legacy_social_registration",
        "forward_headers": [{
            "name": "HTTP_X_FORWARDED_FOR",
            "value": "67.189.49.100, 172.22.37.137"
        }, {
            "name": "HTTP_X_FORWARDED_PROTO",
            "value": "http"
        }, {
            "name": "HTTP_X_FORWARDED_PORT",
            "value": "80"
        }],
        "ip_address": "67.189.49.100",
        "origin": "https://v1.api.us.janrain.com/",
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36",
        "user_uuid": "f990ff62-dcb7-478a-b9e5-85cdaad6cd61"
    },
    "msts": 1618593736105,
    "type": "siem#legacy_social_registration"
}




siem#legacy_social_signin

A user successfully authenticated by using a third-party identity provider (IDP).

{
    "id": "fcb1510f-4b4a-4949-bf63-c481f232c5f0",
    "message": {
        "app_id": "79y4mqf2rt3bxs378kw5479xdu",
        "client_id": "y4xfg6f44msac3vepjjvxggzvt3e3sk9",
        "endpoint_uri": "http://se-demos-gstemp.us-dev.janraincapture.com/widget/token_url",
        "event_type": "legacy_social_signin",
        "forward_headers": [{
            "name": "HTTP_X_FORWARDED_FOR",
            "value": "67.189.49.100, 172.22.37.137"
        }, {
            "name": "HTTP_X_FORWARDED_PROTO",
            "value": "http"
        }, {
            "name": "HTTP_X_FORWARDED_PORT",
            "value": "80"
        }],
        "ip_address": "67.189.49.100",
        "origin": "https://greg-stemp.rpxnow.com/",
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:87.0) Gecko/20100101 Firefox/87.0",
        "user_uuid": "1d0f6181-3243-408c-aa72-95e0d5c618c9"
    },
    "msts": 1618579965675,
    "type": "siem#legacy_social_signin"
}




siem#legacy_traditional_registration

A user successfully registered by using an email address and password.

{
    "id": "6c20b4a9-c8b1-4c8c-adfe-52ff3897a3a4",
    "message": {
        "app_id": "79y4mqf2rt3bxs378kw5479xdu",
        "client_id": "y4xfg6f44msac3vepjjvxggzvt3e3sk9",
        "endpoint_uri": "http://se-demos-gstemp.us-dev.janraincapture.com/widget/traditional_register.jsonp",
        "event_type": "legacy_traditional_registration",
        "forward_headers": [{
            "name": "HTTP_X_FORWARDED_FOR",
            "value": "67.189.49.100, 172.22.37.137"
        }, {
            "name": "HTTP_X_FORWARDED_PROTO",
            "value": "http"
        }, {
            "name": "HTTP_X_FORWARDED_PORT",
            "value": "80"
        }],
        "ip_address": "67.189.49.100",
        "origin": "https://v1.api.us.janrain.com/",
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36",
        "user_uuid": "2c0c0b44-593f-46e1-b076-92d95c195240"
    },
    "msts": 1618438473154,
    "type": "siem#legacy_traditional_registration"
}




siem#legacy_traditional_signin

A user successfully authenticated by using an email address and password.

{
    "id": "9260ea6f-2d1e-446c-a3aa-a81983aa7979",
    "message": {
        "app_id": "79y4mqf2rt3bxs378kw5479xdu",
        "client_id": "y4xfg6f44msac3vepjjvxggzvt3e3sk9",
        "endpoint_uri": "http://se-demos-gstemp.us-dev.janraincapture.com/widget/traditional_signin.jsonp",
        "event_type": "legacy_traditional_signin",
        "forward_headers": [{
            "name": "HTTP_X_FORWARDED_FOR",
            "value": "67.189.49.100, 172.22.37.137"
        }, {
            "name": "HTTP_X_FORWARDED_PROTO",
            "value": "http"
        }, {
            "name": "HTTP_X_FORWARDED_PORT",
            "value": "80"
        }],
        "ip_address": "67.189.49.100",
        "origin": "https://v1.api.us.janrain.com/",
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:87.0) Gecko/20100101 Firefox/87.0",
        "user_uuid": "3c388dd9-5bcc-4883-9a91-d51129110a4a"
    },
    "msts": 1618435586571,
    "type": "siem#legacy_traditional_signin"
}




siem#new_email_verification

A user successfully verified their email address.

{
    "id": "f08e2c5c-219e-4519-bdd6-8d8d61b0c6f4",
    "message": {
        "app_id": "79y4mqf2rt3bxs378kw5479xdu",
        "client_id": "y4xfg6f44msac3vepjjvxggzvt3e3sk9",
        "endpoint_uri": "http://se-demos-gstemp.us-dev.janraincapture.com/widget/profile.jsonp",
        "event_type": "new_email_verification",
        "forward_headers": [{
            "name": "HTTP_X_FORWARDED_FOR",
            "value": "67.189.49.100, 172.22.49.35"
        }, {
            "name": "HTTP_X_FORWARDED_PROTO",
            "value": "http"
        }, {
            "name": "HTTP_X_FORWARDED_PORT",
            "value": "80"
        }],
        "ip_address": "67.189.49.100",
        "origin": "https://v1.api.us.janrain.com/",
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36",
        "user_uuid": "3c388dd9-5bcc-4883-9a91-d51129110a4a"
    },
    "msts": 1618508527547,
    "type": "siem#new_email_verification"
}




siem#password_recover

A user has reset their password after clicking the Forgot Password link.

{
    "id": "2ec2d271-4687-457e-ad76-36f6473568cb",
    "message": {
        "app_id": "79y4mqf2rt3bxs378kw5479xdu",
        "client_id": "y4xfg6f44msac3vepjjvxggzvt3e3sk9",
        "endpoint_uri": "http://se-demos-gstemp.us-dev.janraincapture.com/widget/recover_password.jsonp",
        "event_type": "password_recover",
        "forward_headers": [{
            "name": "HTTP_X_FORWARDED_FOR",
            "value": "67.189.49.100, 172.22.37.137"
        }, {
            "name": "HTTP_X_FORWARDED_PROTO",
            "value": "http"
        }, {
            "name": "HTTP_X_FORWARDED_PORT",
            "value": "80"
        }],
        "ip_address": "67.189.49.100",
        "origin": "https://v1.api.us.janrain.com/",
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36",
        "user_uuid": "3c388dd9-5bcc-4883-9a91-d51129110a4a"
    },
    "msts": 1618498382450,
    "type": "siem#password_recover"
}




siem#profile_create

A new user profile database record was created.

{
    "id": "16e73126-f5da-4479-9665-c6517b161982",
    "message": {
        "app_id": "79y4mqf2rt3bxs378kw5479xdu",
        "client_id": "u74hp2xa4u75dq9s6wv8yyb28wkkux7m",
        "endpoint_uri": "https://apid-alb-app.multieval.prod.va.janrain.com/entity.create",
        "event_type": "profile_create",
        "forward_headers": [{
            "name": "x-forwarded-for",
            "value": "172.22.54.171"
        }, {
            "name": "x-forwarded-proto",
            "value": "http"
        }, {
            "name": "x-forwarded-port",
            "value": "80"
        }],
        "ip_address": "172.22.54.171",
        "origin": null,
        "user_agent": "Ruby",
        "user_uuid": "6751ec28-2163-438a-b4db-836c24f9fbfc"
    },
    "msts": 1618593627781,
    "type": "siem#profile_create"
}




siem#profile_delete

A user profile database record was deleted.

{
    "id": "adef4707-1aa9-4e9a-b191-22abd50741c8",
    "message": {
        "app_id": "79y4mqf2rt3bxs378kw5479xdu",
        "client_id": "8ysdc2t92dywuazmqc7u6wgkrhuc7b6q",
        "endpoint_uri": "https://us.janraincapture.com/entity.delete",
        "event_type": "profile_delete",
        "forward_headers": [{
            "name": "x-forwarded-for",
            "value": "52.202.111.163, 172.22.37.222"
        }, {
            "name": "x-forwarded-proto",
            "value": "http"
        }, {
            "name": "x-forwarded-port",
            "value": "80"
        }],
        "ip_address": "52.202.111.163",
        "origin": null,
        "user_agent": "Janrain Console",
        "user_uuid": "1d0f6181-3243-408c-aa72-95e0d5c618c9"
    },
    "msts": 1618593596161,
    "type": "siem#profile_delete"
}




siem#profile_update

A user profile database record was updated.

{
    "id": "aaf52f5c-e378-4e1e-b132-57e8ada3865a",
    "message": {
        "app_id": "79y4mqf2rt3bxs378kw5479xdu",
        "client_id": "8ysdc2t92dywuazmqc7u6wgkrhuc7b6q",
        "endpoint_uri": "https://us.janraincapture.com/entity.update",
        "event_type": "profile_update",
        "forward_headers": [{
            "name": "x-forwarded-for",
            "value": "34.231.17.45, 172.22.61.32"
        }, {
            "name": "x-forwarded-proto",
            "value": "http"
        }, {
            "name": "x-forwarded-port",
            "value": "80"
        }],
        "ip_address": "34.231.17.45",
        "origin": null,
        "user_agent": "Janrain Console",
        "user_uuid": "e2632751-d680-4c31-befb-8350b71749c0"
    },
    "msts": 1618595026230,
    "type": "siem#profile_update"
}