Appendix: SIEM Event Delivery Event Details

Each event reported by the SIEM Event Delivery service is packaged using JSON (JavaScript Object Notation) formatting before being zipped up and sent to your Amazon S3 bucket. A typical event object looks something like this:

{
    "id": "39874dfa-21g6-4rP2-ao74-5bHT63b81219",
    "message": {
        "app_id": "htb8fuhxnf8e38jrzub3c7pfrr",
        "client_id": "nmub5w3rru9k6rzupqaeb7bbwv6jn658",
        "endpoint_uri": "http://documentation.akamai.com/widget/traditional_signin.jsonp",
        "event_type": "legacy_traditional_signin",
        "forward_headers": [
            {
                "name": "HTTP_X_FORWARDED_FOR",
                "value": "192.168.1.1, 192.168.1.2, 192.168.1.3"
            },
            {
                "name": "HTTP_X_FORWARDED_PROTO",
                "value": "http"
            },
            {
                "name": "HTTP_X_FORWARDED_PORT",
                "value": "80"
            }
        ],
        "ip_address": "192.168.1.1",
        "origin": "https://login.documentation.akamai.com/",
        "user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0",
        "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"
    },
    "msts": 1566206726081,
    "type": "siem#legacy_traditional_signin"
}


Like other JSON objects, SIEM events consist of a collection of key/value pairs; for example, this key/value pair specifies the type of event (legacy_traditional_signin) that took place:

"event_type": "legacy_traditional_signin",

Other SIEM event keys are described in the following table.

Important. As a general rule, key/value pairs vary among events: based on the type of event that occurred, Event A could have a different set of key/value pairs than Event B, which, in turn, could have a different set of key/value pairs than Event C. The following table lists keys that might be present in an event notification. However, it is highly unlikely that all of these keys will be present in a single event notification. The SIEM Event Delivery Service reports only the event data (and the key/value pairs) relevant to a given event type.


Key

Definition and Sample Value

app_id

Unique identifier of the Identity Cloud API client associated with the event. For example:

"app_id": "htb8fuhxnf8e38jrzub3c7pfrr"

attributes

Array of user profile attribute names associated with the event. For example:

"attributes": ["email", "emailVerified"]

captureApplicationId

Unique identifier of the Akamai Identity Cloud application associated with the event. For example:

"captureApplicationId": "zzyn9gy9r8xdy5zkru4y54syk6"

captureClientId

Unique identifier of the API client associated with the event. For example:

"captureClientId": "7c18051a-524b-44fb-9762-65cf284f0e12"

client_id

Unique identifier of the Identity Cloud API client associated with the event. For example:

"client_id": "elrrniux51a3nrhfwzklvz3t46lb5n2m"

customerid

Unique identifier of the organization associated with the event. This will typically be the organization’s Akamai account ID. For example:

"customerId": "elrrniux51a3nrhfwzklvz3t46lb5n2m"

endpoint_uri

Identity Cloud endpoint associated with the event. For example:

"endpoint_uri": "http://documentation.akamai.com/widget/traditionalsignin.jsonp"

entityType

Name of the entity type database associated with the event. For example:

"entityType": "user"

event_type

Type of event that occurred (a user logged on, a user registered, an entity type was created, etc.). For example:

"event_type": "legacy_traditional_signin"

forward_headers

Header information for the event message. Common message headers include:

  • HTTP_X_FORWARDED_FOR (client IP address, followed by the address of each proxy the request passed through)
  • HTTP_X_FORWARDED_PROTO (protocol used in making the request)
  • HTTP_X_FORWARDED_PORT (server port number)

globalSub

Internal URI that points to a user record within the Identity Cloud user profile store. For example:

"globalSub": "capture-v1://us.janraincapture.com/zzyn9gy9r8xdy5zkru4y54syk6/user/6b004bc5-179c-45c2-815d-31b06169371d"

In the preceding URL, zzyn9gy9r8xdy5zkru4y54syk6 represents the unique identifier of the Identity Cloud application and 6b004bc5-179c-45c2-815d-31b06169371d represents the user’s UUID (Universally Unique Identifier).

id

Universally unique identifier assigned to the event. For example:

"id": "39874dfa-21g6-4rP2-ao74-5bHT63b81219"

ip_address

IP address of the device used when the event occurred. For example:

"ip_address": "192.168.1.1"

msts

Date and time when the event occurred. The msts value is formatted using Unix epoch time, which represents the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC) on January 1, 1970. For example:

"msts": "1553405263"

In the preceding example, the value 1553405263 represents Saturday, March 23, 2019 at 22:27:43 Pacific Daylight Time.

origin

Specifies the address of the “origin server,” the server that contains the original web page. For example:

"origin": "https://login.documentation.akamai.com"

sub

Unique Identity Cloud identifier of the user associated with the event. For example:

"sub": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"

type

Indicates the event source; this will always be set to siem# followed by the event type. For example:

"type": "siem#legacy_traditional_signin"

user_agent

User agent for the client application employed when the event occurred. The user agent typically identifies the web browser in use when the event took place. For example:

"user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0"

user_uuid

Unique Identity Cloud identifier of the user associated with the event. For example:

"user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"
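As an added example (not part of the Akamai documentation), the following Python shows how an ingestion step could unpack a delivered archive and normalize events given the variable key set described above. It assumes the archive is gzip-compressed, newline-delimited JSON (an assumption; adjust to the layout your delivery uses), and it accepts msts either as the 13-digit millisecond value shown in the sample object or as the 10-digit seconds string shown in the table.

```python
import gzip
import json
from datetime import datetime, timedelta, timezone
# Constructed sample event (values taken from this appendix), stored gzipped
# as one JSON object per line; that archive layout is an assumption.
SAMPLE_EVENT = {
    "id": "39874dfa-21g6-4rP2-ao74-5bHT63b81219",
    "message": {
        "app_id": "htb8fuhxnf8e38jrzub3c7pfrr",
        "event_type": "legacy_traditional_signin",
        "forward_headers": [
            {"name": "HTTP_X_FORWARDED_FOR", "value": "192.168.1.1, 192.168.1.2, 192.168.1.3"},
        ],
        "ip_address": "192.168.1.1",
        "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c",
    },
    "msts": 1566206726081,
    "type": "siem#legacy_traditional_signin",
}
SAMPLE_GZ = gzip.compress((json.dumps(SAMPLE_EVENT) + "\n").encode("utf-8"))

def msts_to_utc(msts):
    """Accept msts as a 13-digit millisecond int or a 10-digit seconds string."""
    value = int(msts)
    ms = value if value > 10**11 else value * 1000  # above 10**11 means milliseconds
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)

def normalize_event(raw):
    """Flatten one event to the fields a detection pipeline keys on."""
    source, _, event_type = str(raw.get("type", "")).partition("#")
    if source != "siem" or not event_type:
        raise ValueError("not a SIEM event: %r" % raw.get("type"))
    msg = raw.get("message", {})  # key set varies by event type, so every lookup tolerates absence
    headers = {h.get("name"): h.get("value") for h in msg.get("forward_headers", [])}
    # X-Forwarded-For is client-influenced: keep the whole chain; only the hop your own edge appended is trustworthy.
    xff = headers.get("HTTP_X_FORWARDED_FOR") or ""
    return {
        "event_id": raw.get("id"),
        "event_type": event_type,
        "time_utc": msts_to_utc(raw["msts"]).isoformat(),
        "user": msg.get("user_uuid") or msg.get("sub"),
        "app_id": msg.get("app_id") or msg.get("captureApplicationId"),
        "ip_address": msg.get("ip_address"),
        "xff_hops": [h.strip() for h in xff.split(",") if h.strip()],
    }

def load_gz_events(blob):
    text = gzip.decompress(blob).decode("utf-8")
    return [normalize_event(json.loads(line)) for line in text.splitlines() if line.strip()]
```

Run `load_gz_events(SAMPLE_GZ)` to see the normalized record; for real deliveries, pass the bytes of the object fetched from your S3 bucket.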