Each event reported by the SIEM Event Delivery service is packaged as a JSON (JavaScript Object Notation) object before being compressed and sent to your Amazon S3 bucket. A typical event object looks like this:
{
  "id":
  "message": {
    "app_id": "htb8fuhxnf8e38jrzub3c7pfrr",
    "client_id": "nmub5w3rru9k6rzupqaeb7bbwv6jn658",
    "endpoint_uri": "http://documentation.akamai.com/widget/traditional_signin.jsonp",
    "event_type": "legacy_traditional_signin",
    "forward_headers": [
      {
        "name": "HTTP_X_FORWARDED_FOR",
        "value": "192.168.1.1, 192.168.1.2, 192.168.1.3"
      },
      {
        "name": "HTTP_X_FORWARDED_PROTO",
        "value": "http"
      },
      {
        "name": "HTTP_X_FORWARDED_PORT",
        "value": "80"
      }
    ],
    "ip_address": "192.168.1.1",
    "origin": "https://login.documentation.akamai.com/",
    "user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0",
    "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"
  },
  "msts": 1566206726081,
  "type": "siem#legacy_traditional_signin"
}
Like other JSON objects, SIEM events consist of a collection of key/value pairs. For example, this key/value pair, nested inside the message object, specifies the type of event (legacy_traditional_signin) that took place:
"event_type": "legacy_traditional_signin",
Other SIEM event keys are described in the following table.
Important. As a general rule, the set of key/value pairs varies from event to event: depending on the type of event that occurred, Event A can carry a different set of key/value pairs than Event B, which in turn can differ from Event C. The following table lists keys that might be present in an event notification; it is highly unlikely that all of these keys will appear in any one notification, because the SIEM Event Delivery service reports only the data (and therefore the key/value pairs) relevant to a given event type. A consumer should treat every key below as optional and must not fail when one is absent.
Key | Definition and Sample Value |
app_id | Unique identifier of the Identity Cloud application associated with the event (the sample event above carries it alongside client_id, the API client identifier). For example: "app_id": "htb8fuhxnf8e38jrzub3c7pfrr" |
attributes | Array of user profile attribute names associated with the event. For example: "attributes": ["email", "emailVerified"] |
captureApplicationId | Unique identifier of the Akamai Identity Cloud application associated with the event. For example: "captureApplicationId": "zzyn9gy9r8xdy5zkru4y54syk6" |
captureClientId | Unique identifier of the API client associated with the event. For example: "captureClientId": "7c18051a-524b-44fb-9762-65cf284f0e12" |
client_id | Unique identifier of the Identity Cloud API client associated with the event. For example: "client_id": "elrrniux51a3nrhfwzklvz3t46lb5n2m" |
customerId | Unique identifier of the organization associated with the event; typically the organization's Akamai account ID. For example: "customerId": "elrrniux51a3nrhfwzklvz3t46lb5n2m" |
endpoint_uri | Identity Cloud endpoint that handled the request associated with the event. For example: "endpoint_uri": "http://documentation.akamai.com/widget/traditional_signin.jsonp" |
entityType | Name of the entity type (user profile database) associated with the event. For example: "entityType": "user" |
event_type | Type of event that occurred (a user signed in, a user registered, an entity type was created, etc.). For example: "event_type": "legacy_traditional_signin" |
forward_headers | Array of name/value pairs carrying the forwarding headers of the request. The headers in the sample event above are HTTP_X_FORWARDED_FOR (the comma-separated chain of client and proxy addresses, leftmost first), HTTP_X_FORWARDED_PROTO (the scheme of the original request, http or https) and HTTP_X_FORWARDED_PORT (its port). Because any client can send its own X-Forwarded-For header, the leftmost address is attacker-controlled unless your edge strips or rewrites that header; for attribution, rely on the hop appended by a proxy you control. For example: "forward_headers": [{"name": "HTTP_X_FORWARDED_PROTO", "value": "http"}] |
globalSub | Internal URI that points to the user record in the Identity Cloud user profile store. For example: "globalSub": "capture-v1://us.janraincapture.com/zzyn9gy9r8xdy5zkru4y54syk6/user/6b004bc5-179c-45c2-815d-31b06169371d" In the preceding URI, zzyn9gy9r8xdy5zkru4y54syk6 is the unique identifier of the Identity Cloud application and 6b004bc5-179c-45c2-815d-31b06169371d is the user's UUID (Universally Unique Identifier). |
id | Universally unique identifier assigned to the event. For example: "id": "39874dfa-21g6-4rP2-ao74-5bHT63b81219" |
ip_address | IP address of the device from which the request was made when the event occurred. In the sample event above it matches the leftmost entry of HTTP_X_FORWARDED_FOR, so the caveat given under forward_headers applies. For example: "ip_address": "192.168.1.1" |
msts | Date and time when the event occurred, as a Unix epoch timestamp: the time elapsed since 00:00:00 Coordinated Universal Time (UTC) on January 1, 1970. The value is in milliseconds, as the 13-digit number in the sample event above shows; divide by 1,000 to obtain seconds. For example: "msts": 1566206726081 In the preceding example, the value 1566206726081 represents Monday, August 19, 2019 at 09:25:26.081 UTC. |
origin | Address (scheme and host) of the origin server, the web server that hosted the page from which the request was made. For example: "origin": "https://login.documentation.akamai.com" |
sub | Unique Identity Cloud identifier of the user associated with the event. For example: "sub": "437920f3-85dd-4cb7-ba8c-7025faea1d2c" |
type | Indicates the event source; this will always be set to siem# followed by the event type. For example: "type": "siem#legacy_traditional_signin" |
user_agent | User agent for the client application employed when the event occurred. The user agent typically identifies the web browser in use when the event took place. For example: "user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0" |
user_uuid | Unique Identity Cloud identifier of the user associated with the event. For example: "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c" |
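The following is an added example of a consumer for these objects; it is not code from the page or from Akamai. It assumes that each file in the S3 bucket is a gzip stream holding one JSON object per line (the page only says the events are zipped), builds two constructed events in the shape shown above, and then reads them back, converts msts to a UTC datetime (accepting a 10-digit seconds value as well as the 13-digit millisecond value in the sample), splits the X-Forwarded-For chain so that the hop appended by the last proxy is available separately from the client-controlled leftmost entry, and checks that type equals siem# followed by event_type as the table states. All function and field names are this example's own.

```python
import gzip
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events in the shape shown on the page; not real delivery data.
SAMPLE_EVENTS = [
    {
        "id": "5d0a7c3e-0000-4000-8000-000000000001",  # constructed id
        "message": {
            "app_id": "htb8fuhxnf8e38jrzub3c7pfrr",
            "client_id": "nmub5w3rru9k6rzupqaeb7bbwv6jn658",
            "endpoint_uri": "http://documentation.akamai.com/widget/traditional_signin.jsonp",
            "event_type": "legacy_traditional_signin",
            "forward_headers": [
                {"name": "HTTP_X_FORWARDED_FOR", "value": "192.168.1.1, 192.168.1.2, 192.168.1.3"},
                {"name": "HTTP_X_FORWARDED_PROTO", "value": "http"},
                {"name": "HTTP_X_FORWARDED_PORT", "value": "80"},
            ],
            "ip_address": "192.168.1.1",
            "origin": "https://login.documentation.akamai.com/",
            "user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0",
            "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c",
        },
        "msts": 1566206726081,
        "type": "siem#legacy_traditional_signin",
    },
    {
        # Second constructed event: a smaller key set, a 10-digit (seconds) msts and a
        # "type" value without the siem# prefix, to exercise the checks below.
        "id": "5d0a7c3e-0000-4000-8000-000000000002",
        "message": {"app_id": "htb8fuhxnf8e38jrzub3c7pfrr", "event_type": "legacy_traditional_signin",
                    "ip_address": "10.0.0.5", "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"},
        "msts": 1553405263,
        "type": "legacy_traditional_signin",
    },
]


def pack_gzip_ndjson(events):
    """Build a gzip blob holding one JSON object per line. This is the container
    layout the example ASSUMES for files in the S3 bucket; the page does not say."""
    body = "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in events)
    return gzip.compress(body.encode("utf-8"))


def read_events(blob):
    """Inverse of pack_gzip_ndjson: gunzip, then parse each non-blank line."""
    text = gzip.decompress(blob).decode("utf-8")
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def msts_to_datetime(msts):
    """Convert msts (Unix epoch) to an aware UTC datetime. The sample event carries a
    13-digit millisecond value; a 10-digit value is treated as seconds so that a
    source emitting seconds does not come out as a date in the far future."""
    msts = int(msts)
    if msts >= 10**11:  # too large to be seconds: interpret as milliseconds
        return datetime.fromtimestamp(msts // 1000, tz=timezone.utc) + timedelta(milliseconds=msts % 1000)
    return datetime.fromtimestamp(msts, tz=timezone.utc)


def forward_headers(message):
    """Flatten the forward_headers array into {header_name: value}."""
    return {h["name"]: h["value"] for h in message.get("forward_headers", [])}


def xff_chain(message):
    """Split HTTP_X_FORWARDED_FOR into hops, leftmost first. The leftmost hop is
    whatever the client (or anything before the first trusted proxy) chose to send;
    only the hop appended by a proxy you control is worth trusting for attribution."""
    raw = forward_headers(message).get("HTTP_X_FORWARDED_FOR", "")
    return [hop.strip() for hop in raw.split(",") if hop.strip()]


def validate(event):
    """Return a list of problems found in one event object (empty means it passed)."""
    problems = [f"missing top-level key {k!r}" for k in ("id", "message", "msts", "type") if k not in event]
    msg = event.get("message", {})
    event_type = msg.get("event_type")
    if event_type is None:
        problems.append("message.event_type missing")
    elif event.get("type") != f"siem#{event_type}":  # page: type is always siem# + event_type
        problems.append(f"type {event.get('type')!r} != 'siem#{event_type}'")
    chain = xff_chain(msg)
    if chain and msg.get("ip_address") not in chain:
        problems.append(f"ip_address {msg.get('ip_address')!r} not in X-Forwarded-For chain {chain}")
    return problems


def normalize(event):
    """Flatten one event into the fields a detection pipeline usually keys on."""
    msg = event.get("message", {})
    chain = xff_chain(msg)
    return {
        "id": event.get("id"),
        "event_type": msg.get("event_type"),
        "ts": msts_to_datetime(event["msts"]),
        "user_uuid": msg.get("user_uuid") or msg.get("sub"),  # either key may carry the user id
        "app_id": msg.get("app_id") or msg.get("captureApplicationId"),
        "reported_ip": msg.get("ip_address"),
        "xff_chain": chain,
        "last_proxy_hop": chain[-1] if chain else None,
        "scheme": forward_headers(msg).get("HTTP_X_FORWARDED_PROTO"),
        "problems": validate(event),
    }


def process_blob(blob):
    """Everything a consumer does with one object fetched from the bucket."""
    return [normalize(e) for e in read_events(blob)]
```

Running process_blob(pack_gzip_ndjson(SAMPLE_EVENTS)) yields two records: the first has an empty problems list, a timestamp of 2019-08-19T09:25:26.081 UTC and 192.168.1.3 as the last proxy hop; the second is flagged because its type lacks the siem# prefix. Keying alerts on last_proxy_hop rather than reported_ip is the practical consequence of the X-Forwarded-For caveat above.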