Important. As a general rule, key/value pairs vary among events: based on the type of event that occurred, Event A could have a different set of key/value pairs than Event B, which, in turn, could have a different set of key/value pairs than Event C. The following table lists keys that might present in an event notification. However, it’s highly-unlikely that all on these keys will be present in an event notification. The SIEM Event Delivery Service reports the event data (and the key/value pairs) relevant for a given event type.
Each event reported by the SIEM Event Delivery service is packaged using JSON (JavaScript Object Notation) formatting before being zipped up and sent to your Amazon S3 bucket. A typical event object looks something like this:
{"id":"message": {"app_id": "htb8fuhxnf8e38jrzub3c7pfrr","client_id": "nmub5w3rru9k6rzupqaeb7bbwv6jn658","endpoint_uri": "http://documentation.akamai.com/widget/traditional_signin.jsonp","event_type": "legacy_traditional_signin","forward_headers": [{"name": "HTTP_X_FORWARDED_FOR","value": "192.168.1.1, 192.168.1.2, 192.168.1.3"},{"name": "HTTP_X_FORWARDED_PROTO","value": "http" },{"name": "HTTP_X_FORWARDED_PORT","value": "80"}],"ip_address": "192.168.1.1","origin": "https://login.documentation.akamai.com/","user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0","user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"},"msts": 1566206726081,"type:" "siem#legacy_traditional_signin"}
Like other JSON objects, SIEM events consist of a collection of key/value pairs; for example, this key/value pair specifies the type of event (legacy_traditional_signin) that took place:
"eventType": "legacy_traditional_signin",
Other SIEM event keys are described in the following table. To see sample event notifications for the various SIEM event types, see Appendix B.
Key | Definition and Sample Value |
app_id | Unique identifier of the Identity Cloud API client associated with the event. For example: "app_id": "htb8fuhxnf8e38jrzub3c7pfrr"This key appears on the following event notifications:
|
attributes | Array of user profile attribute names associated with the event. For example: "attributes": ["email", "emailVerified"]This key appears on the following event notifications:
|
captureApplicationId | Unique identifier of the Akamai Identity Cloud application associated with the event. For example: "captureApplicationId": "zzyn9gy9r8xdy5zkru4y54syk6"This key appears on the following event notifications:
|
captureClientId | Unique identifier of the API client associated with the event. For example: "captureClient Id": "7c18051a-524b-44fb-9762-65cf284f0e12"This key appears on the following event notifications:
|
client_id | Unique identifier of the Identity Cloud API client associated with the event. For example: "client_id": "elrrniux51a3nrhfwzklvz3t46lb5n2m"This key appears on the following event notifications:
|
endpoint_uri | Identity Cloud endpoint associated with the event. For example: "endpoint_uri": "http://documentation.akamai.com/widget/ traditionalsignin.jsonp"This key appears on the following event notifications:
|
entityType | Name of the entity type database associated with the event. For example: "eventType": "user"This key appears on the following event notifications:
|
event_type | Type of event that occurred (a user logged on, a user registered, an entity type was created, etc.). For example: "type": "legacy_traditional_signin"This key appears on the following event notifications:
|
forward_headers | Header information for the event message. Common message headers include:
|
globalSub | Internal URI that points to a user record within the Identity Cloud user profile store. For example: "sub": "capture-v1://us.janraincapture.com/ zzyn9gy9r8xdy5zkru4y54syk6/user/6b004bc5-179c-45c2-815d-31b06169371d" In the preceding URL, zzyn9gy9r8xdy5zkru4y54syk6 represents the unique identifier of the Identity Cloud application and 6b004bc5-179c-45c2-815d-31b06169371d represents the user’s UUID (Universally Unique Identifier). This key appears on the following event notifications:
|
id | Universally unique identifier assigned to the event. For example: "id": "39874dfa-21g6-4rP2-ao74-5bHT63b81219"This key appears on the following event notifications:
|
ip_address | IP address of the device used when the event occurred. For example: "Ip_address": "192.168.1.1"This key appears on the following event notifications:
|
msts | Date and time when the event occurred. The msts value is formatted using Unix epoch time, which represents the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC) on January 1, 1970. For example: "msts": "1553405263" In the preceding example, the value 1553405263 represents Saturday, March 23, 2019 at 22:27:43 Pacific Daylight Time. This key appears on the following event notifications:
|
origin | Specifies the address of the “origin server,” the server that contains the original web page. For example: "origin": "https://login.documentation.akamai.com"This key appears on the following event notifications:
|
reason | Reason why authentication failed. For example: "reason": "invalidCredentials" This key appears in the following event notifications:
|
sub | Unique Identity Cloud identifier of the user associated with the event. For example: "sub": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"This key appears on the following event notifications:
|
type | Indicates the event source; this will always be set to siem# followed by the event type. For example: "type": "siem#legacy_traditional_signin"This key appears on the following event notifications:
|
user_agent | User agent for the client application employed when the event occurred. The user agent typically identifies the web browser in use when the event took place. For example: "user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0"This key appears on the following event notifications:
|
user_uuid | Unique Identity Cloud identifier of the user associated with the event. For example: "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"This key appears on the following event notifications:
|