Not all events are created equal, which means that some events simply might not be of interest to you: for example, although you can receive event notifications any time an entity type is created, deleted, or updated, maybe you don’t really need to (or want to) receive notices for those events. If there are events that you would rather not see in your SIEM event deliveries, then you can use the SIEM Event Delivery APIs to “blacklist” those events. Blacklisted events still take place: if you can create, update, or delete entity types, events for each of those activities will still be generated. It’s just that those events won’t show up in your SIEM event deliveries.
Note. However, they could show up elsewhere; for example, you could still have a webhooks subscription that notifies you when an entity type is created, updated, purged or deleted. Blacklisting only affects SIEM Event Delivery. And, in this case at least, what’s done isn’t irretrievably and irrevocably done: any event added to the blacklist can just as easily be removed from the blacklist. If you take entity type purges off the blacklist then, the next time an entity type is purged, notification of that event will appear in your SIEM event feed.
To blacklist an event, begin by identifying the official name of the event you want to block. In a SIEM event message, the event name will be the value assigned to the event_type key:
After you've determined the names of the events you want to blacklist, you can then add those event types by using the /eventdelivery/addBlacklist API endpoint. For example, this call adds the events config_change and email_verification to the blacklist:
curl -X POST \ https://v1.api.us.janrain.com/config/applications/htb8fuhxnf8e38jrzub3c7pfrr/eventdelivery/addBlacklist \ -H 'Authorization: Basic M2dmYmdycmE3dzI4MmhndHJ5cGZxeDlwemhxaGpnZDU6Y2dkY3A3bWhjeWszYmZocnl2d2NmY2c3NTdqdzRhb3E=' \ -H 'Content-Type: application/json' \ -d ' [ "config_change", "email_verification", ]'
If you want to remove an event type from the blacklist, use the same basic approach but call the /eventdelivery/deleteBlacklist endpoint. For example, this command removes config_change and email_verification from the blacklist:
curl -X POST \ https://v1.api.us.janrain.com/config/applications/htb8fuhxnf8e38jrzub3c7pfrr/eventdelivery/deleteBlacklist \ -H 'Authorization: Basic M2dmYmdycmE3dzI4MmhndHJ5cGZxeDlwemhxaGpnZDU6Y2dkY3A3bWhjeWszYmZocnl2d2NmY2c3NTdqdzRhb3E=' \ -H 'Content-Type: application/json' \ -d ' [ "config_change", "email_verification" ]'
Incidentally, you can use the /eventdelivery/readBlacklist endpoint to see which events are currently on your SIEM delivery blacklist. For example:
curl -X GET \ https://v1.api.us.janrain.com/config/applications/htb8fuhxnf8e38jrzub3c7pfrr/eventdelivery/readBlacklist \ -H 'Authorization: Basic M2dmYmdycmE3dzI4MmhndHJ5cGZxeDlwemhxaGpnZDU6Y2dkY3A3bWhjeWszYmZocnl2d2NmY2c3NTdqdzRhb3E=' \ -H 'Content-Type: application/json'
The preceding command returns data similar to this: