Blocking SIEM Events

Not all events are created equal, which means that some events simply might not be of interest to you: for example, although you can receive event notifications any time an entity type is created, deleted, or updated, maybe you don’t really need to (or want to) receive notices for those events. If there are events that you would rather not see in your SIEM event deliveries, then you can use the SIEM Event Delivery APIs to “block list” those events. Blocked events still take place: if you can create, update, or delete entity types, events for each of those activities will still be generated. It’s just that those events won’t show up in your SIEM event deliveries.

Note. However, blocked events could still show up elsewhere; for example, you might have a webhooks subscription that notifies you when an entity type is created, updated, or deleted. Blocking only affects SIEM Event Delivery. And, in this case at least, what’s done isn’t irretrievably and irrevocably done: any event added to the block list can just as easily be removed from the list. If you take entity type purges off the block list, then the next time an entity type is purged, notification of that event will appear in your SIEM event feed.

To block an event, begin by identifying the official name of the event you want to block. In a SIEM event message, the event name is the value assigned to the event_type key (in the sample below, the message's type key carries the same name prefixed with siem#):

{
    "id": "<event id>",
    "message": {
        "app_id": "htb8fuhxnf8e38jrzub3c7pfrr",
        "client_id": "nmub5w3rru9k6rzupqaeb7bbwv6jn658",
        "endpoint_uri": "http://documentation.akamai.com/widget/traditional_signin.jsonp",
        "event_type": "legacy_traditional_signin",
        "forward_headers": [
            {
                "name": "HTTP_X_FORWARDED_FOR",
                "value": "192.168.1.1, 192.168.1.2, 192.168.1.3"
            },
            {
                "name": "HTTP_X_FORWARDED_PROTO",
                "value": "http"
            },
            {
                "name": "HTTP_X_FORWARDED_PORT",
                "value": "80"
            }
        ],
        "ip_address": "192.168.1.1",
        "origin": "https://login.documentation.akamai.com/",
        "user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0",
        "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"
    },
    "msts": 1566206726081,
    "type": "siem#legacy_traditional_signin"
}

After you've determined the names of the events you want to block, you can then add those event types by using the /eventdelivery/addBlacklist API endpoint. For example, this call adds the events config_change and email_verification to the block list:

curl -X POST \
  https://v1.api.us.janrain.com/config/applications/htb8fuhxnf8e38jrzub3c7pfrr/eventdelivery/addBlacklist \
  -H 'Authorization: Basic M2dmYmdycmE3dzI4MmhndHJ5cGZxeDlwemhxaGpnZDU6Y2dkY3A3bWhjeWszYmZocnl2d2NmY2c3NTdqdzRhb3E=' \
  -H 'Content-Type: application/json' \
  -d '
    [
      "config_change",
      "email_verification"
    ]'

If you want to remove an event type from the block list, use the same basic approach but call the /eventdelivery/deleteBlacklist endpoint. For example, this command removes config_change and email_verification from the list:

curl -X POST \
  https://v1.api.us.janrain.com/config/applications/htb8fuhxnf8e38jrzub3c7pfrr/eventdelivery/deleteBlacklist \
  -H 'Authorization: Basic M2dmYmdycmE3dzI4MmhndHJ5cGZxeDlwemhxaGpnZDU6Y2dkY3A3bWhjeWszYmZocnl2d2NmY2c3NTdqdzRhb3E=' \
  -H 'Content-Type: application/json' \
  -d '
    [
      "config_change",
      "email_verification"
    ]'

Incidentally, you can use the /eventdelivery/readBlacklist endpoint to see which events are currently on your SIEM delivery block list. For example:

curl -X GET \
  https://v1.api.us.janrain.com/config/applications/htb8fuhxnf8e38jrzub3c7pfrr/eventdelivery/readBlacklist \
  -H 'Authorization: Basic M2dmYmdycmE3dzI4MmhndHJ5cGZxeDlwemhxaGpnZDU6Y2dkY3A3bWhjeWszYmZocnl2d2NmY2c3NTdqdzRhb3E=' \
  -H 'Content-Type: application/json'

The preceding command returns data similar to this:

[
    {
        "eventType": "config_change",
        "created": "2019-08-05T23:55:04.622346Z"
    },
    {
        "eventType": "email_verification",
        "created": "2019-08-05T23:55:04.622346Z"
    }
]
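The three endpoints above are usually driven together: read the current block list, compare it with the list you intend to keep, and send only the differences. The following Python script is an added example, not code from the page or from Akamai; it assumes the Basic credential is base64 of client_id:client_secret (the shape the sample token suggests), and the "protected" set is a guard of the example's own, not an API feature, so that events you rely on for detection are never silently dropped from the SIEM feed.

```python
import base64
import json
import urllib.request

BASE_URL = "https://v1.api.us.janrain.com/config/applications"  # as in the page's curl examples


def endpoint(app_id: str, action: str) -> str:
    """URL of an eventdelivery action: addBlacklist, deleteBlacklist or readBlacklist."""
    return f"{BASE_URL}/{app_id}/eventdelivery/{action}"


def basic_auth_headers(client_id: str, client_secret: str) -> dict:
    """Assumed credential format: base64('client_id:client_secret'), matching the sample token's shape."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def plan_block_list(current: list, desired: set, protected: set = frozenset()) -> dict:
    """Diff the readBlacklist response (list of {"eventType", "created"}) against the wanted block list.
    `protected` is this example's own guard: events that must keep reaching the SIEM are never
    added to the block list and are reported under "refused" instead."""
    blocked = {entry["eventType"] for entry in current}
    refused = desired & protected
    wanted = desired - refused
    return {
        "addBlacklist": sorted(wanted - blocked),     # payload for /eventdelivery/addBlacklist
        "deleteBlacklist": sorted(blocked - wanted),  # payload for /eventdelivery/deleteBlacklist
        "refused": sorted(refused),
    }


def call(app_id: str, action: str, headers: dict, payload=None):
    """GET (no payload) or POST (JSON array) to an eventdelivery endpoint; returns parsed JSON or None."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(endpoint(app_id, action), data=data, headers=headers,
                                 method="POST" if data is not None else "GET")
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else None


if __name__ == "__main__":
    # Placeholder credentials and the page's app id; reconcile the live list with the wanted one.
    headers = basic_auth_headers("<client_id>", "<client_secret>")
    app_id = "htb8fuhxnf8e38jrzub3c7pfrr"
    plan = plan_block_list(call(app_id, "readBlacklist", headers) or [],
                           {"config_change", "email_verification"}, {"legacy_traditional_signin"})
    for action in ("addBlacklist", "deleteBlacklist"):
        if plan[action]:
            call(app_id, action, headers, plan[action])
```

Because the plan is computed before anything is sent, you can log or review it (including the "refused" entries) as a change record before the block list is modified.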