JSON SNS configuration

For instructions on how to enable the forwarding of events to Amazon SNS topics, see Access events with Amazon SNS. If you opt to directly edit the JSON SNS configuration, this page provides details on how to do it.

The configuration language used to define which events are sent to which topics is modeled after Amazon's Policy language for SNS, described in the Amazon documentation.

The configuration is a special JSON-encoded document that says which conditions an event must meet in order to be published to a topic. A basic configuration looks like:

{
  "Version": "2014-09-24",
  "Statement": [statement1, statement2, ...]
}

Version

The Version element specifies the version of the configuration language. The only currently valid value is the string "2014-09-24".

"Version": "2014-09-24",

Statement

The Statement element is an array of individual statements. Each individual statement is a distinct JSON object giving the SNS topic to send to if an event meets given conditions.

"Statement": [{...}, {...}, ...]

An individual statement has the form:

{
  "Topic": "destination topic",
  "Condition": {conditions event must meet to be published to the destination topic}
}

Topic

The Topic element must be the Amazon Resource Name of the SNS Topic to publish to.

"Topic": "arn:aws:sns:us-east-1:012345678901:myTopic"

Condition

The Condition element is the most complex part of the configuration. It contains one or more conditions an event must match in order to be published to the topic. Each condition may itself contain multiple key-value pairs, and some conditions support multiple values for each key. The keys in conditions are the names of properties from events.

"Condition": {
  "ConditionName": {
    "key1": [value1, value2],
    "key2": value3
  },
  "ConditionName2": {
    "key3": [value4]
  },
  ...
}

Possible condition names and their syntax are described below.

Bool

The Bool condition performs Boolean matching. To match, an event must have a property with the desired Boolean value. If the property in the event exists but is not itself a Boolean value, the property is tested as follows:

  • Numbers equal to 0 evaluate to false. Numbers not equal to 0 evaluate to true.
  • Empty strings and the special strings "false" and "0" evaluate to false. Other strings evaluate to true.
  • Any other property value in an event cannot be converted to a Boolean and will not match.

Allows for multiple values? No

The following example shows a configuration that publishes events that have a "DetectOnly" property with the value false:

{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "Bool": {
          "DetectOnly": false
        }
      }
    }
  ]
}

Exists

The Exists condition tests for the existence or non-existence of a property in an event. The value of the property is not considered.

Allows for multiple values? No

The following example shows a configuration that publishes events when the event has the property "Severity" but does not have the property "Title":

{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "Exists": {
          "Severity": true,
          "Title": false
        }
      }
    }
  ]
}

IpAddress

The IpAddress condition tests that the value of an event's property is an IP address within a range given in CIDR notation, or exactly equals a single IP address.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "DestinationIP" with an IP address in the range 64.23.0.0/16, or equal to 216.104.20.189:

{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "IpAddress": {
          "DestinationIP": ["64.23.0.0/16", "216.104.20.189"]
        }
      }
    }
  ]
}

NotIpAddress

The NotIpAddress condition tests that the value of an event's property is not an IP address in any of the specified IP address ranges.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "DestinationIP" with an IP address not in the range 10.0.0.0/8:

{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "NotIpAddress": {
          "DestinationIP": "10.0.0.0/8"
        }
      }
    }
  ]
}

NumericEquals

The NumericEquals condition tests that the numeric value of an event's property equals one of the desired values. If the property in the event exists but is not itself a numeric value, the property is tested as follows:

  • Strings are converted to numbers. Strings that cannot be converted to numbers will not match.
  • Any other property value in an event cannot be converted to a number and will not match.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "Protocol" with the value 6 or 17:

{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "NumericEquals": {
          "Protocol": [6, 17]
        }
      }
    }
  ]
}

NumericNotEquals

The NumericNotEquals condition tests that the numeric value of an event's property is not equal to any of an undesired set of values.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "Protocol" not equal to 6, and the property "Risk" not equal to 2 or 3:

{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "NumericNotEquals": {
          "Protocol": 6,
          "Risk": [2, 3]
        }
      }
    }
  ]
}

NumericGreaterThan

The NumericGreaterThan condition tests that the numeric value of an event's property is strictly greater than a desired value. If the property in the event exists but is not itself a numeric value, it is converted to a number as described for NumericEquals.

Allows for multiple values? No

The following example shows a configuration that publishes events when the event has the property "Protocol" with the value greater than 6:

{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "NumericGreaterThan": {
          "Protocol": 6
        }
      }
    }
  ]
}

NumericGreaterThanEquals

The NumericGreaterThanEquals condition tests that the numeric value of an event's property is greater than or equal to a desired value. If the property in the event exists but is not itself a numeric value, it is converted to a number as described for NumericEquals.

Allows for multiple values? No

The following example shows a configuration that publishes events when the event has the property "Number" with a value greater than or equal to 600:

{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "NumericGreaterThanEquals": {
          "Number": 600
        }
      }
    }
  ]
}

NumericLessThan

The NumericLessThan condition tests that the numeric value of an event's property is strictly less than a desired value. If the property in the event exists but is not itself a numeric value, it is converted to a number as described for NumericEquals.

Allows for multiple values? No

The following example shows a configuration that publishes events when the event has the property "Number" with a value less than 1000:

{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "NumericLessThan": {
          "Number": 1000
        }
      }
    }
  ]
}

NumericLessThanEquals

The NumericLessThanEquals condition tests that the numeric value of an event's property is less than or equal to a desired value. If the property in the event exists but is not itself a numeric value, it is converted to a number as described for NumericEquals.

Allows for multiple values? No

The following example shows a configuration that publishes events when the event has the property "Number" with a value less than or equal to 500:

{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "NumericLessThanEquals": {
          "Number": 500
        }
      }
    }
  ]
}

StringEquals

The StringEquals condition tests that the string value of an event's property is exactly equal to one of the desired values.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "EventType" equal to "SystemEvent" and property "TargetType" equal to "User" or "Role":

{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "StringEquals": {
          "EventType": ["SystemEvent"],
          "TargetType": ["User", "Role"]
        }
      }
    }
  ]
}

StringNotEquals

The StringNotEquals condition tests that the string value of an event's property does not equal any of an undesired set of values.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "EventType" not equal to "PacketLog" or "IntegrityEvent":

{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "StringNotEquals": {
          "EventType": ["PacketLog", "IntegrityEvent"]
        }
      }
    }
  ]
}

StringEqualsIgnoreCase

The StringEqualsIgnoreCase condition is the same as the StringEquals condition, except string matching is performed in a case-insensitive manner.

StringNotEqualsIgnoreCase

The StringNotEqualsIgnoreCase condition is the same as the StringNotEquals condition, except string matching is performed in a case-insensitive manner.

StringLike

The StringLike condition tests that the string value of an event's property matches one of the desired values, where the desired values may include the wildcard '*' to match any number of characters or '?' to match a single character. String comparisons are case-sensitive.

Allows for multiple values? Yes

The following example shows a configuration that publishes events when the event has the property "Title" which contains the string "User" or "Role":

{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "StringLike": {
          "Title": ["*User*", "*Role*"]
        }
      }
    }
  ]
}

StringNotLike

The StringNotLike condition tests that the string value of an event's property is not equal to any of an undesired set of values, where the values may include the wildcard '*' to match any number of characters or '?' to match a single character. String comparisons are case-sensitive.

Allows for multiple values? Yes

The following example shows a configuration that publishes all events except the "System Settings Saved" event:

{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "StringNotLike": {
          "Title": "System Settings Saved"
        }
      }
    }
  ]
}

The next example shows a configuration that publishes events when the event has the property "Title" that does not start with "User" and does not end with "Created":

{
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "StringNotLike": {
          "Title": ["User*", "*Created"]
        }
      }
    }
  ]
}

Event Description

When published to Amazon SNS, events are sent as simple JSON objects encoded as strings. The properties in the objects are the elements of the event, and the values of the properties are typically strings or numbers. This section describes the properties that events can have and what values these properties can take.

Event Data Types

Properties in an event will be one of the data types described in the following table:

Data Type       | Description
Boolean         | The value will be the JSON true or false value.
Integer         | The value will be a JSON int value. Deep Security does not output floating point numbers in events. Note that integer types in events are not guaranteed to fit in 32 bit integers.
Integer (enum)  | The value will be a JSON int value, with the additional restriction that it can only be one of a limited set of enumerated values.
String          | The value will be a JSON string value.
String (Date)   | The value will be a date and time encoded in a JSON string value. Dates are encoded using ISO 8601 format YYYY-MM-DDThh:mm:ss.sssZ, always using 'Z' for the time zone designator and including three digits for sub-seconds. See the W3C note on date and time formats for more details about this encoding.
String (IP)     | The value will be an IPv4 or IPv6 address encoded in a JSON string value.
String (MAC)    | The value will be a JSON string value, with the additional restriction that it will contain a network MAC address.
String (URL)    | The value will be a JSON string value, with the additional restriction that it will contain a URL.
String (enum)   | The value will be a JSON string value, with the additional restriction that it can only be one of a limited set of enumerated values.

Event Properties

This section describes all the properties that may be seen in an event. Note that events will not necessarily contain all of the properties that are listed as applicable for the event type; in some circumstances a property will not apply and will not be present in the JSON object.

Property Name | Data Type | Description | Applies To Event Type(s)
Action | Integer (enum) | Action taken for intrusion prevention event. 0=Unknown, 1=Deny, 2=Reset, 3=Insert, 4=Delete, 5=Replace, 6=Log Only, 0x81=Detect Only: Deny, 0x82=Detect Only: Reset, 0x83=Detect Only: Insert, 0x84=Detect Only: Delete, 0x85=Detect Only: Replace. | Intrusion prevention events
Action | Integer (enum) | Action taken for firewall event. "Detect Only" values show what would have happened if the rule had been enabled. 0=Unknown, 1=Deny, 6=Log Only, 0x81=Detect Only: Deny. | Firewall events
ActionBy | String | The name of the Deep Security Manager User who performed the event, or "System" if the event was not generated by a User. | System events
ActionString | String | Conversion of Action to a readable string. | Firewall events, intrusion prevention events
AdministratorID | Integer | Unique identifier of the Deep Security User who performed an action. Events generated by the system and not by a user will not have an identifier. | System events
ApplicationType | String | Name of the Application Type associated with the Intrusion Prevention Rule, if available. | Intrusion prevention events
Change | Integer (enum) | What type of change was made to a file, process, registry key, etc. for an integrity monitoring event. 1=Created, 2=Updated, 3=Deleted, 4=Renamed. | Integrity events
ContainerID | String | ID of the Docker container where the malware was found. | Anti-malware events
ContainerImageName | String | Image name of the Docker container where the malware was found. | Anti-malware events
ContainerName | String | Name of the Docker container where the malware was found. | Anti-malware events
Description | String | Description of the change made to the entity (created, deleted, updated) along with details about the attributes changed. | Integrity events
Description | String | Brief description of what happened during an event. | System events
DestinationIP | String (IP) | The IP Address of the destination of a packet. | Firewall events, intrusion prevention events
DestinationMAC | String (MAC) | The MAC Address of the destination of a packet. | Firewall events, intrusion prevention events
DestinationPort | Integer | The network port number a packet was sent to. | Firewall events, intrusion prevention events
DetectionCategory | Integer (enum) | The detection category for a web reputation event. 12=User Defined, 13=Custom, 91=Global. | Web reputation events
DetectOnly | Boolean | Whether or not the event was returned with the Detect Only flag turned on. If true, this indicates that the URL was not blocked, but access was detected. | Web reputation events
Direction | Integer (enum) | Network packet direction. 0=Incoming, 1=Outgoing. | Firewall events, intrusion prevention events
DirectionString | String | Conversion of Direction to a readable string. | Firewall events, intrusion prevention events
DriverTime | Integer | The time the log was generated as recorded by the driver. | Firewall events, intrusion prevention events
EndLogDate | String (Date) | The last log date recorded for repeated events. Will not be present for events that did not repeat. | Firewall events, intrusion prevention events
EngineType | Integer | The anti-malware engine type. | Anti-malware events
EngineVersion | String | The anti-malware engine version. | Anti-malware events
EntityType | String (enum) | The type of entity an integrity monitoring event applies to. One of: Directory, File, Group, InstalledSoftware, Port, Process, RegistryKey, RegistryValue, Service, User, Wql. | Integrity events
ErrorCode | Integer | Error code for malware scanning events. If non-zero the scan failed, and the scan action and scan result fields contain more details. | Anti-malware events
EventID | Integer | The identifier of the event. Identifiers are unique per event type, but events of different types may share the same identifier. For example, it is possible for events with EventType firewall and ips to have EventID equal to 1. The combination of EventID, EventType and TenantID are required to completely identify an event in Deep Security. Note that this property is not related to the "Event ID" property of a System Event in the Deep Security Manager. | All event types
EventType | String (enum) | The type of the event. One of: "SystemEvent", "PacketLog", "PayloadLog", "AntiMalwareEvent", "WebReputationEvent", "IntegrityEvent", "LogInspectionEvent". | All event types
Flags | String | Flags recorded from a network packet; a space-separated list of strings. | Firewall events, intrusion prevention events
Flow | Integer (enum) | Network connection flow. Possible values: -1=Not Applicable, 0=Connection Flow, 1=Reverse Flow. | Firewall events, intrusion prevention events
FlowString | String | Conversion of Flow to a readable string. | Firewall events, intrusion prevention events
Frame | Integer (enum) | Frame type. -1=Unknown, 2048=IP, 2054=ARP, 32821=REVARP, 33169=NETBEUI, 0x86DD=IPv6. | Firewall events, intrusion prevention events
FrameString | String | Conversion of Frame to a readable string. | Firewall events, intrusion prevention events
HostAgentVersion | String | The version of the agent protecting the computer where the event was detected. | Anti-malware events, web reputation events, integrity events, log inspection events, firewall events, intrusion prevention events
HostAssetValue | Integer | The asset value assigned to the computer at the time the event was generated. | Anti-malware events, web reputation events, integrity events, log inspection events, firewall events, intrusion prevention events
HostGroupID | Integer | The unique identifier of the Computer Group of the computer where the event was detected. | Anti-malware events, web reputation events, integrity events, log inspection events, firewall events, intrusion prevention events
HostGroupName | String | The name of the Computer Group of the computer where the event was detected. Note that Computer Group names may not be unique. | Anti-malware events, web reputation events, integrity events, log inspection events, firewall events, intrusion prevention events
HostID | Integer | Unique identifier of the computer the event applies to. | Anti-malware events, web reputation events, integrity events, log inspection events, firewall events, intrusion prevention events
HostInstanceID | String | The cloud instance ID of the computer where the event was detected. This property will only be set for computers synchronized with a Cloud Connector. | Anti-malware events, web reputation events, integrity events, log inspection events, firewall events, intrusion prevention events
Hostname | String | Name of the computer on which the event was generated. | Anti-malware events, web reputation events, integrity events, log inspection events, firewall events, intrusion prevention events
HostOS | String | The Operating System running on the computer where the event was detected. | Anti-malware events, web reputation events, integrity events, log inspection events, firewall events, intrusion prevention events
HostOwnerID | String | The cloud account ID of the computer where the event was detected. This property will only be set for computers synchronized with a Cloud Connector. | Anti-malware events, web reputation events, integrity events, log inspection events, firewall events, intrusion prevention events
HostSecurityPolicyID | Integer | The unique identifier of the Security Policy applied to the computer where the event was detected. | Anti-malware events, web reputation events, integrity events, log inspection events, firewall events, intrusion prevention events
HostSecurityPolicyName | String | The name of the Security Policy applied to the computer where the event was detected. Note that Security Policy names may not be unique. | Anti-malware events, web reputation events, integrity events, log inspection events, firewall events, intrusion prevention events
HostVCUUID | String | The vCenter UUID of the computer the event applies to, if known. | Anti-malware events, web reputation events, integrity events, log inspection events, firewall events, intrusion prevention events
InfectedFilePath | String | Path of the infected file in the case of malware detection. | Anti-malware events
InfectionSource | String | The name of the computer that's the source of a malware infection, if known. | Anti-malware events
Interface | String (MAC) | MAC address of the network interface sending or receiving a packet. | Firewall events, intrusion prevention events
IPDatagramLength | Integer | The length of the IP datagram. | Intrusion prevention events
IsHash | String | The SHA-1 content hash (hexadecimal encoded) of the file after it was modified. | Integrity events
Key | String | The file or registry key an integrity event refers to. | Integrity events
LogDate | String (Date) | The date and time the event was recorded. For Agent-generated events (Firewall, IPS, etc.) the date is the date the event was recorded by the Agent, not the time the event was sent to Deep Security Manager. | All event types
MajorVirusType | Integer (enum) | The classification of malware detected. 0=Joke, 1=Trojan, 2=Virus, 3=Test, 4=Spyware, 5=Packer, 6=Generic, 7=Other. | Anti-malware events
MajorVirusTypeString | String | Conversion of MajorVirusType to a readable string. | Anti-malware events
MalwareName | String | The name of the malware detected. | Anti-malware events
MalwareType | Integer (enum) | The type of malware detected. 1=General malware, 2=Spyware. General malware events will have an InfectedFilePath, spyware events will not. | Anti-malware events
ManagerNodeID | Integer | Unique identifier of the Deep Security Manager Node where the event was generated. | System events
ManagerNodeName | String | Name of the Deep Security Manager Node where the event was generated. | System events
Number | Integer | System events have an additional ID that identifies the event. Note that in the Deep Security Manager, this property appears as "Event ID". | System events
Origin | Integer (enum) | The origin of the event. -1=Unknown, 0=Agent, 1=In-VM guest agent, 2=Appliance, 3=Deep Security Manager. | All event types
OriginString | String | Conversion of Origin to a readable string. | All event types
OSSEC_Action | String | OSSEC action. | Log inspection events
OSSEC_Command | String | OSSEC command. | Log inspection events
OSSEC_Data | String | OSSEC data. | Log inspection events
OSSEC_Description | String | OSSEC description. | Log inspection events
OSSEC_DestinationIP | String | OSSEC dstip. | Log inspection events
OSSEC_DestinationPort | String | OSSEC dstport. | Log inspection events
OSSEC_DestinationUser | String | OSSEC dstuser. | Log inspection events
OSSEC_FullLog | String | OSSEC full log. | Log inspection events
OSSEC_Groups | String | OSSEC groups result (e.g. syslog,authentication_failure). | Log inspection events
OSSEC_Hostname | String | OSSEC hostname. This is the name of the host as read from a log entry, which is not necessarily the same as the name of the host on which the event was generated. | Log inspection events
OSSEC_ID | String | OSSEC id. | Log inspection events
OSSEC_Level | Integer (enum) | OSSEC level. An integer in the range 0 to 15 inclusive. 0-3=Low severity, 4-7=Medium severity, 8-11=High severity, 12-15=Critical severity. | Log inspection events
OSSEC_Location | String | OSSEC location. | Log inspection events
OSSEC_Log | String | OSSEC log. | Log inspection events
OSSEC_ProgramName | String | OSSEC program_name. | Log inspection events
OSSEC_Protocol | String | OSSEC protocol. | Log inspection events
OSSEC_RuleID | Integer | OSSEC rule id. | Log inspection events
OSSEC_SourceIP | Integer | OSSEC srcip. | Log inspection events
OSSEC_SourcePort | Integer | OSSEC srcport. | Log inspection events
OSSEC_SourceUser | Integer | OSSEC srcuser. | Log inspection events
OSSEC_Status | Integer | OSSEC status. | Log inspection events
OSSEC_SystemName | Integer | OSSEC systemname. | Log inspection events
OSSEC_URL | Integer | OSSEC url. | Log inspection events
PacketData | Integer | Hexadecimal encoding of captured packet data, if the rule was configured to capture packet data. | Intrusion prevention events
PacketSize | Integer | The size of the network packet. | Firewall events
PatternVersion | Integer (enum) | The malware detection pattern version. | Anti-malware events
PayloadFlags | Integer | Intrusion Prevention Filter Flags. A bitmask value that can include the following flag values: 1 - Data truncated - Data could not be logged. 2 - Log Overflow - Log overflowed after this log. 4 - Suppressed - Logs threshold suppressed after this log. 8 - Have Data - Contains packet data. 16 - Reference Data - References previously logged data. | Intrusion prevention events
PosInBuffer | Integer | Position within packet of data that triggered the event. | Intrusion prevention events
PosInStream | Integer | Position within stream of data that triggered the event. | Intrusion prevention events
Process | String | The name of the process that generated the event, if available. | Integrity events
Protocol | Integer (enum) | The numerical network protocol identifier. -1=Unknown, 1=ICMP, 2=IGMP, 3=GGP, 6=TCP, 12=PUP, 17=UDP, 22=IDP, 58=ICMPv6, 77=ND, 255=RAW. | Firewall events, intrusion prevention events
ProtocolString | String | Conversion of Protocol to a readable string. | Firewall events, intrusion prevention events
Rank | Integer | The numerical rank of the event; the product of the computer's assigned asset value and the severity value setting for an event of this severity. | Integrity events, log inspection events, firewall events, intrusion prevention events
Reason | String | Name of the Firewall Rule that caused the event, or a mapping of Status to String if the event was not caused by a Rule. | Firewall events
Reason | String | Name of Integrity Rule that caused this event, if known. | Integrity events
Reason | String | Name of the Anti-Malware configuration that caused the event, if known. | Anti-malware events
Reason | String | Name of the Intrusion Prevention Rule that caused the event, or a mapping of Status to String if the event was not caused by a Rule. | Intrusion prevention events
RepeatCount | Integer | The number of times this event was sequentially repeated. A repeat count of 1 indicates the event was only observed once and did not repeat. | Firewall events, intrusion prevention events
Risk | Integer (enum) | Translated risk level of the URL accessed. 2=Suspicious, 3=Highly Suspicious, 4=Dangerous, 5=Untested, 6=Blocked by Administrator. | Web reputation events
RiskLevel | Integer | The raw risk level of the URL from 0 to 100. Will not be present if the URL was blocked by a block rule. | Web reputation events
RiskString | String | Conversion of Risk to a readable string. | Web reputation events
ScanAction1 | Integer | Scan action 1. Scan action 1 & 2 and scan result actions 1 & 2 and ErrorCode are combined to form the single "summaryScanResult". | Anti-malware events
ScanAction2 | Integer | Scan action 2. | Anti-malware events
ScanResultAction1 | Integer | Scan result action 1. | Anti-malware events
ScanResultAction2 | Integer | Scan result action 2. | Anti-malware events
ScanResultString | String | Malware scan result, as a string. A combination of ScanAction 1 and 2, ScanActionResult 1 and 2, and ErrorCode. | Anti-malware events
ScanType | Integer (enum) | Malware scan type that created the event. 0=Real-Time, 1=Manual, 2=Scheduled, 3=Quick Scan. | Anti-malware events
ScanTypeString | String | Conversion of ScanType to a readable string. | Anti-malware events
Severity | Integer | 1=Info, 2=Warning, 3=Error. | System events
Severity | Integer (enum) | 1=Low, 2=Medium, 3=High, 4=Critical. | Integrity events, intrusion prevention events
SeverityString | String | Conversion of Severity to a readable string. | System events, integrity events, intrusion prevention events
SeverityString | String | Conversion of OSSEC_Level to a readable string. | Log inspection events
SourceIP | String (IP) | The IP address of the source of a packet. | Firewall events, intrusion prevention events
SourceMAC | String (MAC) | The MAC Address of the source of a packet. | Firewall events, intrusion prevention events
SourcePort | Integer | The network port number a packet was sent from. | Firewall events, intrusion prevention events
Status | Integer | If this event was not generated by a specific Firewall Rule then this status is one of approximately 50 hard-coded rules, e.g. 123=Out Of Allowed Policy. | Firewall events
Status | Integer | If this event was not generated by a specific IPS Rule then this status is one of approximately 50 hard-coded reasons, e.g. -504=Invalid UTF8 encoding. | Intrusion prevention events
Tags | String | Comma-separated list of tags that have been applied to the event. This list will only include tags that are automatically applied when the event is generated. | All event types
TargetID | Integer | Unique identifier of the target of the event. This identifier is unique for the targets of the same type within a tenant. It is possible for target IDs to be reused across different types, for example, both a Computer and a Policy may have target ID 10. | System events
TargetIP | String (IP) | IP Address that was being contacted when a Web Reputation Event was generated. | Web reputation events
TargetName | String | The name of the target of the event. The target of a system event can be many things, including computers, policies, users, roles, and tasks. | System events
TargetType | String | The type of the target of the event. | System events
TenantID | Integer | Unique identifier of the tenant that generated the event. | All event types
TenantName | String | Name of the tenant that generated the event. | All event types
Title | String | Title of the event. | System events
URL | String (URL) | The URL being accessed that generated the event. | Web reputation events
User | String | The user account that was the target of an integrity monitoring event, if known. | Integrity events

Example events in JSON format

The following is an example of a system event:

{
  "ActionBy": "System",
  "Description": "A request has been made to synchronize computers with Cloud Account: Amazon",
  "EventID": 4947,
  "EventType": "SystemEvent",
  "LogDate": "2014-10-29T13:13:38.500Z",
  "ManagerNodeID": 41,
  "ManagerNodeName": "192.168.0.1",
  "Number": 1906,
  "Origin": 3,
  "OriginString": "Manager",
  "Severity": 1,
  "SeverityString": "Info",
  "Tags": "",
  "TargetID": 1,
  "TargetName": "Amazon -  US East (Virginia)",
  "TargetType": "Cloud",
  "TenantID": 1984,
  "TenantName": "Planet Express",
  "Title": "Cloud Provider Synchronization Requested"
}

The following is an example of an integrity monitoring event:

{
  "Change": 4,
  "ChangeString": "Renamed",
  "Description": "No description is available.",
  "EventID": 2187499,
  "EventType": "IntegrityEvent",
  "HostAgentVersion": "9.0.0.883",
  "HostAssetValue": 1,
  "HostGroupID": 2,
  "HostGroupName": "Intranet",
  "HostID": 2,
  "Hostname": "hr_data2",
  "HostOS": "Microsoft Windows Server 2008 R2",
  "HostSecurityPolicyID": 9,
  "HostSecurityPolicyName": "Windows Server 2008",
  "Key": "C:\\Windows\\system32\\explorer.exe -\u003e C:\\Windows\\system32\\explorer2.exe",
  "LogDate": "2014-10-29T13:18:08.380Z",
  "Origin": 0,
  "OriginString": "Agent",
  "Process": "",
  "Rank": 50,
  "Reason": "1002777 - Microsoft Windows - System configuration file modified",
  "Severity": 3,
  "SeverityString": "High",
  "Tags": "",
  "TenantID": 0,
  "TenantName": "Primary",
  "Type": "File"
}

Example Configurations

This section gives some SNS configuration examples for different scenarios.

Send all critical intrusion prevention events to an SNS topic

{   
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "NumericEquals": {
          "Severity": 4
        },
        "StringEquals" : {
          "EventType" : "PayloadLog"
        }
      }
    }
  ]
}

Send different events to different SNS topics

This example shows sending all system events to one topic and all integrity monitoring events to a different topic.

{   
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:systemEventsTopic",
      "Condition": {
        "StringEquals" : {
          "EventType" : "SystemEvent"
        }
      }
    },
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:integrityTopic",
      "Condition": {
        "StringEquals" : {
          "EventType" : "IntegrityEvent"
        }
      }
    }
  ]
}

Multiple statements vs. multiple conditions

If you create multiple statements for the same SNS topic, those statements are evaluated as if they are joined by "or". If a statement contains multiple conditions, those conditions are evaluated as if they are joined by "and".

Multiple statements

This is an example of what not to do. The first statement says to forward all events other than "System Settings Saved". The second statement says to forward all "System Settings Saved" events. The result is that all events will be forwarded because any event will match either the condition in the first statement or the one in the second statement:

{   
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "StringNotLike" : {
          "Title" : "System Settings Saved"
        }
      }
    },
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "StringLike" : {
          "Title" : "System Settings Saved"
        }
      }
    }
  ]
}

Multiple conditions

This is another example of what not to do. The first condition says to forward all events other than "System Settings Saved". The second condition says to forward all "System Settings Saved" events. Because both conditions sit in the same statement they must both hold, and no event can satisfy the two at once, so the result is that no events will be forwarded:

{   
  "Version": "2014-09-24",
  "Statement": [
    {
      "Topic": "arn:aws:sns:us-east-1:012345678901:myTopic",
      "Condition": {
        "StringNotLike" : {
          "Title" : "System Settings Saved"
        },
        "StringLike" : {
          "Title" : "System Settings Saved"
        }
      }
    }
  ]
}
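To check a configuration before deploying it, it helps to evaluate it against sample events offline. The following is an added example, not Trend Micro's code or the product's real matching engine: a small Python evaluator that applies the semantics described above (conditions within a statement are AND-ed, statements are independent, so two statements for one topic act as OR) to the two "what not to do" configurations. It implements only the condition names used on this page and assumes that a list of values means "any of" (for StringNotLike, "none of"), that a property missing from the event never matches, and that StringLike wildcards are "*" and "?".

```python
import re

# Constructed topic ARN, matching the page's examples
TOPIC = "arn:aws:sns:us-east-1:012345678901:myTopic"

def _like(pattern, value):
    """StringLike test; assumes '*' and '?' are the only wildcards."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

# Condition name -> (test of one wanted value against the event value, negated?)
OPERATORS = {
    "StringEquals":  (lambda want, got: str(got) == want, False),
    "StringLike":    (lambda want, got: _like(want, str(got)), False),
    "StringNotLike": (lambda want, got: _like(want, str(got)), True),
    "NumericEquals": (lambda want, got: float(got) == float(want), False),
}

def condition_matches(name, spec, event):
    """Every key in one condition block must hold. Assumptions: a list of
    values means 'any of' (negated: 'none of'); a missing property fails."""
    test, negated = OPERATORS[name]
    for key, wanted in spec.items():
        if key not in event:
            return False
        values = wanted if isinstance(wanted, list) else [wanted]
        if any(test(v, event[key]) for v in values) == negated:
            return False
    return True

def topics_for_event(config, event):
    """Topics the event is published to: conditions inside a statement are
    AND-ed, each statement is checked independently (OR for one topic)."""
    assert config.get("Version") == "2014-09-24", "unsupported Version"
    topics = []
    for stmt in config["Statement"]:
        conds = stmt.get("Condition", {})
        if all(condition_matches(n, s, event) for n, s in conds.items()):
            if stmt["Topic"] not in topics:
                topics.append(stmt["Topic"])
    return topics

# The two "what not to do" configurations from the page
STATEMENTS_ORED = {"Version": "2014-09-24", "Statement": [
    {"Topic": TOPIC, "Condition": {"StringNotLike": {"Title": "System Settings Saved"}}},
    {"Topic": TOPIC, "Condition": {"StringLike": {"Title": "System Settings Saved"}}}]}
CONDITIONS_ANDED = {"Version": "2014-09-24", "Statement": [
    {"Topic": TOPIC, "Condition": {"StringNotLike": {"Title": "System Settings Saved"},
                                   "StringLike": {"Title": "System Settings Saved"}}}]}
# Constructed event, trimmed from the page's example system event
SYSTEM_EVENT = {"EventType": "SystemEvent", "Severity": 1,
                "Title": "Cloud Provider Synchronization Requested"}
```

Running `topics_for_event` with each configuration against the sample event and against an event titled "System Settings Saved" shows the two failure modes: the multi-statement version publishes every event, the multi-condition version publishes none.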