Events in JSON format
When published to Amazon SNS, events are sent in the SNS Message as an array of JSON objects that are encoded as strings. Each object in the array is one event.
Valid properties vary by the type of event. For example, MajorVirusType is a valid property only for Deep Security Anti-Malware events, not system events etc. Valid property values vary for each property. For examples, see Example events in JSON format.
Event property values can be used to filter which events are published to the SNS topic. For details, see SNS configuration in JSON format.
Valid event properties
Some events don't have all of the properties that usually apply to their event type.
| Property Name | Data Type | Description | Applies To Event Type(s) |
|---|---|---|---|
| Action | String (enum) | Action taken for the application control event, such as "Execution of Software Blocked by Rule", "Execution of Unrecognized Software Allowed" (due to detect-only mode) or "Execution of Unrecognized Software Blocked". | Application control events |
| Action | Integer (enum) | Action taken for the firewall event. "Detect Only" values show what would have happened if the rule had been enabled. 0=Unknown, 1=Deny, 6=Log Only, 0x81=Detect Only: Deny. | Firewall events |
| Action | Integer (enum) | Action taken for the intrusion prevention event. 0=Unknown, 1=Deny, 2=Reset, 3=Insert, 4=Delete, 5=Replace, 6=Log Only, 0x81=Detect Only: Deny, 0x82=Detect Only: Reset, 0x83=Detect Only: Insert, 0x84=Detect Only: Delete, 0x85=Detect Only: Replace. | Intrusion prevention events |
| ActionBy | String | Name of the Deep Security Manager user who performed the event, or "System" if the event was not generated by a user. | System events |
| ActionString | String | Conversion of Action to a readable string. | Firewall events, intrusion prevention events |
| AdministratorID | Integer | Unique identifier of the Deep Security user who performed an action. Events generated by the system and not by a user will not have an identifier. | System events |
| AggregationType | Integer (enum) | Whether or not the Application Control event occurred repeatedly. If "AggregationType" is not "0", then the number of occurrences is in "RepeatCount." 0=Not aggregated, 1=Aggregated based on file name, path and event type, 2=Aggregated based on event type | Application control events |
| ApplicationType | String | Name of the network application type associated with the Intrusion Prevention rule, if available. | Intrusion prevention events |
| BlockReason | Integer (enum) | A reason that corresponds to the Action. 0=Unknown, 1=Blocked due to rule, 2=Blocked due to unrecognized | Application control events |
| Change | Integer (enum) | What type of change was made to a file, process, registry key, etc. for an Integrity Monitoring event. 1=Created, 2=Updated, 3=Deleted, 4=Renamed. | Integrity monitoring events |
| ContainerID | String | ID of the Docker container where the malware was found. | Anti-malware events |
| ContainerImageName | String | Image name of the Docker container where the malware was found. | Anti-malware events |
| ContainerName | String | Name of the Docker container where the malware was found. | Anti-malware events |
| Description | String | Description of the change made to the entity (created, deleted, updated) along with details about the attributes changed. | Integrity monitoring events |
| Description | String | Brief description of what happened during an event. | System events |
| DestinationIP | String (IP) | The IP address of the destination of a packet. | Firewall events, intrusion prevention events |
| DestinationMAC | String (MAC) | The MAC address of the destination of a packet. | Firewall events, intrusion prevention events |
| DestinationPort | Integer | The network port number a packet was sent to. | Firewall events, intrusion prevention events |
| DetectionCategory | Integer (enum) | The detection category for a web reputation event. 12=User Defined, 13=Custom, 91=Global. | Web reputation events |
| DetectOnly | Boolean | Whether or not the event was returned with the Detect Only flag turned on. If true, this indicates that the URL was not blocked, but access was detected. | Web reputation events |
| Direction | Integer (enum) | Network packet direction. 0=Incoming, 1=Outgoing. | Firewall events, intrusion prevention events |
| DirectionString | String | Conversion Direction to a readable string. | Firewall events, intrusion prevention events |
| DriverTime | Integer | The time the log was generated as recorded by the driver. | Firewall events, intrusion prevention events |
| EndLogDate | String (Date) | The last log date recorded for repeated events. Will not be present for events that did not repeat. | Firewall events, intrusion prevention events |
| EngineType | Integer | The Anti-Malware engine type. | Anti-malware events |
| EngineVersion | String | The Anti-Malware engine version. | Anti-malware events |
| EntityType | String (enum) | The type of entity an integrity monitoring event applies to: Directory, File, Group, InstalledSoftware, Port, Process, RegistryKey, RegistryValue, Service, User, or Wql | Integrity monitoring events |
| ErrorCode | Integer | Error code for malware scanning events. If non-zero the scan failed, and the scan action and scan result fields contain more details. | Anti-malware events |
| EventID | Integer | The identifier of the event. Identifiers are unique per event type, but events of different types may share the same identifier. For example, it is possible for events with both EventType firewall and ips to have EventID equal to 1. The combination of EventID, EventType and TenantID are required to completely, uniquely identify an event in Deep Security. Note that this property is not related to the "Event ID" property of a System Event in the Deep Security Manager. | All event types |
| EventType | String (enum) | The type of the event. One of: "SystemEvent", "PacketLog", "PayloadLog", "AntiMalwareEvent", "WebReputationEvent", "IntegrityEvent", "LogInspectionEvent", "AppControlEvent". | All event types |
| FileName | String | File name of the software that was allowed or blocked, such as "script.sh". (The full path is separate, in "Path".) | Application control events |
| Flags | String | Flags recorded from a network packet; a space-separated list of strings. | Firewall events, intrusion prevention events |
| Flow | Integer (enum) | Network connection flow. Possible values: -1=Not Applicable, 0=Connection Flow, 1=Reverse Flow | Firewall events, intrusion prevention events |
| FlowString | String | Conversion of Flow to a readable string. | Firewall events, intrusion prevention events |
| Frame | Integer (enum) | Frame type. -1=Unknown, 2048=IP, 2054=ARP, 32821=REVARP, 33169=NETBEUI, 0x86DD=IPv6 | Firewall events, intrusion prevention events |
| FrameString | String | Conversion of Frame to a readable string. | Firewall events, intrusion prevention events |
| GroupID | String | The group ID, if any, of the user account that tried to start the software, such as "0". | Application control events |
| GroupName | String | The group name, if any, of the user account that tried to start the software, such as "root". | Application control events |
| HostAgentVersion | String | The version of the Deep Security Agent that was protecting the computer where the event was detected. | Anti-malware events, web reputation events, integrity monitoring events, log inspection events, firewall events, intrusion prevention events |
| HostAgentGUID | String | The global unique identifier (GUID) of the Deep Security Agent when activated with the Deep Security Manager. | Application control events |
| HostAssetValue | Integer | The asset value assigned to the computer at the time the event was generated. | Anti-malware events, web reputation events, integrity monitoring events, log inspection events, firewall events, intrusion prevention events, application control events |
| HostGroupID | Integer | The unique identifier of the Computer Group of the computer where the event was detected. | Anti-malware events, web reputation events, integrity monitoring events, log inspection events, firewall events, intrusion prevention events |
| HostGroupName | String | The name of the Computer Group of the computer where the event was detected. Note that Computer Group names may not be unique. | Anti-malware events, web reputation events, integrity monitoring events, log inspection events, firewall events, intrusion prevention events |
| HostID | Integer | Unique identifier of the computer where the event occurred. | Anti-malware events, web reputation events, integrity monitoring events, log inspection events, firewall events, intrusion prevention events, application control events |
| HostInstanceID | String | The cloud instance ID of the computer where the event was detected. This property will only be set for computers synchronized with a Cloud Connector. | Anti-malware events, web reputation events, integrity monitoring events, log inspection events, firewall events, intrusion prevention events |
| Hostname | String | Hostname of the computer on which the event was generated. | Anti-malware events, web reputation events, integrity monitoring events, log inspection events, firewall events, intrusion prevention events, application control events |
| HostOS | String | The operating system of the computer where the event was detected. | Anti-malware events, web reputation events, integrity monitoring events, log inspection events, firewall events, intrusion prevention events, application control events |
| HostOwnerID | String | The cloud account ID of the computer where the event was detected. This property will only be set for computers synchronized with a Cloud Connector. | Anti-malware events, web reputation events, integrity monitoring events, log inspection events, firewall events, intrusion prevention events |
| HostSecurityPolicyID | Integer | The unique identifier of the Deep Security policy applied to the computer where the event was detected. | Anti-malware events, web reputation events, integrity monitoring events, log inspection events, firewall events, intrusion prevention events, application control events |
| HostSecurityPolicyName | String | The name of the Deep Security policy applied to the computer where the event was detected. Note that security policy names may not be unique. | Anti-malware events, web reputation events, integrity monitoring events, log inspection events, firewall events, intrusion prevention events, application control events |
| HostVCUUID | String | The vCenter UUID of the computer the event applies to, if known. | Anti-malware events, web reputation events, integrity monitoring events, log inspection events, firewall events, intrusion prevention events |
| InfectedFilePath | String | Path of the infected file in the case of malware detection. | Anti-malware events |
| InfectionSource | String | The name of the computer that's the source of a malware infection, if known. | Anti-malware events |
| Interface | String (MAC) | MAC address of the network interface sending or receiving a packet. | Firewall events, intrusion prevention events |
| IPDatagramLength | Integer | The length of the IP datagram. | Intrusion prevention events |
| IsHash | String | The SHA-1 content hash (hexadecimal encoded) of the file after it was modified. | Integrity monitoring events |
| Key | String | The file or registry key an integrity event refers to. | Integrity monitoring events |
| LogDate | String (Date) | The date and time when the event was recorded. For Deep Security Agent-generated events (Firewall, IPS, etc.), the time is when the event was recorded by the agent, not when the event was received by Deep Security Manager. | All event types |
| MajorVirusType | Integer (enum) | The classification of malware detected. 0=Joke, 1=Trojan, 2=Virus, 3=Test, 4=Spyware, 5=Packer, 6=Generic, 7=Other | Anti-malware events |
| MajorVirusTypeString | String | Conversion of MajorVirusType to a readable string. | Anti-malware events |
| MalwareName | String | The name of the malware detected. | Anti-malware events |
| MalwareType | Integer (enum) | The type of malware detected. 1=General malware, 2=Spyware. General malware events will have an InfectedFilePath, spyware events will not. | Anti-malware events |
| ManagerNodeID | Integer | Unique identifier of the Deep Security Manager Node where the event was generated. | System events |
| ManagerNodeName | String | Name of the Deep Security Manager Node where the event was generated. | System events |
| MD5 | String | The MD5 checksum (hash) of the software, if any. | Application control events |
| Number | Integer | System events have an additional ID that identifies the event. Note that in the Deep Security Manager, this property appears as "Event ID". | System events |
| Operation | Integer (enum) | 0=Unknown, 1=Allowed due to detect-only mode, 2=Blocked | Application control |
| Origin | Integer (enum) | The origin of the event. -1=Unknown, 0=Deep Security Agent, 1=In-VM guest agent, 2=Deep Security Appliance, 3=Deep Security Manager | All event types |
| OriginString | String | Conversion of Origin to a human-readable string. | All event types |
| OSSEC_Action | String | OSSEC action | Log inspection events |
| OSSEC_Command | String | OSSEC command | Log inspection events |
| OSSEC_Data | String | OSSEC data | Log inspection events |
| OSSEC_Description | String | OSSEC description | Log inspection events |
| OSSEC_DestinationIP | String | OSSEC dstip | Log inspection events |
| OSSEC_DestinationPort | String | OSSEC dstport | Log inspection events |
| OSSEC_DestinationUser | String | OSSEC dstuser | Log inspection events |
| OSSEC_FullLog | String | OSSEC full log | Log inspection events |
| OSSEC_Groups | String | OSSEC groups result (e.g. syslog,authentication_failure) | Log inspection events |
| OSSEC_Hostname | String | OSSEC hostname. This is the name of the host as read from a log entry, which is not necessarily the same as the name of the host on which the event was generated. | Log inspection events |
| OSSEC_ID | String | OSSEC id | Log inspection events |
| OSSEC_Level | Integer (enum) | OSSEC level. An integer in the range 0 to 15 inclusive. 0-3=Low severity, 4-7=Medium severity, 8-11=High severity, 12-15=Critical severity. | Log inspection events |
| OSSEC_Location | String | OSSEC location | Log inspection events |
| OSSEC_Log | String | OSSEC log | Log inspection events |
| OSSEC_ProgramName | String | OSSEC program_name | Log inspection events |
| OSSEC_Protocol | String | OSSEC protocol | Log inspection events |
| OSSEC_RuleID | Integer | OSSEC rule id | Log inspection events |
| OSSEC_SourceIP | Integer | OSSEC srcip | Log inspection events |
| OSSEC_SourcePort | Integer | OSSEC srcport | Log inspection events |
| OSSEC_SourceUser | Integer | OSSEC srcuser | Log inspection events |
| OSSEC_Status | Integer | OSSEC status | Log inspection events |
| OSSEC_SystemName | Integer | OSSEC systemname | Log inspection events |
| OSSEC_URL | Integer | OSSEC url | Log inspection events |
| PacketData | Integer | Hexadecimal encoding of captured packet data, if the rule was configured to capture packet data. | Intrusion prevention events |
| PacketSize | Integer | The size of the network packet. | Firewall events |
| Path | String | Directory path of the software file that was allowed or blocked, such as "/usr/bin/". (The file name is separate, in "FileName".) | Application control events |
| PatternVersion | Integer (enum) | The malware detection pattern version. | Anti-malware events |
| PayloadFlags | Integer | Intrusion Prevention Filter Flags. A bitmask value that can include the following flag values: 1 - Data truncated - Data could not be logged. 2 - Log Overflow - Log overflowed after this log. 4 - Suppressed - Logs threshold suppressed after this log. 8 - Have Data - Contains packet data. 16 - Reference Data - References previously logged data. | Intrusion prevention events |
| PosInBuffer | Integer | Position within packet of data that triggered the event. | Intrusion prevention events |
| PosInStream | Integer | Position within stream of data that triggered the event. | Intrusion prevention events |
| Process | String | The name of the process that generated the event, if available. | Integrity monitoring events |
| ProcessID | Integer | The identifier (PID) of the process that generated the event, if available. | Application control events |
| ProcessName | String | The name of the process that generated the event, if available, such as "/usr/bin/bash". | Application control events |
| Protocol | Integer (enum) | The numerical network protocol identifier. -1=Unknown, 1=ICMP, 2=IGMP, 3=GGP, 6=TCP, 12=PUP, 17=UDP, 22=IDP, 58=ICMPv6, 77=ND, 255=RAW | Firewall events, Intrusion prevention events |
| ProtocolString | String | Conversion of Protocol to a readable string. | Firewall events, intrusion prevention events |
| Rank | Integer | The numerical rank of the event; the product of the computer's assigned asset value and the severity value setting for an event of this severity. | Integrity monitoring events, log inspection events, firewall events, intrusion prevention events |
| Reason | String | Name of the Deep Security rule or configuration object that triggered the event, or (for Firewall and Intrusion Prevention) a mapping of Status to String if the event was not triggered by a rule. For Application Control, "Reason" may be "None"; see "BlockReason" instead. | Firewall, intrusion prevention, integrity monitoring, log inspection, anti-malware, and application control events |
| RepeatCount | Integer | The number of times this event occurred repeatedly. A repeat count of 1 indicates the event was only observed once and did not repeat. | Firewall events, intrusion prevention events, application control events |
| Risk | Integer (enum) | Translated risk level of the URL accessed. 2=Suspicious, 3=Highly Suspicious, 4=Dangerous, 5=Untested, 6=Blocked by Administrator | Web reputation events |
| RiskLevel | Integer | The raw risk level of the URL from 0 to 100. Will not be present if the URL was blocked by a block rule. | Web reputation events |
| RiskString | String | Conversion of Risk to a readable string. | Web reputation events |
| ScanAction1 | Integer | Scan action 1. Scan action 1 & 2 and scan result actions 1 & 2 and ErrorCode are combined to form the single "summaryScanResult". | Anti-malware events |
| ScanAction2 | Integer | Scan action 2. | Anti-malware events |
| ScanResultAction1 | Integer | Scan result action 1. | Anti-malware events |
| ScanResultAction2 | Integer | Scan result action 2. | Anti-malware events |
| ScanResultString | String | Malware scan result, as a string. A combination of ScanAction 1 and 2, ScanActionResult 1 and 2, and ErrorCode. | Anti-malware events |
| ScanType | Integer (enum) | Malware scan type that created the event. 0=Real-Time, 1=Manual, 2=Scheduled, 3=Quick Scan | Anti-malware events |
| ScanTypeString | String | Conversion of ScanType to a readable string. | Anti-malware events |
| Severity | Integer | 1=Info, 2=Warning, 3=Error | System events |
| Severity | Integer (enum) | 1=Low, 2=Medium, 3=High, 4=Critical | Integrity monitoring events, intrusion prevention events |
| SeverityString | String | Conversion of Severity to a human-readable string. | System events, integrity monitoring events, intrusion prevention events |
| SeverityString | String | Conversion of OSSEC_Level to a human-readable string. | Log inspection events |
| SHA1 | String | The SHA-1 checksum (hash) of the software, if any. | Application control events |
| SHA256 | String | The SHA-256 checksum (hash) of the software, if any. | Application control events |
| SourceIP | String (IP) | The source IP address of a packet. | Firewall events, intrusion prevention events |
| SourceMAC | String (MAC) | The source MAC Address of the packet. | Firewall events, intrusion prevention events |
| SourcePort | Integer | The network source port number of the packet. | Firewall events, intrusion prevention events |
| Status | Integer | If this event was not generated by a specific Firewall rule, then this status is one of approximately 50 hard-coded rules, such as 123=Out Of Allowed Policy | Firewall events |
| Status | Integer | If this event was not generated by a specific IPS rule, then this status is one of approximately 50 hard-coded reasons, such as -504=Invalid UTF8 encoding | Intrusion prevention events |
| Tags | String | Comma-separated list of tags that have been applied to the event. This list will only include tags that are automatically applied when the event is generated. | All event types |
| TagSetID | Integer | Identifier of the group of tags that was applied to the event. | All event types |
| TargetID | Integer | Unique identifier of the target of the event. This identifier is unique for the targets of the same type within a tenant. It is possible for target IDs to be reused across different types, for example, both a Computer and a Policy may have target ID 10. | System events |
| TargetIP | String (IP) | IP Address that was being contacted when a Web Reputation Event was generated. | Web reputation events |
| TargetName | String | The name of the target of the event. The target of a system event can be many things, including computers, policies, users, roles, and tasks. | System events |
| TargetType | String | The type of the target of the event. | System events |
| TenantID | Integer | Unique identifier of the tenant associated with the event. | All event types |
| TenantName | String | Name of the tenant associated with the event. | All event types |
| Title | String | Title of the event. | System events |
| URL | String (URL) | The URL being accessed that generated the event. | Web reputation events |
| User | String | The user account that was the target of an integrity monitoring event, if known. | Integrity monitoring events |
| UserID | String | The user identifier (UID), if any, of the user account that tried to start the software, such as "0". | Application control events |
| UserName | String | The user name, if any, of the user account that tried to start the software, such as "root". | Application control events |
Data types of event properties
Events forwarded as JSON usually use strings to encode other data types.| Data Type | Description |
|---|---|
| Boolean |
JSON true or false.
|
| Integer | JSON Integers in events may be more than 32 bits. Verify the code that processes events can handle this. For example, JavaScript's |
| Integer (enum) |
JSON int, restricted to a set of enumerated values.
|
| String |
JSON string.
|
| String (Date) |
JSON string, formatted as a date and time in the pattern YYYY-MM-DDThh:mm:ss.sssZ (ISO 8601). 'Z' is the time zone. 'sss' are the three digits for sub-seconds. See also the W3C note on date and time formats.
|
| String (IP) |
JSON string, formatted as an IPv4 or IPv6 address.
|
| String (MAC) |
JSON string, formatted as a network MAC address.
|
| String (URL) |
JSON string, formatted as a URL.
|
| String (enum) |
JSON string, restricted to a set of enumerated values.
|
Example events in JSON format
System event
{
"Type" : "Notification",
"MessageId" : "123abc-123-123-123-123abc",
"TopicArn" : "arn:aws:sns:us-west-2:123456789:DS_Events",
"Message" : "[
{
"ActionBy":"System",
"Description":"Alert: New Pattern Update is Downloaded and Available\\nSeverity: Warning\",
"EventID":6813,
"EventType":"SystemEvent",
"LogDate":"2018-12-04T15:54:24.086Z",
"ManagerNodeID":123,
"ManagerNodeName":"job7-123",
"Number":192,
"Origin":3,
"OriginString":"Manager",
"Severity":1,
"SeverityString":"Info",
"Tags":"\",
"TargetID":1,
"TargetName":"ec2-12-123-123-123.us-west-2.compute.amazonaws.com",
"TargetType":"Host",
"TenantID":123,
"TenantName":"Umbrella Corp.",
"Title":"Alert Ended"
}
]",
"Timestamp" : "2018-12-04T15:54:25.130Z",
"SignatureVersion" : "1",
"Signature" : "500PER10NG5!gnaTURE==",
"SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-abc123.pem",
"UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456:DS_Events:123abc-123-123-123-123abc"
}
Anti-malware events
Multiple virus detection events can be in each SNS Message. (For brevity, repeated event properties are omitted below, indicated by "...".)
{
"Type" : "Notification",
"MessageId" : "123abc-123-123-123-123abc",
"TopicArn" : "arn:aws:sns:us-west-2:123456789:DS_Events",
"Message" : "[
{
"AMTargetTypeString":"N/A",
"ATSEDetectionLevel":0,
"CreationTime":"2018-12-04T15:57:18.000Z",
"EngineType":1207959848,
"EngineVersion":"10.0.0.1040",
"ErrorCode":0,
"EventID":1,
"EventType":"AntiMalwareEvent",
"HostAgentGUID":"4A5BF25A-4446-DD8B-DFB7-564C275F5F6B",
"HostAgentVersion":"11.1.0.163",
"HostID":1,
"HostOS":"Amazon Linux (64 bit) (4.14.62-65.117.amzn1.x86_64)",
"HostSecurityPolicyID":3,
"HostSecurityPolicyName":"PolicyA",
"Hostname":"ec2-12-123-123-123.us-west-2.compute.amazonaws.com",
"InfectedFilePath":"/tmp/eicar_1543939038890.txt",
"LogDate":"2018-12-04T15:57:19.000Z",
"MajorVirusType":2,
"MajorVirusTypeString":"Virus",
"MalwareName":"Eicar_test_file",
"MalwareType":1,
"ModificationTime":"2018-12-04T15:57:18.000Z",
"Origin":0,
"OriginString":"Agent",
"PatternVersion":"14.665.00",
"Protocol":0,
"Reason":"Default Real-Time Scan Configuration",
"ScanAction1":4,
"ScanAction2":3,
"ScanResultAction1":-81,
"ScanResultAction2":0,
"ScanResultString":"Quarantined",
"ScanType":0,
"ScanTypeString":"Real Time",
"Tags":"\",
"TenantID":123,
"TenantName":"Umbrella Corp."},
{
"AMTargetTypeString":"N/A",
"ATSEDetectionLevel":0,
"CreationTime":"2018-12-04T15:57:21.000Z",
...},
{
"AMTargetTypeString":"N/A",
"ATSEDetectionLevel":0,
"CreationTime":"2018-12-04T15:57:29.000Z",
...
}
]",
"Timestamp" : "2018-12-04T15:57:50.833Z",
"SignatureVersion" : "1",
"Signature" : "500PER10NG5!gnaTURE==",
"SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-abc123.pem",
"UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456:DS_Events:123abc-123-123-123-123abc"
}