Events

Managing Conformity events.

List All Events

get/events

This endpoint allows you to collect events that you have access to.

IMPORTANT:    Some guidelines about using this endpoint:

  1. If accountIds are not provided, events are returned from all accounts you have access to. If you are ADMIN, organisation-level events are also returned.
  2. If you provide an accountId to an account you do not have at least ReadOnly access to, you will receive a 403 Forbidden error.
  3. You can pull 4 types of events from this endpoint. By default, you will receive all events if you don't provide the any event type.
    • aws=true&azure=false&gcp=false&cc=false or azure=false&gcp=false&cc=false will only return AWS events;
    • aws=false&azure=false&gcp=false&cc=true or aws=false&azure=false&gcp=false will only return Cloud Conformity activity-events;
    • aws=true&azure=true&gcp=true&cc=false or cc=false will return AWS, Azure, and GCP events. For more information, see example below.
  4. All events have a name attribute. Some important Cloud Conformity events are listed in the Event Names Table.
    Using the filter[name] as part of your query will get a history of that specific event. filter[name] also supports wildcards.
    • Asterisk at the end: filter[name]=account.bot.update* will get all events where the name starts with account.bot.update.
    • Asterisk in the middle:filter[name]=account.*.update* will match all account updating events like account.bot.update and account.rule.update.
    • Use of question marks: filter[name]=a??.check.create will match api.check.created and not account.check.created. Each ? is a character wildcard.

Filtering

The filter query parameter is reserved to be used as the basis for filtering. Any plural filter parameters (e.g. filter[region s]) accepts a comma-separated list. E.g. filter[regions]=us-east-1,us-east-2

The table below give more information about filter options:

Name Values
filter[regions] global | us-east-2 | us-east-1 | us-west-1 | us-west-2 | ap-south-1 | ap-northeast-2 |
ap-southeast-1 | ap-southeast-2 | ap-northeast-1 | ca-central-1 | eu-central-1 | eu-west-1 |
eu-west-2 | sa-east-1

The region filter is only available for AWS events. For more information about regions, please refer to Cloud Conformity Region Endpoint
filter[services] AutoScaling | CloudConformity |CloudFormation | CloudFront | CloudTrail | CloudWatch |
CloudWatchEvents | CloudWatchLogs | Config | DynamoDB | EBS | EC2 | ElastiCache | Elasticsearch | ELB | IAM | KMS | RDS | Redshift | ResourceGroup | Route53 | S3 | SES |
SNS | SQS | VPC | WAF | ACM | Inspector | TrustedAdvisor | Shield | EMR | Lambda |
Support | Organizations | Kinesis | EFS
Subscriptions | ActivityLog | Network

For more information about services, please refer to Cloud Conformity Services Endpoint

Additionally, events we receive from AWS may have different service labels such as "ec2.amazonaws.com"
filter[userIds] A comma-separated list of Cloud Conformity userIds. Only activity-events will have userIds.
filter[name] String, name of event. Supports wild cards (see point 4 above )
filter[identities] Only incoming AWS, Azure, and GCP events will have identities.
filter[since] Refers to the start of the time range you want to query for events.

The numeric value of the specified time as the number of milliseconds since January 1, 1970, 00:00:00 UTC
filter[until] Refers to the end of the time range you want to query for events.

The numeric value of the specified date as the number of milliseconds since January 1, 1970, 00:00:00 UTC

For example, the following is a request for static-deployer events within a specified time frame on one account:

curl -g -H "Content-Type: application/vnd.api+json" \
     -H "Authorization: ApiKey S1YnrbQuWagQS0MvbSchNHDO73XHqdAqH52RxEPGAggOYiXTxrwPfmiTNqQkTq3p" \
     https://us-west-2-api.cloudconformity.com/v1/events?accountIds=ryi9NPivK&filter[identities]=static-deployer&filter[since]=1519919272016&filter[until]=1519932055819

Example Response:

Each event can be quite large and the example below is purposefully truncated.

{
    "data": [
        {
            "type": "events",
            "id": "rkTkAsr_GSJlpyCoB_M",
            "attributes": {
                "name": "account.monitoring.activity",
                "time": 1519922649000,
                "service": "cloudfront.amazonaws.com",
                "identity": "static-deployer",
                "region": "us-east-1",
                "description": "cloudfront.amazonaws.com/CreateInvalidation",
                "hasChildren": true
            },
            "relationships": {
                "account": {
                    "data": {
                        "type": "account",
                        "id": "ryi9NPivK"
                    }
                }
            }
        }
    ],
    "meta": {
        "total-pages": 1
    }
}

Event Names
event.attributes.name Information
AWS EVENTS
account.monitoring.activity All AWS events have this name
Azure EVENTS
azure.activity.logs All Azure events have this name
GCP EVENTS
gcp.cloud.logging All GCP events have this name
USER LEVEL
user.created.first First user has been created
user.created New user has been created
user.invite.accepted A user invitation has been accepted
user.login.c1 User logged in
user.login.error User failed logging in
user.login.mfa.error User failed to login with MFA
user.login.mfa User logged in with MFA
user.login.saml.error User failed to log in through SAML
user.login.saml User logged in through SAML
user.login User logged in
user.mfa.setup User set their Multi-Factor Authentication (MFA)
user.mfa.unset User unset their Multi-Factor Authentication (MFA)
user.mfa.verified User verified their Multi-Factor Authentication (MFA)
user.password.removed SSO user has removed their password
user.password.reset.requested User has requested to reset their password
user.password.reset User has reset their password
user.password.updated User has updated their password
user.phone.mobile.removed User had their mobile number removed
user.phone.mobile.verified User had their mobile number verified
user.updated User has updated their information
user.verification.resent Verification email resent
user.verified User has been verified
ACCOUNT LEVEL
account.activated The account has been activated
account.bot.aborted Conformity Bot has been aborted
account.bot.update.delay.decreased delay between automatic conformity bot run has been decreased
account.bot.update.delay.increased delay between automatic conformity bot run has been increased
account.bot.update.disabled.region some previously enabled regions are now disabled
account.bot.update.disabled.until account bot was enabled and is now temporarily disabled until a set time.
account.bot.update.disabled account bot was enabled and was disabled indefinitely
account.bot.update.enabled.region some previously disabled regions are now enabled
account.bot.update.enabled account bot was disabled and is now enabled
account.bot.update.system.enabled Conformity Bot has been re-enabled
account.created An account creation has finished
account.creating An account creation has started
account.deactivated The account has been deactivated
account.delete.requested An account has been deleted
account.inventory.aborted One of Conformity bot's processes encountered an error
account.monitoring.activated Real-time threat monitoring has been activated for the account
account.note.added A note has been added to a rule
account.report.ready Conformity report is ready for download
account.report.requested A new Conformity Report has been requested
account.rule.send.slack A rule has been sent to Slack
account.rule.send.user A rule has been sent via email
account.rule.update.disabled some previously enabled rule is now disabled
account.rule.update.enabled some previously disabled rule is now enabled
account.rule.update.exceptions.filterTags.added Tag(s) exceptions have been added to a rule setting
account.rule.update.exceptions.filterTags.removed Tag(s) exceptions have been removed from a rule setting
account.rule.update.exceptions.filterTags.updated Tag(s) exceptions have been updated for a rule setting
account.rule.update.exceptions.resources.added There were no exception resources and now some have been added
account.rule.update.exceptions.resources.removed There were some exception resources and now all have been removed
account.rule.update.exceptions.resources.updated List of exception resources has been updated
account.rule.update.exceptions.tags.added There were no exception tags and now some have been added
account.rule.update.exceptions.tags.removed There were some exception tags and now all have been removed
account.rule.update.exceptions.tags.updated List of exception tags has been updated
account.rule.update.riskLevel rule risk level has been changed
account.subscription.updated The subscription for this account has been updated
account.update.access Account access settings have been updated
account.update.bot Conformity Bot settings have been updated
account.update.channel A communication channel has been updated
account.update.rule A rule setting has been configured
account.update.settings Account settings have been updated
account.update.tags Account tags have been updated
GROUP LEVEL
group.created A new accounts group has been created
group.deleted Accounts group has been deleted
group.updated Accounts group has been updated
ORGANISATION LEVEL
organisation.acl.updated A user's role and/or account access settings has been changed.
organisation.created A new organisation has been created
organisation.note.added A note has been added to an organisation level rule
organisation.rule.updated Settings have been changed for an organisation level rule
organisation.updated Organisation details updated
organisation.user.invite.failed An error happened when inviting a user
organisation.user.invited A user invitation has been sent
organisation.user.revoked A user has been revoked
CHECKS RELATED
account.check.note.added A note has been added to a check
account.check.requested Conformity Bot run was manually requested
account.check.sns.sent A failure check result was sent via SNS
account.check.ticket.create.requested A communication channel ticket was created
account.check.update.custom.suppressed.until An account level check was temporarily suppressed until a set time.
account.check.update.custom.suppressed An account level check was suppressed indefinitely.
account.check.update.custom.unsuppressed An account level check has been unsuppressed indefinitely
account.check.update.custom A custom check has been updated
account.check.update.suppressed.until A check has been suppressed until a set time
account.check.update.suppressed A check has been suppressed
account.check.update.unsuppressed A check has been unsuppressed
API & API KEYS
api.account.check.requested A Conformity Bot run has been requested via the API
api.account.created An account has been created via the API
api.account.delete.requested An account deletion has been requested via the API
api.account.note.added A rule settings note was added via the api
api.account.notes.added Notes were batch added via the api
api.account.rule.setting.update A rule setting for an account was updated via the api
api.account.rule.settings.update Rule settings were batch-updated via the api
api.account.subscription.updated An account subscription has been updated via the API
api.account.update An account has been updated via the API
api.check.created Custom check has been created
api.check.deleted Custom check has been deleted
api.check.updated Custom check has been updated
api.setting.communication.update A communication setting was updated via the api
api.setting.communications.create Communication settings were created via the api
api.setting.delete A setting was deleted via the api
apiKey.created A Cloud Conformity API Key has been generated
apiKey.deleted A Cloud Conformity API Key has been deleted
apiKey.update.status A Cloud Conformity API Key has been updated
SETTINGS
rtm-webhook-config.deployment-script.created A RTM webhook deployment script was generated
setting.created.communication A communication channel has been created
setting.created.profile A profile has been created
setting.created.rule A rule configuration has been created
setting.created An user setting has been created
setting.deleted.communication A communication channel has been deleted
setting.deleted.profile A profile has been deleted
setting.deleted.rule A rule configuration has been deleted
setting.deleted An user setting has been deleted
setting.updated.communication A communication channel has been updated
setting.updated.profile A profile has been updated
setting.updated.rule A rule configuration has been updated
setting.updated An user setting has been updated

SecurityApiKeyAuth
Request
query Parameters
accountIds
string

A comma-separated list of Cloud Conformity accountIds.

aws
boolean
Default: true

If true returns AWS events.

azure
boolean
Default: true

If true returns Azure events.

cc
boolean
Default: true

If true returns Cloud Conformity activity-events.

object

Optional parameter including regions, services, userIds, name, identities, since, until

gcp
boolean
Default: true

If true returns GCP events.

object

Optional parameter including page size, and page number returned

Responses
200

OK

400

Bad Request. Cannot process request due to a client error.

401

Unauthorized. The requesting user does not have enough privilege.

423

Organisation is not currently accessible via the API

500

Internal Server Error

Response samples
application/json
{
  • "data": [
    ]
}