Events in JSON format

When events are published to Amazon SNS, the SNS Message field carries a JSON array of event objects, serialized as a single string. Each object in the array is one event.

Valid properties vary by the type of event. For example, MajorVirusType is a valid property only for Workload Security Anti-Malware events, not for system events or other event types. Valid property values also vary per property. For examples, see Example events in JSON format.

Event property values can be used to filter which events are published to the SNS topic. For details, see SNS configuration in JSON format.

Valid event properties

Some events don't have all of the properties that usually apply to their event type.

| Property Name | Data Type | Description | Applies To Event Type(s) |
|---|---|---|---|
| Action | String (enum) | Action taken for the Application Control event, such as "Execution of Software Blocked by Rule", "Execution of Unrecognized Software Allowed" (due to detect-only mode) or "Execution of Unrecognized Software Blocked". | Application Control events |
| Action | Integer (enum) | Action taken for the Firewall event. "Detect Only" values show what would have happened if the rule had been enabled. 0=Unknown, 1=Deny, 6=Log Only, 0x81=Detect Only: Deny. | Firewall events |
| Action | Integer (enum) | Action taken for the Intrusion Prevention event. 0=Unknown, 1=Deny, 2=Reset, 3=Insert, 4=Delete, 5=Replace, 6=Log Only, 0x81=Detect Only: Deny, 0x82=Detect Only: Reset, 0x83=Detect Only: Insert, 0x84=Detect Only: Delete, 0x85=Detect Only: Replace. | Intrusion Prevention events |
| ActionBy | String | Name of the Workload Security user who performed the event, or "System" if the event was not generated by a user. | System events |
| ActionString | String | Conversion of Action to a readable string. | Firewall events, Intrusion Prevention events |
| AdministratorID | Integer | Unique identifier of the Workload Security user who performed an action. Events generated by the system and not by a user will not have an identifier. | System events |
| AggregationType | Integer (enum) | Whether or not the Application Control event occurred repeatedly. If "AggregationType" is not "0", then the number of occurrences is in "RepeatCount". 0=Not aggregated, 1=Aggregated based on file name, path and event type, 2=Aggregated based on event type. | Application Control events |
| ApplicationType | String | Name of the network application type associated with the Intrusion Prevention rule, if available. | Intrusion Prevention events |
| BlockReason | Integer (enum) | A reason that corresponds to the Action. 0=Unknown, 1=Blocked due to rule, 2=Blocked due to unrecognized | Application Control events |
| Change | Integer (enum) | What type of change was made to a file, process, registry key, etc. for an Integrity Monitoring event. 1=Created, 2=Updated, 3=Deleted, 4=Renamed. | Integrity Monitoring events |
| ContainerID | String | ID of the container where the event occurred. | Anti-Malware events, Intrusion Prevention events, Firewall events |
| ContainerImageName | String | Image name of the Docker container where the malware was found. | Anti-Malware events |
| ContainerName | String | Name of the container where the event occurred. | Anti-Malware events, Intrusion Prevention events, Firewall events |
| Description | String | Description of the change made to the entity (created, deleted, updated) along with details about the attributes changed. | Integrity Monitoring events |
| Description | String | Brief description of what happened during an event. | System events |
| DestinationIP | String (IP) | The IP address of the destination of a packet. | Firewall events, Intrusion Prevention events |
| DestinationMAC | String (MAC) | The MAC address of the destination of a packet. | Firewall events, Intrusion Prevention events |
| DestinationPort | Integer | The network port number a packet was sent to. | Firewall events, Intrusion Prevention events |
| DetectionCategory | Integer (enum) | The detection category for a Web Reputation event. 12=User Defined, 13=Custom, 91=Global. | Web Reputation events |
| DetectOnly | Boolean | Whether or not the event was returned with the Detect Only flag turned on. If true, the URL was not blocked, but access was detected. | Web Reputation events |
| Direction | Integer (enum) | Network packet direction. 0=Incoming, 1=Outgoing. | Firewall events, Intrusion Prevention events |
| DirectionString | String | Conversion of Direction to a readable string. | Firewall events, Intrusion Prevention events |
| DriverTime | Integer | The time the log was generated as recorded by the driver. | Firewall events, Intrusion Prevention events |
| EndLogDate | String (Date) | The last log date recorded for repeated events. Will not be present for events that did not repeat. | Firewall events, Intrusion Prevention events |
| EngineType | Integer | The Anti-Malware engine type. | Anti-Malware events |
| EngineVersion | String | The Anti-Malware engine version. | Anti-Malware events |
| EntityType | String (enum) | The type of entity an Integrity Monitoring event applies to: Directory, File, Group, InstalledSoftware, Port, Process, RegistryKey, RegistryValue, Service, User, or Wql. | Integrity Monitoring events |
| ErrorCode | Integer | Error code for malware scanning events. If non-zero, the scan failed, and the scan action and scan result fields contain more details. | Anti-Malware events |
| EventID | Integer | The identifier of the event. Identifiers are unique per event type, but events of different types may share the same identifier. For example, it is possible for events with EventType firewall and ips to both have EventID equal to 1. The combination of EventID, EventType and TenantID is required to uniquely identify an event in Workload Security. Note that this property is not related to the "Event ID" property of a System Event in Workload Security. | All event types |
| EventType | String (enum) | The type of the event. One of: "SystemEvent", "PacketLog", "PayloadLog", "AntiMalwareEvent", "WebReputationEvent", "IntegrityEvent", "LogInspectionEvent", "AppControlEvent". | All event types |
| FileName | String | File name of the software that was allowed or blocked, such as "script.sh". (The full path is separate, in "Path".) | Application Control events |
| Flags | String | Flags recorded from a network packet; a space-separated list of strings. | Firewall events, Intrusion Prevention events |
| Flow | Integer (enum) | Network connection flow. Possible values: -1=Not Applicable, 0=Connection Flow, 1=Reverse Flow. | Firewall events, Intrusion Prevention events |
| FlowString | String | Conversion of Flow to a readable string. | Firewall events, Intrusion Prevention events |
| Frame | Integer (enum) | Frame type. -1=Unknown, 2048=IP, 2054=ARP, 32821=REVARP, 33169=NETBEUI, 0x86DD=IPv6. | Firewall events, Intrusion Prevention events |
| FrameString | String | Conversion of Frame to a readable string. | Firewall events, Intrusion Prevention events |
| GroupID | String | The group ID, if any, of the user account that tried to start the software, such as "0". | Application Control events |
| GroupName | String | The group name, if any, of the user account that tried to start the software, such as "root". | Application Control events |
| HostAgentVersion | String | The version of the Deep Security Agent that was protecting the computer where the event was detected. | Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events |
| HostAgentGUID | String | The global unique identifier (GUID) of the Deep Security Agent when activated with Workload Security. | Application Control events |
| HostAssetValue | Integer | The asset value assigned to the computer at the time the event was generated. | Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events, Application Control events |
| HostGroupID | Integer | The unique identifier of the Computer Group of the computer where the event was detected. | Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events |
| HostGroupName | String | The name of the Computer Group of the computer where the event was detected. Note that Computer Group names may not be unique. | Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events |
| HostID | Integer | Unique identifier of the computer where the event occurred. | Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events, Application Control events |
| HostInstanceID | String | The cloud instance ID of the computer where the event was detected. This property will only be set for computers synchronized with a Cloud Connector. | Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events |
| Hostname | String | Hostname of the computer on which the event was generated. | Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events, Application Control events |
| HostOS | String | The operating system of the computer where the event was detected. | Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events, Application Control events |
| HostOwnerID | String | The cloud account ID of the computer where the event was detected. This property will only be set for computers synchronized with a Cloud Connector. | Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events |
| HostSecurityPolicyID | Integer | The unique identifier of the Workload Security policy applied to the computer where the event was detected. | Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events, Application Control events |
| HostSecurityPolicyName | String | The name of the Workload Security policy applied to the computer where the event was detected. Note that security policy names may not be unique. | Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events, Application Control events |
| HostVCUUID | String | The vCenter UUID of the computer the event applies to, if known. | Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events |
| ImageDigest | String | A unique digest that identifies the container image. | Intrusion Prevention events, Firewall events |
| ImageName | String | Image name that was used to create the container where the event occurred. | Intrusion Prevention events, Firewall events |
| InfectedFilePath | String | Path of the infected file in the case of malware detection. | Anti-Malware events |
| InfectionSource | String | The name of the computer that is the source of a malware infection, if known. | Anti-Malware events |
| Interface | String (MAC) | MAC address of the network interface sending or receiving a packet. | Firewall events, Intrusion Prevention events |
| InterfaceType | String | Container interface type. 0=physical interfaces belonging to the host that can be controlled separately in Workload Security, 1=all virtual interfaces, 7=unknown type (typically the host interface). | Intrusion Prevention events, Firewall events |
| IPDatagramLength | Integer | The length of the IP datagram. | Intrusion Prevention events |
| IsHash | String | The SHA-1 content hash (hexadecimal encoded) of the file after it was modified. | Integrity Monitoring events |
| Key | String | The file or registry key an integrity event refers to. | Integrity Monitoring events |
| LogDate | String (Date) | The date and time when the event was recorded. For Deep Security Agent-generated events (Firewall, IPS, etc.), the time is when the event was recorded by the agent, not when the event was received by Workload Security. | All event types |
| MajorVirusType | Integer (enum) | The classification of malware detected. 0=Joke, 1=Trojan, 2=Virus, 3=Test, 4=Spyware, 5=Packer, 6=Generic, 7=Other. | Anti-Malware events |
| MajorVirusTypeString | String | Conversion of MajorVirusType to a readable string. | Anti-Malware events |
| MalwareName | String | The name of the malware detected. | Anti-Malware events |
| MalwareType | Integer (enum) | The type of malware detected. 1=General malware, 2=Spyware. General malware events will have an InfectedFilePath; spyware events will not. | Anti-Malware events |
| ManagerNodeID | Integer | Unique identifier of the Workload Security Node where the event was generated. | System events |
| ManagerNodeName | String | Name of the Workload Security Node where the event was generated. | System events |
| MD5 | String | The MD5 checksum (hash) of the software, if any. | Application Control events |
| Number | Integer | System events have an additional ID that identifies the event. Note that in Workload Security, this property appears as "Event ID". | System events |
| Operation | Integer (enum) | 0=Unknown, 1=Allowed due to detect-only mode, 2=Blocked. | Application Control events |
| Origin | Integer (enum) | The origin of the event. -1=Unknown, 0=Deep Security Agent, 3=Workload Security. | All event types |
| OriginString | String | Conversion of Origin to a human-readable string. | All event types |
| OSSEC_Action | String | OSSEC action | Log Inspection events |
| OSSEC_Command | String | OSSEC command | Log Inspection events |
| OSSEC_Data | String | OSSEC data | Log Inspection events |
| OSSEC_Description | String | OSSEC description | Log Inspection events |
| OSSEC_DestinationIP | String | OSSEC dstip | Log Inspection events |
| OSSEC_DestinationPort | String | OSSEC dstport | Log Inspection events |
| OSSEC_DestinationUser | String | OSSEC dstuser | Log Inspection events |
| OSSEC_FullLog | String | OSSEC full log | Log Inspection events |
| OSSEC_Groups | String | OSSEC groups result (e.g. syslog,authentication_failure) | Log Inspection events |
| OSSEC_Hostname | String | OSSEC hostname. This is the name of the host as read from a log entry, which is not necessarily the same as the name of the host on which the event was generated. | Log Inspection events |
| OSSEC_ID | String | OSSEC id | Log Inspection events |
| OSSEC_Level | Integer (enum) | OSSEC level. An integer in the range 0 to 15 inclusive. 0-3=Low severity, 4-7=Medium severity, 8-11=High severity, 12-15=Critical severity. | Log Inspection events |
| OSSEC_Location | String | OSSEC location | Log Inspection events |
| OSSEC_Log | String | OSSEC log | Log Inspection events |
| OSSEC_ProgramName | String | OSSEC program_name | Log Inspection events |
| OSSEC_Protocol | String | OSSEC protocol | Log Inspection events |
| OSSEC_RuleID | Integer | OSSEC rule id | Log Inspection events |
| OSSEC_SourceIP | Integer | OSSEC srcip | Log Inspection events |
| OSSEC_SourcePort | Integer | OSSEC srcport | Log Inspection events |
| OSSEC_SourceUser | Integer | OSSEC srcuser | Log Inspection events |
| OSSEC_Status | Integer | OSSEC status | Log Inspection events |
| OSSEC_SystemName | Integer | OSSEC systemname | Log Inspection events |
| OSSEC_URL | Integer | OSSEC url | Log Inspection events |
| PacketData | Integer | Hexadecimal encoding of captured packet data, if the rule was configured to capture packet data. | Intrusion Prevention events |
| PacketSize | Integer | The size of the network packet. | Firewall events |
| Path | String | Directory path of the software file that was allowed or blocked, such as "/usr/bin/". (The file name is separate, in "FileName".) | Application Control events |
| PatternVersion | Integer (enum) | The malware detection pattern version. | Anti-Malware events |
| PayloadFlags | Integer | Intrusion Prevention filter flags. A bitmask value that can include the following flag values: 1=Data truncated (data could not be logged), 2=Log Overflow (log overflowed after this log), 4=Suppressed (log threshold suppressed after this log), 8=Have Data (contains packet data), 16=Reference Data (references previously logged data). | Intrusion Prevention events |
| PodID | String | Pod unique ID (UID). | Intrusion Prevention events, Firewall events |
| PosInBuffer | Integer | Position within the packet of the data that triggered the event. | Intrusion Prevention events |
| PosInStream | Integer | Position within the stream of the data that triggered the event. | Intrusion Prevention events |
| Process | String | The name of the process that generated the event, if available. | Integrity Monitoring events |
| ProcessID | Integer | The identifier (PID) of the process that generated the event, if available. | Application Control events, Intrusion Prevention events, Firewall events |
| ProcessName | String | The name of the process that generated the event, if available, such as "/usr/bin/bash". | Application Control events, Intrusion Prevention events, Firewall events |
| Protocol | Integer (enum) | The numerical network protocol identifier. -1=Unknown, 1=ICMP, 2=IGMP, 3=GGP, 6=TCP, 12=PUP, 17=UDP, 22=IDP, 58=ICMPv6, 77=ND, 255=RAW. | Firewall events, Intrusion Prevention events |
| ProtocolString | String | Conversion of Protocol to a readable string. | Firewall events, Intrusion Prevention events |
| Rank | Integer | The numerical rank of the event: the product of the computer's assigned asset value and the severity value setting for an event of this severity. | Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events |
| Reason | String | Name of the Workload Security rule or configuration object that triggered the event, or (for Firewall and Intrusion Prevention) a mapping of Status to a string if the event was not triggered by a rule. For Application Control, "Reason" may be "None"; see "BlockReason" instead. | Firewall events, Intrusion Prevention events, Integrity Monitoring events, Anti-Malware events, Application Control events |
| RepeatCount | Integer | The number of times this event occurred repeatedly. A repeat count of 1 indicates the event was only observed once and did not repeat. | Firewall events, Intrusion Prevention events, Application Control events |
| Risk | Integer (enum) | Translated risk level of the URL accessed. 2=Suspicious, 3=Highly Suspicious, 4=Dangerous, 5=Untested, 6=Blocked by Administrator. | Web Reputation events |
| RiskLevel | Integer | The raw risk level of the URL from 0 to 100. Will not be present if the URL was blocked by a block rule. | Web Reputation events |
| RiskString | String | Conversion of Risk to a readable string. | Web Reputation events |
| ScanAction1 | Integer | Scan action 1. ScanAction1 and ScanAction2, ScanResultAction1 and ScanResultAction2, and ErrorCode are combined to form the single "summaryScanResult". | Anti-Malware events |
| ScanAction2 | Integer | Scan action 2. | Anti-Malware events |
| ScanResultAction1 | Integer | Scan result action 1. | Anti-Malware events |
| ScanResultAction2 | Integer | Scan result action 2. | Anti-Malware events |
| ScanResultString | String | Malware scan result, as a string. A combination of ScanAction1 and ScanAction2, ScanResultAction1 and ScanResultAction2, and ErrorCode. | Anti-Malware events |
| ScanType | Integer (enum) | Malware scan type that created the event. 0=Real-Time, 1=Manual, 2=Scheduled, 3=Quick Scan. | Anti-Malware events |
| ScanTypeString | String | Conversion of ScanType to a readable string. | Anti-Malware events |
| Severity | Integer | 1=Info, 2=Warning, 3=Error. | System events |
| Severity | Integer (enum) | 1=Low, 2=Medium, 3=High, 4=Critical. | Integrity Monitoring events, Intrusion Prevention events |
| SeverityString | String | Conversion of Severity to a human-readable string. | System events, Integrity Monitoring events, Intrusion Prevention events |
| SeverityString | String | Conversion of OSSEC_Level to a human-readable string. | Log Inspection events |
| SHA1 | String | The SHA-1 checksum (hash) of the software, if any. | Application Control events |
| SHA256 | String | The SHA-256 checksum (hash) of the software, if any. | Application Control events |
| SourceIP | String (IP) | The source IP address of a packet. | Firewall events, Intrusion Prevention events |
| SourceMAC | String (MAC) | The source MAC address of the packet. | Firewall events, Intrusion Prevention events |
| SourcePort | Integer | The network source port number of the packet. | Firewall events, Intrusion Prevention events |
| Status | Integer | If this event was not generated by a specific Firewall rule, then this status is one of approximately 50 hard-coded rules, such as 123=Out Of Allowed Policy. | Firewall events |
| Status | Integer | If this event was not generated by a specific IPS rule, then this status is one of approximately 50 hard-coded reasons, such as -504=Invalid UTF8 encoding. | Intrusion Prevention events |
| Tags | String | Comma-separated list of tags that have been applied to the event. This list will only include tags that are automatically applied when the event is generated. | All event types |
| TagSetID | Integer | Identifier of the group of tags that was applied to the event. | All event types |
| TargetID | Integer | Unique identifier of the target of the event. This identifier is unique for targets of the same type within a tenant. It is possible for target IDs to be reused across different types; for example, both a Computer and a Policy may have target ID 10. | System events |
| TargetIP | String (IP) | IP address that was being contacted when a Web Reputation event was generated. | Web Reputation events |
| TargetName | String | The name of the target of the event. The target of a system event can be many things, including computers, policies, users, roles, and tasks. | System events |
| TargetType | String | The type of the target of the event. | System events |
| TenantID | Integer | Unique identifier of the tenant associated with the event. | All event types |
| TenantName | String | Name of the tenant associated with the event. | All event types |
| ThreadID | String | ID of the thread (from the container) that caused the event. | Intrusion Prevention events, Firewall events |
| Title | String | Title of the event. | System events |
| URL | String (URL) | The URL being accessed that generated the event. | Web Reputation events |
| User | String | The user account that was the target of an Integrity Monitoring event, if known. | Integrity Monitoring events |
| UserID | String | The user identifier (UID), if any, of the user account that tried to start the software, such as "0". | Application Control events |
| UserName | String | The user name, if any, of the user account that tried to start the software, such as "root". | Application Control events |
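The following decoders, an added example rather than Trend Micro's own code, apply the enumerations and bitmasks from the table above: the Detect Only bit in Firewall and Intrusion Prevention Action codes, the PayloadFlags bitmask, the per-type Severity code tables, the OSSEC_Level bands, and the AggregationType/RepeatCount rule. It assumes that the EventType value "PacketLog" is the Firewall event type and "PayloadLog" the Intrusion Prevention one; the helper names are invented.

```python
"""Decoders for the enumerated and bitmask properties in the table above.
Example code added to this page, not Trend Micro's own.  Codes are taken
from the table; helper names are mine.  Assumption: EventType "PacketLog"
is the Firewall event type and "PayloadLog" the Intrusion Prevention one."""
from __future__ import annotations

DETECT_ONLY_BIT = 0x80   # 0x81..0x85 are the "Detect Only" forms of 1..5

# Action codes shared by Firewall and Intrusion Prevention events.
_ACTION_NAMES = {0: "Unknown", 1: "Deny", 2: "Reset", 3: "Insert",
                 4: "Delete", 5: "Replace", 6: "Log Only"}
# Firewall events use only a subset; IPS events use the full set.
_ACTION_VALID = {"PacketLog": {0, 1, 6}, "PayloadLog": set(_ACTION_NAMES)}


def decode_action(action: int, event_type: str) -> tuple[str, bool]:
    """Return (action name, detect_only) for a Firewall or IPS Action code.

    A Detect Only code such as 0x81 names the action the rule would have
    taken had it been enforced, so callers can separate real blocks from
    simulated ones instead of treating 0x81 as an unknown value.
    """
    detect_only = bool(action & DETECT_ONLY_BIT)
    base = action & (DETECT_ONLY_BIT - 1)          # strip the 0x80 bit
    if base not in _ACTION_VALID.get(event_type, set()):
        return ("Unknown", detect_only)
    if detect_only and base not in range(1, 6):    # only 0x81..0x85 exist
        return ("Unknown", True)
    return (_ACTION_NAMES[base], detect_only)


# PayloadFlags is a bitmask; more than one flag can be set at once.
_PAYLOAD_FLAGS = ((1, "Data truncated"), (2, "Log Overflow"),
                  (4, "Suppressed"), (8, "Have Data"), (16, "Reference Data"))


def decode_payload_flags(flags: int) -> list[str]:
    """Expand an Intrusion Prevention PayloadFlags value into flag names."""
    return [name for bit, name in _PAYLOAD_FLAGS if flags & bit]


# Severity codes differ by event type: the same integer 3 means "Error" on a
# system event but "High" on an Integrity Monitoring or IPS event.
_SEVERITY_NAMES = {
    "SystemEvent": {1: "Info", 2: "Warning", 3: "Error"},
    "IntegrityEvent": {1: "Low", 2: "Medium", 3: "High", 4: "Critical"},
    "PayloadLog": {1: "Low", 2: "Medium", 3: "High", 4: "Critical"},
}


def ossec_level_to_severity(level: int) -> str:
    """Map OSSEC_Level (0..15) onto the four severity bands of the table."""
    if not 0 <= level <= 15:
        raise ValueError(f"OSSEC_Level out of range: {level}")
    return ("Low", "Medium", "High", "Critical")[level // 4]


def decode_severity(event: dict) -> str:
    """Severity name for an event, using the code table for its type.

    The Severity code table does not list Log Inspection events; their
    SeverityString is derived from OSSEC_Level, so that is decoded instead.
    """
    event_type = event.get("EventType")
    if event_type == "LogInspectionEvent":
        return ossec_level_to_severity(int(event["OSSEC_Level"]))
    table = _SEVERITY_NAMES.get(event_type)
    if table is None:
        raise ValueError(f"no Severity code table for {event_type!r}")
    return table.get(int(event["Severity"]), "Unknown")


def occurrence_count(event: dict) -> int:
    """Occurrences represented by an Application Control event.

    RepeatCount carries the count only when AggregationType is not 0.
    """
    if int(event.get("AggregationType", 0)) == 0:
        return 1
    return int(event["RepeatCount"])
```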

Data types of event properties

Events forwarded as JSON usually use strings to encode other data types.

| Data Type | Description |
|---|---|
| Boolean | JSON true or false. |
| Integer | JSON int. Workload Security does not output floating point numbers in events. Integers in events may be more than 32 bits; verify that the code that processes events can handle this. For example, JavaScript's Number data type cannot safely handle integers larger than 32 bits. |
| Integer (enum) | JSON int, restricted to a set of enumerated values. |
| String | JSON string. |
| String (Date) | JSON string, formatted as a date and time in the pattern YYYY-MM-DDThh:mm:ss.sssZ (ISO 8601). 'Z' is the time zone (UTC). 'sss' are the three digits for sub-seconds. See also the W3C note on date and time formats. |
| String (IP) | JSON string, formatted as an IPv4 or IPv6 address. |
| String (MAC) | JSON string, formatted as a network MAC address. |
| String (URL) | JSON string, formatted as a URL. |
| String (enum) | JSON string, restricted to a set of enumerated values. |

Example events in JSON format

System event

{
  "Type" :            "Notification",
  "MessageId" :       "123abc-123-123-123-123abc",
  "TopicArn" :        "arn:aws:sns:us-west-2:123456789:DS_Events",
  "Message" :         "[
                        {
                          "ActionBy":"System",
                          "Description":"Alert: New Pattern Update is Downloaded and Available\nSeverity: Warning",
                          "EventID":6813,
                          "EventType":"SystemEvent",
                          "LogDate":"2018-12-04T15:54:24.086Z",
                          "ManagerNodeID":123,
                          "ManagerNodeName":"job7-123",
                          "Number":192,
                          "Origin":3,
                          "OriginString":"Manager",
                          "Severity":1,
                          "SeverityString":"Info",
                          "Tags":"",
                          "TargetID":1,
                          "TargetName":"ec2-12-123-123-123.us-west-2.compute.amazonaws.com",
                          "TargetType":"Host",
                          "TenantID":123,
                          "TenantName":"Umbrella Corp.",
                          "Title":"Alert Ended"
                        }
                      ]",
  "Timestamp" :       "2018-12-04T15:54:25.130Z",
  "SignatureVersion" : "1",
  "Signature" :       "500PER10NG5!gnaTURE==",
  "SigningCertURL" :  "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-abc123.pem",
  "UnsubscribeURL" :  "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456:DS_Events:123abc-123-123-123-123abc"
}

Anti-Malware events

Multiple virus detection events can be included in each SNS Message. (For brevity, repeated event properties are omitted below, indicated by "...".)

{
  "Type" :            "Notification",
  "MessageId" :       "123abc-123-123-123-123abc",
  "TopicArn" :        "arn:aws:sns:us-west-2:123456789:DS_Events",
  "Message" :         "[
                        {
                          "AMTargetTypeString":"N/A",
                          "ATSEDetectionLevel":0,
                          "CreationTime":"2018-12-04T15:57:18.000Z",
                          "EngineType":1207959848,
                          "EngineVersion":"10.0.0.1040",
                          "ErrorCode":0,
                          "EventID":1,
                          "EventType":"AntiMalwareEvent",
                          "HostAgentGUID":"4A5BF25A-4446-DD8B-DFB7-564C275F5F6B",
                          "HostAgentVersion":"11.1.0.163",
                          "HostID":1,
                          "HostOS":"Amazon Linux (64 bit) (4.14.62-65.117.amzn1.x86_64)",
                          "HostSecurityPolicyID":3,
                          "HostSecurityPolicyName":"PolicyA",
                          "Hostname":"ec2-12-123-123-123.us-west-2.compute.amazonaws.com",
                          "InfectedFilePath":"/tmp/eicar_1543939038890.txt",
                          "LogDate":"2018-12-04T15:57:19.000Z",
                          "MajorVirusType":2,
                          "MajorVirusTypeString":"Virus",
                          "MalwareName":"Eicar_test_file",
                          "MalwareType":1,
                          "ModificationTime":"2018-12-04T15:57:18.000Z",
                          "Origin":0,
                          "OriginString":"Agent",
                          "PatternVersion":"14.665.00",
                          "Protocol":0,
                          "Reason":"Default Real-Time Scan Configuration",
                          "ScanAction1":4,
                          "ScanAction2":3,
                          "ScanResultAction1":-81,
                          "ScanResultAction2":0,
                          "ScanResultString":"Quarantined",
                          "ScanType":0,
                          "ScanTypeString":"Real Time",
                          "Tags":"",
                          "TenantID":123,
                          "TenantName":"Umbrella Corp."},
                        {
                          "AMTargetTypeString":"N/A",
                          "ATSEDetectionLevel":0,
                          "CreationTime":"2018-12-04T15:57:21.000Z",
                          ...},
                        {
                          "AMTargetTypeString":"N/A",
                          "ATSEDetectionLevel":0,
                          "CreationTime":"2018-12-04T15:57:29.000Z",
                          ...
                        }
                      ]",
  "Timestamp" :       "2018-12-04T15:57:50.833Z",
  "SignatureVersion" : "1",
  "Signature" :       "500PER10NG5!gnaTURE==",
  "SigningCertURL" :  "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-abc123.pem",
  "UnsubscribeURL" :  "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456:DS_Events:123abc-123-123-123-123abc"
}