Threat event payload
You can use the following threat event payloads to trigger asynchronous workflows and synchronizations for event notification webhooks and APIs.
Name | Data type | Description |
---|---|---|
data.anomalous_event_count | Number | An estimate of the number of anomalous events observed during the anomaly duration. |
data.anomalous_suspicious_ips | String | A list of IPs from suspicious_ips that showed anomalous behavior in the last hour when compared with the behavior of the last 7 days. |
data.component | String | The category of the events that were analyzed to generate the threat alert. The values can be Login activity or Management activity. |
data.compromised_users | String | A list of users that were successfully accessed from the suspicious IPs during the attack. |
data.date | Date | The date on which the anomaly was observed. |
data.end_time | String | The time up to which the events were analyzed for the anomaly. |
data.impacted_user_count | Number | The number of unique users that logged in during the attack interval. |
| String | These attributes contain the list of values responsible for 75% of the suspicious traffic. |
data.normal_traffic_volume | Number | The 90th percentile value of the event count from non-anomalous intervals. |
data.rule_id | String | The rule alias. |
data.rule_name | String | A short description of the type of anomaly. |
data.severity | String | The severity level of the alert. For example, warning or critical. |
data.source | String | The fields on which the data is partitioned and the fields that are filtered, as taken from the config section. |
data.start_time | String | The time from which the anomaly was detected. |
data.summary | String | The overview of the alert, containing the source and time of the attack or anomaly. |
data.top5_affected_data_grant_type | String | The top 5 grant types that resulted in the most failures during the anomaly. |
data.top5_affected_data_mfamethod | String | The top 5 MFA methods that resulted in the most failures during the anomaly. |
data.top5_affected_data_origin | String | The top 5 IP addresses from which the system was attacked most during the anomaly. |
data.top5_affected_data_username | String | The top 5 usernames that were attacked most during the anomaly. |
data.top5_affected_geoip_country_name | String | The top 5 countries from which most of the anomalous traffic originated. |
data.top5_affected_tenantname | String | The top 5 tenant names that were attacked most during the anomaly. |
Example
The following code is a sample payload. Use the Events APIs to get the actual attributes. See https://docs.verify.ibm.com/verify/reference/getallevents and https://docs.verify.ibm.com/verify/docs/pulling-event-data.
```json
{
  "data": {
    "date": "2023-07-10",
    "rule_attribute": "ibm:threat_abnormal_user_activities",
    "most_significant_data_origin": [
      "<IP>"
    ],
    "top5_affected_data_username": "{'username': 20}",
    "source": "[('data.mfamethod', 'Voice OTP'), ('data.username', 'username')]",
    "suspicious_ips_count": 1,
    "most_significant_data_mfamethod": [
      "Voice OTP"
    ],
    "most_significant_geoip_country_name": [
      "India"
    ],
    "most_significant_data_grant_type": [],
    "top5_affected_tenantname": "{'tenant_name': 20}",
    "anomalous_event_count": 20,
    "most_significant_tenantname": [
      "tenant_name"
    ],
    "summary": "Abnormal number of device enrollments: 20 anomalous events are observed, beyond normal traffic volume, from 2023-07-10 19:00:00 UTC to 2023-07-10 20:00:00 UTC.",
    "severity": "critical",
    "top5_affected_data_origin": "{'<IP>': 20}",
    "rule_name": "Abnormal number of device enrollments",
    "impacted_user_count": 1,
    "end_time": "2023-07-10 20:00:00",
    "anomalous_suspicious_ips": [
      "<IP>"
    ],
    "rule_id": "ABNORMAL_DEVICE_ENROLLMENT",
    "top5_affected_geoip_country_name": "{'India': 20}",
    "start_time": "2023-07-10 19:00:00",
    "component": "Login activity",
    "normal_traffic_volume": 0,
    "top5_affected_data_grant_type": "{}",
    "top5_affected_data_mfamethod": "{'Voice OTP': 20}",
    "most_significant_data_username": [
      "username"
    ]
  },
  "year": 2023,
  "event_type": "threat",
  "month": 7,
  "indexed_at": 1689019317074,
  "tenantid": "tenant_id",
  "tenantname": "tenant_name",
  "servicename": "Anomaly-Detector",
  "id": "<event_identifier>",
  "time": 1689019315275,
  "day": 10
}
```
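A webhook consumer for the payload above, written as an added example (it is not IBM code and does not use the Verify SDK). It handles the one quirk the sample shows: the top5_affected_* and source fields are Python-style literals inside JSON strings, so they are parsed with ast.literal_eval (literals only, no code execution) rather than json or eval; the sample event and the page_oncall rule are constructed for the example.

```python
import ast

# Constructed sample trimmed from the page's example; "<IP>" is a placeholder.
SAMPLE_EVENT = {
    "event_type": "threat",
    "data": {
        "rule_id": "ABNORMAL_DEVICE_ENROLLMENT",
        "severity": "critical",
        "start_time": "2023-07-10 19:00:00",
        "end_time": "2023-07-10 20:00:00",
        "anomalous_event_count": 20,
        "normal_traffic_volume": 0,
        "impacted_user_count": 1,
        "source": "[('data.mfamethod', 'Voice OTP'), ('data.username', 'username')]",
        "top5_affected_data_origin": "{'<IP>': 20}",
    },
}
TOP5_FIELDS = ("top5_affected_data_origin", "top5_affected_data_username",
               "top5_affected_data_mfamethod", "top5_affected_data_grant_type",
               "top5_affected_geoip_country_name", "top5_affected_tenantname")

def parse_counts(value):
    """top5_affected_* arrives as a Python dict literal in a string ("{'<IP>': 20}").
    ast.literal_eval accepts literals only, so a crafted value cannot run code."""
    parsed = ast.literal_eval(value)
    if not isinstance(parsed, dict):
        raise ValueError("top5 field is not a dict literal")
    return {str(k): int(v) for k, v in parsed.items()}

def parse_source(value):
    """data.source is a list of (field, value) tuples in the same repr form."""
    parsed = ast.literal_eval(value)
    if not isinstance(parsed, list):
        raise ValueError("source is not a list of (field, value) pairs")
    return dict(parsed)

def triage(event):
    if event.get("event_type") != "threat":
        raise ValueError("not a threat event")
    d = event["data"]
    top5 = {f: parse_counts(d[f]) for f in TOP5_FIELDS if f in d}
    return {
        "rule_id": d["rule_id"],
        "window_utc": (d["start_time"], d["end_time"]),
        "excess_events": d["anomalous_event_count"] - d["normal_traffic_volume"],
        "partition": parse_source(d["source"]),
        "top_origins": sorted(top5["top5_affected_data_origin"].items(), key=lambda kv: -kv[1]),
        "page_oncall": d["severity"] == "critical" and d["impacted_user_count"] > 0,
    }
```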