When published to Amazon SNS, events are sent in the SNS Message as an array of JSON objects that are encoded as strings. Each object in the array is one event.
Valid properties vary by the type of event. For example, MajorVirusType is a valid property only for Server & Workload Protection Anti-Malware events, not for system events or other event types. Valid property values also vary for each property. For examples, see Example events in JSON format.
Event property values can be used to filter which events are published to the SNS topic. For details, see SNS configuration in JSON format.

Valid event properties

Note: Some events don't have all of the properties that usually apply to their event type.

| Property Name | Type | Description | Applies To Event Type(s) |
|---|---|---|---|
| ACRulesetID | Integer | The unique identifier of the Application Control Ruleset applied to the computer where the event was detected. | Application Control events |
| Action | String (enum) | Action taken for the application control event, such as "Execution of Software Blocked by Rule", "Execution of Unrecognized Software Allowed" (due to detect-only mode) or "Execution of Unrecognized Software Blocked". | Application Control events |
| Action | Integer (enum) | Action taken for the firewall event. "Detect Only" values show what would have happened if the rule had been enabled. 0=Unknown, 1=Deny, 6=Log Only, 0x81=Detect Only: Deny. | Firewall events |
| Action | Integer (enum) | Action taken for the Intrusion Prevention event. 0=Unknown, 1=Deny, 2=Reset, 3=Insert, 4=Delete, 5=Replace, 6=Log Only, 0x81=Detect Only: Deny, 0x82=Detect Only: Reset, 0x83=Detect Only: Insert, 0x84=Detect Only: Delete, 0x85=Detect Only: Replace. | Intrusion Prevention events |
| ActionBy | String | Name of the Server & Workload Protection user who performed the event, or "System" if the event was not generated by a user. | System events |
| ActionReasonDesc | String | The reason the Action was blocked. | Application Control events |
| ActionString | String | Conversion of Action to a readable string. | Firewall events, Intrusion Prevention events |
| AdministratorID | Integer | Unique identifier of the Server & Workload Protection user who performed an action. Events generated by the system and not by a user will not have an identifier. | System events |
| AggregationType | Integer (enum) | Whether or not the Application Control event occurred repeatedly. If AggregationType is not 0, the number of occurrences is in RepeatCount. 0=Not aggregated, 1=Aggregated based on file name, path and event type, 2=Aggregated based on event type. | Application Control events |
| AMTarget | String | The file, process, or registry key (if any) that the malware was trying to affect. If the malware was trying to affect more than one, this field contains the value "Multiple". | Anti-Malware events |
| AMTargetCount | Integer | The number of target files. | Anti-Malware events |
| AMTargetType | Integer | The numeric code for the type of system resource that this malware was trying to affect. For the descriptive version, see AMTargetTypeString. 0=Unknown, 1=Process, 2=Registry, 3=File System, 4=Invoke, 5=Exploit, 6=API, 7=Memory, 8=Network Connection, 9=Uncategorized. | Anti-Malware events |
| AMTargetTypeString | String | The type of system resource that this malware was trying to affect, such as the file system, a process, or the Windows registry. | Anti-Malware events |
| ATSEDDetectionLevel | Integer | The detection level of document exploit protection. | Anti-Malware events |
| ApplicationType | String | Name of the network application type associated with the Intrusion Prevention rule, if available. | Intrusion Prevention events |
| BehaviorRuleId | String | The behavior monitoring rule ID for internal malware case tracking. | Anti-Malware events |
| BehaviorType | String | The type of behavior monitoring event detected. | Anti-Malware events |
| BlockReason | Integer (enum) | A reason that corresponds to the Action. 0=Unknown, 1=Blocked due to rule, 2=Blocked due to unrecognized. | Application Control events |
| Change | Integer (enum) | What type of change was made to a file, process, registry key, etc. for an Integrity Monitoring event. 1=Created, 2=Updated, 3=Deleted, 4=Renamed. | Integrity Monitoring events |
| ChangeString | String | What type of change was made to a file, process, registry key, etc. for an Integrity Monitoring event: Created, Updated, Deleted, or Renamed. | Integrity Monitoring events |
| CloudOneAccountID | String | The ID of the Cloud One Account. | All event types |
| CommandLine | String | The command line executed by the subject process. | Anti-Malware events |
| ContainerID | String | ID of the container where the event occurred. | Anti-Malware events, Intrusion Prevention events, Firewall events |
| ContainerImageName | String | Image name of the Docker container where the malware was found. | Anti-Malware events |
| ContainerName | String | Name of the container where the event occurred. | Anti-Malware events, Intrusion Prevention events, Firewall events |
| CreationTime | String (Date) | The creation time of the infected file. | Anti-Malware events |
| Cve | String | The CVE information, if the process behavior is identified as one of the Common Vulnerabilities and Exposures. | Anti-Malware events |
| DataIndex | Integer | A unique ID for packet data. | Intrusion Prevention events |
| Description | String | Description of the change made to the entity (created, deleted, updated) along with details about the attributes changed. | Integrity Monitoring events |
| Description | String | Brief description of what happened during an event. | System events |
| DestinationIP | String (IP) | The IP address of the destination of a packet. | Firewall events, Intrusion Prevention events |
| DestinationMAC | String (MAC) | The MAC address of the destination of a packet. | Firewall events, Intrusion Prevention events |
| DestinationPort | Integer | The network port number a packet was sent to. | Firewall events, Intrusion Prevention events |
| DetectionCategory | Integer (enum) | The detection category for a web reputation event. 12=User Defined, 13=Custom, 91=Global. | Web Reputation events |
| DetectOnly | Boolean | Whether or not the event was returned with the Detect Only flag turned on. If true, the URL was not blocked, but the access was detected. | Web Reputation events |
| Direction | Integer (enum) | Network packet direction. 0=Incoming, 1=Outgoing. | Firewall events, Intrusion Prevention events |
| DirectionString | String | Conversion of Direction to a readable string. | Firewall events, Intrusion Prevention events |
| DriverTime | Integer | The time the log was generated as recorded by the driver. | Firewall events, Intrusion Prevention events |
| EndLogDate | String (Date) | The last log date recorded for repeated events. Not present for events that did not repeat. | Firewall events, Intrusion Prevention events |
| EngineType | Integer | The Anti-Malware engine type. | Anti-Malware events |
| EngineVersion | String | The Anti-Malware engine version. | Anti-Malware events |
| EntityType | String (enum) | The type of entity an integrity monitoring event applies to: Directory, File, Group, InstalledSoftware, Port, Process, RegistryKey, RegistryValue, Service, User, or Wql. | Integrity Monitoring events |
| ErrorCode | Integer | Error code for malware scanning events. If non-zero, the scan failed, and the scan action and scan result fields contain more details. | Anti-Malware events |
| EventID | Integer | DEPRECATED. Use UniqueID instead. The value of this field is always 0 on or after January 1, 2021. | All event types |
| EventType | String (enum) | The type of the event. One of: "SystemEvent", "PacketLog", "PayloadLog", "AntiMalwareEvent", "WebReputationEvent", "IntegrityEvent", "LogInspectionEvent", "AppControlEvent". | All event types |
| FileName | String | File name of the software that was allowed or blocked, such as "script.sh". (The full path is separate, in Path.) | Application Control events |
| FileSHA1 | String | The SHA-1 (Secure Hash Algorithm 1) hash of the infected file. | Anti-Malware events |
| FileSize | Integer | File size of the software that was allowed or blocked. | Application Control events |
| Flags | String | Flags recorded from a network packet; a space-separated list of strings. | Firewall events, Intrusion Prevention events |
| Flow | Integer (enum) | Network connection flow. -1=Not Applicable, 0=Connection Flow, 1=Reverse Flow. | Firewall events, Intrusion Prevention events |
| FlowString | String | Conversion of Flow to a readable string. | Firewall events, Intrusion Prevention events |
| ForwardedSrc | Array (Byte) | The source information of a forwarded packet. | Intrusion Prevention events |
| Frame | Integer (enum) | Frame type. -1=Unknown, 2048=IP, 2054=ARP, 32821=REVARP, 33169=NETBEUI, 0x86DD=IPv6. | Firewall events, Intrusion Prevention events |
| FrameString | String | Conversion of Frame to a readable string. | Firewall events, Intrusion Prevention events |
| GroupID | String | The group ID, if any, of the user account that tried to start the software, such as "0". | Application Control events |
| GroupName | String | The group name, if any, of the user account that tried to start the software, such as "root". | Application Control events |
| HostAgentVersion | String | The version of the agent that was protecting the computer where the event was detected. | Application Control events, Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events |
| HostAgentGUID | String | The globally unique identifier (GUID) of the agent when activated with Server & Workload Protection. | Anti-Malware events, Application Control events, Firewall events, Integrity Monitoring events, Intrusion Prevention events, Log Inspection events, Web Reputation events |
| HostAssetValue | Integer | The asset value assigned to the computer at the time the event was generated. | Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events, Application Control events |
| HostCloudType | String | The cloud service provider where the Deep Security Agent is hosted. | Anti-Malware events, Application Control events, Firewall events, Integrity Monitoring events, Intrusion Prevention events, Log Inspection events, Web Reputation events |
| HostGUID | String | The globally unique identifier (GUID) of the Deep Security Agent. | Anti-Malware events, Application Control events, Firewall events, Integrity Monitoring events, Intrusion Prevention events, Log Inspection events, Web Reputation events |
| HostGroupID | Integer | The unique identifier of the Computer Group of the computer where the event was detected. | Application Control events, Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events |
| HostGroupName | String | The name of the Computer Group of the computer where the event was detected. Note that Computer Group names may not be unique. | Application Control events, Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events |
| HostID | Integer | Unique identifier of the computer where the event occurred. | Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events, Application Control events |
| HostInstanceID | String | The cloud instance ID of the computer where the event was detected. Only set for computers synchronized with a Cloud Connector. | Application Control events, Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events |
| HostLastIPUsed | String (IP) | The latest IP address reported by the agent when it communicated with Deep Security Manager. | Anti-Malware events, Application Control events, Firewall events, Integrity Monitoring events, Intrusion Prevention events, Log Inspection events, Web Reputation events |
| Hostname | String | Hostname of the computer on which the event was generated. | Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events, Application Control events |
| HostOS | String | The operating system of the computer where the event was detected. | Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events, Application Control events |
| HostOwnerID | String | The cloud account ID of the computer where the event was detected. Only set for computers synchronized with a Cloud Connector. | Application Control events, Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events |
| HostSecurityPolicyID | Integer | The unique identifier of the Server & Workload Protection policy applied to the computer where the event was detected. | Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events, Application Control events |
| HostSecurityPolicyName | String | The name of the Server & Workload Protection policy applied to the computer where the event was detected. Note that security policy names may not be unique. | Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events, Application Control events |
| HostVCUUID | String | The vCenter UUID of the computer the event applies to, if known. | Application Control events, Anti-Malware events, Web Reputation events, Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events |
| ImageDigest | String | A unique summary of data used to identify the container image. | Intrusion Prevention events, Firewall events |
| ImageID | String | Image ID of the Docker container where the event occurred. | Intrusion Prevention events |
| ImageName | String | Image name that was used to create the container where the event occurred. | Intrusion Prevention events, Firewall events |
| InfectedFilePath | String | Path of the infected file in the case of malware detection. | Anti-Malware events |
| InfectionSource | String | The name of the computer that is the source of a malware infection, if known. | Anti-Malware events |
| Interface | String (MAC) | MAC address of the network interface sending or receiving a packet. | Firewall events, Intrusion Prevention events |
| InterfaceType | String | Container interface type. 0=physical interfaces belonging to the host that can be controlled separately in Server & Workload Protection, 1=all virtual interfaces, 7=unknown type (typically the host interface). | Intrusion Prevention events, Firewall events |
| IPDatagramLength | Integer | The length of the IP datagram. | Intrusion Prevention events |
| IsHash | String | The SHA-1 content hash (hexadecimal encoded) of the file after it was modified. | Integrity Monitoring events |
| Key | String | The file or registry key an integrity event refers to. | Integrity Monitoring events |
| LogDate | String (Date) | The date and time when the event was recorded. For agent-generated events (Firewall, IPS, etc.), the time is when the event was recorded by the agent, not when it was received by Server & Workload Protection. | All event types |
| MajorVirusType | Integer (enum) | The classification of malware detected. 0=Joke, 1=Trojan, 2=Virus, 3=Test, 4=Spyware, 5=Packer, 6=Generic, 7=Other. | Anti-Malware events |
| MajorVirusTypeString | String | Conversion of MajorVirusType to a readable string. | Anti-Malware events |
| MalwareName | String | The name of the malware detected. | Anti-Malware events |
| MalwareType | Integer (enum) | The type of malware detected. 1=General malware, 2=Spyware. General malware events have an InfectedFilePath; spyware events do not. | Anti-Malware events |
| ManagerNodeID | Integer | Unique identifier of the Server & Workload Protection node where the event was generated. | System events |
| ManagerNodeName | String | Name of the Server & Workload Protection node where the event was generated. | System events |
| MD5 | String | The MD5 checksum (hash) of the software, if any. | Application Control events |
| Mitre | String | The MITRE ATT&CK information, if the process behavior is identified as one of the MITRE attack scenarios. | Anti-Malware events |
| ModificationTime | String (Date) | The modification time of the infected file. | Anti-Malware events |
| Note | Array (Byte) | Encoded note about the packet where the event occurred. | Intrusion Prevention events |
| Number | Integer | An additional ID that identifies a system event. Note that in Server & Workload Protection, this property appears as "Event ID". | System events |
| Operation | Integer (enum) | 0=Unknown, 1=Allowed due to detect-only mode, 2=Blocked. | Application Control events |
| OperationDesc | String | Describes the Operation value. | Application Control events |
| Origin | Integer (enum) | The origin of the event. -1=Unknown, 0=Agent, 3=Server & Workload Protection. | All event types |
| OriginString | String | Conversion of Origin to a human-readable string. | All event types |
| OSSEC_Action | String | OSSEC action. | Log Inspection events |
| OSSEC_Command | String | OSSEC command. | Log Inspection events |
| OSSEC_Data | String | OSSEC data. | Log Inspection events |
| OSSEC_Description | String | OSSEC description. | Log Inspection events |
| OSSEC_DestinationIP | String | OSSEC dstip. | Log Inspection events |
| OSSEC_DestinationPort | String | OSSEC dstport. | Log Inspection events |
| OSSEC_DestinationUser | String | OSSEC dstuser. | Log Inspection events |
| OSSEC_FullLog | String | OSSEC full log. | Log Inspection events |
| OSSEC_Groups | String | OSSEC groups result (e.g. syslog,authentication_failure). | Log Inspection events |
| OSSEC_Hostname | String | OSSEC hostname. This is the name of the host as read from a log entry, which is not necessarily the same as the name of the host on which the event was generated. | Log Inspection events |
| OSSEC_ID | String | OSSEC id. | Log Inspection events |
| OSSEC_Level | Integer (enum) | OSSEC level. An integer in the range 0 to 15 inclusive. 0-3=Low severity, 4-7=Medium severity, 8-11=High severity, 12-15=Critical severity. | Log Inspection events |
| OSSEC_Location | String | OSSEC location. | Log Inspection events |
| OSSEC_Log | String | OSSEC log. | Log Inspection events |
| OSSEC_ProgramName | String | OSSEC program_name. | Log Inspection events |
| OSSEC_Protocol | String | OSSEC protocol. | Log Inspection events |
| OSSEC_RuleID | Integer | OSSEC rule id. | Log Inspection events |
| OSSEC_SourceIP | Integer | OSSEC srcip. | Log Inspection events |
| OSSEC_SourcePort | Integer | OSSEC srcport. | Log Inspection events |
| OSSEC_SourceUser | Integer | OSSEC srcuser. | Log Inspection events |
| OSSEC_Status | Integer | OSSEC status. | Log Inspection events |
| OSSEC_SystemName | Integer | OSSEC systemname. | Log Inspection events |
| OSSEC_URL | Integer | OSSEC url. | Log Inspection events |
| PacketData | Integer | Hexadecimal encoding of captured packet data, if the rule was configured to capture packet data. | Intrusion Prevention events |
| PacketSize | Integer | The size of the network packet. | Firewall events |
| Path | String | Directory path of the software file that was allowed or blocked, such as "/usr/bin/". (The file name is separate, in FileName.) | Application Control events |
| PatternVersion | Integer (enum) | The malware detection pattern version. | Anti-Malware events |
| PayloadFlags | Integer | Intrusion Prevention filter flags. A bitmask that can include the following flag values: 1=Data truncated (data could not be logged), 2=Log overflow (log overflowed after this log), 4=Suppressed (log threshold suppressed logs after this log), 8=Have data (contains packet data), 16=Reference data (references previously logged data). | Intrusion Prevention events |
| PodID | String | Pod unique ID (UID). | Intrusion Prevention events, Firewall events |
| PosInBuffer | Integer | Position within the packet of the data that triggered the event. | Intrusion Prevention events |
| PosInStream | Integer | Position within the stream of the data that triggered the event. | Intrusion Prevention events |
| Process | String | The name of the process that generated the event, if available. | Integrity Monitoring events |
| Process | String | The process name of the behavior monitoring event detected. | Anti-Malware events |
| ProcessID | Integer | The identifier (PID) of the process that generated the event, if available. | Application Control events, Intrusion Prevention events, Firewall events |
| ProcessName | String | The name of the process that generated the event, if available, such as "/usr/bin/bash". | Application Control events, Intrusion Prevention events, Firewall events |
| Protocol | Integer (enum) | The numerical network protocol identifier. -1=Unknown, 1=ICMP, 2=IGMP, 3=GGP, 6=TCP, 12=PUP, 17=UDP, 22=IDP, 58=ICMPv6, 77=ND, 255=RAW. | Firewall events, Intrusion Prevention events |
| Protocol | Integer | The numerical value for the file scan protocol. 0=Local file. | Anti-Malware events |
| ProtocolString | String | Conversion of Protocol to a readable string. | Firewall events, Intrusion Prevention events |
| Rank | Integer | The numerical rank of the event; the product of the computer's assigned asset value and the severity value setting for an event of this severity. | Integrity Monitoring events, Log Inspection events, Firewall events, Intrusion Prevention events |
| Reason | String | Name of the Server & Workload Protection rule or configuration object that triggered the event, or (for Firewall and Intrusion Prevention) a mapping of Status to a string if the event was not triggered by a rule. For Application Control, Reason may be "None"; see BlockReason instead. | Firewall, Intrusion Prevention, Integrity Monitoring, Log Inspection, Anti-Malware, and Application Control events |
| RepeatCount | Integer | The number of times this event occurred repeatedly. A repeat count of 1 indicates the event was observed once and did not repeat. | Firewall events, Intrusion Prevention events, Application Control events |
| Risk | Integer (enum) | Translated risk level of the URL accessed. 2=Suspicious, 3=Highly Suspicious, 4=Dangerous, 5=Untested, 6=Blocked by Administrator. | Web Reputation events |
| RiskLevel | Integer | The raw risk level of the URL, from 0 to 100. Not present if the URL was blocked by a block rule. | Web Reputation events |
| RiskString | String | Conversion of Risk to a readable string. | Web Reputation events |
| ScanAction1 | Integer | Scan action 1. Scan actions 1 and 2, scan result actions 1 and 2, and ErrorCode are combined to form the single "summaryScanResult". | Anti-Malware events |
| ScanAction2 | Integer | Scan action 2. | Anti-Malware events |
| ScanResultAction1 | Integer | Scan result action 1. | Anti-Malware events |
| ScanResultAction2 | Integer | Scan result action 2. | Anti-Malware events |
| ScanResultString | String | Malware scan result, as a string. A combination of ScanAction1 and 2, ScanResultAction1 and 2, and ErrorCode. | Anti-Malware events |
| ScanType | Integer (enum) | Malware scan type that created the event. 0=Real-Time, 1=Manual, 2=Scheduled, 3=Quick Scan. | Anti-Malware events |
| ScanTypeString | String | Conversion of ScanType to a readable string. | Anti-Malware events |
| Severity | Integer | 1=Info, 2=Warning, 3=Error. | System events |
| Severity | Integer (enum) | 1=Low, 2=Medium, 3=High, 4=Critical. | Integrity Monitoring events, Intrusion Prevention events |
| SeverityString | String | Conversion of Severity to a human-readable string. | System events, Integrity Monitoring events, Intrusion Prevention events |
| SeverityString | String | Conversion of OSSEC_Level to a human-readable string. | Log Inspection events |
| SHA1 | String | The SHA-1 checksum (hash) of the software, if any. | Application Control events |
| SHA256 | String | The SHA-256 checksum (hash) of the software, if any. | Application Control events |
| SourceIP | String (IP) | The source IP address of a packet. | Firewall events, Intrusion Prevention events |
| SourceMAC | String (MAC) | The source MAC address of the packet. | Firewall events, Intrusion Prevention events |
| SourcePort | Integer | The network source port number of the packet. | Firewall events, Intrusion Prevention events |
| Status | Integer | If this event was not generated by a specific Firewall rule, this status is one of approximately 50 hard-coded rules, such as 123=Out Of Allowed Policy. | Firewall events |
| Status | Integer | If this event was not generated by a specific IPS rule, this status is one of approximately 50 hard-coded reasons, such as -504=Invalid UTF8 encoding. | Intrusion Prevention events |
| Tags | String | Comma-separated list of tags that have been applied to the event. This list only includes tags that are automatically applied when the event is generated. | All event types |
| TagSetID | Integer | Identifier of the group of tags that was applied to the event. | All event types |
| TargetID | Integer | Unique identifier of the target of the event. This identifier is unique among targets of the same type within a tenant. Target IDs may be reused across different types; for example, both a Computer and a Policy may have target ID 10. | System events |
| TargetIP | String (IP) | IP address that was being contacted when a Web Reputation event was generated. | Web Reputation events |
| TargetName | String | The name of the target of the event. The target of a system event can be many things, including computers, policies, users, roles, and tasks. | System events |
| TargetType | String | The type of the target of the event. | System events |
| TenantGUID | String | The globally unique identifier (GUID) of the tenant associated with the event. | All event types |
| TenantID | Integer | Unique identifier of the tenant associated with the event. | All event types |
| TenantName | String | Name of the tenant associated with the event. | All event types |
| ThreadID | String | ID of the thread (from the container) that caused the event. | Intrusion Prevention events, Firewall events |
| Title | String | Title of the event. | System events |
| UniqueID | Integer | The globally unique identifier of the event; the field that uniquely identifies the event across all platforms, services, and storage types. | All event types |
| URL | String (URL) | The URL being accessed that generated the event. | Web Reputation events |
| User | String | The user account that was the target of an integrity monitoring event, if known. | Integrity Monitoring events |
| UserID | String | The user identifier (UID), if any, of the user account that tried to start the software, such as "0". | Application Control events |
| UserName | String | For Anti-Malware events, the name of the user account that triggered the event. For Application Control events, the user name, if any, of the user account that tried to start the software, such as "root". | Anti-Malware events, Application Control events |

Data types of event properties

Events forwarded as JSON usually use strings to encode other data types.

| Data Type | Description |
|---|---|
| Array (Byte) | JSON array, composed of byte values. |
| Boolean | JSON true or false. |
| Integer | JSON int. Server & Workload Protection does not output floating point numbers in events. |
| Integer (enum) | JSON int, restricted to a set of enumerated values. |
| String | JSON string. |
| String (Date) | JSON string, formatted as a date and time in the pattern YYYY-MM-DDThh:mm:ss.sssZ (ISO 8601). 'Z' is the time zone; 'sss' are the three sub-second digits. See also the W3C note on date and time formats. |
| String (IP) | JSON string, formatted as an IPv4 or IPv6 address. |
| String (MAC) | JSON string, formatted as a network MAC address. |
| String (URL) | JSON string, formatted as a URL. |
| String (enum) | JSON string, restricted to a set of enumerated values. |

Note: Integers in events may be more than 32 bits. Verify that the code that processes events can handle this. For example, JavaScript's Number data type cannot safely handle integers larger than 32 bits.

Example events in JSON format

System event

The Message value is shown unescaped and pretty-printed for readability; as delivered, it is a single JSON-encoded string.
{
  "Type" :            "Notification",
  "MessageId" :       "123abc-123-123-123-123abc",
  "TopicArn" :        "arn:aws:sns:us-west-2:123456789:DS_Events",
  "Message" :         "[
                        {
                          "ActionBy":"System",
                          "CloudOneAccountID": "012345678900",
                          "Description":"Alert: New Pattern Update is Downloaded and Available\nSeverity: Warning",
                          "EventID":6813,
                          "EventType":"SystemEvent",
                          "LogDate":"2018-12-04T15:54:24.086Z",
                          "ManagerNodeID":123,
                          "ManagerNodeName":"job7-123",
                          "Number":192,
                          "Origin":3,
                          "OriginString":"Manager",
                          "Severity":1,
                          "SeverityString":"Info",
                          "Tags":"",
                          "TargetID":1,
                          "TargetName":"ec2-12-123-123-123.us-west-2.compute.amazonaws.com",
                          "TargetType":"Host",
                          "TenantID":123,
                          "TenantName":"Umbrella Corp.",
                          "Title":"Alert Ended",
                          "UniqueID": "2e447b1889e712340f6d071cebd92ea9"
                        }
                      ]",
  "Timestamp" :       "2018-12-04T15:54:25.130Z",
  "SignatureVersion" : "1",
  "Signature" :       "500PER10NG5!gnaTURE==",
  "SigningCertURL" :  "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-abc123.pem",
  "UnsubscribeURL" :  "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456:DS_Events:123abc-123-123-123-123abc"
}

Anti-Malware events

Multiple virus detection events can be in each SNS Message. (For brevity, repeated event properties are omitted below, indicated by "...".)
{
  "Type" :            "Notification",
  "MessageId" :       "123abc-123-123-123-123abc",
  "TopicArn" :        "arn:aws:sns:us-west-2:123456789:DS_Events",
  "Message" :         "[
                        {
                          "AMTarget": "VDSO memory",
                          "AMTargetCount": 1,
                          "AMTargetType": 7,
                          "AMTargetTypeString": "Memory",
                          "ATSEDetectionLevel": 0,
                          "BehaviorRuleId": "DIRTYCOW_MADVISE_EXPL",
                          "BehaviorType": "Exploit_Detection",
                          "CloudOneAccountID": "012345678900",
                          "CommandLine": "/tmp/demo -f esiv [xxxx]",
                          "Cve": "CVE-2016-5195",
                          "ErrorCode": 0,
                          "EventID": 1179519,
                          "EventType": "AntiMalwareEvent",
                          "FileSHA1": "CEF4644713633C0864D4283FEFA0CE174D48F115",
                          "HostAgentGUID": "FF8162DF-4CB5-B158-DE42-EBD52967FCF7",
                          "HostAgentVersion": "20.0.0.1685",
                          "HostGUID": "9089E800-41D3-2CA9-FF0B-3A30A42ED650",
                          "HostID": 38,
                          "HostLastIPUsed": "172.31.21.47",
                          "HostOS": "Red Hat Enterprise 7 (64 bit) (3.10.0-957.12.2.el7.x86_64)",
                          "HostSecurityPolicyID": 11,
                          "HostSecurityPolicyName": "Linux_AM_Sensor",
                          "Hostname": "ec2-3-131-151-239.us-east-2.compute.amazonaws.com",
                          "InfectedFilePath": "/tmp/demo",
                          "LogDate": "2021-01-07T10:32:11.000Z",
                          "MajorVirusType": 14,
                          "MajorVirusTypeString": "Suspicious Activity",
                          "MalwareName": "TM_MALWARE_BEHAVIOR",
                          "MalwareType": 4,
                          "Mitre": "T1068",
                          "Origin": 0,
                          "OriginString": "Agent",
                          "PatternVersion": "1.2.1189",
                          "Process": "testsys_m64",
                          "Protocol": 0,
                          "Reason": "Default Real-Time Scan Configuration",
                          "ScanAction1": 1,
                          "ScanAction2": 0,
                          "ScanResultAction1": 0,
                          "ScanResultAction2": 0,
                          "ScanResultString": "Passed",
                          "ScanType": 0,
                          "ScanTypeString": "Real Time",
                          "Tags": "",
                          "TenantGUID": "",
                          "TenantID": 0,
                          "TenantName": "Primary",
                          "UniqueID": "2e447b1889e712340f6d071cebd92ea9",
                          "UserName": "root"
                        }
                      ]",
  "Timestamp" :       "2018-12-04T15:57:50.833Z",
  "SignatureVersion" : "1",
  "Signature" :       "500PER10NG5!gnaTURE==",
  "SigningCertURL" :  "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-abc123.pem",
  "UnsubscribeURL" :  "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456:DS_Events:123abc-123-123-123-123abc"
}
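As an added example (not part of the original documentation or the product's own code), the following Python consumer decodes the Message string carrying the event array, validates each event's EventType, maps the per-type Severity and OSSEC_Level enumerations from the property table to text, parses LogDate, and flags integers beyond the range the Data types note warns about. The SNS notification it parses is constructed for the example; the OSSEC rule ID and description inside it are placeholders.

```python
import json
from datetime import datetime, timezone

# Enumerations copied from the property table above.
EVENT_TYPES = {"SystemEvent", "PacketLog", "PayloadLog", "AntiMalwareEvent",
               "WebReputationEvent", "IntegrityEvent", "LogInspectionEvent", "AppControlEvent"}
SYSTEM_SEVERITY = {1: "Info", 2: "Warning", 3: "Error"}
RULE_SEVERITY = {1: "Low", 2: "Medium", 3: "High", 4: "Critical"}  # Integrity Monitoring, IPS
ORIGIN = {-1: "Unknown", 0: "Agent", 3: "Server & Workload Protection"}
MAJOR_VIRUS_TYPE = {0: "Joke", 1: "Trojan", 2: "Virus", 3: "Test", 4: "Spyware",
                    5: "Packer", 6: "Generic", 7: "Other"}
MAX_SAFE_INT = 2 ** 53 - 1  # largest integer a JavaScript Number represents exactly

# Constructed sample notification (hypothetical, not a real capture). "Message" is the
# JSON-encoded string carrying the event array, exactly as SNS delivers it.
SAMPLE_NOTIFICATION = {
    "Type": "Notification",
    "MessageId": "00000000-0000-0000-0000-000000000000",
    "TopicArn": "arn:aws:sns:us-west-2:000000000000:DS_Events",
    "Message": json.dumps([
        {"EventType": "SystemEvent", "LogDate": "2021-01-07T10:32:11.000Z",
         "UniqueID": "2e447b1889e712340f6d071cebd92ea9", "TenantID": 0, "Origin": 3,
         "Severity": 2, "Title": "Alert Ended", "TargetName": "host-01",
         "TagSetID": 9007199254740993},  # constructed to exceed 2**53 - 1 on purpose
        {"EventType": "AntiMalwareEvent", "LogDate": "2021-01-07T10:35:02.417Z",
         "UniqueID": "5f1c0d3e7a9b4c2d8e6f0a1b2c3d4e5f", "TenantID": 0, "Origin": 0,
         "MajorVirusType": 3, "MalwareName": "Eicar_test_file",
         "InfectedFilePath": "/tmp/eicar.com", "ScanResultString": "Quarantined"},
        {"EventType": "LogInspectionEvent", "LogDate": "2021-01-07T10:36:40.000Z",
         "UniqueID": "0a0a0a0a0b0b0b0b0c0c0c0c0d0d0d0d", "TenantID": 0, "Origin": 0,
         "OSSEC_Level": 10, "OSSEC_RuleID": 100001,  # placeholder rule id
         "OSSEC_Description": "constructed: repeated authentication failures"},
    ]),
    "Timestamp": "2021-01-07T10:36:41.000Z",
}

def parse_log_date(value):
    """Parse the YYYY-MM-DDThh:mm:ss.sssZ (ISO 8601, UTC) form used by LogDate."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def decode_events(notification):
    """Return the event dicts in Message; reject anything that is not a JSON array
    of objects with a documented EventType, so unexpected payloads fail loudly."""
    if notification.get("Type") != "Notification":
        raise ValueError("not an SNS Notification: %r" % notification.get("Type"))
    events = json.loads(notification["Message"])
    if not isinstance(events, list):
        raise ValueError("Message must decode to a JSON array of events")
    for event in events:
        if not isinstance(event, dict) or event.get("EventType") not in EVENT_TYPES:
            raise ValueError("unknown or missing EventType: %r" % (event,))
    return events

def unsafe_integers(event):
    """Names of integer properties a JavaScript Number (53-bit mantissa) would corrupt."""
    return sorted(k for k, v in event.items()
                  if isinstance(v, int) and not isinstance(v, bool) and abs(v) > MAX_SAFE_INT)

def severity_string(event):
    """Map numeric severity to text using the per-event-type enums from the table."""
    event_type = event["EventType"]
    if event_type == "SystemEvent":
        return SYSTEM_SEVERITY.get(event.get("Severity"), "Unknown")
    if event_type in ("IntegrityEvent", "PayloadLog"):
        return RULE_SEVERITY.get(event.get("Severity"), "Unknown")
    if event_type == "LogInspectionEvent":
        level = event.get("OSSEC_Level")
        if isinstance(level, int) and 0 <= level <= 15:  # 0-3 Low ... 12-15 Critical
            return ("Low", "Medium", "High", "Critical")[level // 4]
    return "Unknown"

def summarize(event):
    """One-line summary per event type, using only properties the table lists for it."""
    event_type = event["EventType"]
    if event_type == "SystemEvent":
        return "%s (target: %s)" % (event.get("Title", "?"), event.get("TargetName", "?"))
    if event_type == "AntiMalwareEvent":
        kind = MAJOR_VIRUS_TYPE.get(event.get("MajorVirusType"), "Unknown")
        # Spyware events (MalwareType 2) carry no InfectedFilePath; fall back to AMTarget.
        where = event.get("InfectedFilePath") or event.get("AMTarget") or "(no path)"
        return "%s [%s] at %s: %s" % (event.get("MalwareName", "?"), kind, where,
                                      event.get("ScanResultString", "?"))
    if event_type == "LogInspectionEvent":
        return "OSSEC rule %s: %s" % (event.get("OSSEC_RuleID", "?"),
                                      event.get("OSSEC_Description", "?"))
    return event_type

def normalize(notification):
    """Decode, validate and flatten every event into a consumer-friendly record."""
    return [{
        "event_type": event["EventType"],
        "unique_id": str(event.get("UniqueID", "")),
        "tenant_id": event.get("TenantID"),
        "origin": ORIGIN.get(event.get("Origin"), "Unknown"),
        "log_date": parse_log_date(event["LogDate"]),
        "severity": severity_string(event),
        "summary": summarize(event),
        "unsafe_int_fields": unsafe_integers(event),
    } for event in decode_events(notification)]
```

Events whose type has no documented severity enum (Anti-Malware, Firewall, Web Reputation, Application Control) are reported as "Unknown" rather than guessed.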