Threat event payload

You can use the following threat event payloads to trigger asynchronous workflows and synchronizations for event notification webhooks and APIs.

Table 1. Threat attributes
Name Data type Description
data.anomalous_event_count Number An estimate of the number of anomalous events observed during the anomaly duration.
data.anomalous_suspicious_ips String A list of IPs from suspicious_ips that showed anomalous behavior in the last hour when compared with last 7 days behavior.
data.component String The category for the type of events that was analyzed to generate the threat alert. The values can be Login activity or Management activity.
data.compromised_users String A list of users that were successfully accessed from the suspicious IPs during the attack.
data.date Date The date, when the anomaly was observed.
data.end_time String The time up to which the events were analyzed for the anomaly.
data.impacted_user_count Number The number of unique users that logged in during the attack interval.
  • data.most_significant_data_cause
  • data.most_significant_data_client_name
  • data.most_significant_data-mfamethod
  • data.most_significant_data_origin
  • data.most_significant_data_redirecturl
  • data.most_significant_data_scope
  • data.most_significant_data_sourcetype
  • data.most_significant_data_subtype
  • data.most significant_data_username
  • data.most_significant_geoip_country_name
  • data.most_significant_tenantname
 String These attributes contains the list of values responsible for 75% of the suspicious traffic.
data.normal_traffic_volume Number The 90th percentile value of event count from non-anomalous intervals.
data.rule_id String The rule alias.
data.rule_name String A short description of the type of anomaly.
data.severity String The severity level of the alert. For example, warning or critical.
data.source String The fields on which the data is partitioned and fields that are filtered. For example, taken from the config section.
data.start_time String The time from when the anomaly was detected.
data.summary String The overview of the alert that contains the source and time of attack or anomaly.
data.top5_affected_data_grant_type String The top 5 grant types that resulted in the most failures during the anomaly.
data.top5_affected_data_mfamethod String The top 5 types of mfa method that resulted in the most failures during the anomaly
data.top5_affected_data_origin String The top 5 IP addresses of the system were attacked most during the anomaly.
data.top5_affected_data_username String The top 5 IP addresses of the systemusernames were attacked most during the anomaly.
data.top5_affected_geoip_country_name String The top 5 countries from which most of the anomalous traffic originated.
data.top5_affected_tenantname String Top 5 tenantnames that were attacked most during the anomaly.
geoip.city_name

geoio.continent_name

geoip.country_iso_code

geoip.country_name

geoip.location

geoip.region_name

 String Augmented by Event service by using data.origin.

Example

The following code is a sample payload. Use the Events APIs to get the actual attributes. See https://docs.verify.ibm.com/verify/reference/getallevents and https://docs.verify.ibm.com/verify/docs/pulling-event-data.

{
    "data": {
      "date": "2023-07-10",
      "rule_attribute": "ibm:threat_abnormal_user_activities",
      "most_significant_data_origin": [
        "<IP>"
      ],
      "top5_affected_data_username": "{'username': 20}",
      "source": "[('data.mfamethod', 'Voice OTP'), ('data.username', 'username')]",
      "suspicious_ips_count": 1,
      "most_significant_data_mfamethod": [
        "Voice OTP"
      ],
      "most_significant_geoip_country_name": [
        "India"
      ],
      "most_significant_data_grant_type": [],
      "top5_affected_tenantname": "{'tenant_name': 20}",
      "anomalous_event_count": 20,
      "most_significant_tenantname": [
        "tenant_name"
      ],
      "summary": "Abnormal number of device enrollments: 20 anomalous events are observed, beyond normal traffic volume, from 2023-07-10 19:00:00 UTC to 2023-07-10 20:00:00 UTC.",
      "severity": "critical",
      "top5_affected_data_origin": "{'<IP>': 20}",
      "rule_name": "Abnormal number of device enrollments",
      "impacted_user_count": 1,
      "end_time": "2023-07-10 20:00:00",
      "anomalous_suspicious_ips": [
        "<IP>"
      ],
      "rule_id": "ABNORMAL_DEVICE_ENROLLMENT",
      "top5_affected_geoip_country_name": "{'India': 20}",
      "start_time": "2023-07-10 19:00:00",
      "component": "Login activity",
      "normal_traffic_volume": 0,
      "top5_affected_data_grant_type": "{}",
      "top5_affected_data_mfamethod": "{'Voice OTP': 20}",
      "most_significant_data_username": [
        "username"
      ]
    },
    "year": 2023,
    "event_type": "threat",
    "month": 7,
    "indexed_at": 1689019317074,
    "tenantid": "tenant_id",
    "tenantname": "tenant_name",
    "servicename": "Anomaly-Detector",
    "id": "<event_identifier>",
    "time": 1689019315275,
    "day": 10
  }