
Illumio Core 22.5 Administration Guide

Examples of Events

This section presents examples of recorded events in JSON, CEF, and LEEF for various auditing needs.

User Password Update Failed (JSON)

This example event shows a user password change that failed validation. The event_type is user.update_password with "status": "failure", and the user.pw_complexity_not_met and user.pw_change_failure notifications show that the user's attempted new password did not meet the complexity requirements, with the reason given in the notification's info.

{
        "href": "/orgs/1/events/xxxxxxxx-39bd-43f1-a680-cc17c6984925",
        "timestamp": "2018-08-29T22:07:00.978Z",
        "pce_fqdn": "pce1.bigco.com",
        "created_by": {
               "system": {}
        },
        "event_type": "user.update_password",
        "status": "failure",
        "severity": "info",
        "action": {
               "uuid": "xxxxxxxx-a5f7-4975-a2a5-b4dbd8b74493",
               "api_endpoint": "/login/users/password/update",
               "api_method": "PUT",
               "http_status_code": 302,
               "src_ip": "10.3.6.116"
        },
        "resource_changes": [],
        "notifications": [{
               "uuid": "xxxxxxxx-7b8e-4205-a62a-1f070d8a0ee2",
               "notification_type": "user.pw_complexity_not_met",
               "info": null
        }, {
               "uuid": "xxxxxxxx-9721-4971-b613-d15aa67a4ee7",
               "notification_type": "user.pw_change_failure",
               "info": {
                       "reason": "Password must have minimum of 1 new character(s)"
               }
        }],
        "version": 2
}
Resource Updated (JSON)

This example shows the before and after values of a successful rule_set.update event. The name of the ruleset changed from "before": "rule_set_2" to "after": "rule_set_3".

{ "href": "/orgs/1/events/xxxxxxxx-8033-4f1a-83e9-fde57c425807",
"timestamp": "2018-08-29T22:04:04.733Z",
"pce_fqdn": "pce1.bigco.com",
"created_by": {
"user": {
"href": "/users/1",
"username": "[email protected]"
}
},
"event_type": "rule_set.update",
"status": "success",
"severity": "info",
"action": {
"uuid": "xxxxxxxx-7488-480b-9ef9-0cd2a8496004",
"api_endpoint": "/api/v2/orgs/1/sec_policy/draft/rule_sets/6",
"api_method": "PUT",
"http_status_code": 204,
"src_ip": "10.3.6.116"
},
"resource_changes": [{
"uuid": "xxxxxxxx-1d13-4e5e-8f0b-e0e8bccc44e0",
"resource": {
"rule_set": {
"href": "/orgs/1/sec_policy/draft/rule_sets/6",
"name": "rule_set_3",
"scopes": [
[{
"label": {
"href": "/orgs/1/labels/19",
"key": "app",
"value": "app2"
}
}, {
"label": {
"href": "/orgs/1/labels/20",
"key": "env",
"value": "env2"
}
}, {
"label": {
"href": "/orgs/1/labels/21",
"key": "loc",
"value": "loc2"
}
}]
]
}
},
"changes": {
"name": {
"before": "rule_set_2",
"after": "rule_set_3"
}
},
"change_type": "update"
}],
"notifications": [],
"version": 2
}
Security Rule Created (JSON)

In this example of a successful sec_rule.create composite event, a new security rule is created. Because this is a creation event, the before values are null.

{ "href": "/orgs/1/events/xxxxxxxx-6d29-4905-ad32-ee863fb63697",
"timestamp": "2018-08-29T21:48:28.954Z",
"pce_fqdn": "pce24.bigco.com",
"created_by": {
"user": {
"href": "/users/1",
"username": "[email protected]"
}
},
"event_type": "sec_rule.create",
"status": "success",
"severity": "info",
"action": {
"uuid": "xxxxxxxx-165b-4e06-aaac-60e4d8b0b9a0",
"api_endpoint": "/api/v2/orgs/1/sec_policy/draft/rule_sets/1/sec_rules",
"api_method": "POST",
"http_status_code": 201,
"src_ip": "10.6.1.156"
},
"resource_changes": [{
"uuid": "9fcf6feb-bf25-4de8-a68a-a50598df4cf6",
"resource": {
"sec_rule": {
"href": "/orgs/1/sec_policy/draft/rule_sets/1/sec_rules/5"
}
},
"changes": {
"rule_list": {
"before": null,
"after": {
"href": "/orgs/1/sec_policy/draft/rule_sets/1"
}
},
"description": {
"before": null,
"after": "WinRM HTTP/HTTPS and RDP"
},
"type": {
"before": null,
"after": "SecRule"
},
"resolve_labels": {
"before": null,
"after": "1010"
},
"providers": {
"created": [{
"provider": true,
"actors": "ams"
}]
},
"consumers": {
"created": [{
"provider": false,
"actors": "ams"
}, {
"provider": false,
"ip_list": {
"href": "/orgs/1/sec_policy/draft/ip_lists/1"
}
}]
},
"ingress_services": {
"created": [{
"href": "/orgs/1/sec_policy/draft/services/7",
"name": "WinRM HTTP/HTTPS and RDP"
}]
}
},
"change_type": "create"
}],
"notifications": [],
"version": 2
}
User Logged In (JSON)

A successful login is recorded as two events: user.sign_in on /login/users/sign_in, whose resource change increments the user's sign_in_count and adds a user.login_session_created notification, followed by user.login on /api/v2/users/login with a user.pce_session_created notification.
[
{
  "href": "/orgs/1/events/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "timestamp": "2019-06-25T23:34:12.948Z",
  "pce_fqdn": "someFullyQualifiedDomainName",
  "created_by": {
    "user": {
      "href": "/users/1",
      "username": "someUser@someDomain"
    }
  },
  "event_type": "user.sign_in",
  "status": "success",
  "severity": "info",
  "action": {
    "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "api_endpoint": "/login/users/sign_in",
    "api_method": "POST",
    "http_status_code": 302,
    "src_ip": "xxx.xxx.xx.x"
  },
  "resource_changes": [
    {
      "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "resource": {
        "user": {
          "href": "/users/1",
          "type": "local",
          "username": "someUser@someDomain"
        }
      },
      "changes": {
        "sign_in_count": {
          "before": 4,
          "after": 5
        }
      },
      "change_type": "update"
    }
  ],
  "notifications": [
    {
      "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "notification_type": "user.login_session_created",
      "info": {
        "user": {
          "href": "/users/1",
          "type": "local",
          "username": "someUser@someDomain"
        }
      }
    }
  ]
},
{
  "href": "/orgs/1/events/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "timestamp": "2019-06-25T23:34:15.147Z",
  "pce_fqdn": "someFullyQualifiedDomainName",
  "created_by": {
    "user": {
      "href": "/users/1",
      "username": "someUser@someDomain"
    }
  },
  "event_type": "user.login",
  "status": "success",
  "severity": "info",
  "action": {
    "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "api_endpoint": "/api/v2/users/login",
    "api_method": "GET",
    "http_status_code": 200,
    "src_ip": "xxx.xxx.xx.x"
  },
  "resource_changes": [
 
  ],
  "notifications": [
    {
      "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "notification_type": "user.pce_session_created",
      "info": {
        "user": {
          "href": "/users/1",
          "username": "someUser@someDomain"
        }
      }
    }
  ]
}
]
User Logged Out (JSON)

A logout is recorded as a user.sign_out event on /login/logout with a user.login_session_terminated notification whose reason is user_logout.
[
{
  "href": "/orgs/1/events/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "timestamp": "2019-06-25T23:35:16.636Z",
  "pce_fqdn": "someFullyQualifiedDomainName",
  "created_by": {
    "user": {
      "href": "/users/1",
      "username": "someUser@someDomain"
    }
  },
  "event_type": "user.sign_out",
  "status": "success",
  "severity": "info",
  "action": {
    "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "api_endpoint": "/login/logout",
    "api_method": "GET",
    "http_status_code": 302,
    "src_ip": "xxx.xxx.xx.x"
  },
  "resource_changes": [
 
  ],
  "notifications": [
    {
      "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "notification_type": "user.login_session_terminated",
      "info": {
        "reason": "user_logout",
        "user": {
          "href": "/users/1",
          "username": "someUser@someDomain"
        }
      }
    }
  ]
},
{
  "href": "/orgs/1/events/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "timestamp": "2019-06-25T23:35:16.636Z",
  "pce_fqdn": "someFullyQualifiedDomainName",
  "created_by": {
    "user": {
      "href": "/users/1",
      "username": "someUser@someDomain"
    }
  },
  "event_type": "user.sign_out",
  "status": "success",
  "severity": "info",
  "action": {
    "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "api_endpoint": "/login/logout",
    "api_method": "GET",
    "http_status_code": 302,
    "src_ip": "xxx.xxx.xx.x"
  },
  "resource_changes": [
 
  ],
  "notifications": [
    {
      "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "notification_type": "user.login_session_terminated",
      "info": {
        "reason": "user_logout",
        "user": {
          "href": "/users/1",
          "username": "someUser@someDomain"
        }
      }
    }
  ]
}
]
Login Failed — Incorrect Username (JSON)

In this example the sign-in fails because the supplied username is not a known user: created_by is system rather than a user, status is failure, and the user.login_failed notification records the supplied_username together with the src_ip of the attempt.
{
  "href": "/orgs/1/events/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "timestamp": "2019-06-25T23:35:41.560Z",
  "pce_fqdn": "someFullyQualifiedDomainName",
  "created_by": {
    "system": {
    }
  },
  "event_type": "user.sign_in",
  "status": "failure",
  "severity": "info",
  "action": {
    "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "api_endpoint": "/login/users/sign_in",
    "api_method": "POST",
    "http_status_code": 200,
    "src_ip": "xxx.xxx.xx.x"
  },
  "resource_changes": [
 
  ],
  "notifications": [
    {
      "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "notification_type": "user.login_failed",
      "info": {
        "associated_user": {
          "supplied_username": "invalid_username@someDomain"
        }
      }
    }
  ]
}
Login Failed — Incorrect Password (JSON)

In this example the sign-in fails because the password is wrong; unlike the previous example, the supplied_username is an existing user, but created_by is still system and status is failure.
{
  "href": "/orgs/1/events/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "timestamp": "2019-06-25T23:35:27.649Z",
  "pce_fqdn": "someFullyQualifiedDomainName",
  "created_by": {
    "system": {
    }
  },
  "event_type": "user.sign_in",
  "status": "failure",
  "severity": "info",
  "action": {
    "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "api_endpoint": "/login/users/sign_in",
    "api_method": "POST",
    "http_status_code": 200,
    "src_ip": "xxx.xxx.xx.x"
  },
  "resource_changes": [
 
  ],
  "notifications": [
    {
      "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "notification_type": "user.login_failed",
      "info": {
        "associated_user": {
          "supplied_username": "someUser@someDomain"
        }
      }
    }
  ]
}
User Log Out (CEF)

This example of an event record in CEF shows a successful user log out.

CEF:0|Illumio|PCE|19.3.0|user.logout.success|User Logout Success|1|rt=Mar 06 2020 
18:38:59.900 +0000 dvchost=mypce.com duser=system dst=10.6.5.4 outcome=success 
cat=audit_events request=/api/v2/users/logout_from_jwt requestMethod=POST reason=204
 cs2= cs2Label=resource_changes cs4=[{"uuid":"b5ba8bf0-7ca8-47fc-870f-6c61ddc1648d",
"notification_type":"user.pce_session_terminated","info":{"reason":"user_logout",
"user":{"href":"/users/1","username":"[email protected]"}}}] cs4Label=notifications 
cn2=2 cn2Label=schema-version cs1Label=event_href cs1=/system_events/
e97bd255-4316-4b5e-a885-5b937f756f17
Workload Security Policy Updated (LEEF)

This example of an event record in LEEF shows a successful update of security policy for a workload's Ethernet interfaces.

LEEF:2.0|Illumio|PCE|18.2.0|interface_status.update.success|src=xx.xxx.xxx.xxx
cat=organizational devTime=someUTCdatetime devTimeFormat=yyyy-mm-dd'T'HH:mm:ss.ttttttZ
sev=1 
usrName=albert.einstein url=/orgs/7/agents/someUUID version=2 pce_fqdn=someFQDN 
created_by={"agent":{"href":"/orgs/7/agents/someUUID","hostname":"someHostname"}} 
action={"uuid":"someUUID",
"api_endpoint":"/api/v6/orgs/7/agents/xxxxxx/interface_statuses/update",
"api_method":"PUT","http_status_code":200,"src_ip":"someIP"} 
resource_changes=[{"uuid":"someUUID",
"resource":{"workload":{"href":"/orgs/7/workloads/someUUID","name":null,
"hostname":"someHostname",
"labels":[{"href":"/orgs/7/labels/xxxxxx","key":"loc","value":"test_place_1"},
{"href":"/orgs/7/labels/xxxxxx","key":"env","value":"test_env_1"},
{"href":"/orgs/7/labels/xxxxxx","key":"app","value":"test_app_1"},
{"href":"/orgs/7/labels/xxxxxx","key":"role","value":"test_access_1"}]}},
"changes":{"workload_interfaces":
{"updated":[{"resource":
{"href":"/orgs/7/workloads/someUUID/interfaces/eth1","name":"eth0","
address":{"family":2,"addr":xxxxxxxxx,"mask_addr":someMask}},
"changes":{"address":{"before":null,"after":
{"family":2,"addr":xxxxxxxxx,"mask_addr":someMask}},
"cidr_block":{"before":null,"after":16},"default_gateway_address":
{"before":null,"after":{"family":2,"addr":someGateway,"mask_addr":someMask}},
"link_state":{"before":"unknown","after":"up"},
"network":{"before":null,"after":{"href":"/orgs/7/networks/xx"}},
"network_detection_mode":{"before":null,"after":"single_private_brn"}}},
{"resource":{"href":"/orgs/7/workloads/someUUID/interfaces/eth1",
"name":"eth1","address":{"family":2,"addr":someAddress,"mask_addr":someMask}},
"changes":{"address":{"before":null,"after":{"family":2,"addr":someAddress,
"mask_addr":someMask}},
"cidr_block":{"before":null,"after":16},"link_state":{"before":"unknown","after":"up"},
"network":{"before":null,"after":{"href":"/orgs/7/networks/xx"}},
"network_detection_mode":{"before":null,"after":"single_private_brn"}}}]}},
"change_type":"update"}] notifications=[] event_href=/orgs/7/events/someUUID