Examples of Events
This section presents examples of recorded events in JSON, CEF, and LEEF for various auditing needs.
User Password Update Failed (JSON)
This example event shows a user password change that failed validation. The event type is user.update_password with "status": "failure", and the notifications show that the user's attempted new password did not meet the password complexity requirements.
{ "href": "/orgs/1/events/xxxxxxxx-39bd-43f1-a680-cc17c6984925", "timestamp": "2018-08-29T22:07:00.978Z", "pce_fqdn": "pce1.bigco.com", "created_by": { "system": {} }, "event_type": "user.update_password", "status": "failure", "severity": "info", "action": { "uuid": "xxxxxxxx-a5f7-4975-a2a5-b4dbd8b74493", "api_endpoint": "/login/users/password/update", "api_method": "PUT", "http_status_code": 302, "src_ip": "10.3.6.116" }, "resource_changes": [], "notifications": [{ "uuid": "xxxxxxxx-7b8e-4205-a62a-1f070d8a0ee2", "notification_type": "user.pw_complexity_not_met", "info": null }, { "uuid": "xxxxxxxx-9721-4971-b613-d15aa67a4ee7", "notification_type": "user.pw_change_failure", "info": { "reason": "Password must have minimum of 1 new character(s)" } }], "version": 2 }
Resource Updated (JSON)
This example shows the before and after values of a successful update event, rule_set.update. The name of the ruleset changed from "before": "rule_set_2" to "after": "rule_set_3".
{ "href": "/orgs/1/events/xxxxxxxx-8033-4f1a-83e9-fde57c425807", "timestamp": "2018-08-29T22:04:04.733Z", "pce_fqdn": "pce1.bigco.com", "created_by": { "user": { "href": "/users/1", "username": "[email protected]" } }, "event_type": "rule_set.update", "status": "success", "severity": "info", "action": { "uuid": "xxxxxxxx-7488-480b-9ef9-0cd2a8496004", "api_endpoint": "/api/v2/orgs/1/sec_policy/draft/rule_sets/6", "api_method": "PUT", "http_status_code": 204, "src_ip": "10.3.6.116" }, "resource_changes": [{ "uuid": "xxxxxxxx-1d13-4e5e-8f0b-e0e8bccc44e0", "resource": { "rule_set": { "href": "/orgs/1/sec_policy/draft/rule_sets/6", "name": "rule_set_3", "scopes": [ [{ "label": { "href": "/orgs/1/labels/19", "key": "app", "value": "app2" } }, { "label": { "href": "/orgs/1/labels/20", "key": "env", "value": "env2" } }, { "label": { "href": "/orgs/1/labels/21", "key": "loc", "value": "loc2" } }] ] } }, "changes": { "name": { "before": "rule_set_2", "after": "rule_set_3" } }, "change_type": "update" }], "notifications": [], "version": 2 }
Security Rule Created (JSON)
In this example of a successful sec_rule composite event (event type sec_rule.create), a new security rule is created. Because this is a creation event, the before values are null.
{ "href": "/orgs/1/events/xxxxxxxx-6d29-4905-ad32-ee863fb63697", "timestamp": "2018-08-29T21:48:28.954Z", "pce_fqdn": "pce24.bigco.com", "created_by": { "user": { "href": "/users/1", "username": "[email protected]" } }, "event_type": "sec_rule.create", "status": "success", "severity": "info", "action": { "uuid": "xxxxxxxx-165b-4e06-aaac-60e4d8b0b9a0", "api_endpoint": "/api/v2/orgs/1/sec_policy/draft/rule_sets/1/sec_rules", "api_method": "POST", "http_status_code": 201, "src_ip": "10.6.1.156" }, "resource_changes": [{ "uuid": "9fcf6feb-bf25-4de8-a68a-a50598df4cf6", "resource": { "sec_rule": { "href": "/orgs/1/sec_policy/draft/rule_sets/1/sec_rules/5" } }, "changes": { "rule_list": { "before": null, "after": { "href": "/orgs/1/sec_policy/draft/rule_sets/1" } }, "description": { "before": null, "after": "WinRM HTTP/HTTPS and RDP" }, "type": { "before": null, "after": "SecRule" }, "resolve_labels": { "before": null, "after": "1010" }, "providers": { "created": [{ "source": true, "actors": "ams" }] }, "destinations": { "created": [{ "source": false, "actors": "ams" }, { "source": false, "ip_list": { "href": "/orgs/1/sec_policy/draft/ip_lists/1" } }] }, "ingress_services": { "created": [{ "href": "/orgs/1/sec_policy/draft/services/7", "name": "WinRM HTTP/HTTPS and RDP" }] } }, "change_type": "create" }], "notifications": [], "version": 2 }
User Logged In (JSON)
[ { "href": "/orgs/1/events/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "timestamp": "2019-06-25T23:34:12.948Z", "pce_fqdn": "someFullyQualifiedDomainName", "created_by": { "user": { "href": "/users/1", "username": "someUser@someDomain" } }, "event_type": "user.sign_in", "status": "success", "severity": "info", "action": { "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "api_endpoint": "/login/users/sign_in", "api_method": "POST", "http_status_code": 302, "src_ip": "xxx.xxx.xx.x" }, "resource_changes": [ { "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "resource": { "user": { "href": "/users/1", "type": "local", "username": "someUser@someDomain" } }, "changes": { "sign_in_count": { "before": 4, "after": 5 } }, "change_type": "update" } ], "notifications": [ { "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "notification_type": "user.login_session_created", "info": { "user": { "href": "/users/1", "type": "local", "username": "someUser@someDomain" } } } ] }, { "href": "/orgs/1/events/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "timestamp": "2019-06-25T23:34:15.147Z", "pce_fqdn": "someFullyQualifiedDomainName", "created_by": { "user": { "href": "/users/1", "username": "someUser@someDomain" } }, "event_type": "user.login", "status": "success", "severity": "info", "action": { "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "api_endpoint": "/api/v2/users/login", "api_method": "GET", "http_status_code": 200, "src_ip": "xxx.xxx.xx.x" }, "resource_changes": [ ], "notifications": [ { "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "notification_type": "user.pce_session_created", "info": { "user": { "href": "/users/1", "username": "someUser@someDomain" } } } ] } ]
User Logged Out (JSON)
[ { "href": "/orgs/1/events/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "timestamp": "2019-06-25T23:35:16.636Z", "pce_fqdn": "someFullyQualifiedDomainName", "created_by": { "user": { "href": "/users/1", "username": "someUser@someDomain" } }, "event_type": "user.sign_out", "status": "success", "severity": "info", "action": { "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "api_endpoint": "/login/logout", "api_method": "GET", "http_status_code": 302, "src_ip": "xxx.xxx.xx.x" }, "resource_changes": [ ], "notifications": [ { "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "notification_type": "user.login_session_terminated", "info": { "reason": "user_logout", "user": { "href": "/users/1", "username": "someUser@someDomain" } } } ] }, { "href": "/orgs/1/events/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "timestamp": "2019-06-25T23:35:16.636Z", "pce_fqdn": "someFullyQualifiedDomainName", "created_by": { "user": { "href": "/users/1", "username": "someUser@someDomain" } }, "event_type": "user.sign_out", "status": "success", "severity": "info", "action": { "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "api_endpoint": "/login/logout", "api_method": "GET", "http_status_code": 302, "src_ip": "xxx.xxx.xx.x" }, "resource_changes": [ ], "notifications": [ { "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "notification_type": "user.login_session_terminated", "info": { "reason": "user_logout", "user": { "href": "/users/1", "username": "someUser@someDomain" } } } ] } ]
Login Failed — Incorrect Username (JSON)
{ "href": "/orgs/1/events/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "timestamp": "2019-06-25T23:35:41.560Z", "pce_fqdn": "someFullyQualifiedDomainName", "created_by": { "system": { } }, "event_type": "user.sign_in", "status": "failure", "severity": "info", "action": { "uuid": "someFullyQualifiedDomainName", "api_endpoint": "/login/users/sign_in", "api_method": "POST", "http_status_code": 200, "src_ip": "xxx.xxx.xx.x" }, "resource_changes": [ ], "notifications": [ { "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "notification_type": "user.login_failed", "info": { "associated_user": { "supplied_username": "invalid_username@someDomain" } } } ] }
Login Failed — Incorrect Password (JSON)
{ "href": "/orgs/1/events/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "timestamp": "2019-06-25T23:35:27.649Z", "pce_fqdn": "someFullyQualifiedDomainName", "created_by": { "system": { } }, "event_type": "user.sign_in", "status": "failure", "severity": "info", "action": { "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "api_endpoint": "/login/users/sign_in", "api_method": "POST", "http_status_code": 200, "src_ip": "xxx.xxx.xx.x" }, "resource_changes": [ ], "notifications": [ { "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "notification_type": "user.login_failed", "info": { "associated_user": { "supplied_username": "someUser@someDomain" } } } ] }
User Log Out (CEF)
This example of an event record in CEF shows a successful user log out.
CEF:0|Illumio|PCE|19.3.0|user.logout.success|User Logout Success|1|rt=Mar 06 2020 18:38:59.900 +0000 dvchost=mypce.com duser=system dst=10.6.5.4 outcome=success cat=audit_events request=/api/v2/users/logout_from_jwt requestMethod=POST reason=204 cs2= cs2Label=resource_changes cs4=[{"uuid":"b5ba8bf0-7ca8-47fc-870f-6c61ddc1648d", "notification_type":"user.pce_session_terminated","info":{"reason":"user_logout", "user":{"href":"/users/1","username":"[email protected]"}}}] cs4Label=notifications cn2=2 cn2Label=schema-version cs1Label=event_href cs1=/system_events/ e97bd255-4316-4b5e-a885-5b937f756f17
Workload Security Policy Updated (LEEF)
This example of an event record in LEEF shows a successful update of security policy for a workload's Ethernet interfaces.
LEEF:2.0|Illumio|PCE|18.2.0|interface_status.update.success|src=xx.xxx.xxx.xxx cat=organizational devTime=someUTCdatetime devTimeFormat=yyyy-mm-dd'T'HH:mm:ss.ttttttZ sev=1 usrName=albert.einstein url=/orgs/7/agents/someUUID version=2 pce_fqdn=someFQDN created_by={"agent":{"href":"/orgs/7/agents/someUUID","hostname":"someHostname"}} action={"uuid":"someUUID", "api_endpoint":"/api/v6/orgs/7/agents/xxxxxx/interface_statuses/update", "api_method":"PUT","http_status_code":200,"src_ip":"someIP"} resource_changes=[{"uuid":"someUUID", "resource":{"workload":{"href":"/orgs/7/workloads/someUUID","name":null, "hostname":"someHostname", "labels":[{"href":"/orgs/7/labels/xxxxxx","key":"loc","value":"test_place_1"}, {"href":"/orgs/7/labels/xxxxxx","key":"env","value":"test_env_1"}, {"href":"/orgs/7/labels/xxxxxx","key":"app","value":"test_app_1"}, {"href":"/orgs/7/labels/xxxxxx","key":"role","value":"test_access_1"}]}}, "changes":{"workload_interfaces": {"updated":[{"resource": {"href":"/orgs/7/workloads/someUUID/interfaces/eth1","name":"eth0"," address":{"family":2,"addr":xxxxxxxxx,"mask_addr":someMask}}, "changes":{"address":{"before":null,"after": {"family":2,"addr":xxxxxxxxx,"mask_addr":someMask}}, "cidr_block":{"before":null,"after":16},"default_gateway_address": {"before":null,"after":{"family":2,"addr":someGateway,"mask_addr":someMask}}, "link_state":{"before":"unknown","after":"up"}, "network":{"before":null,"after":{"href":"/orgs/7/networks/xx"}}, "network_detection_mode":{"before":null,"after":"single_private_brn"}}}, {"resource":{"href":"/orgs/7/workloads/someUUID/interfaces/eth1", "name":"eth1","address":{"family":2,"addr":someAddress,"mask_addr":someMask}}, "changes":{"address":{"before":null,"after":{"family":2,"addr":someAddress, "mask_addr":someMask}}, "cidr_block":{"before":null,"after":16},"link_state":{"before":"unknown","after":"up"}, "network":{"before":null,"after":{"href":"/orgs/7/networks/xx"}}, 
"network_detection_mode":{"before":null,"after":"single_private_brn"}}}]}}, "change_type":"update"}] notifications=[] event_href=/orgs/7/events/someUUID