Events exported to JSON format

JSON is a lightweight format for data exchange. It is built on a collection of name/value pairs and an ordered list of values.

Exported events

This section describes the format and meaning of the attributes of all exported events. Each event message is a JSON object with some mandatory and some optional keys. Every exported event contains the following keys:

| Key | Type | Required | Description |
|---|---|---|---|
| event_type | string | mandatory | Type of exported event: Threat_Event, FirewallAggregated_Event, HipsAggregated_Event. |
| ipv4 | string | optional | IPv4 address of the computer generating the event. |
| ipv6 | string | optional | IPv6 address of the computer generating the event. |
| source_uuid | string | mandatory | UUID of the computer generating the event. |
| occurred | string | mandatory | UTC time of occurrence of the event. Format is %d-%b-%Y %H:%M:%S. |
| severity | string | mandatory | Severity of the event. Possible values (from least severe to most severe) are: Information, Notice, Warning, Error, Critical, Fatal. |


Custom keys according to event_type:

1. Threat_Event

All threat events generated by managed endpoints are forwarded to Syslog. Threat event specific keys:

| Key | Type | Required | Description |
|---|---|---|---|
| threat_type | string | optional | Type of threat |
| threat_name | string | optional | Name of threat |
| threat_flags | string | optional | Threat related flags |
| scanner_id | string | optional | Scanner ID |
| scan_id | string | optional | Scan ID |
| engine_version | string | optional | Version of the scanning engine |
| object_type | string | optional | Type of object related to this event |
| object_uri | string | optional | Object URI |
| action_taken | string | optional | Action taken by the Endpoint |
| action_error | string | optional | Error message in case the "action" was not successful |
| threat_handled | bool | optional | Indicates whether or not the threat was handled |
| need_restart | bool | optional | Whether or not a restart is needed |
| username | string | optional | Name of the user account associated with the event |
| processname | string | optional | Name of the process associated with the event |
| circumstances | string | optional | Short description of what caused the event |

2. FirewallAggregated_Event

Event logs generated by ESET Personal Firewall are aggregated by the managing ESET Remote Administrator Agent to avoid wasting bandwidth during ERA Agent / ERA Server replication. Firewall event specific keys:

| Key | Type | Required | Description |
|---|---|---|---|
| event | string | optional | Event name |
| source_address | string | optional | Address of the event source |
| source_address_type | string | optional | Type of address of the event source |
| source_port | number | optional | Port of the event source |
| target_address | string | optional | Address of the event destination |
| target_address_type | string | optional | Type of address of the event destination |
| target_port | number | optional | Port of the event destination |
| protocol | string | optional | Protocol |
| account | string | optional | Name of the user account associated with the event |
| process_name | string | optional | Name of the process associated with the event |
| rule_name | string | optional | Rule name |
| rule_id | string | optional | Rule ID |
| inbound | bool | optional | Whether or not the connection was inbound |
| threat_name | string | optional | Name of the threat |
| aggregate_count | number | optional | Number of identical messages generated by the endpoint between two consecutive replications between the ERA Server and the managing ERA Agent |

3. HIPSAggregated_Event

Events from the Host-based Intrusion Prevention System are filtered on severity before they are sent further as Syslog messages. Only events with severity levels Error, Critical and Fatal are sent to Syslog. HIPS specific attributes are as follows:

| Key | Type | Required | Description |
|---|---|---|---|
| application | string | optional | Application name |
| operation | string | optional | Operation |
| target | string | optional | Target |
| action | string | optional | Action |
| rule_name | string | optional | Rule name |
| rule_id | string | optional | Rule ID |
| aggregate_count | number | optional | Number of identical messages generated by the endpoint between two consecutive replications between the ERA Server and the managing ERA Agent |

4. Audit Event

ERA 6.5 forwards the Server's internal audit log messages to Syslog. Specific attributes are as follows:

| Key | Type | Required | Description |
|---|---|---|---|
| domain | string | optional | Audit log domain |
| action | string | optional | Action taking place |
| target | string | optional | Target the action is operating on |
| detail | string | optional | Detailed description of the action |
| user | string | optional | Security user involved |
| result | string | optional | Result of the action |

5. Enterprise Inspector Alert Event

ERA 6.5 forwards ESET Enterprise Inspector Alerts to Syslog. Specific attributes are as follows:

| Key | Type | Required | Description |
|---|---|---|---|
| processname | string | optional | Name of the process causing this alert |
| username | string | optional | Owner of the process |
| rulename | string | optional | Name of the Enterprise Inspector rule triggering this alert |
| count | number | optional | Number of alerts of this type generated since the last alert |
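The following Python consumer is an added example, not ESET's code: it validates the mandatory keys and severity values listed above, parses the documented occurred timestamp as UTC, and filters by severity while preserving aggregate_count as a weight so that aggregated firewall and HIPS messages are not undercounted. The sample events, UUIDs and addresses are constructed placeholders.

```python
import json
from datetime import datetime, timezone

# Keys every exported event carries (the page marks them as not optional).
MANDATORY_KEYS = ("event_type", "source_uuid", "occurred", "severity")
# Severity values, least to most severe, as listed on the page.
SEVERITY_ORDER = ("Information", "Notice", "Warning", "Error", "Critical", "Fatal")
OCCURRED_FORMAT = "%d-%b-%Y %H:%M:%S"  # %b is locale-dependent; parse under an English/C locale

# Constructed sample messages, not real ERA output; UUIDs and addresses are placeholders.
SAMPLE_EVENTS = [
    '{"event_type": "Threat_Event", "ipv4": "192.0.2.10", "source_uuid": "uuid-placeholder-1",'
    ' "occurred": "04-Jan-2017 13:45:32", "severity": "Warning", "threat_name": "Eicar test file",'
    ' "threat_handled": true, "action_taken": "cleaned by deleting"}',
    '{"event_type": "FirewallAggregated_Event", "source_uuid": "uuid-placeholder-2",'
    ' "occurred": "04-Jan-2017 13:46:01", "severity": "Error", "inbound": true,'
    ' "source_address": "198.51.100.7", "target_port": 445, "protocol": "TCP", "aggregate_count": 12}',
    '{"event_type": "HipsAggregated_Event", "source_uuid": "uuid-placeholder-3",'
    ' "occurred": "04-Jan-2017 13:46:30", "severity": "Critical", "application": "notepad.exe",'
    ' "operation": "Modify file", "aggregate_count": 3}',
]

def parse_event(raw):
    """Decode one exported event and reject it if a mandatory key is missing or malformed."""
    event = json.loads(raw)
    missing = [k for k in MANDATORY_KEYS if k not in event]
    if missing:
        raise ValueError("missing mandatory keys: " + ", ".join(missing))
    if event["severity"] not in SEVERITY_ORDER:
        raise ValueError("unknown severity: %r" % event["severity"])
    # 'occurred' is documented as UTC, so attach tzinfo explicitly after parsing.
    event["occurred"] = datetime.strptime(event["occurred"], OCCURRED_FORMAT).replace(tzinfo=timezone.utc)
    event["severity_rank"] = SEVERITY_ORDER.index(event["severity"])
    return event

def triage(raw_events, min_severity="Error"):
    """Keep events at or above min_severity. Aggregated firewall/HIPS events carry an
    aggregate_count; it is returned as a weight so a SIEM rule counts occurrences, not lines.
    Returns a list of (event_type, source_uuid, occurrences) tuples in input order."""
    threshold = SEVERITY_ORDER.index(min_severity)
    selected = []
    for raw in raw_events:
        event = parse_event(raw)
        if event["severity_rank"] < threshold:
            continue
        occurrences = int(event.get("aggregate_count", 1))
        selected.append((event["event_type"], event["source_uuid"], occurrences))
    return selected
```

With the default Error threshold, triage(SAMPLE_EVENTS) returns the firewall and HIPS rows weighted 12 and 3 and drops the Warning-level threat event; lowering the threshold to Warning includes it.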