Events exported to JSON format

JSON is a lightweight format for data exchange. It is built on a collection of name/value pairs and an ordered list of values.

Exported events

This section describes the format and meaning of the attributes of all exported events. Each event message is a JSON object with some mandatory and some optional keys. The following keys are common to all event types:

Key | Type | Required | Description
--- | --- | --- | ---
event_type | string | mandatory | Type of the exported event; one of the values listed below
ipv4 | string | optional | IPv4 address of the computer generating the event
ipv6 | string | optional | IPv6 address of the computer generating the event
source_uuid | string | mandatory | UUID of the computer generating the event
occurred | string | mandatory | UTC time of occurrence of the event. Format is %d-%b-%Y %H:%M:%S
severity | string | mandatory | Severity of the event. Possible values (from least severe to most severe) are: Information, Notice, Warning, Error, Critical, Fatal

Possible event_type values:

Threat_Event (Antivirus detections)

FirewallAggregated_Event (Firewall detections)

HipsAggregated_Event (HIPS detections)

Audit_Event (Audit log)

FilteredWebsites_Event (Filtered websites, Web Protection)

EnterpriseInspectorAlert_Event (ESET Inspect Alerts)

BlockedFiles_Event (Blocked files)


Note

All event types listed below, at all severity levels, are reported to the Syslog server. To filter the event logs sent to Syslog, create a log category notification with a defined filter.

The reported values depend on the ESET security product (and its version) installed on the managed computer; ESET PROTECT only forwards the data it receives. Therefore, ESET cannot provide an exhaustive list of all values. We recommend watching your network and filtering the logs based on the values you receive.

Custom keys according to event_type:

Threat_Event

All Antivirus detection events generated by managed endpoints are forwarded to Syslog. Detection event specific keys:

Key | Type | Required | Description
--- | --- | --- | ---
threat_type | string | optional | Type of detection
threat_name | string | optional | Name of detection
threat_flags | string | optional | Detection related flags
scanner_id | string | optional | Scanner ID
scan_id | string | optional | Scan ID
engine_version | string | optional | Version of the scanning engine
object_type | string | optional | Type of object related to this event
object_uri | string | optional | Object URI
action_taken | string | optional | Action taken by the Endpoint
action_error | string | optional | Error message if the "action" was not successful
threat_handled | bool | optional | Indicates whether or not the detection was handled
need_restart | bool | optional | Whether or not a restart is needed
username | string | optional | Name of the user account associated with the event
processname | string | optional | Name of the process associated with the event
circumstances | string | optional | Short description of what caused the event
hash | string | optional | SHA1 hash of the (detection) data stream
firstseen | string | optional | Time and date when the detection was first found on that machine. ESET PROTECT uses a different date-time format for firstseen (and every other date-time attribute) depending on the log output format: JSON "%d-%b-%Y %H:%M:%S"; LEEF "%b %d %Y %H:%M:%S"


FirewallAggregated_Event

Event logs generated by ESET Firewall (Firewall detections) are aggregated by the managing ESET Management Agent to avoid wasting bandwidth during ESET Management Agent / ESET PROTECT Server replication. Firewall event specific keys:

Key | Type | Required | Description
--- | --- | --- | ---
event | string | optional | Event name
source_address | string | optional | Address of the event source
source_address_type | string | optional | Type of address of the event source
source_port | number | optional | Port of the event source
target_address | string | optional | Address of the event destination
target_address_type | string | optional | Type of address of the event destination
target_port | number | optional | Port of the event destination
protocol | string | optional | Protocol
account | string | optional | Name of the user account associated with the event
process_name | string | optional | Name of the process associated with the event
rule_name | string | optional | Rule name
rule_id | string | optional | Rule ID
inbound | bool | optional | Whether or not the connection was inbound
threat_name | string | optional | Name of the detection
aggregate_count | number | optional | How many identical messages the endpoint generated between two consecutive replications between the ESET PROTECT Server and the managing ESET Management Agent
action | string | optional | Action taken
handled | string | optional | Indicates whether or not the detection was handled


HipsAggregated_Event

Events from the Host-based Intrusion Prevention System (HIPS detections) are filtered on severity before they are sent on as Syslog messages. HIPS specific attributes are as follows:

Key | Type | Required | Description
--- | --- | --- | ---
application | string | optional | Application name
operation | string | optional | Operation
target | string | optional | Target
action | string | optional | Action taken
action_taken | string | optional | Action taken by the Endpoint
rule_name | string | optional | Rule name
rule_id | string | optional | Rule ID
aggregate_count | number | optional | How many identical messages the endpoint generated between two consecutive replications between the ESET PROTECT Server and the managing ESET Management Agent
handled | string | optional | Indicates whether or not the detection was handled


Audit_Event

ESET PROTECT forwards internal audit log messages to Syslog. Specific attributes are as follows:

Key | Type | Required | Description
--- | --- | --- | ---
domain | string | optional | Audit log domain
action | string | optional | Action taking place
target | string | optional | Target the action is operating on
detail | string | optional | Detailed description of the action
user | string | optional | Security user involved
result | string | optional | Result of the action


FilteredWebsites_Event

ESET PROTECT forwards the filtered websites (Web Protection detections) to Syslog. Specific attributes are as follows:

Key | Type | Required | Description
--- | --- | --- | ---
hostname | string | optional | Hostname of the computer with the event
processname | string | optional | Name of the process associated with the event
username | string | optional | Name of the user account associated with the event
hash | string | optional | SHA1 hash of the filtered object
event | string | optional | Event type
rule_id | string | optional | Rule ID
action_taken | string | optional | Action taken
scanner_id | string | optional | Scanner ID
object_uri | string | optional | Object URI
target_address | string | optional | Address of the event destination
target_address_type | string | optional | Type of address of the event destination (25769803777 = IPv4; 25769803778 = IPv6)
handled | string | optional | Indicates whether or not the detection was handled


EnterpriseInspectorAlert_Event

ESET PROTECT forwards ESET Inspect Alerts to Syslog. Specific attributes are as follows:

Key | Type | Required | Description
--- | --- | --- | ---
processname | string | optional | Name of the process causing this alarm
username | string | optional | Owner of the process
rulename | string | optional | Name of the rule triggering this alarm
count | number | optional | Number of alerts of this type generated since the last alarm
hash | string | optional | SHA1 hash of the alarm
eiconsolelink | string | optional | Link to the alarm in the ESET Inspect console
eialarmid | string | optional | ID sub-part of the alarm link ($1 in ^http.*/alarm/([0-9]+)$)
computer_severity_score | number | optional | Computer severity score
severity_score | number | optional | Rule severity score


BlockedFiles_Event

ESET PROTECT forwards ESET Inspect Blocked files to Syslog. Specific attributes are as follows:

Key | Type | Required | Description
--- | --- | --- | ---
hostname | string | optional | Hostname of the computer with the event
processname | string | optional | Name of the process associated with the event
username | string | optional | Name of the user account associated with the event
hash | string | optional | SHA1 hash of the blocked file
object_uri | string | optional | Object URI
action | string | optional | Action taken
firstseen | string | optional | Time and date when the detection was first found on that machine (date and time format)
cause | string | optional | 
description | string | optional | Description of the blocked file
handled | string | optional | Indicates whether or not the detection was handled
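As an added example (not part of the ESET documentation or of any ESET tool), the following Python consumer applies the rules described on this page, namely the common mandatory keys, the severity ordering used for filtering, the JSON "%d-%b-%Y %H:%M:%S" format of occurred, and the eialarmid regex from the EnterpriseInspectorAlert_Event table, to a few constructed event lines; the UUIDs, the console host and the sample values are placeholders, not real output.

```python
import json
import re
from datetime import datetime, timezone

EVENT_TYPES = {"Threat_Event", "FirewallAggregated_Event", "HipsAggregated_Event", "Audit_Event",
               "FilteredWebsites_Event", "EnterpriseInspectorAlert_Event", "BlockedFiles_Event"}
MANDATORY = ("event_type", "source_uuid", "occurred", "severity")
SEVERITY_RANK = {s: i for i, s in enumerate(("Information", "Notice", "Warning", "Error", "Critical", "Fatal"))}
OCCURRED_FMT = "%d-%b-%Y %H:%M:%S"                    # date-time format of the JSON output
ALARM_ID_RE = re.compile(r"^http.*/alarm/([0-9]+)$")  # eialarmid is $1 of this pattern

def parse_event(line):
    """Parse one JSON event line; raise ValueError if it is malformed or incomplete."""
    ev = json.loads(line)
    missing = [k for k in MANDATORY if k not in ev]
    if missing:
        raise ValueError("missing mandatory keys: " + ", ".join(missing))
    if ev["event_type"] not in EVENT_TYPES or ev["severity"] not in SEVERITY_RANK:
        raise ValueError("unknown event_type or severity")
    # 'occurred' is UTC but carries no zone designator, so attach one explicitly
    ev["occurred_utc"] = datetime.strptime(ev["occurred"], OCCURRED_FMT).replace(tzinfo=timezone.utc)
    # Derive eialarmid from the console link when an Inspect alert does not carry it
    if ev["event_type"] == "EnterpriseInspectorAlert_Event" and "eialarmid" not in ev:
        m = ALARM_ID_RE.match(ev.get("eiconsolelink", ""))
        if m:
            ev["eialarmid"] = m.group(1)
    return ev

def filter_events(lines, min_severity="Warning"):
    """Keep events at or above min_severity; count and skip lines that fail parsing."""
    kept, rejected = [], 0
    for line in lines:
        try:
            ev = parse_event(line)
        except ValueError:  # json.JSONDecodeError and bad timestamps are ValueErrors too
            rejected += 1
            continue
        if SEVERITY_RANK[ev["severity"]] >= SEVERITY_RANK[min_severity]:
            kept.append(ev)
    return kept, rejected

# Constructed sample lines, not real ESET PROTECT output; UUIDs and the console host are placeholders
SAMPLE_LINES = [
    '{"event_type":"Threat_Event","ipv4":"192.0.2.10","source_uuid":"uuid-placeholder-1","occurred":"05-Mar-2024 14:02:11","severity":"Warning","threat_name":"Eicar test file","action_taken":"cleaned by deleting","threat_handled":true}',
    '{"event_type":"EnterpriseInspectorAlert_Event","source_uuid":"uuid-placeholder-2","occurred":"05-Mar-2024 14:03:40","severity":"Critical","eiconsolelink":"https://inspect.example/console/alarm/4711","severity_score":80}',
    '{"event_type":"Audit_Event","source_uuid":"uuid-placeholder-3","occurred":"05-Mar-2024 14:04:00","severity":"Information","domain":"Native user","action":"Login attempt","result":"Success"}',
    '{"event_type":"Threat_Event","source_uuid":"uuid-placeholder-4","severity":"Warning"}',
]
```

Because the JSON occurred value has no zone designator, the consumer attaches UTC explicitly so that later comparisons with other log sources are unambiguous.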