Skip to content

Event objects

What are event objects in Soveren?

Besides the UI, Soveren provides you with representations of events as structured JSON messages. You can use those messages in your own SIEM or process management software, as well as create customized alerts in the messaging apps.

Example of an event JSON object
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
{
  "title": "Internal asset Asset 3 is sharing Person with third parties",
  "sensitivity": "Medium",
  "time": "2013-10-21T13:28:06.419Z",
  "event_link": "https://app.soveren.io/events?id=123",
  "category": "New data type",
  "event_type": "policy_violation",
  "data_types": [
    "Person",
    "Email"
  ],
  "event_triggered_by": "sending",

  "sending": {
    "link": "https://app.soveren.io/data-inventory/internal-assets/1",
    "name": "service 1",
    "namespace": "namespace 1",
    "groups": [
      {
        "link": "https://app.soveren.io/asset-groups/1/info",
        "name": "group 1"
      },
      {
        "link": "https://app.soveren.io/asset-groups/2/info",
        "name": "group 2"
      }
    ]
  },
  "receiving": {
    "link": "https://app.soveren.io/data-inventory/internal-assets/2",
    "name": "service 2",
    "namespace": "namespace 2",
    "groups": []
  },
  "endpoint": {
    "link": "https://app.soveren.io/data-inventory/sample?id=432&direction=response",
    "url": "api/v1/path-1",
    "hostname": "soveren.io",
    "method": "POST"
  },

  "policy": {
    "link": "https://app.soveren.io/policies/234",
    "name": "Policy 234"
  },

  "conflicting_assets":[
    {
      "name":"Asset 1",
      "link": "https://app.soveren.io/data-inventory/external-assets/1"
    },
    {
      "name":"Asset 2",
      "link": "https://app.soveren.io/data-inventory/external-assets/2"
    }
  ],
  "third_party_ip": "123.1.1.1",
  "user_agent": "some user agent"
}

Each JSON message carries significant information about an event and is composed of the following attributes:

  1. title: A human-readable title for the event, such as a brief summary or description.

  2. sensitivity: A string that indicates the sensitivity level of the event. It can be 'High', 'Medium', or 'Low', according to the event policy.

  3. time: The timestamp when the event was created, formatted according to the JavaScript ISO string format.

  4. event_link: A URL linking to the event details in the Soveren app. Users can follow this link directly into the product.

  5. category: The category of the event. Helps in broadly classifying the event.

  6. event_type: The specific type of the event. Helps in identifying the concrete nature of the event.

  7. data_types: An array of strings that specify the detected data types involved in the event.

  8. event_triggered_by: A string identifying the asset causing the event. It can be sending or receiving.

    1. sending: The event is triggered by the sender of the data.

    2. receiving: The event is triggered by the receiver of the data.

  9. sending and receiving: The assets involved in the event. They each contain the following sub-attributes:

    1. link: URL linking to the asset's details.

    2. name: The name of the asset.

    3. namespace: The Kubernetes namespace to which the asset belongs.

    4. groups: Groups to which the asset belongs, each with link and name attributes.

  10. endpoint: An object that represents the endpoint involved in the event, defined by the following attributes:

    1. link: URL linking to endpoint details.

    2. URL: The URL associated with the endpoint.

    3. hostname: The endpoint's associated hostname.

    4. method: HTTP method used by the endpoint.

  11. policy: An object that represents the policy related to the event. It includes a link to the policy details and the policy name.

  12. conflicting_assets: This array comprises objects, each representing an asset that conflicts with the event policy. These objects contain a link to the asset details and the asset's name. A common example of such a conflict occurs when the same third_party_ip address is assigned to multiple custom assets, leading to several policy violations being triggered.

  13. third_party_ip: The IP address of a third party involved in the event, if relevant.

  14. user_agent: The user agent information for the event, if relevant.

Event categories

The events that Soveren detects belong to one of following four categories:

  1. New Data Type: events of this type are recorded whenever Soveren observes a data type for the first time in your infrastructure.

  2. Data Flow Change: this category encapsulates all changes related to both internal and external senders and receivers: introduction of new assets (senders or receivers), detection of previously unobserved data types in them.

  3. Policy Violation: cover all events triggered by violations of policies configured in the Soveren app.

  4. Other: this category encompasses a variety of aspects not related to detected data types, flow changes or policy violatoins. For example, data map is built and ready for review, misconfiguration of the rules either in Soveren or in your infrastructure.

Event types

Besides being broadly categorized, the events in Soveren are also fine-grained into specific types describing concrete situations that require your pointed attention.

Here's the list of the event types by category. Your can use event_type and event category to build automation around specific cases when getting event messages through integrations with Soveren.

Event category (category) Event type (event_type) Triggered when
new_data_types new_data_type A new data type is observed for the first time.
data_flow_changes new_internal_receiver An internal asset is newly registered to receive data.
new_internal_sender An internal asset is newly registered to send data.
updated_internal_receiver An existing internal asset (data receiver) starts receiving new data type.
updated_internal_sender An existing internal asset (data sender) starts sending new data type.
new_external_receiver A new external asset is registered to receive data.
updated_external_receiver An existing external asset (data receiver) starts receiving new data type.
updated_enduser_receiver An existing end-user (external data receiver) starts receiving new data type.
updated_robot_receiver An existing robot (external data receiver) starts receiving new data type.
policy_violations policy_violation A violation of policy configured within the Soveren app is detected.
3rd_party_policy_violation A violation of a third-party policy (sending data to 3rd party) is detected.
others discovery_complete A discovery process concludes, all assets are present on the data map.
custom_asset_rule_conflict A rule conflict related to a custom asset arises.
email_clustered There are actual emails used in your URLs, Soveren detected & masked them in those URLs in Soveren app.