Event objects
What are event objects in Soveren?
Besides the UI, Soveren exposes events as structured JSON messages. You can feed those messages into your own SIEM or process management software, or use them to create customized alerts in messaging apps.
Example of an event JSON object
Each JSON message carries significant information about an event and is composed of the following attributes:
- `title`: A human-readable title for the event, such as a brief summary or description.
- `sensitivity`: A string that indicates the sensitivity level of the event. It can be 'High', 'Medium', or 'Low', according to the event policy.
- `time`: The timestamp when the event was created, formatted according to the JavaScript ISO string format.
- `event_link`: A URL linking to the event details in the Soveren app. Users can follow this link directly into the product.
- `category`: The category of the event. Helps in broadly classifying the event.
- `event_type`: The specific type of the event. Helps in identifying the concrete nature of the event.
- `data_types`: An array of strings that specify the detected data types involved in the event.
- `event_triggered_by`: A string identifying the service causing the event. It can be `sending` or `receiving`.
    - `sending`: The event is triggered by the sender of the data.
    - `receiving`: The event is triggered by the receiver of the data.
- `sending` and `receiving`: The services involved in the event. They each contain the following sub-attributes:
    - `link`: URL linking to the service's details.
    - `name`: The name of the service.
    - `namespace`: The Kubernetes namespace to which the service belongs.
    - `groups`: Groups to which the service belongs, each with `link` and `name` attributes.
- `endpoint`: An object that represents the endpoint involved in the event, defined by the following attributes:
    - `link`: URL linking to endpoint details.
    - `URL`: The URL associated with the endpoint.
    - `hostname`: The endpoint's associated hostname.
    - `method`: HTTP method used by the endpoint.
- `policy`: An object that represents the policy related to the event. It includes a `link` to the policy details and the policy `name`.
- `conflicting_assets`: This array comprises objects, each representing a service that conflicts with the event policy. These objects contain a `link` to the service details and the service's `name`. A common example of such a conflict occurs when the same `third_party_ip` address is assigned to multiple external connections, leading to several policy violations being triggered.
- `third_party_ip`: The IP address of a third party involved in the event, if relevant.
- `user_agent`: The user agent information for the event, if relevant.
Event categories
The events that Soveren detects belong to one of the following four categories:
- New Data Type: events of this type are recorded whenever Soveren observes a data type for the first time in your infrastructure.
- Data Flow Change: this category covers all changes related to both internal and external senders and receivers: the introduction of new services or external connections (senders or receivers), and the detection of previously unobserved data types in them.
- Policy Violation: covers all events triggered by violations of policies configured in the Soveren app.
- Other: this category covers everything not related to detected data types, flow changes or policy violations. For example, the data map is built and ready for review, or there is a misconfiguration of the rules either in Soveren or in your infrastructure.
Event types
Besides being broadly categorized, events in Soveren are also broken down into specific types that describe concrete situations requiring your attention.
Here's the list of event types by category. You can use `event_type` and the event `category` to build automation around specific cases when receiving event messages through integrations with Soveren.
| Event category (`category`) | Event type (`event_type`) | Triggered when |
|---|---|---|
| `new_data_types` | `new_data_type` | A new data type is observed for the first time. |
| `data_flow_changes` | `new_internal_receiver` | A service is newly registered to receive data. |
| | `new_internal_sender` | A service is newly registered to send data. |
| | `updated_internal_receiver` | An existing service (data receiver) starts receiving a new data type. |
| | `updated_internal_sender` | An existing service (data sender) starts sending a new data type. |
| | `new_external_receiver` | A new external connection is registered to receive data. |
| | `updated_external_receiver` | An existing external connection (data receiver) starts receiving a new data type. |
| | `updated_enduser_receiver` | An existing end-user (external data receiver) starts receiving a new data type. |
| | `updated_robot_receiver` | An existing robot (external data receiver) starts receiving a new data type. |
| `policy_violations` | `policy_violation` | A violation of a policy configured within the Soveren app is detected. |
| | `3rd_party_policy_violation` | A violation of a third-party policy (sending data to 3rd party) is detected. |
| `others` | `discovery_complete` | A discovery process concludes; all services, external connections and data sources are present on the data map. |
| | `custom_asset_rule_conflict` | A rule conflict related to a custom external connection arises. |
| | `email_clustered` | Actual email addresses are used in your URLs; Soveren detected them and masked them in those URLs in the Soveren app. |
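
One way to build the automation described above, as an added example that is not Soveren's own code: a receiver validates each message against the documented attributes and the category/type table before routing it. The names `parse_event` and `route`, the routing policy and the sample message are hypothetical; the example assumes `category` carries the values in the table's first column and that `event_triggered_by` may be absent.

```python
import json
from datetime import datetime, timezone

# category -> event_type values, copied from the table on this page
EVENT_TYPES = {
    "new_data_types": {"new_data_type"},
    "data_flow_changes": {
        "new_internal_receiver", "new_internal_sender",
        "updated_internal_receiver", "updated_internal_sender",
        "new_external_receiver", "updated_external_receiver",
        "updated_enduser_receiver", "updated_robot_receiver"},
    "policy_violations": {"policy_violation", "3rd_party_policy_violation"},
    "others": {"discovery_complete", "custom_asset_rule_conflict", "email_clustered"},
}

def parse_event(raw):
    """Validate one event message; return a flat record or raise ValueError."""
    try:
        ev = json.loads(raw)
        cat, typ, sens = ev["category"], ev["event_type"], ev["sensitivity"]
        if typ not in EVENT_TYPES.get(cat, ()):
            raise ValueError(f"event_type {typ!r} not valid for category {cat!r}")
        if sens not in ("High", "Medium", "Low"):
            raise ValueError(f"unknown sensitivity {sens!r}")
        # JavaScript ISO string: YYYY-MM-DDTHH:mm:ss.sssZ, always UTC
        when = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        side = ev.get("event_triggered_by")  # assumption: may be absent
        if side not in (None, "sending", "receiving"):
            raise ValueError(f"bad event_triggered_by {side!r}")
        return {"time": when.replace(tzinfo=timezone.utc), "category": cat,
                "event_type": typ, "sensitivity": sens,
                "service": ev[side]["name"] if side else None,
                "data_types": list(ev.get("data_types", []))}
    except (KeyError, TypeError, AttributeError) as exc:
        raise ValueError(f"malformed event: {exc!r}") from exc

def route(rec):
    """Hypothetical routing policy: 'page', 'ticket' or 'log'."""
    if rec["category"] == "policy_violations" and rec["sensitivity"] == "High":
        return "page"
    if rec["category"] in ("policy_violations", "data_flow_changes"):
        return "ticket"
    return "log"

# Constructed sample message built from the attributes documented above.
SAMPLE = json.dumps({
    "title": "constructed sample", "sensitivity": "High",
    "time": "2024-01-15T09:30:00.000Z", "category": "policy_violations",
    "event_type": "policy_violation", "data_types": ["Email"],
    "event_triggered_by": "sending", "sending": {"name": "billing"}})
```

Rejecting a message whose `event_type` does not belong to its `category` keeps a malformed or spoofed payload from reaching the paging path.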