Event objects

Besides the Activity log UI, Soveren provides event representations as structured JSON messages. You can use these messages in your own SIEM or process management software, or create customized alerts in messaging apps.

Integrations with Jira, Slack, and webhooks all use the same fields, categories, and types, as described below, though the formatting may vary for each integration type.

Event categories

Events detected by Soveren belong to one of the following four categories:

| category | Description |
|---|---|
| Infrastructure updates | Events related to changes in your infrastructure, such as new data types or services |
| Data at risk | Events indicating potential risks to your data, such as policy violations or anomalies |
| Misconfiguration | Events indicating misconfigurations in your infrastructure, such as unencrypted storage or public access |
| Other | Other events, such as discovery completion or update notifications |

Event types

Besides broad categorization, events in Soveren are also classified into fine-grained types, each describing specific situations that require your focused attention.

Below is the list of event types grouped by category. You can use the event_type and category fields to build automation for handling specific scenarios when receiving event messages through integrations with Soveren.

| event_type | category | title |
|---|---|---|
| 3rd_party_policy_violation | Data at risk | Service {name} is sharing {dataTypeName} with third parties |
| anomaly_detected | Data at risk | Anomaly detected |
| excessive_db_access | Data at risk | Excessive database access detected |
| policy_violation | Data at risk | Data type {dataTypeName} is outside the allowed set of assets |
| policy_violation_dar | Data at risk | Data type {dataTypeName} is outside the allowed set of data stores |
| custom_asset_rule_conflict | Infrastructure updates | Conflict in rules for custom external connections |
| email_clustered | Infrastructure updates | Data type in API URL path detected |
| new_data_type | Infrastructure updates | New data type {dataTypeName} in the infrastructure |
| new_external_receiver | Infrastructure updates | External connection {name} started receiving data |
| new_internal_receiver | Infrastructure updates | Service {name} started receiving data |
| new_internal_sender | Infrastructure updates | Service {name} started sending data |
| new_potential_data_storage | Infrastructure updates | New {objectType} found. Relevant for SQL Database server instances and Kafka clusters as {objectType} |
| new_data_storage | Infrastructure updates | New {objectType} {objectName} found. Relevant for S3 buckets, databases and Kafka topics as {objectType}; {objectName} is the name of the bucket, database or topic |
| started_storing_data | Infrastructure updates | {objectType} {objectName} started storing data {additionalInfo}. Relevant for databases and Kafka topics as {objectType}; {additionalInfo} identifies the table, collection or topic |
| started_storing_datatype | Infrastructure updates | {objectType} {objectName} started storing data {additionalInfo}. Relevant for databases and Kafka topics as {objectType}; {additionalInfo} identifies the table, collection or topic |
| updated_enduser_receiver | Infrastructure updates | End users {name} is receiving new data type(s) |
| updated_external_receiver | Infrastructure updates | External connection {name} is receiving new data type(s) |
| updated_internal_receiver | Infrastructure updates | Service {name} is receiving new data type(s) |
| updated_internal_sender | Infrastructure updates | Service {name} is sending new data type(s) |
| updated_robot_receiver | Infrastructure updates | Robots {name} is receiving new data type(s) |
| policy_public_s3_bucket | Misconfiguration | Data type {dataTypeName} is stored in publicly available S3 bucket |
| policy_unencrypted_network | Misconfiguration | Service {name} is sharing {dataTypeName} in unencrypted traffic |
| policy_unencrypted_rds | Misconfiguration | Data type {dataTypeName} is stored in unencrypted RDS |
| policy_unencrypted_s3_bucket | Misconfiguration | Data type {dataTypeName} is stored in unencrypted S3 bucket |
| dar_release_update | Other | A data-at-rest sensor update is now available |
| dar_release_update_critical | Other | A critical update for the data-at-rest sensor is now available |
| dim_release_update | Other | A data-in-motion sensor update is now available |
| dim_release_update_critical | Other | A critical update for the data-in-motion sensor is now available |
| discovery_complete | Other | Initial discovery of your infrastructure is complete |

Event object structure

Below is the structure of the event object:

| Field | Conditions | Possible values |
|---|---|---|
| title | Always present | The title of the event, providing a human-readable summary of what happened. Example: "New data type Card in the infrastructure" |
| time | Always present | The time when the event occurred, in ISO 8601 format. Example: 2023-01-15T14:22:35.123Z |
| category | Always present | One of the event categories. Example: Data at risk |
| event_type | Always present | One of the event types. Example: new_data_type |
| event_link | Always present | A link to view more details about the event. Example: https://app.soveren.io/activity-log?id=12345 |
| release_notes_link | Present for release update events | A link to view release notes. Example: https://github.com/soverenio/helm-charts/blob/master/charts/soveren-agent/release-notes.md#dim-2511 |
| sensitivity | Present when data types exist | One of the following: Low, Medium, High. See also the sensitivity model |
| data_types | Present when data types exist | Array of data type names involved in the event. Example: [Card, SSN] |
| event_triggered_by | Present when the event involves Services | sending or receiving. Indicates which side triggered the event |
| sending | Present when the event involves Services | See nested structures |
| receiving | Present when the event involves Services | See nested structures |
| endpoint | Present when the event involves Services | See nested structures |
| evidence_link | Present when the event involves Services | A link to view evidence related to the event. Example: https://app.soveren.io/activity-log/12345/sample |
| policy | Present for policy violation events or when a policy is relevant to the event | See nested structures |
| conflicting_assets | Present for custom connection rule conflict events. A common example of such a conflict occurs when the same third_party_ip address is assigned to multiple external connections, leading to several policy violations being triggered | See nested structures |
| third_party_ip | Present for third-party policy violation events | IP address of the third party. Example: 203.0.113.42 |
| user_agent | Present for third-party policy violation events | User agent string of the client. Example: Mozilla/5.0 (Windows NT 10.0; Win64; x64)... |
| object_type | Present for events involving specific infrastructure components. Not present for general events like release updates | Service, S3 bucket, Database, Kafka topic. For new_potential_data_storage events: SQL Database instance, Kafka cluster |
| entity_name | Present when the event involves S3 bucket or Database or Kafka topic, and for new_potential_data_storage events | Object name in S3 bucket, database name, or topic name. For new_potential_data_storage events: SQL database instance name or Kafka cluster name |
| s3_bucket | Present when object_type is S3 bucket | See nested structures |
| database_type | Present when object_type is Database. Present for new_potential_data_storage events when object_type is Database | The type of database. Example: PostgreSQL |
| database_name | Present when object_type is Database | The name of the database. Same as entity_name. Example: users-db |
| table | Present when Database is an SQL database | The name of the database table. Example: users |
| collection | Present when Database is a NoSQL database | The name of the NoSQL database collection. Example: users |
| topic | Present when object_type is a Kafka topic | The name of the Kafka topic. Same as entity_name. Example: user-created |
| scheme | Present when object_type is a Kafka topic | The name of the Kafka scheme. Example: user-events |

Nested structures

Several fields of the event object (sending, receiving, endpoint, policy, s3_bucket, conflicting_assets) are themselves objects. Their nested fields are listed below:

| Structure | Field | Description |
|---|---|---|
| sending | link | Link to the service details. Example: https://app.soveren.io/service-catalog/services/12345 |
| sending | name | Name of the service. Example: payment-service |
| sending | namespace | Namespace of the service. Example: production |
| sending | cluster | Name of the cluster the service belongs to. Example: us-west-cluster |
| sending | groups | Groups the service belongs to. Each group has a name and value. Example: [{name: environment, value: production}] |
| receiving | link | Link to the service details. Example: https://app.soveren.io/service-catalog/services/67890 |
| receiving | name | Name of the service. Example: analytics-service |
| receiving | namespace | Namespace of the service. Example: production |
| receiving | cluster | Name of the cluster the service belongs to. Example: us-east-cluster |
| receiving | groups | Groups the service belongs to. Each group has a name and value. Example: [{name: environment, value: production}] |
| endpoint | link | Link to the endpoint details. Example: https://app.soveren.io/api-endpoints/sample?id=12345&direction=response |
| endpoint | url | URL of the endpoint. Example: /api/v1/some |
| endpoint | hostname | Hostname of the endpoint. Example: api.example.com |
| endpoint | method | HTTP method of the endpoint. Example: POST |
| policy | link | Link to the policy details. Example: https://app.soveren.io/policies/234 |
| policy | name | Name of the policy. Example: PCI-DSS Compliance |
| s3_bucket | name | Name of the S3 bucket. Example: user-uploads |
| s3_bucket | aws_region_code | AWS region code where the bucket is located. Example: us-east-1 |
| s3_bucket | aws_region_description | Description of the AWS region. Example: US East (N. Virginia) |
| s3_bucket | aws_link | Link to the bucket in AWS console. Example: https://console.aws.amazon.com/s3/buckets/user-uploads |
| conflicting_assets | link | Link to the service details. Example: https://app.soveren.io/service-catalog/services/12345 |
| conflicting_assets | name | Name of the service. Example: user-service |