
Amazon SNS Integration Payload (2/6/18)

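Below is a sample payload for an Amazon SNS integration notification, in JSON.  The schema was captured on 2/6/18; please be aware that the format may have changed since then.  The `# ...` notes in the sample are annotations for the reader and are not part of the payload (JSON has no comment syntax), so strip them before feeding the sample to a parser.  Fields marked "can be null" or "may not exist" should be treated as optional by any consumer that parses these notifications.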

{
  "data": {
    "id": 1,
    "type":"alerts",
    "attributes": {
      "created_at":"2018-02-06T20:45:46.000Z",
      "status":"fail|warn|error|pass|info",
      "risk_level":"low|medium|high",
      "resource":"resource-1",
      "ended_reason":"from_api|new_alert|from_scan|not_present_after_scan|signature_deleted|custom_signature_deleted|suppression_created|suppression_deactivated|custom_risk_level_created|custom_risk_level_deleted", # can be null
      "replaced_by_id": 1, # can be null
      "replaced_by_status":"fail|warn|error|pass|info", # can be null
      "updated_at":"2018-02-06T20:45:46.000Z",
      "started_at":"2018-02-06T20:45:46.000Z",
      "ended_at":"2018-02-06T20:45:46.000Z" # can be null
    },
    "relationships": {
      "external_account": {
        "data": {
          "id":"1",
          "type":"external_accounts"
        },
        "links": {
          "related":"https://esp.evident.io/api/v2/external_accounts/1.json"
        }
      },
      "region": {
        "data": {
          "id":"8",
          "type":"regions"
        },
        "links": { 
          "related":"https://esp.evident.io/api/v2/regions/8.json"
        }
      },
      "signature": {
        "data": { # either this or custom_signature is null
          "id":"34", 
          "type":"signatures"
        },
        "links": {
          "related":"https://esp.evident.io/api/v2/signatures/34.json" # can be null
        }
      },
      "custom_signature": {
        "data": { # either this or signature is null
          "id":"34", 
          "type":"signatures"
        },
        "links": {
          "related":"https://esp.evident.io/api/v2/custom_signatures/34.json" # can be null
        }
      },
      "suppression": {
        "data": { # may not exist
          "id":"1", 
          "type":"suppressions"
        },
        "links": {
          "related":"https://api.evident.io/api/v2/suppressions/12.json" # can be null
        }
      },
      "metadata": {
        "data": {
          "id":"1",
          "type":"metadata"
        },
        "links": {
          "related":"https://esp.evident.io/api/v2/alerts/1/metadata.json"
        }
      },
      "attribution": {
        "data":null,
        "links": {
          "related":"https://esp.evident.io/api/v2/alerts/1/attribution.json"
        }
      },
      "cloud_trail_events": {
        "data":[],
        "links": {
          "related":"https://esp.evident.io/api/v2/alerts/1/cloud_trail_events.json"
        }
      },
      "tags": {
        "data":[],
        "links": {
          "related":"https://esp.evident.io/api/v2/alerts/1/tags.json"
        }
      },
      "compliance_controls": {
        "links": {
          "related":"https://esp.evident.io/api/v2/alerts/1/compliance_controls.json"
        }
      },
      "custom_compliance_controls": {
        "links": {
          "related":"https://esp.evident.io/api/v2/alerts/1/custom_compliance_controls.json"
        }
      }
    }
  },
  "included": [
    {
      "id":"1",
      "type":"external_accounts",
      "attributes": {
        "created_at":"2017-12-15T23:17:45.000Z",
        "name":"Support",
        "updated_at":"2018-02-06T20:39:34.000Z",
        "provider":"amazon",
        "arn":"arn:aws:iam::123456789012:role/Evident-Service-Role",
        "account":"660003967022",
        "external_id":"11111111-1111-1111-1111-111111111111",
        "cloudtrail_name":"EvidentAttribution"
      },
      "relationships": {
        "organization": {
          "links": {
            "related":"https://esp.evident.io/api/v2/organizations/1.json"
          }
        },
        "sub_organization": {
          "links": {
            "related":"https://esp.evident.io/api/v2/sub_organizations/1.json"
          }
        },
        "team": {
          "links": {
            "related":"https://esp.evident.io/api/v2/teams/1.json"
          }
        },
        "scan_intervals": {
          "links": {
            "related":"https://esp.evident.io/api/v2/external_accounts/1/scan_intervals.json"
          }
        },
        "disabled_signatures": {
          "links": {
            "related":"https://esp.evident.io/api/v2/external_accounts/1/disabled_signatures.json"
          }
        },
        "credentials": {
          "links": {
            "related":"https://esp.evident.io/api/v2/external_accounts/1/amazon.json"
          }
        }
      }
    },
    {
      "id":"8",
      "type":"regions",
      "attributes": {
        "code":"us_west_2",
        "name":null,
        "created_at":"2014-06-05T23:42:37.000Z",
        "updated_at":"2014-06-05T23:42:37.000Z",
        "provider":"amazon"
      }
    },
    {
      "id":"34",
      "type":"signatures",
      "attributes": {
        "created_at":"2014-06-05T23:43:30.000Z",
        "description":"Global permission to access the well known services TCP port 22 (SSH) should not be allowed in a security group.\n\n",
        "identifier":"AWS:EC2-002",
        "name":"Global Admin Port Access - SSH (TCP Port 22) Detected",
        "resolution":"Reduce the permitted IP Addresses or ranges allowed to communicate to destination hosts on TCP port 22.\n\nWe recommend utilizing the static office or home IP addresses of your employees as the permitted hosts, or deploying a bastion host with 2-factor authentication if this is infeasible. This bastion host becomes the only permitted IP to communicate with any other nodes inside your account.\n\nIf you must permit global access to TCP port 22 (SSH), then you may suppress this alert.  \n  \nFor more information on Ports, see [AWS: Ports.]( http://docs.aws.amazon.com/workspaces/latest/adminguide/client_ports.html)\n\n",
        "risk_level":"high",
        "updated_at":"2017-12-06T19:20:27.000Z"
      },
      "relationships": {
        "service": {
          "links": {
            "related":"https://esp.evident.io/api/v2/services/1.json"
          }
        },
        "disabled_external_accounts": {
          "links": {
            "related":"https://esp.evident.io/api/v2/signatures/34/disabled_external_accounts.json"
          }
        }
      }
    },
    {
      "id":"1",
      "type":"metadata",
      "attributes": {
        "data": {
          "details": {
            "message":"Alert message",
            "tags":[]
            # can include various other fields
          }
        }
      }
    }
  ]
}