Amazon SNS Integration JSON Payload

Created On 09/26/18 13:45 PM - Last Modified 06/09/23 07:45 AM


Resolution


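Below is a sample payload schema for an Amazon SNS integration notification, shown as annotated JSON. The schema was captured on 2/6/18, so the format may have changed since then. The sample is illustrative rather than strictly valid JSON: the `# ...` remarks are annotations that will not appear in a real message, and pipe-separated strings such as `"fail|warn|error|pass|info"` appear to list the possible values of a field rather than a literal value. Fields marked "can be null" or "may not exist" should be treated as optional by any consumer that parses these notifications. Note also that the `included` section carries account identifiers (`arn`, `account`, `external_id`), so restrict who can subscribe to the topic and where its messages are stored or logged.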

 

{
    "data": {
    "id": 1,
    "type":"alerts",
    "attributes": {
      "created_at":"2018-02-06T20:45:46.000Z",
      "status":"fail|warn|error|pass|info",
      "risk_level":"low|medium|high",
      "resource":"resource-1",
      "ended_reason":"from_api|new_alert|from_scan|not_present_after_scan|signature_deleted|custom_signature_deleted|suppression_created|suppression_deactivated|custom_risk_level_created|custom_risk_level_deleted", # can be null
      "replaced_by_id": 1, # can be null
      "replaced_by_status":"fail|warn|error|pass|info", # can be null
      "updated_at":"2018-02-06T20:45:46.000Z",
      "started_at":"2018-02-06T20:45:46.000Z",
      "ended_at":"2018-02-06T20:45:46.000Z" # can be null
    },
    "relationships": {
      "external_account": {
        "data": {
          "id":"1",
          "type":"external_accounts"
        },
        "links": {
          "related":"https://esp.evident.io/api/v2/external_accounts/1.json"
        }
      },
      "region": {
        "data": {
          "id":"8",
          "type":"regions"
        },
        "links": { 
          "related":"https://esp.evident.io/api/v2/regions/8.json"
        }
      },
      "signature": {
        "data": { # this or custom signature is null
          "id":"34", 
          "type":"signatures"
        },
        "links": {
          "related":"https://esp.evident.io/api/v2/signatures/34.json" # can be null
        }
      },
      "custom_signature": {
        "data": { # this or signature is null
          "id":"34", 
          "type":"signatures"
        },
        "links": {
          "related":"https://esp.evident.io/api/v2/custom_signatures/34.json" # can be null
        }
      },
      "suppression": {
        "data": { # may not exist
          "id":"1", 
          "type":"suppressions"
        },
        "links": {
          "related":"https://api.evident.io/api/v2/suppressions/12.json" # can be null
        }
      },
      "metadata": {
        "data": {
          "id":"1",
          "type":"metadata"
        },
        "links": {
          "related":"https://esp.evident.io/api/v2/alerts/1/metadata.json"
        }
      },
      "attribution": {
        "data":null,
        "links": {
          "related":"https://esp.evident.io/api/v2/alerts/1/attribution.json"
        }
      },
      "cloud_trail_events": {
        "data":[],
        "links": {
          "related":"https://esp.evident.io/api/v2/alerts/1/cloud_trail_events.json"
        }
      },
      "tags": {
        "data":[],
        "links": {
          "related":"https://esp.evident.io/api/v2/alerts/1/tags.json"
        }
      },
      "compliance_controls": {
        "links": {
          "related":"https://esp.evident.io/api/v2/alerts/1/compliance_controls.json"
        }
      },
      "custom_compliance_controls": {
        "links": {
          "related":"https://esp.evident.io/api/v2/alerts/1/custom_compliance_controls.json"
        }
      }
    }
  },
  "included": [
    {
      "id":"1",
      "type":"external_accounts",
      "attributes": {
        "created_at":"2017-12-15T23:17:45.000Z",
        "name":"Support",
        "updated_at":"2018-02-06T20:39:34.000Z",
        "provider":"amazon",
        "arn":"arn:aws:iam::123456789012:role/Evident-Service-Role",
        "account":"660003967022",
        "external_id":"11111111-1111-1111-1111-111111111111",
        "cloudtrail_name":"EvidentAttribution"
      },
      "relationships": {
        "organization": {
          "links": {
            "related":"https://esp.evident.io/api/v2/organizations/1.json"
          }
        },
        "sub_organization": {
          "links": {
            "related":"https://esp.evident.io/api/v2/sub_organizations/1.json"
          }
        },
        "team": {
          "links": {
            "related":"https://esp.evident.io/api/v2/teams/1.json"
          }
        },
        "scan_intervals": {
          "links": {
            "related":"https://esp.evident.io/api/v2/external_accounts/1/scan_intervals.json"
          }
        },
        "disabled_signatures": {
          "links": {
            "related":"https://esp.evident.io/api/v2/external_accounts/1/disabled_signatures.json"
          }
        },
        "credentials": {
          "links": {
            "related":"https://esp.evident.io/api/v2/external_accounts/1/amazon.json"
          }
        }
      }
    },
    {
      "id":"8",
      "type":"regions",
      "attributes": {
        "code":"us_west_2",
        "name":null,
        "created_at":"2014-06-05T23:42:37.000Z",
        "updated_at":"2014-06-05T23:42:37.000Z",
        "provider":"amazon"
      }
    },
    {
      "id":"34",
      "type":"signatures",
      "attributes": {
        "created_at":"2014-06-05T23:43:30.000Z",
        "description":"Global permission to access the well known services TCP port 22 (SSH) should not be allowed in a security group.\n\n",
        "identifier":"AWS:EC2-002",
        "name":"Global Admin Port Access - SSH (TCP Port 22) Detected",
        "resolution":"Reduce the permitted IP Addresses or ranges allowed to communicate to destination hosts on TCP port 22.\n\nWe recommend utilizing the static office or home IP addresses of your employees as the permitted hosts, or deploying a bastion host with 2-factor authentication if this is infeasible. This bastion host becomes the only permitted IP to communicate with any other nodes inside your account.\n\nIf you must permit global access to TCP port 22 (SSH), then you may suppress this alert.  \n  \nFor more information on Ports, see [AWS: Ports.]( http://docs.aws.amazon.com/workspaces/latest/adminguide/client_ports.html)\n\n",
        "risk_level":"high",
        "updated_at":"2017-12-06T19:20:27.000Z"
      },
      "relationships": {
        "service": {
          "links": {
            "related":"https://esp.evident.io/api/v2/services/1.json"
          }
        },
        "disabled_external_accounts": {
          "links": {
            "related":"https://esp.evident.io/api/v2/signatures/34/disabled_external_accounts.json"
          }
        }
      }
    },
    {
      "id":"1",
      "type":"metadata",
      "attributes": {
        "data": {
          "details": {
            "message":"Alert message",
            "tags":[]
            # can include various other fields
          }
        }
      }
    }
  ]
}

 


