Amazon EventBridge event schema for Amazon Macie findings - Amazon Macie

Amazon EventBridge event schema for Amazon Macie findings

To support integration with other applications, services, and systems, such as monitoring or event management systems, Amazon Macie automatically publishes findings to Amazon EventBridge as finding events. EventBridge, formerly called Amazon CloudWatch Events, is a serverless event bus service that delivers a stream of real-time data from applications and other AWS services to targets such as AWS Lambda functions, Amazon Simple Notification Service topics, and Amazon Kinesis streams. To learn more about EventBridge and EventBridge events, see the Amazon EventBridge User Guide.

Note

If you currently use CloudWatch Events, note that EventBridge and CloudWatch Events are the same underlying service and API. However, EventBridge includes additional features that enable you to receive events from Software-as-a-Service (SaaS) applications and your own applications. Because the underlying service and API are the same, the event schema for Macie findings is also the same. In addition, you can use either the console or the API to create rules for Macie finding events.

Macie publishes events for all new findings and subsequent occurrences of existing policy findings. (This excludes findings that you archive automatically using suppression rules.) Each event is a JSON object that conforms to the EventBridge schema for AWS events and contains a JSON representation of a finding. Because the findings data is structured as an EventBridge event, you can more easily monitor, process, and act upon findings by using other applications, services, and tools.

Event schema

The following example shows the schema of an EventBridge event for a Macie finding. For a detailed list of fields that can be included in a finding event, see the Finding object table in the Amazon Macie API Reference. The structure and fields of a finding event map closely to the Finding object of the Amazon Macie API.

{
  "version": "0",
  "id": "event ID",
  "detail-type": "Macie Finding",
  "source": "aws.macie",
  "account": "AWS account ID (string)",
  "time": "event timestamp (string)",
  "region": "AWS Region (string)",
  "resources": [
    <-- ARNs of the resources involved in the event -->
  ],
  "detail": {
    <-- Details for a policy or sensitive data finding -->
  },
  "policyDetails": null, <-- Additional details for a policy finding or "null" for a sensitive data finding -->
  "sample": Boolean,
  "archived": Boolean
}

Event example for a policy finding

The following example uses sample data to demonstrate the structure and nature of objects and fields in an EventBridge event for a policy finding.

In this example, the event reports a subsequent occurrence of an existing policy finding: default encryption was disabled for an S3 bucket. The following fields and values can help you determine that this is the case:

  • The type field is set to Policy:IAMUser/S3BucketEncryptionDisabled.

  • The createdAt and updatedAt fields have different values. This is one indicator that the event reports a subsequent occurrence of an existing finding. The values for these fields would be the same if the event reported a new finding.

  • The count field is set to 3, which indicates that this is the third occurrence of the finding.

  • The category field is set to POLICY.

  • The value for the classificationDetails field is null, which helps differentiate this event for a policy finding from an event for a sensitive data finding. For a sensitive data finding, this value would be a set of objects and fields that provide information about how and what sensitive data was found.

Also note that the value for the sample field is true. This value emphasizes that this is an example event for use in the documentation.

{
  "version": "0",
  "id": "0948ba87-d3b8-c6d4-f2da-732a1example",
  "detail-type": "Macie Finding",
  "source": "aws.macie",
  "account": "123456789012",
  "time": "2020-06-04T23:46:02Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "schemaVersion": "1.0",
    "id": "64b917aa-3843-014c-91d8-937ffexample",
    "accountId": "123456789012",
    "partition": "aws",
    "region": "us-east-1",
    "type": "Policy:IAMUser/S3BucketEncryptionDisabled",
    "title": "Encryption is disabled for the S3 bucket",
    "description": "Encryption is disabled for the Amazon S3 bucket. The data in the bucket isn’t encrypted using server-side encryption.",
    "severity": {
      "score": 1,
      "description": "Low"
    },
    "createdAt": "2020-06-04T23:46:02Z",
    "updatedAt": "2020-06-06T15:12:15Z",
    "count": 3,
    "resourcesAffected": {
      "s3Bucket": {
        "arn": "arn:aws:s3:::macie-sample-finding-bucket2",
        "name": "macie-sample-finding-bucket2",
        "createdAt": "2020-04-03T20:46:56.000Z",
        "owner": {
          "displayName": "johndoe",
          "id": "7009a8971cd538e11f6b6606438875e7c86c5b672f46db45460ddcd08example"
        },
        "tags": [
          { "key": "Division", "value": "HR" },
          { "key": "Team", "value": "Recruiting" }
        ],
        "defaultServerSideEncryption": {
          "encryptionType": "NONE",
          "kmsMasterKeyId": null
        },
        "publicAccess": {
          "permissionConfiguration": {
            "bucketLevelPermissions": {
              "accessControlList": {
                "allowsPublicReadAccess": false,
                "allowsPublicWriteAccess": false
              },
              "bucketPolicy": {
                "allowsPublicReadAccess": false,
                "allowsPublicWriteAccess": false
              },
              "blockPublicAccess": {
                "ignorePublicAcls": true,
                "restrictPublicBuckets": true,
                "blockPublicAcls": true,
                "blockPublicPolicy": true
              }
            },
            "accountLevelPermissions": {
              "blockPublicAccess": {
                "ignorePublicAcls": false,
                "restrictPublicBuckets": false,
                "blockPublicAcls": false,
                "blockPublicPolicy": false
              }
            }
          },
          "effectivePermission": "NOT_PUBLIC"
        }
      },
      "s3Object": null
    },
    "category": "POLICY",
    "classificationDetails": null,
    "policyDetails": {
      "action": {
        "actionType": "AWS_API_CALL",
        "apiCallDetails": {
          "api": "DeleteBucketEncryption",
          "apiServiceName": "s3.amazonaws.com",
          "firstSeen": "2020-06-04T23:46:02.502Z",
          "lastSeen": "2020-06-06T15:12:15.401Z"
        }
      },
      "actor": {
        "userIdentity": {
          "type": "AssumedRole",
          "assumedRole": {
            "principalId": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName",
            "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
            "accountId": "123456789012",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
            "sessionContext": {
              "attributes": {
                "mfaAuthenticated": false,
                "creationDate": "2020-04-23T18:25:43.511Z"
              },
              "sessionIssuer": {
                "type": "Role",
                "principalId": "AKIAIOSFODNN7EXAMPLE",
                "arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
                "accountId": "123456789012",
                "userName": "RoleToBeAssumed"
              }
            }
          },
          "root": null,
          "iamUser": null,
          "federatedUser": null,
          "awsAccount": null,
          "awsService": null
        },
        "ipAddressDetails": {
          "ipAddressV4": "192.0.2.0",
          "ipOwner": {
            "asn": "-1",
            "asnOrg": "ExampleFindingASNOrg",
            "isp": "ExampleFindingISP",
            "org": "ExampleFindingORG"
          },
          "ipCountry": {
            "code": "US",
            "name": "United States"
          },
          "ipCity": {
            "name": "Ashburn"
          },
          "ipGeoLocation": {
            "lat": 39.0481,
            "lon": -77.4728
          }
        },
        "domainDetails": null
      }
    },
    "sample": true,
    "archived": false
  }
}

Event example for a sensitive data finding

The following example uses sample data to demonstrate the structure and nature of objects and fields in an EventBridge event for a sensitive data finding.

In this example, the event reports a new sensitive data finding: an S3 object contains more than one category of sensitive data. The following fields and values can help you determine that this is the case:

  • The type field is set to SensitiveData:S3Object/Multiple.

  • The createdAt and updatedAt fields have the same values. Unlike policy findings, this is always the case for sensitive data findings. All sensitive data findings are considered new (unique) because they derive from individual jobs.

  • The count field is set to 1, which indicates that this is a new finding. Unlike policy findings, this is always the case for sensitive data findings. All sensitive data findings are considered new (unique) because they derive from individual jobs.

  • The category field is set to CLASSIFICATION.

  • The presence of the jobArn and jobId fields indicates that a sensitive data discovery job produced the finding. The values for these fields indicate which job produced the finding.

  • The value for the policyDetails field is null, which helps differentiate this event for a sensitive data finding from an event for a policy finding. For a policy finding, this value would be a set of objects and fields that provide information about a potential policy violation.

Also note that the value for the sample field is true. This value emphasizes that this is an example event for use in the documentation.

{
  "version": "0",
  "id": "14ddd0b1-7c90-b9e3-8a68-6a408example",
  "detail-type": "Macie Finding",
  "source": "aws.macie",
  "account": "123456789012",
  "time": "2020-11-05T13:19:10Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "schemaVersion": "1.0",
    "id": "4ed45d06-c9b9-4506-ab7f-18a57example",
    "accountId": "123456789012",
    "partition": "aws",
    "region": "us-east-1",
    "type": "SensitiveData:S3Object/Multiple",
    "title": "The S3 object contains multiple types of sensitive information.",
    "description": "The object contains more than one type of sensitive information.",
    "severity": {
      "score": 3,
      "description": "High"
    },
    "createdAt": "2020-11-05T13:19:10Z",
    "updatedAt": "2020-11-05T13:19:10Z",
    "count": 1,
    "resourcesAffected": {
      "s3Bucket": {
        "arn": "arn:aws:s3:::macie-sample-finding-bucket1",
        "name": "macie-sample-finding-bucket1",
        "createdAt": "2020-05-15T20:46:56.000Z",
        "owner": {
          "displayName": "johndoe",
          "id": "7009a8971cd538e11f6b6606438875e7c86c5b672f46db45460ddcd08example"
        },
        "tags": [
          { "key": "Division", "value": "HR" },
          { "key": "Team", "value": "Recruiting" }
        ],
        "defaultServerSideEncryption": {
          "encryptionType": "aws:kms",
          "kmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/4dff8393-e225-4793-a9a0-608ecexample"
        },
        "publicAccess": {
          "permissionConfiguration": {
            "bucketLevelPermissions": {
              "accessControlList": {
                "allowsPublicReadAccess": false,
                "allowsPublicWriteAccess": false
              },
              "bucketPolicy": {
                "allowsPublicReadAccess": false,
                "allowsPublicWriteAccess": false
              },
              "blockPublicAccess": {
                "ignorePublicAcls": true,
                "restrictPublicBuckets": true,
                "blockPublicAcls": true,
                "blockPublicPolicy": true
              }
            },
            "accountLevelPermissions": {
              "blockPublicAccess": {
                "ignorePublicAcls": false,
                "restrictPublicBuckets": false,
                "blockPublicAcls": false,
                "blockPublicPolicy": false
              }
            }
          },
          "effectivePermission": "NOT_PUBLIC"
        }
      },
      "s3Object": {
        "bucketArn": "arn:aws:s3:::macie-sample-finding-bucket1",
        "key": "2020 Sourcing.csv",
        "path": "macie-sample-finding-bucket1/2020 Sourcing.csv",
        "extension": "csv",
        "lastModified": "2020-10-09T17:08:25.000Z",
        "versionId": "",
        "serverSideEncryption": {
          "encryptionType": "aws:kms",
          "kmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/4dff8393-e225-4793-a9a0-608ecexample"
        },
        "size": 4750,
        "storageClass": "STANDARD",
        "tags": [
          { "key": "Division", "value": "HR" },
          { "key": "Team", "value": "Recruiting" }
        ],
        "publicAccess": false,
        "etag": "6bb7fd4fa9d36d6b8fb8882caexample"
      }
    },
    "category": "CLASSIFICATION",
    "classificationDetails": {
      "jobArn": "arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample",
      "jobId": "3ce05dbb7ec5505def334104bexample",
      "result": {
        "status": {
          "code": "COMPLETE",
          "reason": null
        },
        "sizeClassified": 4750,
        "mimeType": "text/csv",
        "additionalOccurrences": true,
        "sensitiveData": [
          {
            "category": "PERSONAL_INFORMATION",
            "totalCount": 65,
            "detections": [
              {
                "type": "USA_SOCIAL_SECURITY_NUMBER",
                "count": 30,
                "occurrences": {
                  "lineRanges": null,
                  "offsetRanges": null,
                  "pages": null,
                  "records": null,
                  "cells": [
                    { "row": 2, "column": 1, "columnName": "SSN", "cellReference": null },
                    { "row": 3, "column": 1, "columnName": "SSN", "cellReference": null },
                    { "row": 4, "column": 1, "columnName": "SSN", "cellReference": null }
                  ]
                }
              },
              {
                "type": "NAME",
                "count": 35,
                "occurrences": {
                  "lineRanges": null,
                  "offsetRanges": null,
                  "pages": null,
                  "records": null,
                  "cells": [
                    { "row": 2, "column": 3, "columnName": "Name", "cellReference": null },
                    { "row": 3, "column": 3, "columnName": "Name", "cellReference": null }
                  ]
                }
              }
            ]
          },
          {
            "category": "FINANCIAL_INFORMATION",
            "totalCount": 30,
            "detections": [
              {
                "type": "CREDIT_CARD_NUMBER",
                "count": 30,
                "occurrences": {
                  "lineRanges": null,
                  "offsetRanges": null,
                  "pages": null,
                  "records": null,
                  "cells": [
                    { "row": 2, "column": 14, "columnName": "CCN", "cellReference": null },
                    { "row": 3, "column": 14, "columnName": "CCN", "cellReference": null }
                  ]
                }
              }
            ]
          }
        ],
        "customDataIdentifiers": {
          "totalCount": 0,
          "detections": []
        }
      },
      "detailedResultsLocation": "s3://macie-data-discovery-results/AWSLogs/123456789012/Macie/us-east-1/3ce05dbb7ec5505def334104bexample/d48bf16d-0deb-3e49-9d8c-d407cexample.jsonl.gz"
    },
    "policyDetails": null,
    "sample": true,
    "archived": false
  }
}
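A triage helper that applies the indicators called out in the two field lists above (category, a null classificationDetails or policyDetails, count, createdAt versus updatedAt, and the sample and archived flags) to a finding event, as an added example that is not part of the Macie documentation. The two embedded events are constructed, abridged versions of the page's sample events; the field names are those of the Finding object, and the summary keys (kind, repeat, actionable, and so on) are this example's own.

```python
# Added example (not from the Macie documentation). The two events are constructed,
# abridged versions of the page's sample finding events.
POLICY_EVENT = {"source": "aws.macie", "detail-type": "Macie Finding", "detail": {
    "id": "64b917aa-3843-014c-91d8-937ffexample", "category": "POLICY",
    "type": "Policy:IAMUser/S3BucketEncryptionDisabled",
    "severity": {"score": 1, "description": "Low"}, "count": 3,
    "createdAt": "2020-06-04T23:46:02Z", "updatedAt": "2020-06-06T15:12:15Z",
    "resourcesAffected": {"s3Bucket": {"name": "macie-sample-finding-bucket2"}, "s3Object": None},
    "classificationDetails": None,
    "policyDetails": {"action": {"apiCallDetails": {"api": "DeleteBucketEncryption"}}},
    "sample": True, "archived": False}}

SENSITIVE_EVENT = {"source": "aws.macie", "detail-type": "Macie Finding", "detail": {
    "id": "4ed45d06-c9b9-4506-ab7f-18a57example", "category": "CLASSIFICATION",
    "type": "SensitiveData:S3Object/Multiple",
    "severity": {"score": 3, "description": "High"}, "count": 1,
    "createdAt": "2020-11-05T13:19:10Z", "updatedAt": "2020-11-05T13:19:10Z",
    "resourcesAffected": {"s3Bucket": {"name": "macie-sample-finding-bucket1"},
                          "s3Object": {"key": "2020 Sourcing.csv"}},
    "classificationDetails": {"jobId": "3ce05dbb7ec5505def334104bexample", "result": {"sensitiveData": [
        {"category": "PERSONAL_INFORMATION", "detections": [
            {"type": "USA_SOCIAL_SECURITY_NUMBER", "count": 30}, {"type": "NAME", "count": 35}]},
        {"category": "FINANCIAL_INFORMATION", "detections": [{"type": "CREDIT_CARD_NUMBER", "count": 30}]}]}},
    "policyDetails": None, "sample": True, "archived": False}}

def summarize_finding(event: dict) -> dict:
    """Pull the triage fields out of one Macie finding event delivered by EventBridge."""
    if event.get("source") != "aws.macie" or event.get("detail-type") != "Macie Finding":
        raise ValueError("not a Macie finding event")
    d = event["detail"]
    # category plus a null classificationDetails/policyDetails tell the two kinds apart
    is_policy = d["category"] == "POLICY" and d["classificationDetails"] is None
    out = {
        "id": d["id"], "kind": "policy" if is_policy else "sensitive_data",
        "type": d["type"], "severity": d["severity"]["description"],
        "bucket": d["resourcesAffected"]["s3Bucket"]["name"],
        # count > 1 with a later updatedAt marks a repeat of an existing policy finding
        "repeat": d["count"] > 1 and d["updatedAt"] != d["createdAt"],
        # sample events and findings archived by suppression rules need no action
        "actionable": not (d["sample"] or d["archived"]),
    }
    if is_policy:
        out["api_call"] = d["policyDetails"]["action"]["apiCallDetails"]["api"]
    else:
        cd = d["classificationDetails"]
        out["job_id"] = cd["jobId"]
        out["object_key"] = d["resourcesAffected"]["s3Object"]["key"]
        out["total_detections"] = sum(x["count"] for c in cd["result"]["sensitiveData"] for x in c["detections"])
    return out
```

In a Lambda target the handler would call summarize_finding on the event it receives and route on kind, severity and actionable; both sample events here come back non-actionable because their sample flag is true.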