Events API for Cyber Resilience

About Cyber Resilience Events API

Using the Events API, you can export events from Cyber Resilience (Accelerated Ransomware Recovery and Security Posture and Observability). This API capability helps organizations to:

  • Get all the Ransomware and Security Posture events in a single API call
  • Monitor the reported failures and take corrective actions
  • Integrate the exported events with a third-party SIEM tool

Workflow to export Cyber Resilience events

  1. Generate a token to access the Events API. For more information, see Use EVENTAPI to export events from Cyber Resilience.
  2. Access the Events API through any REST client to receive a response in JSON format.

Access Events API

Make API requests. For more information, see the Events API reference.

About Events API Response

  • Each Ransomware Recovery Events API response contains a maximum of 100 Cyber Resilience events.
  • If the Cyber Resilience database holds more than 100 events when an Events API response is returned, the response contains the nextPageToken attribute. Use the token provided in the nextPageToken attribute as the query parameter for the Token field in the next request to get an additional set of Cyber Resilience events.
  • The Events API response uses the UTC time zone.

Supported Cyber Resilience events

The following tables list the Cyber Resilience events that you can export by using the Events API:

Malicious File Scan (RWC) and Curated Snapshot (CS) events

Event Category

Event Types

Event State

Description

Event Details

Admin event

Addition of SHA
File Hash

Success
Failed

Event related to addition of SHA hash(es).

{"Added": 1, "Total": 1, "Invalid": 0, "Skipped": 0, "Duplicate": 0, "Successful": true}

Admin event

Deletion of SHA
File Hash

Success
Failed

Event related to deletion of SHA hash(es).

{"Note": "Deletion note", "SHADetails": "{User Name} deleted the file hash with SHA value {hashvalue} Delete Reason: {Reason} Status: Successful", "Successful": true}

Admin event

Modification of Scan Settings

Scan Settings Updated

Success
Failed

Event for modification of scan settings. Updated settings are present in the response.

{"Successful": true, "AVScanEnabled": false, "FileHashScanEnabled": true, "SkipScanForDeviceReplace": true, "AllowAdminToSkipScanServers": true, "AllowUserToSkipScanEndpoints": true, "AllowAdminToSkipScanEndpoints": true}

Admin event

RWC Job Creation
Malicious File Scan

Success
Failed

Event for creation of RWC job.

{"JobType": "Malicious File Scan", "Activity": "Job Created", "ScanJobID": , "StartTime": "", "JobCreatedBy": "InternalAdmin", "ProductJobID": , "ResourceName": "", "ResourceType": "", "ResourceParent": ""}

Admin event

RWC Job Cancellation
Malicious File Scan

Success
Failed

Event for cancellation of RWC job.

{"EndTime": "", "JobType": "Malicious File Scan", "Activity": "Job Cancelled", "ScanJobID": ,"StartTime": "", "FilesBlocked": 0, "FilesScanned": 0, "JobCreatedBy": "InternalAdmin", "ProductJobID": , "ResourceName": "", "ResourceType": "VMware", "JobCancelledBy": "", "ResourceParent": "", "FilesScanSkipped": 0, "FilesSelectedForRestore": 0}

Admin event

RWC Job Finished
Malicious File Scan

Success

Event for completion of RWC job.

{"EndTime": "", "JobType": "Malicious File Scan", "Activity": "Job Completed", "ScanJobID": , "StartTime": "", "FilesBlocked": 8, "FilesScanned": 110791, "JobCreatedBy": "InternalAdmin", "ProductJobID": , "ResourceName": "", "ResourceType": "","ResourceParent": "", "FilesScanSkipped": , "FilesSelectedForRestore": }

Admin event

RWC Malicious Files Found
Malicious File Scan

Success

Event generated when the affected files count is greater than 0 for an RWC job.

{"EndTime": "", "JobType": "Malicious File Scan", "Activity": "Job Completed", "ScanJobID": , "StartTime": "", "FilesBlocked": 8, "FilesScanned": 110791, "JobCreatedBy": "InternalAdmin", "ProductJobID": , "ResourceName": "", "ResourceType": "", "ResourceParent": "", "FilesScanSkipped": , "FilesSelectedForRestore":

Admin event

CS Job Creation

Success

Event for creation of Curated Snapshot (CS) job.

{"JobType": "Curated Snapshot", "Activity": "Curated snapshot creation started", "ScanJobID": , "StartTime": "","JobCreatedBy": "", "ResourceName": "", "ResourceType": "Endpoint", "ResourceParent": ""}

Admin event

CS Created

Success

Event for successful completion of creation of Curated Snapshot (CS).

{"area": "Security", "category": "Admin Event", "type": "Curated Snapshot", "syslogSeverity": , "syslogFacility": , "SSJobID": , "Activity": "Curated snapshot created", "FilesBlocked": 0, "ResourceName": "", "ResourceType": "", "FilesExcluded": 0, "FilesIncluded": 0, "ResourceParent": "", "FilesScanSkipped": 0}

Admin event

CS Deleted

Success
Failed

Event for deletion of created Curated Snapshot (CS).

{"Activity": "Curated snapshot Deleted", "StartTime": "", "SnapshotID": "", "DeleteReason": "", "ResourceName": "", "ResourceType": "File Server", "ResourceParent": "", "SnapshotDeletedBy": ""}

Admin event

CS Job Cancelled

Success

Event for cancellation of Curated Snapshot (CS) creation job.

{"JobType": "Curated Snapshot", "Activity": "Curated snapshot creation cancelled", "ScanJobID": , "StartTime": "", "JobCreatedBy": "", "ResourceName": "", "ResourceType": "File Server", "JobCancelledBy": "", "ResourceParent": ""}

Quarantine Snapshots events

Event Category

Event Types

Event State

Description

Event Details

Ransomware Recovery

Quarantine Event - Create

Success
Failed

Event for creation of Quarantine Range.

{"mode": "Admin Portal", "note": "", "orgID": , "state": "Success", "action": "Create Range", "ipAddress": "", "resourceID": , "initiatorID": "", "rangeEndTime": "", "resourceName": "", "resourceType": "VMware", "rangeStartTime": "", "resourceParent": "", "resourcePlatform": "NA"}

Ransomware Recovery

Quarantine Event - Update

Success
Failed

Event for updating the Quarantine Range.

{"mode": "Admin Portal", "note": "", "orgID": , "state": "Success", "action": "Update Range", "ipAddress": "", "resourceID": , "initiatorID": "", "rangeEndTime": "", "resourceName": "", "resourceType": "VMware", "rangeStartTime": "", "resourceParent": "", "resourcePlatform": ""}

Ransomware Recovery

Quarantine Event - Delete

Success
Failed

Event for deleting a Quarantine Range.

{"mode": "Admin Portal", "note": "", "orgID": , "state": "Success", "action": "Delete Range", "ipAddress": "", "resourceID": , "initiatorID": "", "rangeEndTime": "", "resourceName": "", "resourceType": "VMware", "rangeStartTime": "", "resourceParent": "", "resourcePlatform": "NA"}

Ransomware Recovery

Admin Audit Trail - Delete Snapshot

Snapshot deleted

Event for deletion of a snapshot from the Quarantine Bay.

{"mode": "Admin Portal", "note": "", "orgID": 0, "state": "Success", "action": "", "ipAddress": "", "resourceID": 0, "initiatorID": "", "rangeEndTime": "", "resourceName": "", "resourceType": "", "rangeStartTime": "", "resourceParent": "", "resourcePlatform": ""}

Security Dashboard events

Event Category

Event Types

Event State

Description

Event Details

Admin event

Admin Login

Success
Failed

Event related to Admin Login attempt.

{"location": "", "adminName": "", "adminEmail": "", "loginResult": "Success", "adminActivity": "Admin Login Event", "adminIPAddress": "", "adminLoginTime": ""}

Data Access

Data Access

Success
Failed

Event for Data Access.

{"size": 0, "files": 0, "status": "Successful", "endTime": "", "targetIP": "", "startTime": "", "resourceID": , "resourceName": "", "initiatorName": "", "targetLocation": ""}

Admin Event

Admin Login (New location and a different IP address. Alert is generated)

Success
Failed

Event for Admin Login (Only when admin has not logged in from the IP in the last 30 days).

{"location": "", "adminName": "", "adminEmail": "", "loginResult": "Success", "adminActivity": "Admin Login Event", "adminIPAddress": "", "adminLoginTime": ""}

Data Access

Data Access (New location and a different IP address. Alert is generated)

Success
Failed

Event for Data Access (Only when data is not accessed from the IP in the last 30 days).

{"size": 0, "files": 0, "status": "Successful", "endTime": "", "targetIP": "", "startTime": "", "resourceID": , "resourceName": "", "initiatorName": "", "targetLocation": ""}

Unusual Data Activity events

Event Category

Event Types

Event State

Description

Event Details

Unusual Data Activity

Admin Audit Trail

Success

Event related to UDA logs downloaded by the admin.

{"udaType": ["Modification"], "fileInfo": {"newFiles": 0, "deletedFiles": 0, "updatedFiles": 220, "encryptedFiles": 0}, "adminName": "", "alertTime": "", "resourceID": , "resourceName": "", "resourceType": "File Server", "adminActivity": "Unusual Data Activity - Download logs", "affectedSnapshot": "", "resourceParentID": , "resourceParentName": ""}

Unusual Data Activity

Alert

Creation
Deletion
Modification
Encryption

Event related to UDA alert generated because of an anomaly detected in either Creation, Deletion, Modification, or Encryption activity.

{"udaType": ["Modification"], "fileInfo": {"newFiles": 0, "deletedFiles": 0, "updatedFiles": 220, "encryptedFiles": 0}, "alertName": "Unusual Data Activity", "alertTime": "", "resourceID": , "resourceName": "", "resourceType": "File Server", "affectedSnapshot": "", "resourceParentID": , "resourceParentName": ""}

Unusual Data Activity

Admin Audit Trail

Success

Event for when an alert is marked as ignored.

{"udaType": ["Modification"], "fileInfo": {"newFiles": 0, "deletedFiles": 0, "updatedFiles": 220, "encryptedFiles": 0}, "adminName": "", "alertTime": "", "resourceID": , "resourceName": "", "resourceType": "File Server", "adminActivity": "Unusual Data Activity - Ignore Alert", "affectedSnapshot": "", "resourceParentID": , "resourceParentName": ""}

Unusual Data Activity

System Event

Warning Event

Warning event when UDA scan fails for VMware resources.

{
"id": 185966,
"globalCustomerId": "925ace73-6a00-4626-a13c-180890a72fc0",
"occurenceTime": 1702406872,
"area": "Security",
"category": "Unusual Data Activity",
"type": "System Event",
"syslogSeverity": 4,
"syslogFacility": 23,
"details": "{\"alertTime\": \"2023-12-12T18:47:52Z\", \"resourceID\": 95, \"error_reason\": \"VMware Tools is not installed\", \"resourceName\": \"swapnil-FS-centos-7.1\", \"resourceType\": \"VMware\", \"affectedSnapshot\": \"Tue Dec 12 18:47:52 2023\", \"resourceParentID\": 15, \"resourceParentName\": \"realizevc.druva.org\"}"
}

Unusual Data Activity

System Event

Information Event

Provides information about UDA scan events for VMware resources.

{
"id": 186711,
"globalCustomerId": "925ace73-6a00-4626-a13c-180890a72fc0",
"occurenceTime": 1702542593,
"area": "Security",
"category": "Unusual Data Activity",
"type": "System Event",
"syslogSeverity": 6,
"syslogFacility": 23,
"details": "{\"alertTime\": \"2023-12-14T08:29:53Z\", \"resourceID\": 122, \"error_reason\": \"Snapshot not scanned for Unusual Data Activity as learning is in progress.\", \"resourceName\": \"DND_swapnil-FS-ubuntu\", \"resourceType\": \"VMware\", \"affectedSnapshot\": \"Thu Dec 14 08:29:53 2023\", \"resourceParentID\": 15, \"resourceParentName\": \"realizevc.druva.org\"}"
}
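
Added example (not part of the original documentation and not Druva's code): a collector that follows nextPageToken as described under About Events API Response, then decodes each event's details string and converts occurenceTime to UTC before forwarding to a SIEM. The fetch_page stand-in, the "events" envelope key, the token value "page-2" and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample pages shaped like the System Event records on this page.
# The "events" envelope key and the token value "page-2" are assumptions.
PAGES = {
    None: {"events": [{
        "id": 1, "occurenceTime": 1702406872, "category": "Unusual Data Activity",
        "type": "System Event", "syslogSeverity": 4,
        "details": json.dumps({"resourceName": "fs-01", "resourceType": "VMware",
                               "error_reason": "VMware Tools is not installed"}),
    }], "nextPageToken": "page-2"},
    "page-2": {"events": [{
        "id": 2, "occurenceTime": 1702542593, "category": "Admin event",
        "type": "Admin Login", "syslogSeverity": 6,
        "details": "{not valid json",  # constructed malformed value
    }]},
}

def fetch_page(token=None):
    """Hypothetical stand-in for the authenticated GET; returns one decoded page."""
    return PAGES[token]

def iter_events(fetch, max_pages=1000):
    """Yield every event, following nextPageToken until it is absent."""
    token, seen = None, set()
    for _ in range(max_pages):
        page = fetch(token)
        yield from page.get("events", [])
        token = page.get("nextPageToken")
        if not token or token in seen:  # last page, or a repeated token
            return
        seen.add(token)

def normalize(event):
    """Flatten one event for SIEM ingestion; keep undecodable details as raw text."""
    try:
        details = json.loads(event.get("details") or "{}")
    except (TypeError, ValueError):
        details = None
    if not isinstance(details, dict):
        details = {"raw_details": event.get("details")}
    when = datetime.fromtimestamp(event["occurenceTime"], tz=timezone.utc)
    return {**details, "id": event["id"], "time": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "category": event["category"], "type": event["type"],
            "severity": event["syslogSeverity"]}

def export_all(fetch=fetch_page):
    return [normalize(e) for e in iter_events(fetch)]
```

Keeping an undecodable details value as raw_details instead of dropping the event means a malformed record still reaches the SIEM, and the repeated-token check stops the collector from looping on a page that keeps returning the same token.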