Events API for Cyber Resilience
About Cyber Resilience Events API
Using the Events API, you can export events from Cyber Resilience (Accelerated Ransomware Recovery and Security Posture and Observability). This API capability helps organizations to:
- Get all the Ransomware and Security Posture events in a single API call
- Monitor the reported failures and take corrective actions
- Integrate the exported events with the third-party SIEM tool
Workflow to export Cyber Resilience events
- Generate a token to access Event API. For more information, see Use EVENTAPI to export events from Cyber Resilience.
- Access Event API through any REST Client to receive a response in JSON format.
Access Events API
Make API requests. For more information, see the Events API reference
About Events API Response
- Each Ransomware Recovery Events API response contains a maximum of 100 Cyber Resilience events
- If there are more than 100 events in the Cyber Resilience database while returning an Events API response, the response contains the nextPageToken attribute. Use the token provided within the nextPageToken attribute as a query parameter for the Token field to get an additional set of Cyber Resilience events.
- Events API response is in the UTC timezone.
Supported Cyber Resilience events
The following table lists the Cyber Resilience events that you can export by using the Events API:
Malicious File Scan (RWC) and Curated Snapshot (CS) events
| Event Category | Event Types | Event State | Description | Event Details |
|---|---|---|---|---|
| Admin event | Addition of SHA File Hash | Success Failed | Event related to addition of SHA hash(s). | {"Added": 1, "Total": 1, "Invalid": 0, "Skipped": 0, "Duplicate": 0, "Successful": true} |
| Admin event | Deletion of SHA File Hash | Success Failed | Event related to addition of SHA hash(s). | {"Note": "Deletion note", "SHADetails": "{User Name} deleted the file hash with SHA value {hashvalue} Delete Reason: {Reason} Status: Successful", "Successful": true} |
| Admin event | Modification of Scan Settings Scan Settings Updated | Success Failed | Event for modification of scan settings. Updated settings are present in the response. | {"Successful": true, "AVScanEnabled": false, "FileHashScanEnabled": true, "SkipScanForDeviceReplace": true, "AllowAdminToSkipScanServers": true, "AllowUserToSkipScanEndpoints": true, "AllowAdminToSkipScanEndpoints": true} |
| Admin event | RWC Job Creation Malicious File Scan | Success Failed | Event for creation of RWC job. | {"JobType": "Malicious File Scan", "Activity": "Job Created", "ScanJobID": , "StartTime": "", "JobCreatedBy": "InternalAdmin", "ProductJobID": , "ResourceName": "", "ResourceType": "", "ResourceParent": ""} |
| Admin event | RWC Job Cancellation Malicious File Scan | Success Failed | Event for cancellation of RWC job. | {"EndTime": "", "JobType": "Malicious File Scan", "Activity": "Job Cancelled", "ScanJobID": ,"StartTime": "", "FilesBlocked": 0, "FilesScanned": 0, "JobCreatedBy": "InternalAdmin", "ProductJobID": , "ResourceName": "", "ResourceType": "VMware", "JobCancelledBy": "", "ResourceParent": "", "FilesScanSkipped": 0, "FilesSelectedForRestore": 0} |
| Admin event | RWC Job Finished Malicious File Scan | Success | Event for completion of RWC job. | {"EndTime": "", "JobType": "Malicious File Scan", "Activity": "Job Completed", "ScanJobID": , "StartTime": "", "FilesBlocked": 8, "FilesScanned": 110791, "JobCreatedBy": "InternalAdmin", "ProductJobID": , "ResourceName": "", "ResourceType": "","ResourceParent": "", "FilesScanSkipped": , "FilesSelectedForRestore": } |
| Admin event | RWC Malicious Files Found Malicious File Scan | Success | Event for when affected files count is > 0 for RWC job. | {"EndTime": "", "JobType": "Malicious File Scan", "Activity": "Job Completed", "ScanJobID": , "StartTime": "", "FilesBlocked": 8, "FilesScanned": 110791, "JobCreatedBy": "InternalAdmin", "ProductJobID": , "ResourceName": "", "ResourceType": "", "ResourceParent": "", "FilesScanSkipped": , "FilesSelectedForRestore": |
| Admin event | CS Job Creation | Success | Event for creation of Curated Snapshot (CS) job. | {"JobType": "Curated Snapshot", "Activity": "Curated snapshot creation started", "ScanJobID": , "StartTime": "","JobCreatedBy": "", "ResourceName": "", "ResourceType": "Endpoint", "ResourceParent": ""} |
| Admin event | CS Created | Success | Event for successful completion of creation of Curated Snapshot (CS). | {'area': 'Security', 'category': 'Admin Event', 'type': 'Curated Snapshot', 'syslogSeverity': , 'syslogFacility': , 'SSJobID': , 'Activity': 'Curated snapshot created', 'FilesBlocked': 0, 'ResourceName': "", 'ResourceType': '', 'FilesExcluded': 0, 'FilesIncluded': 0, 'ResourceParent': '', 'FilesScanSkipped': 0} |
| Admin event | CS Deleted | Success Failed | Event for deletion of created Curated Snapshot (CS). | {"Activity": "Curated snapshot Deleted", "StartTime": "", "SnapshotID": "", "DeleteReason": "", "ResourceName": "", "ResourceType": "File Server", "ResourceParent": "", "SnapshotDeletedBy": ""} |
| Admin event | CS Job Cancelled | Success | Event for cancellation of Curated Snapshot (CS) creation job. | {"JobType": "Curated Snapshot", "Activity": "Curated snapshot creation cancelled", "ScanJobID": , "StartTime": "", "JobCreatedBy": "", "ResourceName": "", "ResourceType": "File Server", "JobCancelledBy": "", "ResourceParent": ""} |
Quarantine Snapshots events
| Event Category | Event Types | Event State | Description | Event Details |
|---|---|---|---|---|
| Ransomware Recovery | Quarantine Event - Create | Success Failed | Event for creation of Quarantine Range. | {"mode": "Admin Portal", "note": "", "orgID": , "state": "Success", "action": "Create Range", "ipAddress": "", "resourceID": , "initiatorID": "", "rangeEndTime": "", "resourceName": "", "resourceType": "VMware", "rangeStartTime": "", "resourceParent": "", "resourcePlatform": "NA"} |
| Ransomware Recovery | Quarantine Event - Update | Success Failed | Event for updating the Quarantine Range. | {"mode": "Admin Portal", "note": "", "orgID": , "state": "Success", "action": "Update Range", "ipAddress": "", "resourceID": , "initiatorID": "", "rangeEndTime": "", "resourceName": "", "resourceType": "VMware", "rangeStartTime": "", "resourceParent": "", "resourcePlatform": ""} |
| Ransomware Recovery | Quarantine Event - Delete | Success Failed | Event for deleting a Quarantine Range | {"mode": "Admin Portal", "note": "", "orgID": , "state": "Success", "action": "Delete Range", "ipAddress": "", "resourceID": , "initiatorID": "", "rangeEndTime": "", "resourceName": "", "resourceType": "VMware", "rangeStartTime": "", "resourceParent": "", "resourcePlatform": "NA"} |
| Ransomware Recovery | Admin Audit Trail - Delete Snapshot | Snapshot deleted | Event for deletion snapshot from Quarantine Bay | {"mode": "Admin Portal", "note": "", "orgID": 0, "state": "Success", "action": "", "ipAddress": "", "resourceID": 0, "initiatorID": "", "rangeEndTime": "", "resourceName": "", "resourceType": "", "rangeStartTime": "", "resourceParent": "", "resourcePlatform": ""} |
Security Dashboard events
| Event Category | Event Types | Event State | Description | Event Details |
|---|---|---|---|---|
| Admin event | Admin Login | Success Failed | Event related to Admin Login attempt. | {"location": "", "adminName": "", "adminEmail": "", "loginResult": "Success", "adminActivity": "Admin Login Event", "adminIPAddress": "", "adminLoginTime": ""} |
| Data Access | Data Access | Success Failed | Event for Data Access. | {"size": 0, "files": 0, "status": "Successful", "endTime": "", "targetIP": "", "startTime": "", "resourceID": , "resourceName": "", "initiatorName": "", "targetLocation": ""} |
| Admin Event | Admin Login (New location and a different IP address. Alert is generated) | Success Failed | Event for Admin Login (Only when admin has not logged in from the IP in the last 30 days). | {"location": "", "adminName": "", "adminEmail": "", "loginResult": "Success", "adminActivity": "Admin Login Event", "adminIPAddress": "", "adminLoginTime": ""} |
| Data Access | Data Access (New location and a different IP address. Alert is generated) | Success Failed | Event for Data Access (Only when data is not accessed from the IP in the last 30 days). | {"size": 0, "files": 0, "status": "Successful", "endTime": "", "targetIP": "", "startTime": "", "resourceID": , "resourceName": "", "initiatorName": "", "targetLocation": ""} |
Unusual Data Activity events
| Event Category | Event Types | Event State | Description | Event Details |
|---|---|---|---|---|
| Unusual Data Activity | Admin Audit Trail | Success | Event related to UDA logs downloaded by the admin. | {"udaType": ["Modification"], "fileInfo": {"newFiles": 0, "deletedFiles": 0, "updatedFiles": 220, "encryptedFiles": 0}, "adminName": "", "alertTime": "", "resourceID": , "resourceName": "", "resourceType": "File Server", "adminActivity": "Unusual Data Activity - Download logs", "affectedSnapshot": "", "resourceParentID": , "resourceParentName": ""} |
| Unusual Data Activity | Alert | Creation Deletion Modification Encryption | Event related to UDA alert generated because of an anomaly detected in either Creation, Deletion, Modification, or Encryption activity. | {"udaType": ["Modification"], "fileInfo": {"newFiles": 0, "deletedFiles": 0, "updatedFiles": 220, "encryptedFiles": 0}, "alertName": "Unusual Data Activity", "alertTime": "", "resourceID": , "resourceName": "", "resourceType": "File Server", "affectedSnapshot": "", "resourceParentID": , "resourceParentName": ""} |
| Unusual Data Activity | Admin Audit Trail | Success | Event for when an alert is marked as ignored. | {"udaType": ["Modification"], "fileInfo": {"newFiles": 0, "deletedFiles": 0, "updatedFiles": 220, "encryptedFiles": 0}, "adminName": "", "alertTime": "", "resourceID": , "resourceName": "", "resourceType": "File Server", "adminActivity": "Unusual Data Activity - Ignore Alert", "affectedSnapshot": "", "resourceParentID": , "resourceParentName": ""} |
| Unusual Data Activity | System Event | Warning Event | Warning event when UDA scan fails for VMware resources. | { "id": 185966, "globalCustomerId": "925ace73-6a00-4626-a13c-180890a72fc0", "occurenceTime": 1702406872, "area": "Security", "category": "Unusual Data Activity", "type": "System Event", "syslogSeverity": 4, "syslogFacility": 23, "details": "{"alertTime": "2023-12-12T18:47:52Z", "resourceID": 95, "error_reason": "VMware Tools is not installed", "resourceName": "swapnil-FS-centos-7.1", "resourceType": "VMware", "affectedSnapshot": "Tue Dec 12 18:47:52 2023", "resourceParentID": 15, "resourceParentName": "realizevc.druva.org"}" }, |
| Unusual Data Activity | System Event | Information Event | Provides information about UDA scan events for VMware resources. | { "id": 186711, "globalCustomerId": "925ace73-6a00-4626-a13c-180890a72fc0", "occurenceTime": 1702542593, "area": "Security", "category": "Unusual Data Activity", "type": "System Event", "syslogSeverity": 6, "syslogFacility": 23, "details": "{"alertTime": "2023-12-14T08:29:53Z", "resourceID": 122, "error_reason": "Snapshot not scanned for Unusual Data Activity as learning is in progress.", "resourceName": "DND_swapnil-FS-ubuntu", "resourceType": "VMware", "affectedSnapshot": "Thu Dec 14 08:29:53 2023", "resourceParentID": 15, "resourceParentName": "realizevc.druva.org"}" } |
Updated 11 months ago