Event Formats
To write triggers properly you need to know the format of the log sources that your functions receive. Each source has a different format, because each vendor builds its own audit logging system. We save those events in the structure the vendor sends them, and we also provide a specific, predictable format so that you can write triggers that behave in a predictable way.
Additionally, each log format is normalized so that you can write general triggers that apply across multiple log sources.

The raw log format and the normalized format are both forwarded to your triggers.
When writing a trigger, the event your trigger function receives will contain both the normalized format and the raw log format.
Use the get function and pass it the argument normalized to return the normalized event format:

```python
def trigger(event):
    normalized = event.get("normalized")
```

Pass it the argument log to return the raw log format instead:

```python
def trigger(event):
    e = event.get("log")
```
The event dict will also contain a few helpful pieces of metadata:

event.SourceName - The name of your source
event.SourceID - The unique identifier of your source
event.SourceType - What type of source these logs came from, for example: cloudtrail
event.WorkspaceID - The workspace ID associated with the source
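The following is an added example, not code from this documentation or from the product: a single trigger that combines the two access patterns above. It makes its detection decision against the normalized format only (so the same trigger can apply to several sources), reads the metadata keys described above, and reaches into the raw log only for a vendor-specific field. The normalized field names (action, actor, src_ip), the raw CloudTrail keys, and the sample event are assumptions constructed for illustration; the page does not document the normalized schema. Every lookup uses get so that a source that lacks a key does not crash the trigger.

```python
# Added example (not the vendor's own code). The normalized field names
# ("action", "actor", "src_ip") and the raw CloudTrail keys ("awsRegion",
# "errorMessage") are assumptions for illustration only.

def trigger(event):
    """Return a dict describing the match, or None if the trigger did not fire."""
    # Both formats are forwarded; default to empty dicts so missing keys are safe.
    normalized = event.get("normalized") or {}
    raw = event.get("log") or {}

    # Metadata keys as described on the page.
    source_name = event.get("SourceName")
    source_type = event.get("SourceType")

    # Cross-source condition expressed against the normalized format only,
    # so the same trigger works for any source that normalizes this action.
    if normalized.get("action") != "console_login_failed":
        return None

    details = {
        "source": source_name,
        "source_type": source_type,
        "actor": normalized.get("actor"),
        "src_ip": normalized.get("src_ip"),
    }

    # Vendor-specific enrichment: only consult the raw log for the one source
    # type whose layout we know (assumed CloudTrail field names).
    if source_type == "cloudtrail":
        details["aws_region"] = raw.get("awsRegion")
        details["error"] = raw.get("errorMessage")

    return details


# Constructed sample event in the shape the page describes:
# metadata keys, the normalized format, and the raw log format.
SAMPLE_EVENT = {
    "SourceName": "prod-cloudtrail",
    "SourceID": "src-placeholder",       # constructed placeholder
    "SourceType": "cloudtrail",
    "WorkspaceID": "ws-placeholder",     # constructed placeholder
    "normalized": {
        "action": "console_login_failed",
        "actor": "alice",
        "src_ip": "203.0.113.7",         # documentation (TEST-NET-3) address
    },
    "log": {
        "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1",
        "errorMessage": "Failed authentication",
    },
}

if __name__ == "__main__":
    print(trigger(SAMPLE_EVENT))
```

Because the match condition only touches the normalized dict, the same function can be attached to a non-CloudTrail source without change; the raw-log enrichment simply does not run for other source types, and an event with no normalized block returns None rather than raising.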