To write triggers properly you need to know the format of the log sources that your functions receive. Each source has a different format, because each vendor designs its own audit logging system. We save those events in the structure the vendor sends them in, and we guarantee a specific and predictable format so that you can write triggers that behave predictably.
Additionally, each log format is normalized so that you can write general triggers that apply across multiple log sources.
The raw log format and the normalized format are both forwarded to your triggers
When writing a trigger, the event your trigger function receives contains both the normalized format and the raw log format.
Call the event's get function and pass it the argument "normalized" to return the normalized event format; pass "log" to return the raw log as the vendor sent it.
normalized = event.get("normalized")
e = event.get("log")
The event dict also contains a few helpful pieces of metadata.
event.SourceName - The name of your source
event.SourceID - The unique identifier of your source
event.SourceType - The type of source this log came from, for example: cloudtrail
event.WorkspaceID - The workspace ID associated with the source.
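The following is an added example of a complete trigger that consumes an event shaped as described above; it is not the platform's own code. The top-level keys ("normalized", "log", "SourceName", "SourceID", "SourceType", "WorkspaceID") follow this page, but the field names inside the normalized and raw objects ("action", "actor", "eventName", "userIdentity") are assumptions made for the example, as is the sample event itself, which is constructed. The trigger checks the normalized view first so it works for any source whose normalizer emits the assumed "action" field, and falls back to the raw CloudTrail field when the normalized view is missing.

```python
from typing import Optional

# Constructed sample event in the shape this page describes: the raw vendor log
# under "log", the normalized view under "normalized", plus source metadata.
# The inner field names are assumptions for this example, not a documented schema.
SAMPLE_EVENT = {
    "SourceName": "prod-account-trail",
    "SourceID": "src-0001",
    "SourceType": "cloudtrail",
    "WorkspaceID": "ws-0001",
    "log": {
        "eventName": "DeleteTrail",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "awsRegion": "us-east-1",
    },
    "normalized": {
        "action": "DeleteTrail",
        "actor": "arn:aws:iam::123456789012:user/alice",
    },
}

# Actions that weaken audit logging. Matching on the normalized "action" field
# (an assumed field name) lets one trigger serve several source types.
AUDIT_TAMPERING_ACTIONS = {"DeleteTrail", "StopLogging", "UpdateTrail"}


def extract_action(event: dict) -> Optional[str]:
    """Return the action from the normalized view, falling back to the raw
    CloudTrail eventName when the normalized view is absent or incomplete."""
    normalized = event.get("normalized") or {}
    raw = event.get("log") or {}
    action = normalized.get("action")
    if action is None and event.get("SourceType") == "cloudtrail":
        action = raw.get("eventName")
    return action


def trigger(event: dict) -> Optional[dict]:
    """Trigger entry point: returns an alert dict for audit-tampering actions,
    or None when the event is not interesting. Never raises on missing keys."""
    action = extract_action(event)
    if action not in AUDIT_TAMPERING_ACTIONS:
        return None
    normalized = event.get("normalized") or {}
    raw = event.get("log") or {}
    actor = normalized.get("actor") or (raw.get("userIdentity") or {}).get("arn")
    return {
        "title": f"Audit logging change: {action}",
        "actor": actor,
        # Metadata fields from the event, as listed on this page.
        "source": event.get("SourceName"),
        "source_id": event.get("SourceID"),
        "source_type": event.get("SourceType"),
        "workspace": event.get("WorkspaceID"),
    }


if __name__ == "__main__":
    print(trigger(SAMPLE_EVENT))
```

Because every lookup goes through get with a default, a partially normalized event or an unexpected source type yields None rather than an exception, which keeps one malformed event from breaking the trigger for the events that follow it.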