AWS SNS Payload Structure

Schema of CSPM Findings Message Payload

"cloud_provider": "aws"|"gcp"|"azr"|"ali"|"hwa",
"action_group_name": string,
"target_name": string,
"rules": [
"rule": string,
"default_severity": "informational"|"low"|"medium"|"high"|"critical",
"resources": [
"is_service": boolean,
"region": string,
"service": string,
"severity": "informational"|"low"|"medium"|"high"|"critical",
"gid": string,
"note": null|string
"tags": [

CSPM Findings Message Payload Description

Key Description
cloud_provider The cloud provider of the account associated with the Scan Group
action_group_name The Action Group Name
target_name The friendly name of the Scan Target
Rules An aggregated list of failed Checks grouped by Rule
Rules[].rule The Rule Title
Rules[].default_severity The Rule’s default severity
Rules[].resources A list of Resources associated with a Rule
Rules[].resources[].tags A list of Tags associated with a Rule (like Compliance tags)
Rules[].resources[].is_service Whether or not the Check is a Service-level check
Rules[].resources[].region The Region the Resource belongs in
Rules[].resources[].service The Service associated with the Check
Rules[].resources[].severity The Check’s severity (can be modified through Vulnerability management)
Rules[].resources[].gid The unique GID for the resource (ex. AWS ARN)
Rules[].resources[].note Any notes associated with the Rule

Schema of TD Alert Message Payload

"alert": {
"id": string,
"monitoring_groups": [string],
"severity": "informational"|"low"|"medium"|"high"|"critical",
"title": string,
"type": string,
"warden_url": string
"cloud": {
"account": {
"id": string,
"name": string
"provider": "aws"|"gcp"|"azr"|"ali"|"hwa",
"region": string
"event": {
"action": string
"identity": {
"id": string,
"is_service": boolean,
"name": string,
"type": string,
"user_agent": string,
"metadata": object
"resource": {
"category": string,
"id": string,
"type": string,
"metadata": object
"rule": {
"name": string,
"description": string
"source": {
"geo": {
"city": string,
"continent": string,
"country": string
"ip": string
"timestamp": string

TD Alert Message Payload Description

Key Description Unique identifier for the alert generated.
alert.monitoring_groups[] List of monitoring group UIDs.
alert.severity Severity level of the alert generated.
alert.title Short summary of the alert, usually generated by the rule and contains contextual information.
alert.type Type of the alert generated: creation, modification, deletion, suspicious ip, etc.
alert.warden_url Link to more alert details on the Warden platform. Unique identifier of the cloud account. Name of the cloud account.
cloud.provider Name of the cloud provider.
cloud.region Region in which the host is running.
event.action Action captured by the event. Unique identifier of the user.
identity.is_service Boolean to indicate whether the user is a service. Short name or login of the user.
identity.type Type of the user: Role / User / Service.
identity.user_agent Name of the user agent.
identity.metadata Additional metadata about the user from Warden's Asset Inventory.
resource.category Category of the resource: security_identity_management, compute, storage, etc. Unique identifier of the resource.
resource.type Type of the resource: ec2_instance, s3_bucket, etc.
resource.metadata Additional metadata about the resource from Warden's Asset Inventory. Display name of the rule triggered.
rule.description Description of the rule triggered. City name derived from the source IP address.
source.geo.continent Continent name derived from the source IP address. Country name derived from the source IP address.
source.ip IP address of the source.
timestamp Date/time when the event originated.