GCP Pub/Sub Payload Structure
Schema of CSPM Findings Message Payload
{
  "cloud_provider": "aws"|"gcp"|"azr"|"ali"|"hwa",
  "action_group_name": string,
  "target_name": string,
  "rules": [
    {
      "rule": string,
      "default_severity": "informational"|"low"|"medium"|"high"|"critical",
      "resources": [
        {
          "is_service": boolean,
          "region": string,
          "service": string,
          "severity": "informational"|"low"|"medium"|"high"|"critical",
          "gid": string,
          "note": null|string
        }
      ],
      "tags": [
        "compliance:cis-aws"
        |"compliance:mas-trm"
        |"compliance:mas-trm-2021"
        |"compliance:mas-cyber-hygiene"
        |"compliance:pci-dss"
        |"compliance:nist"
        |"compliance:gdpr"
        |"compliance:aws-waf"
        |"compliance:bnm-rmit"
        |"compliance:iso-27001"
        |"compliance:apra"
        |"compliance:cis-gcp"
        |"compliance:cis-gke"
        |"compliance:pojk-38"
        |"compliance:seojk-21"
        |"compliance:cis-aws-1-4"
        |"compliance:thai-pdpa-2562-2019"
        |"compliance:hwa-cloud-scg-3-2"
      ]
    }
  ]
}
CSPM Findings Message Payload Description

Key | Description
cloud_provider | The cloud provider of the account associated with the Scan Group
action_group_name | The Action Group Name
target_name | The friendly name of the Scan Target
rules | An aggregated list of failed Checks, grouped by Rule
rules[].rule | The Rule Title
rules[].default_severity | The Rule's default severity
rules[].resources | A list of Resources (failed Checks) associated with the Rule
rules[].tags | A list of Tags associated with the Rule (for example compliance tags); note that tags sit at the Rule level, not on each Resource
rules[].resources[].is_service | Whether or not the Check is a Service-level check
rules[].resources[].region | The Region the Resource belongs to
rules[].resources[].service | The Service associated with the Check
rules[].resources[].severity | The Check's severity for this Resource (can be modified through Vulnerability Management, so it may differ from the Rule's default_severity)
rules[].resources[].gid | The unique GID of the Resource
rules[].resources[].note | Any note attached to this Resource's Check result; null when there is none
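The findings payload is grouped by Rule, but most downstream consumers (ticketing, SIEM, dashboards) want one record per failed Resource, filtered on the per-Resource severity rather than the Rule default. The following is an added example, not code from the original page or from the Warden product: it validates a findings message against the schema above and flattens it. The sample message is constructed with invented values and stands in for the bytes of `message.data` that a Pub/Sub pull subscriber receives; the function names are this example's own.

```python
import json
from typing import Dict, List, Optional

SEVERITIES = ("informational", "low", "medium", "high", "critical")
PROVIDERS = {"aws", "gcp", "azr", "ali", "hwa"}
RESOURCE_KEYS = {"is_service", "region", "service", "severity", "gid", "note"}

# Constructed sample findings message (invented values), as the bytes of
# message.data that a Pub/Sub pull subscriber would receive.
SAMPLE_CSPM = json.dumps({
    "cloud_provider": "gcp",
    "action_group_name": "prod-daily-scan",
    "target_name": "payments-project",
    "rules": [
        {
            "rule": "Cloud Storage buckets should not be publicly accessible",
            "default_severity": "high",
            "resources": [
                {"is_service": False, "region": "us-central1", "service": "storage",
                 "severity": "critical", "gid": "gid-bucket-public-1", "note": None},
                {"is_service": False, "region": "europe-west1", "service": "storage",
                 "severity": "low", "gid": "gid-bucket-static-assets",
                 "note": "Accepted risk: intentionally public web assets"},
            ],
            "tags": ["compliance:cis-gcp", "compliance:pci-dss"],
        },
        {
            "rule": "Cloud Audit Logging should be enabled for the project",
            "default_severity": "medium",
            "resources": [
                {"is_service": True, "region": "global", "service": "logging",
                 "severity": "medium", "gid": "gid-project-payments", "note": None},
            ],
            "tags": ["compliance:cis-gcp"],
        },
    ],
}).encode("utf-8")


def parse_cspm_findings(data: bytes) -> dict:
    """Decode a findings message and check it against the schema.

    Raises ValueError on anything that does not match, so a malformed or
    unexpected message is rejected instead of being half-processed.
    """
    msg = json.loads(data.decode("utf-8"))
    if msg.get("cloud_provider") not in PROVIDERS:
        raise ValueError(f"unknown cloud_provider: {msg.get('cloud_provider')!r}")
    for key in ("action_group_name", "target_name"):
        if not isinstance(msg.get(key), str):
            raise ValueError(f"{key} must be a string")
    if not isinstance(msg.get("rules"), list):
        raise ValueError("rules must be a list")
    for rule in msg["rules"]:
        if not isinstance(rule.get("rule"), str):
            raise ValueError("rule title must be a string")
        if rule.get("default_severity") not in SEVERITIES:
            raise ValueError(f"bad default_severity in rule {rule.get('rule')!r}")
        if not all(isinstance(t, str) for t in rule.get("tags", [])):
            raise ValueError("tags must be strings")
        for res in rule.get("resources", []):
            missing = RESOURCE_KEYS - res.keys()
            if missing:
                raise ValueError(f"resource missing keys: {sorted(missing)}")
            if res["severity"] not in SEVERITIES:
                raise ValueError(f"bad severity on {res['gid']}")
            if res["note"] is not None and not isinstance(res["note"], str):
                raise ValueError(f"note on {res['gid']} must be null or a string")
    return msg


def flatten_findings(msg: dict, min_severity: str = "medium",
                     compliance_tag: Optional[str] = None) -> List[Dict]:
    """Turn the rule-grouped payload into one record per failed resource.

    Filters on the per-resource severity (the value Vulnerability Management
    overrides apply to), not the rule default, and optionally on a compliance
    tag, which the schema carries at the rule level.
    """
    threshold = SEVERITIES.index(min_severity)
    records = []
    for rule in msg["rules"]:
        tags = rule.get("tags", [])
        if compliance_tag is not None and compliance_tag not in tags:
            continue
        for res in rule["resources"]:
            if SEVERITIES.index(res["severity"]) < threshold:
                continue
            records.append({
                "provider": msg["cloud_provider"],
                "target": msg["target_name"],
                "action_group": msg["action_group_name"],
                "rule": rule["rule"],
                "gid": res["gid"],
                "service": res["service"],
                "region": res["region"],
                "is_service": res["is_service"],
                "severity": res["severity"],
                # True when this check's severity was changed away from the rule default
                "severity_overridden": res["severity"] != rule["default_severity"],
                "note": res["note"],
                "tags": list(tags),
            })
    return records


if __name__ == "__main__":
    for f in flatten_findings(parse_cspm_findings(SAMPLE_CSPM)):
        print(f["severity"], f["gid"], f["rule"], f["tags"])
```

The `severity_overridden` flag is worth surfacing: a Resource whose severity has been lowered below the Rule default usually carries a `note` explaining the accepted risk, and a filter that only looks at `default_severity` would either miss the downgrade or re-page on a finding that was deliberately suppressed.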
Schema of TD Alert Message Payload
{
  "alert": {
    "id": string,
    "monitoring_groups": [string],
    "severity": "informational"|"low"|"medium"|"high"|"critical",
    "title": string,
    "type": string,
    "warden_url": string
  },
  "cloud": {
    "account": {
      "id": string,
      "name": string
    },
    "provider": "aws"|"gcp"|"azr"|"ali"|"hwa",
    "region": string
  },
  "event": {
    "action": string
  },
  "identity": {
    "id": string,
    "is_service": boolean,
    "name": string,
    "type": string,
    "user_agent": string,
    "metadata": object
  },
  "resource": {
    "category": string,
    "id": string,
    "type": string,
    "metadata": object
  },
  "rule": {
    "name": string,
    "description": string
  },
  "source": {
    "geo": {
      "city": string,
      "continent": string,
      "country": string
    },
    "ip": string
  },
  "timestamp": string
}
TD Alert Message Payload Description

Key | Description
alert.id | Unique identifier of the generated alert.
alert.monitoring_groups[] | List of monitoring group UIDs.
alert.severity | Severity level of the generated alert.
alert.title | Short summary of the alert, usually generated by the rule and containing contextual information.
alert.type | Type of the alert generated: creation, modification, deletion, suspicious ip, etc.
alert.warden_url | Link to more alert details on the Warden platform.
cloud.account.id | Unique identifier of the cloud account.
cloud.account.name | Name of the cloud account.
cloud.provider | Name of the cloud provider.
cloud.region | Region in which the host is running.
event.action | Action captured by the event.
identity.id | Unique identifier of the user.
identity.is_service | Boolean indicating whether the user is a service.
identity.name | Short name or login of the user.
identity.type | Type of the user: Role / User / Service.
identity.user_agent | Name of the user agent.
identity.metadata | Additional metadata about the user from Warden's Asset Inventory.
resource.category | Category of the resource: security_identity_management, compute, storage, etc.
resource.id | Unique identifier of the resource.
resource.type | Type of the resource: ec2_instance, s3_bucket, etc.
resource.metadata | Additional metadata about the resource from Warden's Asset Inventory.
rule.name | Display name of the triggered rule.
rule.description | Description of the triggered rule.
source.geo.city | City name derived from the source IP address.
source.geo.continent | Continent name derived from the source IP address.
source.geo.country | Country name derived from the source IP address.
source.ip | IP address of the source.
timestamp | Date/time at which the event originated.
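A TD alert is a nested document, while SIEM and alert-routing pipelines generally want flat, dotted keys and a numeric priority. The following is an added example, not code from the original page or from the Warden product: it takes the JSON body that a Pub/Sub push subscription POSTs to an endpoint (Pub/Sub's own push format, in which the payload is base64-encoded under `message.data`; that envelope is an assumption of this example, not something the page describes), decodes it, validates the alert against the schema above, and flattens it. The sample alert and envelope are constructed with invented values; the function names are this example's own.

```python
import base64
import json
from typing import Any, Dict

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
PROVIDERS = {"aws", "gcp", "azr", "ali", "hwa"}

# Constructed sample alert (invented values) shaped like the TD Alert schema.
SAMPLE_ALERT = {
    "alert": {
        "id": "alrt-0001",
        "monitoring_groups": ["mg-prod"],
        "severity": "high",
        "title": "IAM policy modified by a human user",
        "type": "modification",
        "warden_url": "https://warden.example/alerts/alrt-0001",
    },
    "cloud": {"account": {"id": "123456789012", "name": "prod-payments"},
              "provider": "aws", "region": "ap-southeast-1"},
    "event": {"action": "iam:PutUserPolicy"},
    "identity": {"id": "AIDAEXAMPLE", "is_service": False, "name": "alice",
                 "type": "User", "user_agent": "aws-cli/2.0",
                 "metadata": {"mfa_enabled": False}},
    "resource": {"category": "security_identity_management", "id": "user/alice",
                 "type": "iam_user", "metadata": {"attached_policies": 3}},
    "rule": {"name": "IAM policy change", "description": "An IAM policy was modified."},
    "source": {"geo": {"city": "Jakarta", "continent": "Asia", "country": "Indonesia"},
               "ip": "203.0.113.10"},
    "timestamp": "2024-05-01T10:15:00Z",
}

# Constructed push-subscription body: Pub/Sub push delivers the message as JSON
# with the payload base64-encoded under message.data (assumed delivery mode).
SAMPLE_PUSH_ENVELOPE = {
    "message": {
        "data": base64.b64encode(json.dumps(SAMPLE_ALERT).encode("utf-8")).decode("ascii"),
        "messageId": "1234567890",
        "attributes": {},
    },
    "subscription": "projects/example-project/subscriptions/warden-td-alerts",
}

# Required keys per top-level section, taken from the schema.
REQUIRED = {
    "alert": ("id", "monitoring_groups", "severity", "title", "type", "warden_url"),
    "cloud": ("account", "provider", "region"),
    "event": ("action",),
    "identity": ("id", "is_service", "name", "type", "user_agent", "metadata"),
    "resource": ("category", "id", "type", "metadata"),
    "rule": ("name", "description"),
    "source": ("geo", "ip"),
}


def decode_push_envelope(envelope: Dict[str, Any]) -> Dict[str, Any]:
    """Extract and base64-decode message.data from a push-delivery body."""
    raw = base64.b64decode(envelope["message"]["data"])
    return json.loads(raw.decode("utf-8"))


def validate_td_alert(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Reject alerts that do not carry every section and key the schema lists."""
    for section, keys in REQUIRED.items():
        block = alert.get(section)
        if not isinstance(block, dict):
            raise ValueError(f"missing section {section}")
        for k in keys:
            if k not in block:
                raise ValueError(f"missing {section}.{k}")
    if alert["alert"]["severity"] not in SEVERITY_RANK:
        raise ValueError(f"bad severity {alert['alert']['severity']!r}")
    if alert["cloud"]["provider"] not in PROVIDERS:
        raise ValueError(f"bad provider {alert['cloud']['provider']!r}")
    if not isinstance(alert["identity"]["is_service"], bool):
        raise ValueError("identity.is_service must be a boolean")
    if not isinstance(alert["alert"]["monitoring_groups"], list):
        raise ValueError("alert.monitoring_groups must be a list")
    if not isinstance(alert.get("timestamp"), str):
        raise ValueError("timestamp must be a string")
    return alert


def flatten(obj: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Flatten nested dicts to dotted keys. Lists and the free-form *.metadata
    objects are kept whole as JSON strings so their shape does not leak into
    the key space of the SIEM index."""
    out: Dict[str, Any] = {}
    for k, v in obj.items():
        key = f"{prefix}{k}"
        if isinstance(v, dict) and k != "metadata":
            out.update(flatten(v, key + "."))
        elif isinstance(v, (dict, list)):
            out[key] = json.dumps(v, sort_keys=True)
        else:
            out[key] = v
    return out


def to_siem_event(envelope: Dict[str, Any]) -> Dict[str, Any]:
    """Push body -> validated, flat event with a numeric priority and Pub/Sub provenance."""
    alert = validate_td_alert(decode_push_envelope(envelope))
    event = flatten(alert)
    event["alert.priority"] = SEVERITY_RANK[alert["alert"]["severity"]]
    event["pubsub.message_id"] = envelope["message"]["messageId"]
    event["pubsub.subscription"] = envelope["subscription"]
    return event


if __name__ == "__main__":
    for k, v in sorted(to_siem_event(SAMPLE_PUSH_ENVELOPE).items()):
        print(f"{k} = {v}")
```

Keeping `pubsub.message_id` on the event gives you a de-duplication key: Pub/Sub delivers at least once, so the same alert can arrive twice, and `alert.id` plus `pubsub.message_id` lets the consumer tell a redelivery from a genuinely new alert.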