home

Mobile Endpoint Security

Mobile Endpoint SecuritySecurity Service Edge
Mobile Endpoint SecuritySecurity Service Edge

Lookout Product Documentation

Find answers about using and optimizing Lookout products.

Show Contents

Mobile Endpoint Security

Streaming Events

Streaming Mobile Risk Device, Threat, and Audit events

The streaming format for mobile risk device, issue, and audit events is straightforward. The /Events endpoint streams mobile risk device, threat and audit events from the endpoint.

The protocol uses the text/event-stream Content-Type and messages of the form:

< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 26 Jul 2024 22:19:31 GMT
< Content-Type: text/event-stream
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: no-cache
< X-Accel-Buffering: no
< Strict-Transport-Security: max-age=31536000
<
event:heartbeat
data:{}

event:heartbeat
data:{}

event:heartbeat
data:{}

id:0190ec04-a5f0-731e-bb68-a9b89d37669f
event:events
data:{"events":[{"id":"0190cd04-9520-7120-8a5e-a8866b8eca40","enterprise_guid":"680d9d84-ad0e-4706-b008-09e358df72b4","created_time":"2024-07-19T22:02:28.539+00:00","type":"AUDIT","change_type":"CREATED","audit":{"type":"CLASSIFICATION_POLICY","attribute_changes":[{"name":"agent_outdated"},{"name":"severity","from":"medium","to":"high"},{"name":"override_properties","to":"[\"minimumCompliantVersion\"]"},{"name":"policy_group_name"} ...

Each event is separated by two empty lines (\n) and can include various optional fields.

The event field specifies event types:

Event Type Description
event The event type signals a data field follows containing one or more events.
reconnect A reconnect event type signals that the channel is shutting down. Clients should reconnect.
heartbeat The server sends a heartbeat event every 5 seconds. Clients that determine the heartbeat event has stopped should disconnect and then reconnect using the last id processed to get events from that id onwards.
end This event type indicates the server has shut down the stream (for example, to switch to a different server). Clients receiving this event can open a new connection (using the same URL).

The data field contains an array of events in the payload. Each event has an UUIDv7 format id field that uniquely identifies and incorporates a time component, making them sortable.

The data field events:

Data Field Elements Description
Event ID The id field in a message contains the id of the last event in the array in data. If the client needs to reconnect, it can use the last id it processed as the id parameter in the request, or the last-event-id header to start the event fetch after the last processed id. If the server closes or drops the connection, the client can reconnect with the last id processed to get events from that id and forward.
Event

An event descriptor as defined in the swagger models section. For example:

AttributeChange {
from    string
name    string
to    string

}

Last updated: September 30, 2024

lookout-footer

Legal Privacy Policy Cookie Policy Transparency Report Compliance Info Compliance Info (Gov)

© 2024 Lookout, Inc. LOOKOUT®, the Lookout Shield Design®, LOOKOUT with Shield Design® and the Lookout multi-color/multi-shaded Wingspan Design® are registered trademarks of Lookout, Inc. in the United States and other countries. DAY OF SHECURITY®, LOOKOUT MOBILE SECURITY®, and POWERED BY LOOKOUT® are registered trademarks of Lookout, Inc. in the United States. Lookout, Inc. maintains common law trademark rights in EVERYTHING IS OK, PROTECTED BY LOOKOUT, CIPHERCLOUD, and the 4 Bar Shield Design.