events is an array of event blocks. links is RESTful boilerplate. requestId is a unique ID assigned by the API to the client request. moreEvents indicates whether more events follow in the stream. streamPosition is the value the client application should use on subsequent requests to retrieve the next events. count is the number of events returned in the events array.

Individual events in the events array contain a type ( THREAT for threat events, DEVICE for device events, or AUDIT for audit events), id, eventTime, a details block, and a target block. Device and audit events include an actor block identifying the source of an event.

The details block has a type based on the event type. Threat events, for example, have a details block with type=APPLICATION, CONFIGURATION, FILE, NETWORK, or OS. The contents of the details block provide additional information based on the event type and the details type.

The target block has a type based on the event type. For threat and device events, the target is of type DEVICE, and describes the device where the event occurred. For audit events, the target may be ADMIN, ENTERPRISE, or DEVICE, depending on whether the action taken affected an MES Console Administrator, an enterprise MES tenant, or a specific device.