YossiC

Kudos

  1. YossiC gave kudos to j91321 in Trigger event to Syslog
    Unfortunately we don't send Trigger Event through syslog. These events can be quite large (for example if the triggering event is a Script event). The supported way of doing this is to fetch additional data through REST API after you receive the syslog message, I believe the "event" field is present in the latest version in GET /api/v1/detections/{id} even though it is missing in the documentation.
  2. YossiC received kudos from j91321 in Local Admin Additions
    Seems the rule is dependent on "Audit Security Group Management". Events are being recorded only after this is enabled.