Webhook
Webhook integration allows threat notifications to be automatically sent to an external system over HTTPS.
Notification format
Note that the threat details follow a particular format in JSON detailed below. This payload is submitted in an HTTP PUT or POST request.
Steps to setup the Webhook integration:
-
Log in to Verosint and navigate to the workspace settings page.
-
Click Add next to the Webhook logo on the Threat Notifications card
Adding Custom Webhook SIEM integration on the Settings page
-
Fill out the required details
- URL: The URL of the Webhook
- Authorization Token: The contents of the Authorization header if authorization is needed to invoke the Webhook. Leave it blank otherwise. Note that the value should include the entire header value. For example, if bearer tokens are used, then the value will be likely in the form of
Bearer tokenvalue. - Method: The HTTP method to use when invoking the Webhook (
POSTorPUT) - Verify SSL: Uncheck the setting if the Webhook would not pass normal SSL certificate validation. This is usually the case for self-signed certificates.
Configuration Panel of the Custom Webhook SIEM Integration
Connection Validation
Note that Verosint will only test if the host and port can be reached over a TCP connection when saving the configuration. To test that the notifications via the configured Webhook is working, click the send test notification button.
Threat Notification Information
Threat notifications are submitted as the body of the Webhook notification following the JSON format. The description of the properties in the JSON document are provided below.
| Property Name | Description |
|---|---|
| timestamp | RFC3339 formatted timestamp in the Coordinated Universal Time |
| url | The URL where the details of the threat are available in the Verosint application |
| host | Set to api.verosint.com to indicate the source of the threat |
| threat | The description of the threat (see below) |
Threat Description
| Property Name | Description |
|---|---|
| timestamp | The timestamp of the threat |
| clientUUID | The unique identifier of the Verosint workspace where the threat was detected |
| threat | Additional details (see below) |
Threat Specifics
| Property Name | Description |
|---|---|
| id | The unique identifier of the threat |
| startedAt | The time the threat started |
| endedAt | The time the threat ended (may be missing if the threat is still ongoing or the end date is not applicable) |
| type | The type of the threat: - ACCOUNT_TAKEOVER- MFA_FATIGUE- MFA_LOCATION_MISMATCH- LOGIN_BRUTE_FORCE- SESSION_SHARING- STUFFING_ATTACK |
| status | The status of the threat: STARTED or ENDED |
| details | The details of the threat. This is a JSON object where the payload depends on the type of threat. |
Example Threat Notification Message
{
"host": "api.verosint.com",
"threat": {
"details": {
"accountId": "auth0|70931ebabcd42b1111cdef9c",
"email": "[email protected]",
"sessionId": "J9NTABC8TbXrWTEyhyGiMob7VLR6Lkmz"
},
"endedAt": "2025-02-10T13:15:40.664338-06:00",
"id": "4ae61183-a630-4852-a3a8-93dfd6eda598",
"startedAt": "2025-02-10T12:15:40.664338-06:00",
"status": "ENDED",
"type": "SESSION_SHARING"
},
"timestamp": "2025-02-10T19:15:40Z",
"url": "https://app.verosint.com/4ab223f0-07e0-435c-96a9-ec74b47088ac/ai-insights?id=4ae61183-a630-4852-a3a8-93dfd6eda789"
}
Updated about 1 month ago