Webhook

Webhook integration allows threat notifications to be automatically sent to an external system over HTTPS.

Notification format

Threat details are sent as a JSON document in the format described below. The payload is submitted in an HTTP PUT or POST request.

Steps to set up the Webhook integration:

  1. Log in to Verosint and navigate to the workspace settings page.

  2. Click Add next to the Webhook logo on the Threat Notifications card

    Adding Custom Webhook SIEM integration on the Settings page


  3. Fill out the required details

    • URL: The URL of the Webhook
    • Authorization Token: The contents of the Authorization header, if authorization is needed to invoke the Webhook. Leave it blank otherwise. The value must be the entire header value. For example, if bearer tokens are used, the value will likely be in the form Bearer tokenvalue.
    • Method: The HTTP method to use when invoking the Webhook (POST or PUT)
    • Verify SSL: Uncheck this setting if the Webhook would not pass normal SSL certificate validation. This is usually the case for self-signed certificates. With validation disabled, the connection is still encrypted, but the identity of the Webhook endpoint is not verified.

Configuration Panel of the Custom Webhook SIEM Integration


Connection Validation

Note that when the configuration is saved, Verosint only tests whether the host and port can be reached over a TCP connection. To test that notifications via the configured Webhook are working, click the send test notification button.

Threat Notification Information

Threat notifications are submitted as the body of the Webhook notification in JSON format. The properties of the JSON document are described below.

| Property Name | Description |
| --- | --- |
| timestamp | RFC3339 formatted timestamp in the Coordinated Universal Time |
| url | The URL where the details of the threat are available in the Verosint application |
| host | Set to api.verosint.com to indicate the source of the threat |
| threat | The description of the threat (see below) |

Threat Description

| Property Name | Description |
| --- | --- |
| timestamp | The timestamp of the threat |
| clientUUID | The unique identifier of the Verosint workspace where the threat was detected |
| threat | Additional details (see below) |

Threat Specifics

| Property Name | Description |
| --- | --- |
| id | The unique identifier of the threat |
| startedAt | The time the threat started |
| endedAt | The time the threat ended (may be missing if the threat is still ongoing or the end date is not applicable) |
| type | The type of the threat: ACCOUNT_TAKEOVER, MFA_FATIGUE, MFA_LOCATION_MISMATCH, LOGIN_BRUTE_FORCE, SESSION_SHARING, or STUFFING_ATTACK |
| status | The status of the threat: STARTED or ENDED |
| details | The details of the threat. This is a JSON object where the payload depends on the type of threat. |

Example Threat Notification Message

{
  "host": "api.verosint.com",
  "threat": {
    "details": {
      "accountId": "auth0|70931ebabcd42b1111cdef9c",
      "email": "[email protected]",
      "sessionId": "J9NTABC8TbXrWTEyhyGiMob7VLR6Lkmz"
    },
    "endedAt": "2025-02-10T13:15:40.664338-06:00",
    "id": "4ae61183-a630-4852-a3a8-93dfd6eda598",
    "startedAt": "2025-02-10T12:15:40.664338-06:00",
    "status": "ENDED",
    "type": "SESSION_SHARING"
  },
  "timestamp": "2025-02-10T19:15:40Z",
  "url": "https://app.verosint.com/4ab223f0-07e0-435c-96a9-ec74b47088ac/ai-insights?id=4ae61183-a630-4852-a3a8-93dfd6eda789"
}
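
A receiver-side check for the notification format above, as an added example (not Verosint code). It authenticates the Authorization header and validates the documented fields before anything downstream consumes them. The names `EXPECTED_AUTH`, `parse_notification` and `SAMPLE` and the token value are assumptions made for illustration.

```python
import hmac
import json
from datetime import datetime

EXPECTED_AUTH = "Bearer example-token-value"  # assumption: placeholder secret
THREAT_TYPES = {"ACCOUNT_TAKEOVER", "MFA_FATIGUE", "MFA_LOCATION_MISMATCH",
                "LOGIN_BRUTE_FORCE", "SESSION_SHARING", "STUFFING_ATTACK"}
STATUSES = {"STARTED", "ENDED"}

def _ts(value):
    """Parse an RFC 3339 timestamp and require an explicit UTC offset."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("timestamp has no UTC offset")
    return parsed

def parse_notification(auth_header, body):
    """Authenticate and validate one notification; raise on anything unexpected."""
    # Compare the entire Authorization header value in constant time.
    if not hmac.compare_digest((auth_header or "").encode(), EXPECTED_AUTH.encode()):
        raise PermissionError("bad Authorization header")
    doc = json.loads(body)
    outer = doc.get("threat") if isinstance(doc, dict) else None
    if not isinstance(outer, dict) or doc.get("host") != "api.verosint.com":
        raise ValueError("unexpected host or missing threat object")
    # The tables nest the specifics under threat.threat, the example message
    # puts them directly under threat; accept either layout.
    spec = outer["threat"] if isinstance(outer.get("threat"), dict) else outer
    if spec.get("type") not in THREAT_TYPES or spec.get("status") not in STATUSES:
        raise ValueError("unknown threat type or status")
    ended = spec.get("endedAt")  # may be missing while the threat is ongoing
    return {
        "id": spec["id"], "type": spec["type"], "status": spec["status"],
        "started_at": _ts(spec["startedAt"]),
        "ended_at": _ts(ended) if ended else None,
        "sent_at": _ts(doc["timestamp"]),
        "details": spec.get("details", {}),  # shape varies by type: treat as untrusted
        "url": doc["url"],
    }

# Constructed sample (not a real notification), laid out like the example message.
SAMPLE = json.dumps({
    "host": "api.verosint.com", "timestamp": "2025-02-10T19:15:40Z",
    "url": "https://app.verosint.com/WORKSPACE-ID/ai-insights?id=THREAT-ID",
    "threat": {"id": "00000000-0000-4000-8000-000000000001", "type": "MFA_FATIGUE",
               "status": "STARTED", "startedAt": "2025-02-10T12:15:40.664338-06:00",
               "details": {}},
})

if __name__ == "__main__":
    print(parse_notification(EXPECTED_AUTH, SAMPLE))
```

Call `parse_notification` with the raw Authorization header and request body from whatever HTTP framework receives the Webhook, and reject the request if it raises.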