Detection Event Webhooks

You can receive and react to events from SlashID's detection engine via synchronous webhooks.

What's a webhook?

If you are not familiar with webhooks, please read the extended guide to SlashID webhooks.

There are two types of Identity Protection events, covering different detection types:

  • a threat_detection occurs when the detection engine discovers an indicator of attack (IOA), such as a credential stuffing attempt;
  • a posture_detection occurs when the detection engine discovers a security posture issue, which usually indicates a misconfiguration, such as multi-factor authentication (MFA) being disabled for a specific entity.

Detection Event Payload

Both threat_detection and posture_detection events have a DetectionDetails payload with the following shape:

id

Unique identifier for the detection.

type

The type of detection, such as CredentialStuffingAttempt, MislabeledNHI, FederationBypass or MissingMFA.

status

It can have one of these three values:

  • detected: the security issue has been detected;
  • ongoing: the security issue is ongoing;
  • resolved: the security issue, previously ongoing, is now resolved.

Some types of detections will be marked as detected as they can only happen at one point in time (e.g., a credential stuffing attempt), while others are marked as ongoing until they are manually fixed (e.g., lack of MFA configured for an identity).

timestamp

When the detection was first triggered.

metadata

Information specific to a given detection; different detection types will have different metadata fields.

entity_id

The unique identifier of the entity which triggered the detection.

entity_type

The type of entity which triggered the detection. These are platform specific; for example: snowflake_user, okta_role or aws_iam_user.

source_type

The data source of the entity that triggered the detection, such as aws_account, azure_tenant or okta_org.

connection_id

The unique identifier of the data source of the entity that triggered the detection.

confidence_score

A value between 0 and 1 indicating the likelihood that the detection is a true positive.

tracking_status

A customer-managed tag used to indicate if an action has been taken to resolve this issue.

It can take the value of new or done.

detection_mitre_tactic

The MITRE ATT&CK framework tactic the detection maps to.

detection_mitre_technique

The MITRE ATT&CK framework technique the detection maps to.

detection_risk_category

Specifies whether the detection was an indicator of attack (threat) or a security posture/configuration issue (posture).

Compliance frameworks related to the detection.
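As an added example (not code from the SlashID docs), the following receiver-side code decodes a DetectionDetails body, rejects values outside the enumerations listed above, and routes the event; the triage policy, threshold, and sample body are assumptions.

```python
import json
from dataclasses import dataclass, fields
STATUSES = {"detected", "ongoing", "resolved"}  # allowed values per this page
TRACKING = {"new", "done"}
RISK = {"threat", "posture"}

@dataclass
class DetectionDetails:
    id: str
    type: str
    status: str
    timestamp: str
    metadata: dict
    entity_id: str
    entity_type: str
    source_type: str
    connection_id: str
    confidence_score: float
    tracking_status: str
    detection_risk_category: str

def parse_detection(raw: str) -> DetectionDetails:
    """Decode a webhook body and reject values outside the documented enums."""
    body = json.loads(raw)
    try:
        d = DetectionDetails(**{f.name: body[f.name] for f in fields(DetectionDetails)})
    except KeyError as e:
        raise ValueError(f"missing field {e}") from None
    if (d.status not in STATUSES or d.tracking_status not in TRACKING
            or d.detection_risk_category not in RISK):
        raise ValueError("value outside documented enumeration")
    if not 0.0 <= float(d.confidence_score) <= 1.0:
        raise ValueError(f"confidence_score out of range: {d.confidence_score}")
    return d

def triage(d: DetectionDetails, page_threshold: float = 0.8) -> str:
    """Hypothetical routing policy: what a SOC pipeline does with the event."""
    if d.status == "resolved":
        return "close"   # a previously ongoing issue has been fixed
    if d.detection_risk_category == "threat" and d.confidence_score >= page_threshold:
        return "page"    # high-confidence indicator of attack
    if d.detection_risk_category == "posture" and d.tracking_status == "new":
        return "ticket"  # misconfiguration nobody has picked up yet
    return "log"         # low confidence, or already being tracked

# Constructed sample body (not from SlashID); the metadata keys are invented.
SAMPLE = json.dumps({
    "id": "det-0001", "type": "MissingMFA", "status": "ongoing", "timestamp": "2024-01-01T00:00:00Z",
    "metadata": {"mfa_enrolled": False}, "entity_id": "user-42", "entity_type": "okta_user",
    "source_type": "okta_org", "connection_id": "conn-7", "confidence_score": 0.95,
    "tracking_status": "new", "detection_risk_category": "posture"})
```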