Notice events payload

Edit online

You can use the following notification event payloads to trigger asynchronous workflows and synchronizations for event notification webhooks and APIs.

Table 1. Notice attributes
Name	Data type	Description
data.action	String	The action performed by a user for the resource.
data.api_grant_type	String	The grant-type in the JWT.
data.cause	String	The message describing the action.
data.devicetype	String	The browser user agent.
data.intraservice	String	Indicates whether the event was performed by the system or by tier action.
data.origin	String	IP address of system that caused event to be generated.
data.performedby	String	Cloud directory userid or the UUID of the API Client.
data.performedby_realm	String	The realm of the person who performed the action.
data.performedby_type	String	API, Device, System, or User.
data.performedby_username	String	The User username of the person who performed the action.
data.realm	String	Identity source of user. Examples Cloud Directory - CloudIdentityRealm, IBMid - www.ibm.com SAML Enterprise - AzureRealm LDAP pass-through - www.cloudsecurity.com OIDC - www.yahoo.com
data.resource	String	`fido2_metadata` - FIDO2 device metadata: created, deleted, modified `mfa_device`: created, deleted, modified `external_mfa`: initiate, lookup, attempted
data.result	String	The result of the event. For example, Success or Failure.
data.self	String	Specifies whether the request target is the same as the request performed by value. For example, Scott updates Scott's MFA configuration.
data.subject	String	The entity whose resources are being affected.
data.targetid	String	Supplemental information to define the target of the action. Used by resources: user, group
data.username	String	The unique identifier for logging into Verify. It can be the same as the email address of the user.
data.webhook_id	String	The unique identifier of the webhook. Note: Webhook fields are added when using external MFA providers This field is present on a notice event only if it's emitted during an MFAP flow.
data.webhook_request_id	String	The unique identifier of the webhook request itself, that is returned from the webhook. Note: Webhook fields are added when using external MFA providers This field is present on a notice event only if it's emitted during an MFAP flow.
geoip.city_name geoio.continent_name geoip.country_iso_code geoip.country_name geoip.location geoip.region_name	String	Augmented by Event service by using `data.origin`.

Example

The following code is a sample payload. Use the Events APIs to get the actual attributes. See https://docs.verify.ibm.com/verify/reference/getallevents and https://docs.verify.ibm.com/verify/docs/pulling-event-data.

{
  "_index": "event-notice-2024.10-000001",
  "_type": "_doc",
  "_id": "1a1111a1-aa1a-111a-a11a-aa111a11a111",
  "_version": 1,
  "_score": 1,
  "_source": {
    "data": {
      "result": "failure",
      "performedby": "system",
      "targetid": "22222b22-2b2b-2222-bb22-22b222bb2222",
      "resource": "fido2_metadata",
      "action": "attempted",
      "devicetype": "system"
    },
    "year": 2024,
    "@metadata": {
      "source_dc": "ic-classic-dev-us02a"
    },
    "event_type": "notice",
    "month": 10,
    "indexed_at": 1727870534252,
    "@processing_time": 1503,
    "tenantid": "default",
    "tenantname": "c33c3ccc-c3c3-333c-3ccc-3c3333333333",
    "servicename": "factors",
    "id": "1a1111a1-aa1a-111a-a11a-aa111a11a111",
    "time": 1727870532749,
    "day": 2
  },
  "fields": {
    "data.performedby.lowercase": [
      "system"
    ],
    "year": [
      2024
    ],
    "data.devicetype.lowercase": [
      "system"
    ],
    "data.result": [
      "failure"
    ],
    "event_type.keyword": [
      "notice"
    ],
    "data.resource.lowercase": [
      "fido2_metadata"
    ],
    "data.result.lowercase": [
      "failure"
    ],
    "event_type": [
      "notice"
    ],
    "id.keyword": [
      "1a1111a1-aa1a-111a-a11a-aa111a11a111"
    ],
    "indexed_at": [
      "2024-10-02T12:02:14.252Z"
    ],
    "@processing_time": [
      1503
    ],
    "tenantid.keyword": [
      "default"
    ],
    "data.targetid": [
      "22222b22-2b2b-2222-bb22-22b222bb2222"
    ],
    "tenantid": [
      "default"
    ],
    "event_type.lowercase": [
      "notice"
    ],
    "@metadata.source_dc.lowercase": [
      "ic-classic-dev-us02a"
    ],
    "servicename": [
      "factors"
    ],
    "id": [
      "1a1111a1-aa1a-111a-a11a-aa111a11a111"
    ],
    "tenantid.lowercase": [
      "default"
    ],
    "day": [
      2
    ],
    "data.action.keyword": [
      "attempted"
    ],
    "data.performedby": [
      "system"
    ],
    "servicename.keyword": [
      "factors"
    ],
    "id.lowercase": [
      "1a1111a1-aa1a-111a-a11a-aa111a11a111"
    ],
    "servicename.lowercase": [
      "factors"
    ],
    "data.resource.keyword": [
      "fido2_metadata"
    ],
    "data.targetid.lowercase": [
      "22222b22-2b2b-2222-bb22-22b222bb2222"
    ],
    "data.targetid.keyword": [
      "22222b22-2b2b-2222-bb22-22b222bb2222"
    ],
    "data.performedby.keyword": [
      "system"
    ],
    "@metadata.source_dc.keyword": [
      "ic-classic-dev-us02a"
    ],
    "data.result.keyword": [
      "failure"
    ],
    "data.devicetype.keyword": [
      "system"
    ],
    "data.devicetype": [
      "system"
    ],
    "tenantname.lowercase": [
      "c33c3ccc-c3c3-333c-3ccc-3c3333333333"
    ],
    "month": [
      10
    ],
    "data.action": [
      "attempted"
    ],
    "data.resource": [
      "fido2_metadata"
    ],
    "tenantname.keyword": [
      "c33c3ccc-c3c3-333c-3ccc-3c3333333333"
    ],
    "tenantname": [
      "c33c3ccc-c3c3-333c-3ccc-3c3333333333"
    ],
    "time": [
      "2024-10-02T12:02:12.749Z"
    ],
    "@metadata.source_dc": [
      "ic-classic-dev-us02a"
    ],
    "data.action.lowercase": [
      "attempted"
    ]
  }
}