Adaptive risk events payload

You can use the following adaptive risk event payloads to trigger asynchronous workflows and synchronizations for event notification webhooks and APIs.

Table 1. Adaptive risk attributes
Name Data type Description
data.applicationid String The identifier of the application that was targeted by the event.
data.applicationname String The application name of the target, for the resources application and entitlement.
data.applicationtype String The application type of the target, for the resources application and entitlement.
data.behavioral_anomaly String Specifies whether the user has a deviation from the user's or the organization’s usual behavioral patterns. For example, false.
data.behavioral_score String Indicates the level of behavioral typing anomalies that occur during traditional username and password authentication. For example, -1.
Note: To use this attribute, the feature must be enabled and configured on the Verify login page.
data.browser String The Adaptive Access reported browser. For example, Mobile Safari.
Note: Might differ from the Browser or User-Agent in the base event.
data.city String The Adaptive Access reported city. For example, Cincinnati.
Note: Might differ from the Geo-City in the base event.
data.country String The Adaptive Access reported country. For example, USA.
Note: Might differ from the Geo-Country in the base event.
data.csid String The Adaptive Access Session ID. For example, abcde1f2-gh33-44ii-5jjbk-666l77m888nn.
data.decision_decisionCode String The final access policy condition element in the access policy rule that was matched. For example, TRUSTEER_OK.
data.decision_reason String The final reason description of the matching access policy rule and condition. For example, Access from a known and trusted device.
data.device_authentication_status String The device's authentication status within the scope of the account, based on information received in the current and previous logins. For example, authenticated.
data.devicetype String The browser user agent.
data.gd_id String The Adaptive Access Global Device ID. For example, 1111ABCD2E33F44GHI55J6K777777777777777L88888888MN999P1Q2RS3333T4-12345678.
data.isp String The Adaptive Access reported internet service provider. For example, Spectrum.
data.new_device String Specifies whether the device is new in the account. For example, false.
data.new_location String Specifies whether the user's location is new in the account. For example, false.
data.origin String The IP address of the system that caused the event to be generated.
data.os String The Adaptive Access reported operating system. For example, iOS.
data.pdxid_a2Pdx String The access policy condition ID that was matched during the access policy evaluation. For example, a2Pdx.
Note: Multiple matches might be present for each matching condition, or policy, or always run rules.
data.pdxid_DefaultRule String The default rule values are present only if no access policy condition ID was matched during the access policy evaluation.
data.pdxname_a2Pdx String The access policy condition name that was matched during the access policy evaluation. For example, com.ibm.security.access.risk.rt.pdx.trusteer.A2PdxModuleImpl.
Note: Multiple matches might be present for each matching condition, or policy, or always run rules.
data.pdxname_DefaultRule String The default rule values are present only if no access policy condition name was matched during the access policy evaluation.
data.pdxreason_a2Pdx String The reason description of a matching access policy rule and condition. For example, XXXXX1234I The information for user [ 123456A5BB ], session index [ aaaaa0b2-ccc33-44dd-5eee-666f77g888hh ] and tenant [ mycoid.verify.myco.com ] is trusted.
Note: Multiple matches might be present for each matching condition, or policy, or always run rules.
data.pdxreason_DefaultRule String The default rule values are present only if no access policy condition reason was matched during the access policy evaluation.
data.pdxreasoncode_a2Pdx String The access policy condition element in the access policy rule that was matched. For example, TRUSTEER_OK.
Note: Multiple matches might be present for each matching condition, or policy, or always run rules.
data.pdxreasoncode_DefaultRule String The default rule values are present only if no access policy condition reason code was matched during the access policy evaluation.
data.policy_action String The final highest order precedence action from all matching access policy rules during the access policy evaluation. For example, ACTION_ALLOW.
data.policy_id String The access policy ID. For example, 12345.
data.policy_name String The access policy name. For example, Adaptive Access.
data.previous_successful_mfa String The UTC time of the previous successful MFA that was completed on the device. For example, 2023-01-27 01:36:21.
data.realm String The identity source of the user. Examples: Cloud Directory - CloudIdentityRealm; IBMid - www.ibm.com; SAML Enterprise - AzureRealm; LDAP pass-through - www.cloudsecurity.com; OIDC - www.yahoo.com.

data.reason String The Adaptive Access reason for the access policy decision. For example, Access from a known and trusted device.
data.reason_id String The Adaptive Access reason ID for the access policy decision. For example, 1001.
data.recommendation String The Adaptive Access recommended access policy action. For example, allow_login.
data.region String Specifies the region where the request was made.
data.remote_access_tool_indication String Specifies whether a remote access tool (RAT) is present in the current session. For example, false.
data.remote_ip String The Adaptive Access reported IP address. For example, 111.11.111.11.
Note: The address might differ from Origin in the base event.
data.requestid String The access policy request ID that was matched during the access policy evaluation.
data.risk_level String The Adaptive Access evaluated risk level based on the correlation between the values and behavior that is seen in the current session and the user’s history. For example, LOW.
data.risk_score String The Adaptive Access evaluated risk score. For example, 100.
data.risky_connection String Specifies whether the session connection is finished with the hosting service. For example, false.
data.risky_device String Specifies whether the browser version that is used in the session is risky. For example, false.
data.rule_id String The access policy rule ID that was matched during the access policy evaluation. For example, 2222222222222.
data.rule_name String The access policy rule name that was matched during the access policy evaluation. For example, Adaptive access.
data.snippet_id String The Adaptive Access application ID. For example, 123456.
data.useragent String The Adaptive Access reported User-Agent (browser). For example, Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Mobile/15E148 Safari/604.1.
Note: The User-Agent might differ from the devicetype in the base event.
data.userid String The Verify user ID that caused the event to be generated.
data.username String The unique identifier for logging into Verify. It can be the same as the email address of the user.
geoip.city_name String Augmented by the Event service using data.origin.
geoip.continent_name String Augmented by the Event service using data.origin.
geoip.country_iso_code String Augmented by the Event service using data.origin.
geoip.country_name String Augmented by the Event service using data.origin.
geoip.location String Augmented by the Event service using data.origin.
geoip.region_name String Augmented by the Event service using data.origin.

Example

The following code is a sample payload. Use the Events APIs to get the actual attributes. See https://docs.verify.ibm.com/verify/reference/getallevents and https://docs.verify.ibm.com/verify/docs/pulling-event-data.

{
    "geoip": {
      "continent_name": "North America",
      "city_name": "Venice",
      "country_iso_code": "USA",
      "ip": "11.11.111.111",
      "country_name": "United States",
      "region_name": "California",
      "location": {
        "lon": "-118.4644",
        "lat": "33.9955"
      }
    },
    "data": {
      "new_device": "newdevice",
      "country": "USA",
      "risky_connection": "false",
      "policy_id": "riskpolicyid",
      "city": "Austin",
      "origin": "11.11.111.111",
      "isp": "isp",
      "userid": "userid",
      "devicetype": "devicetype",
      "new_location": "newlocale",
      "browser": "testbrowser",
      "policy_action": "testpolicy",
      "applicationid": "riskappid",
      "behavioral_anomaly": "riskbehavior",
      "risky_device": "false",
      "os": "testos",
      "risk_score": "100",
      "csid": "testcsid",
      "rule_name": "riskrule",
      "policy_name": "riskpolicy",
      "applicationname": "riskapp",
      "rule_id": "riskruleid",
      "risk_level": "LOW",
      "realm": "www.ibm.com",
      "decision_reason": "testreason",
      "region": "south",
      "username": "username"
    },
    "year": 2023,
    "event_type": "adaptive_risk",
    "month": 2,
    "indexed_at": 1675247929170,
    "tenantid": "22222222-2222-2222-2222-222222222222",
    "tenantname": "tenant name.verify.ibmcloudsecurity.com",
    "correlationid": "CORR_ID-3333333333-3333-3333-3333-333333333333",
    "id": "44444444-4444-4444-4444-444444444444",
    "time": 1675247929164,
    "day": 1
}
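The following is an added example of a webhook consumer for this payload; it is not IBM's code. It normalises the string-typed attributes above (booleans arrive as "true"/"false", scores as digit strings, time as epoch milliseconds), flags a difference between data.remote_ip and data.origin as the table's notes warn, and decides whether the event should be queued for review. The sample event is constructed from the page's example, with a data.remote_ip value added; the review rule that treats any risk_level other than LOW as reviewable is an assumption, since LOW is the only value the page shows.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the page's example payload, trimmed to the fields used here,
# plus a remote_ip taken from the attribute table so the mismatch check has input.
SAMPLE_EVENT = json.loads("""{
  "event_type": "adaptive_risk",
  "id": "44444444-4444-4444-4444-444444444444",
  "time": 1675247929164,
  "data": {"new_device": "newdevice", "new_location": "newlocale",
           "risky_connection": "false", "risky_device": "false",
           "risk_level": "LOW", "risk_score": "100",
           "origin": "11.11.111.111", "remote_ip": "111.11.111.11",
           "policy_action": "testpolicy", "username": "username"}
}""")

def as_bool(value):
    """Adaptive risk booleans are the strings "true"/"false"; anything else is unknown (None)."""
    if value is None:
        return None
    return {"true": True, "false": False}.get(str(value).strip().lower())

def as_int(value):
    """Scores are digit strings (e.g. "100", "-1"); return None if not parseable."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def parse_adaptive_risk(event):
    """Normalise one adaptive_risk event into typed fields; rejects other event types."""
    if event.get("event_type") != "adaptive_risk":
        raise ValueError("not an adaptive_risk event")
    d = event.get("data", {})
    return {
        "id": event.get("id"),
        "time": datetime.fromtimestamp(event["time"] / 1000, tz=timezone.utc),
        "username": d.get("username"),
        "risk_level": d.get("risk_level"),
        "risk_score": as_int(d.get("risk_score")),
        "new_device": as_bool(d.get("new_device")),
        "new_location": as_bool(d.get("new_location")),
        "risky_connection": as_bool(d.get("risky_connection")),
        "risky_device": as_bool(d.get("risky_device")),
        # Adaptive Access may report a different address than the base event's origin.
        "ip_mismatch": d.get("remote_ip") not in (None, d.get("origin")),
        "policy_action": d.get("policy_action"),
    }

def needs_review(ev):
    """Queue for analyst review if any risk flag is set, unparseable, or IPs disagree."""
    flags = (ev["new_device"], ev["new_location"], ev["risky_connection"], ev["risky_device"])
    return (ev["risk_level"] != "LOW" or any(f is None for f in flags)  # assumption: LOW is the clean level
            or any(flags) or ev["ip_mismatch"])
```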