Adaptive risk events payload
You can use the following adaptive risk event payloads to trigger asynchronous workflows and synchronizations for event notification webhooks and APIs.
Name | Data type | Description |
---|---|---|
data.applicationid | String | The identifier of the application that was targeted by the event. |
data.applicationname | String | The application name of the target for the resources: application, entitlement. |
data.applicationtype | String | The application type of the target for the resources: application, entitlement. |
data.behavioral_anomaly | String | Specifies whether the user has a deviation from the user's or the organization’s usual behavioral patterns. For example, false. |
data.behavioral_score | String | Indicates the level of behavioral typing anomalies that occur during traditional username and password authentication. For example, -1. Note: To use this attribute, the feature must be enabled and configured on the Verify login page. |
data.browser | String | The Adaptive Access reported browser. For example, Mobile Safari. Note: Might differ from the Browser or User-Agent in the base event. |
data.city | String | The Adaptive Access reported city. For example, Cincinnati. Note: Might differ from the Geo-City in the base event. |
data.country | String | The Adaptive Access reported country. For example, USA. Note: Might differ from the Geo-Country in the base event. |
data.csid | String | The Adaptive Access Session ID. For example, abcde1f2-gh33-44ii-5jjbk-666l77m888nn. |
data.decision_decisionCode | String | The final access policy condition element in the access policy rule that was matched. For example, TRUSTEER_OK. |
data.decision_reason | String | The final reason description of the matching access policy rule and condition. For example, Access from a known and trusted device. |
data.device_authentication_status | String | Device’s authentication status within the scope of the account, based on information received in the current and previous logins. For example, authenticated. |
data.devicetype | String | The browser user agent. |
data.gd_id | String | The Adaptive Access Global Device ID. For example, 1111ABCD2E33F44GHI55J6K777777777777777L88888888MN999P1Q2RS3333T4-12345678. |
data.isp | String | The Adaptive Access reported internet service provider. For example, Spectrum. |
data.new_device | String | Specifies whether the device is new in the account. For example, false. |
data.new_location | String | Specifies whether the user's location is new in the account. For example, false. |
data.origin | String | The IP address of the system that caused the event to be generated. |
data.os | String | The Adaptive Access reported operating system. For example, iOS. |
data.pdxid_a2Pdx | String | The access policy condition ID that was matched during the access policy evaluation. For example, a2Pdx. Note: Multiple matches might be present for each matching condition, or policy, or always run rules. |
data.pdxid_DefaultRule | String | The default rule values are present only if no access policy condition ID was matched during the access policy evaluation. |
data.pdxname_a2Pdx | String | The access policy condition name that was matched during the access policy evaluation. For example, com.ibm.security.access.risk.rt.pdx.trusteer.A2PdxModuleImpl. Note: Multiple matches might be present for each matching condition, or policy, or always run rules. |
data.pdxname_DefaultRule | String | The default rule values are present only if no access policy condition name was matched during the access policy evaluation. |
data.pdxreason_a2Pdx | String | The reason description of a matching access policy rule and condition. For example, XXXXX1234I The information for user [ 123456A5BB ], session index [ aaaaa0b2-ccc33-44dd-5eee-666f77g888hh ] and tenant [ mycoid.verify.myco.com ] is trusted. Note: Multiple matches might be present for each matching condition, or policy, or always run rules. |
data.pdxreason_DefaultRule | String | The default rule values are present only if no access policy condition reason was matched during the access policy evaluation. |
data.pdxreasoncode_a2Pdx | String | The access policy condition element in the access policy rule that was matched. For example, TRUSTEER_OK. Note: Multiple matches might be present for each matching condition, or policy, or always run rules. |
data.pdxreasoncode_DefaultRule | String | The default rule values are present only if no access policy condition reason code was matched during the access policy evaluation. |
data.policy_action | String | The final highest order precedence action from all matching access policy rules during the access policy evaluation. For example, ACTION_ALLOW. |
data.policy_id | String | The access policy ID. For example, 12345 . |
data.policy_name | String | The access policy name. For example, Adaptive Access . |
data.previous_successful_mfa | String | The UTC time of the previous successful MFA that was completed on the device. For example, 2023-01-27 01:36:21. |
data.realm | String | Identity source of user. Examples: Cloud Directory - CloudIdentityRealm; IBMid - www.ibm.com; SAML Enterprise - AzureRealm; LDAP pass-through - www.cloudsecurity.com; OIDC - www.yahoo.com. |
data.reason | String | The Adaptive Access reason for the access policy decision. For example, Access from a known and trusted device. |
data.reason_id | String | The Adaptive Access reason ID for the access policy decision. For example, 1001. |
data.recommendation | String | The Adaptive Access recommended access policy action. For example, allow_login. |
data.region | String | Specifies the region where the request was made. |
data.remote_access_tool_indication | String | Specifies whether a remote access tool (RAT) is present in the current session. For example, false. |
data.remote_ip | String | The Adaptive Access reported IP address. For example, 111.11.111.11. Note: The address might differ from Origin in the base event. |
data.requestid | String | The access policy request ID that was matched during the access policy evaluation. |
data.risk_level | String | The Adaptive Access evaluated risk level based on the correlation between the values and behavior that is seen in the current session and the user’s history. For example, LOW. |
data.risk_score | String | The Adaptive Access evaluated risk score. For example, 100 . |
data.risky_connection | String | Specifies whether the session connection is finished with the hosting service. For example, false. |
data.risky_device | String | Specifies whether the browser version that is used in the session is risky. For example, false. |
data.rule_id | String | The access policy rule ID that was matched during the access policy evaluation. For example, 2222222222222. |
data.rule_name | String | The access policy rule name that was matched during the access policy evaluation. For example, Adaptive access. |
data.snippet_id | String | The Adaptive Access application ID. For example, 123456 . |
data.useragent | String | The Adaptive Access reported User-Agent (browser). For example, Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Mobile/15E148 Safari/604.1. Note: The User-Agent might differ from the devicetype in the base event. |
data.userid | String | The Verify user ID that caused the event to be generated. |
data.username | String | The unique identifier for logging into Verify. It can be the same as the email address of the user. |
geoip.city_name, geoip.continent_name, geoip.country_iso_code, geoip.country_name, geoip.location, geoip.region_name | String | Augmented by the Event service by using data.origin. |
Example
The following code is a sample payload. Use the Events APIs to get the actual attributes. See https://docs.verify.ibm.com/verify/reference/getallevents and https://docs.verify.ibm.com/verify/docs/pulling-event-data.
```json
{
  "geoip": {
    "continent_name": "North America",
    "city_name": "Venice",
    "country_iso_code": "USA",
    "ip": "11.11.111.111",
    "country_name": "United States",
    "region_name": "California",
    "location": {
      "lon": "-118.4644",
      "lat": "33.9955"
    }
  },
  "data": {
    "new_device": "newdevice",
    "country": "USA",
    "risky_connection": "false",
    "policy_id": "riskpolicyid",
    "city": "Austin",
    "origin": "11.11.111.111",
    "isp": "isp",
    "userid": "userid",
    "devicetype": "devicetype",
    "new_location": "newlocale",
    "browser": "testbrowser",
    "policy_action": "testpolicy",
    "applicationid": "riskappid",
    "behavioral_anomaly": "riskbehavior",
    "risky_device": "false",
    "os": "testos",
    "risk_score": "100",
    "csid": "testcsid",
    "rule_name": "riskrule",
    "policy_name": "riskpolicy",
    "applicationname": "riskapp",
    "rule_id": "riskruleid",
    "risk_level": "LOW",
    "realm": "www.ibm.com",
    "decision_reason": "testreason",
    "region": "south",
    "username": "username"
  },
  "year": 2023,
  "event_type": "adaptive_risk",
  "month": 2,
  "indexed_at": 1675247929170,
  "tenantid": "22222222-2222-2222-2222-222222222222",
  "tenantname": "tenant name.verify.ibmcloudsecurity.com",
  "correlationid": "CORR_ID-3333333333-3333-3333-3333-333333333333",
  "id": "44444444-4444-4444-4444-444444444444",
  "time": 1675247929164,
  "day": 1
}
```
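The following Python is an added example, not IBM's code: it normalizes one adaptive_risk event for a webhook or polling consumer by converting the string-typed attributes, grouping the per-condition pdx* attributes by their suffix, and flagging when data.remote_ip differs from data.origin. The names normalize, to_flag and SAMPLE are hypothetical, and SAMPLE is constructed from example values on this page.

```python
# Attributes the table documents as "true"/"false" strings.
FLAG_FIELDS = ("new_device", "new_location", "risky_connection", "risky_device",
               "behavioral_anomaly", "remote_access_tool_indication")
PDX_PREFIXES = ("pdxreasoncode_", "pdxreason_", "pdxname_", "pdxid_")

# Constructed sample that reuses example values from this page.
SAMPLE = {"event_type": "adaptive_risk", "data": {
    "username": "username", "risk_score": "100", "risk_level": "LOW",
    "policy_action": "ACTION_ALLOW", "new_device": "newdevice",
    "risky_device": "false", "origin": "11.11.111.111",
    "remote_ip": "111.11.111.11", "pdxid_a2Pdx": "a2Pdx",
    "pdxreasoncode_a2Pdx": "TRUSTEER_OK",
    "pdxname_a2Pdx": "com.ibm.security.access.risk.rt.pdx.trusteer.A2PdxModuleImpl"}}


def to_flag(value):
    """Map "true"/"false" strings to bool; anything else (placeholder, missing) to None."""
    return {"true": True, "false": False}.get(str(value).strip().lower())


def normalize(event):
    """Return a typed view of one adaptive_risk event (hypothetical helper)."""
    if event.get("event_type") != "adaptive_risk":
        raise ValueError("not an adaptive_risk event")
    data = event.get("data", {})
    out = {"username": data.get("username"),
           "risk_level": data.get("risk_level"),
           "policy_action": data.get("policy_action")}
    try:
        out["risk_score"] = int(data.get("risk_score"))  # documented as a String
    except (TypeError, ValueError):
        out["risk_score"] = None
    out["flags"] = {name: to_flag(data.get(name)) for name in FLAG_FIELDS}
    # Group pdxid_/pdxname_/pdxreason_/pdxreasoncode_ keys by condition suffix
    # (a2Pdx, DefaultRule, ...), since several conditions can match one event.
    conditions = {}
    for key, value in data.items():
        for prefix in PDX_PREFIXES:
            if key.startswith(prefix):
                field = prefix[3:-1]  # "id", "name", "reason" or "reasoncode"
                conditions.setdefault(key[len(prefix):], {})[field] = value
                break
    out["conditions"] = conditions
    # The table notes that remote_ip might differ from origin; surface it for triage.
    remote_ip, origin = data.get("remote_ip"), data.get("origin")
    out["ip_mismatch"] = bool(remote_ip and origin and remote_ip != origin)
    return out
```

A flag value of None means the attribute was absent or held something other than "true" or "false", as the placeholder strings in the sample payload do, so a consumer should treat it as unknown rather than as false.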