Risk events payload

You can use the following risk event payloads to trigger asynchronous workflows and synchronizations for event notification webhooks and APIs.

Risk events do not have a report, but the outcome of a risk event determines the success or failure of a SAML or OIDC SSO event. It also triggers an MFA authentication event.
Table 1. Risk attributes

| Name | Data type | Description |
| --- | --- | --- |
| data.applicationid | String | The identifier of the application that was targeted by the event. |
| data.applicationname | String | The application name of the target for the resources. For example, application or entitlement. |
| data.applicationtype | String | The application type of the target for the resources. For example, application or entitlement. |
| data.decision_decisionCode | String | The final access policy condition element in the access policy rule that was matched. For example, TRUSTEER_OK. |
| data.decision_reason | String | The final reason description of the matching access policy rule and condition. |
| data.devicetype | String | The browser user agent. |
| data.origin | String | IP address of the system that caused the event to be generated. |
| data.pdxid_<matching_rule_condition> | String | The access policy condition ID that was matched during the access policy evaluation. Note: Multiple matches might be present, one for each matching condition, policy, or always-run rule. |
| data.pdxid_DefaultRule | String | The default rule values are present only if no access policy condition ID was matched during the access policy evaluation. |
| data.pdxname_<matching_rule_condition> | String | The access policy condition name that was matched during the access policy evaluation. For example, com.ibm.security.access.risk.rt.pdx.trusteer.A2PdxModuleImpl. Note: Multiple matches might be present, one for each matching condition, policy, or always-run rule. |
| data.pdxname_DefaultRule | String | The default rule values are present only if no access policy condition name was matched during the access policy evaluation. |
| data.pdxreason_<matching_rule_condition> | String | The reason description of a matching access policy rule and condition. For example, XXXXX1234I The information for user [ 123456A5BB ], session index [ aaaaa0b2-ccc33-44dd-5eee-666f77g888hh ] and tenant [ mycoid.verify.myco.com ] is trusted. Note: Multiple matches might be present, one for each matching condition, policy, or always-run rule. |
| data.pdxreason_DefaultRule | String | The default rule values are present only if no access policy condition reason was matched during the access policy evaluation. |
| data.pdxreasoncode_<matching_rule_condition> | String | The access policy condition reason code that was matched during the access policy evaluation. Note: Multiple matches might be present, one for each matching condition, policy, or always-run rule. |
| data.pdxreasoncode_DefaultRule | String | The default rule values are present only if no access policy condition reason code was matched during the access policy evaluation. |
| data.policy_action | String | The final highest-precedence action from all matching access policy rules during the access policy evaluation. For example, ACTION_ALLOW. |
| data.policy_id | String | The access policy ID. For example, 12345. |
| data.policy_name | String | The access policy name. For example, Access Policy. |
| data.realm | String | Identity source of the user. Examples: Cloud Directory - CloudIdentityRealm; IBMid - www.ibm.com; SAML Enterprise - AzureRealm; LDAP pass-through - www.cloudsecurity.com; OIDC - www.yahoo.com. |
| data.requestid | String | The access policy request ID that was matched during the access policy evaluation. |
| data.rule_id | String | The access policy rule ID that was matched during the access policy evaluation. |
| data.rule_name | String | The access policy rule name that was matched during the access policy evaluation. |
| data.userid | String | The Verify user ID that caused the event to be generated. |
| data.username | String | The unique identifier for logging in to Verify. It can be the same as the email address of the user. |
| geoip.city_name, geoip.continent_name, geoip.country_iso_code, geoip.country_name, geoip.location, geoip.region_name | String | Augmented by the Event service by using data.origin. |

Example

The following code is a sample payload. Use the Events APIs to get the actual attributes. See https://docs.verify.ibm.com/verify/reference/getallevents and https://docs.verify.ibm.com/verify/docs/pulling-event-data.

```json
{
  "geoip": {
    "continent_name": "North America",
    "city_name": "Austin",
    "country_iso_code": "USA",
    "ip": "111.11.11.1",
    "country_name": "United States",
    "region_name": "Texas",
    "location": {
      "lon": "-97.7207",
      "lat": "30.4293"
    }
  },
  "data": {
    "policy_id": "2222222",
    "decision_decisionCode": "DEFAULT_RULE",
    "rule_name": "Default rule",
    "origin": "111.11.11.1",
    "pdxid_DefaultRule": "DefaultRule",
    "policy_name": "Allow access (Custom)",
    "userid": "3333333333",
    "devicetype": "Saturn/5",
    "pdxname_DefaultRule": "DefaultRuleProcessor PDX",
    "rule_id": "4444444444444",
    "pdxreasoncode_DefaultRule": "DEFAULT_RULE",
    "pdxreason_DefaultRule": "CSIBI0031I The policy's default rules for user [ 3333333333 ] and tenant [ tenant name.verify.ibmcloudsecurity.com ] triggered action [ ACTION_ALLOW ]",
    "requestid": "55555555-5555-5555-5555-555555555555",
    "decision_reason": "CSIBI0031I The policy's default rules for user [ 3333333333 ] and tenant [ tenant name.verify.ibmcloudsecurity.com ] triggered action [ ACTION_ALLOW ]",
    "realm": "cloudIdentityRealm",
    "policy_action": "ACTION_ALLOW",
    "username": "email address"
  },
  "year": 2023,
  "event_type": "risk",
  "month": 1,
  "indexed_at": 1674820363305,
  "tenantid": "66666666-6666-6666-6666-666666666666",
  "tenantname": "tenant name.verify.ibmcloudsecurity.com",
  "correlationid": "CORR_ID-7777777777-7777-7777-7777-777777777777",
  "id": "88888888-8888-8888-8888-888888888888",
  "time": 1674820362822,
  "day": 27
}
```
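The following is an added example, not IBM's code and not part of the Verify documentation. It shows how a webhook consumer can handle this payload: it checks event_type, collects the dynamically named pdx*_<matching_rule_condition> attributes into one record per matching condition (there can be several), recognizes a decision that was made by the default rule only, computes the indexing latency from time and indexed_at, and applies a few triage rules. The two sample events inside are constructed from the payload above; the condition name ExampleCondition, the triage rules, and the allowed_countries parameter are this example's own assumptions.

```python
"""Parse and triage Verify risk event payloads (added example, not IBM's code)."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Constructed sample modelled on the payload on this page; every ID is a placeholder.
SAMPLE_RISK_EVENT = json.loads('''{
  "geoip": {"continent_name": "North America", "city_name": "Austin",
            "country_iso_code": "USA", "ip": "111.11.11.1", "country_name": "United States",
            "region_name": "Texas", "location": {"lon": "-97.7207", "lat": "30.4293"}},
  "data": {
    "policy_id": "2222222", "policy_name": "Allow access (Custom)", "policy_action": "ACTION_ALLOW",
    "rule_id": "4444444444444", "rule_name": "Default rule", "decision_decisionCode": "DEFAULT_RULE",
    "decision_reason": "CSIBI0031I default rules for user [ 3333333333 ] triggered action [ ACTION_ALLOW ]",
    "pdxid_DefaultRule": "DefaultRule", "pdxname_DefaultRule": "DefaultRuleProcessor PDX",
    "pdxreasoncode_DefaultRule": "DEFAULT_RULE",
    "pdxreason_DefaultRule": "CSIBI0031I default rules for user [ 3333333333 ] triggered action [ ACTION_ALLOW ]",
    "origin": "111.11.11.1", "devicetype": "Saturn/5", "realm": "cloudIdentityRealm",
    "userid": "3333333333", "username": "email address",
    "requestid": "55555555-5555-5555-5555-555555555555"
  },
  "event_type": "risk", "time": 1674820362822, "indexed_at": 1674820363305,
  "tenantname": "tenant name.verify.ibmcloudsecurity.com",
  "id": "88888888-8888-8888-8888-888888888888"
}''')

# The pdx* keys are dynamic: one set per matching condition, named <kind>_<condition>.
PDX_KEY = re.compile(r"^(pdxid|pdxname|pdxreason|pdxreasoncode)_(.+)$")
DEFAULT_RULE = "DefaultRule"


@dataclass(frozen=True)
class RiskDecision:
    event_id: str
    user_id: str
    origin: str
    country_iso: str | None
    policy_name: str
    action: str
    decision_code: str
    conditions: dict  # condition name -> {"pdxid": ..., "pdxname": ..., "pdxreason": ..., "pdxreasoncode": ...}

    @property
    def default_rule_only(self) -> bool:
        # Per the attribute table, DefaultRule values are present only when no condition matched.
        return set(self.conditions) == {DEFAULT_RULE}


def parse_risk_event(event: dict) -> RiskDecision:
    """Validate the envelope and group the per-condition pdx* attributes."""
    if event.get("event_type") != "risk":
        raise ValueError(f"not a risk event: {event.get('event_type')!r}")
    data = event["data"]
    conditions = {}
    for key, value in data.items():
        m = PDX_KEY.match(key)
        if m:
            kind, condition = m.groups()
            conditions.setdefault(condition, {})[kind] = value
    return RiskDecision(
        event_id=event["id"], user_id=data["userid"], origin=data["origin"],
        country_iso=event.get("geoip", {}).get("country_iso_code"),
        policy_name=data["policy_name"], action=data["policy_action"],
        decision_code=data["decision_decisionCode"], conditions=conditions,
    )


def indexing_latency_ms(event: dict) -> int:
    """Delay between the event time and its indexing; both are epoch milliseconds."""
    return int(event["indexed_at"]) - int(event["time"])


def review_flags(decision: RiskDecision, allowed_countries: set[str] | None = None) -> list[str]:
    """Triage rules for a webhook consumer (this example's own assumptions, not Verify's)."""
    flags = []
    if decision.action != "ACTION_ALLOW":
        flags.append("non-allow outcome")
    if decision.default_rule_only:
        flags.append("decided by default rule only (no condition matched)")
    if decision.country_iso is None:
        flags.append("no geoip enrichment")
    elif allowed_countries and decision.country_iso not in allowed_countries:
        flags.append(f"origin country {decision.country_iso} outside expected set")
    return flags


def constructed_condition_event() -> dict:
    """Second constructed sample: a hypothetical explicit condition matched, so no DefaultRule keys."""
    data = {k: v for k, v in SAMPLE_RISK_EVENT["data"].items() if not k.endswith("_" + DEFAULT_RULE)}
    data.update({
        "decision_decisionCode": "TRUSTEER_OK",
        "pdxid_ExampleCondition": "example-condition-id",
        "pdxname_ExampleCondition": "com.ibm.security.access.risk.rt.pdx.trusteer.A2PdxModuleImpl",
        "pdxreasoncode_ExampleCondition": "TRUSTEER_OK",
        "pdxreason_ExampleCondition": "constructed reason text",
    })
    return {**SAMPLE_RISK_EVENT, "data": data}


if __name__ == "__main__":
    d = parse_risk_event(SAMPLE_RISK_EVENT)
    print(d.event_id, d.action, sorted(d.conditions), review_flags(d), indexing_latency_ms(SAMPLE_RISK_EVENT), "ms")
```

Grouping the pdx* attributes by the condition suffix rather than hard-coding key names is what keeps the consumer working when a policy produces several matching conditions; the DefaultRule check is useful in detection because it identifies access decisions where none of the configured conditions fired.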