Risk events payload
Risk event payloads are delivered through event notification webhooks and the Events APIs; you can use them to trigger asynchronous workflows and synchronizations.
Risk events do not have a report of their own, but the outcome of a risk event determines whether a SAML or OIDC SSO event succeeds or fails. It also triggers an MFA authentication event.
Name | Data type | Description |
---|---|---|
data.applicationid | String | The identifier of the application that was targeted by the event. |
data.applicationname | String | The name of the application that was targeted by the event. |
data.applicationtype | String | The type of the target of the event. For example, application or entitlement. |
data.decision_decisionCode | String | The final access policy condition element in the access policy rule that was matched. For example, TRUSTEER_OK. |
data.decision_reason | String | The final reason description of the matching access policy rule and condition. |
data.devicetype | String | The browser user agent. |
data.origin | String | IP address of the system that caused the event to be generated. |
data.pdxid_<matching_rule_condition> | String | The access policy condition ID that was matched during the access policy evaluation. Note: Multiple matches might be present, one for each matching condition, policy, or always-run rule. |
data.pdxid_DefaultRule | String | Present only if no access policy condition ID was matched during the access policy evaluation. |
data.pdxname_<matching_rule_condition> | String | The access policy condition name that was matched during the access policy evaluation. For example, com.ibm.security.access.risk.rt.pdx.trusteer.A2PdxModuleImpl. Note: Multiple matches might be present, one for each matching condition, policy, or always-run rule. |
data.pdxname_DefaultRule | String | Present only if no access policy condition name was matched during the access policy evaluation. |
data.pdxreason_<matching_rule_condition> | String | The reason description of a matching access policy rule and condition. For example, XXXXX1234I The information for user [ 123456A5BB ], session index [ aaaaa0b2-ccc33-44dd-5eee-666f77g888hh ] and tenant [ mycoid.verify.myco.com ] is trusted. Note: Multiple matches might be present, one for each matching condition, policy, or always-run rule. |
data.pdxreason_DefaultRule | String | Present only if no access policy condition reason was matched during the access policy evaluation. |
data.pdxreasoncode_<matching_rule_condition> | String | The access policy condition reason code that was matched during the access policy evaluation. Note: Multiple matches might be present, one for each matching condition, policy, or always-run rule. |
data.pdxreasoncode_DefaultRule | String | Present only if no access policy condition reason code was matched during the access policy evaluation. |
data.policy_action | String | The final, highest-precedence action from all matching access policy rules during the access policy evaluation. For example, ACTION_ALLOW. |
data.policy_id | String | The access policy ID. For example, 12345. |
data.policy_name | String | The access policy name. For example, Access Policy. |
data.realm | String | Identity source of the user. Examples: Cloud Directory: CloudIdentityRealm; IBMid: www.ibm.com; SAML Enterprise: AzureRealm; LDAP pass-through: www.cloudsecurity.com; OIDC: www.yahoo.com. |
data.requestid | String | The access policy request ID that was matched during the access policy evaluation. |
data.rule_id | String | The access policy rule ID that was matched during the access policy evaluation. |
data.rule_name | String | The access policy rule name that was matched during the access policy evaluation. |
data.userid | String | The Verify user ID that caused the event to be generated. |
data.username | String | The unique identifier for logging in to Verify. It can be the same as the email address of the user. |
geoip.city_name, geoip.continent_name, geoip.country_iso_code, geoip.country_name, geoip.location, geoip.region_name | String | Added by the Event service by geolocating data.origin. In the sample below, geoip.location is an object with lat and lon values. |
Example
The following is a sample payload. Values vary by tenant and policy; use the Events APIs to get the actual attributes. See https://docs.verify.ibm.com/verify/reference/getallevents and https://docs.verify.ibm.com/verify/docs/pulling-event-data.
```json
{
  "geoip": {
    "continent_name": "North America",
    "city_name": "Austin",
    "country_iso_code": "USA",
    "ip": "111.11.11.1",
    "country_name": "United States",
    "region_name": "Texas",
    "location": {
      "lon": "-97.7207",
      "lat": "30.4293"
    }
  },
  "data": {
    "policy_id": "2222222",
    "decision_decisionCode": "DEFAULT_RULE",
    "rule_name": "Default rule",
    "origin": "111.11.11.1",
    "pdxid_DefaultRule": "DefaultRule",
    "policy_name": "Allow access (Custom)",
    "userid": "3333333333",
    "devicetype": "Saturn/5",
    "pdxname_DefaultRule": "DefaultRuleProcessor PDX",
    "rule_id": "4444444444444",
    "pdxreasoncode_DefaultRule": "DEFAULT_RULE",
    "pdxreason_DefaultRule": "CSIBI0031I The policy's default rules for user [ 3333333333 ] and tenant [ tenant name.verify.ibmcloudsecurity.com ] triggered action [ ACTION_ALLOW ]",
    "requestid": "55555555-5555-5555-5555-555555555555",
    "decision_reason": "CSIBI0031I The policy's default rules for user [ 3333333333 ] and tenant [ tenant name.verify.ibmcloudsecurity.com ] triggered action [ ACTION_ALLOW ]",
    "realm": "cloudIdentityRealm",
    "policy_action": "ACTION_ALLOW",
    "username": "email address"
  },
  "year": 2023,
  "event_type": "risk",
  "month": 1,
  "indexed_at": 1674820363305,
  "tenantid": "66666666-6666-6666-6666-666666666666",
  "tenantname": "tenant name.verify.ibmcloudsecurity.com",
  "correlationid": "CORR_ID-7777777777-7777-7777-7777-777777777777",
  "id": "88888888-8888-8888-8888-888888888888",
  "time": 1674820362822,
  "day": 27
}
```
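As an added example (not IBM's code and not part of the original page), the following Python consumes risk event payloads shaped like the table and sample above: it groups the dynamic pdx*_<matching_rule_condition> keys by their condition suffix, distinguishes a decision that fell through to the default rule from one where a condition matched, and flags events a consumer might want to review. EVENT_DEFAULT_RULE is a trimmed copy of the page's sample. EVENT_MATCHED_CONDITION is constructed: the condition suffix TrusteerCheck, the event and rule IDs, the IP 203.0.113.9 and the geoip values are made up, as are the "authentication" event type used to show filtering and the assumption that a webhook body is either one event object or a JSON array of them.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# pdx{id,name,reason,reasoncode}_<suffix>: the suffix is the matched rule
# condition, or "DefaultRule" when no condition matched.
PDX_KEY = re.compile(r"^pdx(id|name|reason|reasoncode)_(.+)$")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

EVENT_DEFAULT_RULE = {  # trimmed copy of the page's sample payload
    "event_type": "risk",
    "id": "88888888-8888-8888-8888-888888888888",
    "time": 1674820362822,
    "tenantname": "tenant name.verify.ibmcloudsecurity.com",
    "geoip": {"country_iso_code": "USA", "city_name": "Austin"},
    "data": {
        "origin": "111.11.11.1", "userid": "3333333333",
        "policy_id": "2222222", "policy_name": "Allow access (Custom)",
        "policy_action": "ACTION_ALLOW",
        "rule_id": "4444444444444", "rule_name": "Default rule",
        "decision_decisionCode": "DEFAULT_RULE",
        "pdxid_DefaultRule": "DefaultRule",
        "pdxname_DefaultRule": "DefaultRuleProcessor PDX",
        "pdxreasoncode_DefaultRule": "DEFAULT_RULE",
        "pdxreason_DefaultRule": "CSIBI0031I The policy's default rules for user "
        "[ 3333333333 ] and tenant [ tenant name.verify.ibmcloudsecurity.com ] "
        "triggered action [ ACTION_ALLOW ]",
    },
}

# Constructed (hypothetical): a rule condition matched, so the DefaultRule
# keys are absent and the pdx* suffix is the condition name instead.
EVENT_MATCHED_CONDITION = {
    "event_type": "risk",
    "id": "99999999-9999-9999-9999-999999999999",
    "time": 1674820400000,
    "tenantname": "tenant name.verify.ibmcloudsecurity.com",
    "geoip": {"country_iso_code": "DEU", "city_name": "Berlin"},
    "data": {
        "origin": "203.0.113.9", "userid": "3333333333",
        "policy_id": "2222222", "policy_name": "Allow access (Custom)",
        "policy_action": "ACTION_ALLOW",
        "rule_id": "4444444444445", "rule_name": "Trusted device rule",
        "decision_decisionCode": "TRUSTEER_OK",
        "pdxid_TrusteerCheck": "TrusteerCheck",
        "pdxname_TrusteerCheck": "com.ibm.security.access.risk.rt.pdx.trusteer.A2PdxModuleImpl",
        "pdxreasoncode_TrusteerCheck": "TRUSTEER_OK",
        "pdxreason_TrusteerCheck": "XXXXX1234I The information for user [ 3333333333 ] is trusted.",
    },
}

# Constructed webhook body: one risk event plus one non-risk event
# (the "authentication" event_type is an assumption, used only for filtering).
SAMPLE_WEBHOOK_BODY = json.dumps(
    [EVENT_DEFAULT_RULE, {"event_type": "authentication", "id": "x", "data": {}}]
).encode()


def pdx_conditions(data):
    """Group pdx*_<condition> keys: {"DefaultRule": {"id": ..., "reason": ...}, ...}."""
    grouped = defaultdict(dict)
    for key, value in data.items():
        match = PDX_KEY.match(key)
        if match:
            field, condition = match.groups()
            grouped[condition][field] = value
    return dict(grouped)


def summarize(event):
    """Reduce one risk event to the fields a consumer keys on."""
    if event.get("event_type") != "risk":
        raise ValueError(f"expected a risk event, got {event.get('event_type')!r}")
    data = event["data"]
    conditions = pdx_conditions(data)
    return {
        "id": event["id"],
        # "time" is epoch milliseconds; timedelta keeps the millisecond exact
        "time": (EPOCH + timedelta(milliseconds=event["time"])).isoformat(),
        "user": data.get("userid"),
        "origin": data.get("origin"),
        "country": event.get("geoip", {}).get("country_iso_code"),
        "policy": data.get("policy_name"),
        "action": data.get("policy_action"),
        "allowed": data.get("policy_action") == "ACTION_ALLOW",
        "decision_code": data.get("decision_decisionCode"),
        "matched_conditions": sorted(c for c in conditions if c != "DefaultRule"),
        # DefaultRule keys are present only when no condition matched
        "default_rule_only": set(conditions) == {"DefaultRule"},
        "reasons": {c: fields.get("reason") for c, fields in conditions.items()},
    }


def needs_review(summary, expected_countries):
    """Return the reasons an event deserves a look (empty list means nothing unusual)."""
    flags = []
    if not summary["allowed"]:
        flags.append(f"policy action {summary['action']} is not ACTION_ALLOW")
    if summary["default_rule_only"]:
        flags.append("no rule condition matched; the default rule decided")
    if summary["country"] not in expected_countries:
        flags.append(f"origin country {summary['country']} not in expected set")
    return flags


def parse_webhook_body(body):
    """Accept one event object or a JSON array of events (shape is an assumption)
    and return summaries of the risk events only."""
    parsed = json.loads(body)
    events = parsed if isinstance(parsed, list) else [parsed]
    return [summarize(e) for e in events if e.get("event_type") == "risk"]


if __name__ == "__main__":
    for s in parse_webhook_body(SAMPLE_WEBHOOK_BODY) + [summarize(EVENT_MATCHED_CONDITION)]:
        print(s["id"], s["action"], s["matched_conditions"], needs_review(s, {"USA"}))
```

Grouping by suffix rather than by fixed key names is what makes this robust: the pdx* fields multiply with every matching condition, policy, or always-run rule, so a consumer that reads only the DefaultRule keys silently misses the matched condition on events like the second one.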