The available notification rules in Workbench Settings map to events and models that appear in the data
key on the webhook payload.
For more information about events and webhook data models, see Managing Webhook Requests.
Events
The following table contains the mapping of rules to events, and the models used for each event.
Event | Model | Rule Name |
---|---|---|
announcement_created | | Announcement is created |
assembler_connected | | Assembler has a health status change |
assembler_disconnected | | Assembler has a health status change |
custom_rule_created | | Custom rule is created |
expel_alert_assigned | | Expel alert is assigned to my org |
expel_alert_closed | | Expel alert is closed |
expel_alert_created | | Expel alert is created |
expel_alert_reopened | | Expel alert is reopened |
incident_assigned | | Incident is assigned to my org |
incident_closed | | Incident is closed |
incident_created | | Incident is created |
incident_downgraded | | Incident is downgraded |
incident_promoted | | Incident is promoted |
incident_reopened | | Incident is reopened |
investigation_alert_added | | Investigation has an alert added |
investigation_assigned | | Investigation is assigned to my org |
investigation_manual_remediations_completed | | Investigation is assigned to my org |
investigation_closed | | Investigation is closed |
investigation_created | | Investigation is created |
investigation_manual_remediations_completed | | Investigation manual remediations completed |
investigative_action_manual_action | | Investigative action has manual action |
investigative_action_assigned | | Investigative action is assigned |
investigative_action_analysis_assigned | | Investigative action is assigned to me |
investigative_action_assigned | | Investigative action is assigned to me |
investigative_action_analysis_assigned | | Investigative action is assigned to my org |
investigative_action_assigned | | Investigative action is assigned to my org |
investigative_action_analysis_assigned | | Investigative action analysis is assigned |
notify_action_assigned | | Notify action is assigned to my org |
remediation_action_assigned | | Remediation action is assigned to me |
remediation_action_automation_failed | | Remediation action is assigned to me |
remediation_action_assigned | | Remediation action is assigned to my org |
remediation_action_automation_failed | | Remediation action is assigned to my org |
remediation_action_automated | | Remediation action is automated |
security_device_first_healthy | | Security device has a health status change |
security_device_healthy | | Security device has a health status change |
security_device_unhealthy | | Security device has a health status change |
security_device_first_healthy | | Security device is first healthy |
verify_action_approved | | Verify action has outcome |
verify_action_denied | | Verify action has outcome |
verify_action_approved | | Verify action is assigned to me |
verify_action_assigned | | Verify action is assigned to me |
verify_action_denied | | Verify action is assigned to me |
verify_action_acknowledged | | Verify action is assigned to my org |
verify_action_approved | | Verify action is assigned to my org |
verify_action_assigned | | Verify action is assigned to my org |
verify_action_denied | | Verify action is assigned to my org |
verify_action_unacknowledged | | Verify action is assigned to my org |
Data Models
The following tables contain key-value models for specific webhook events:
Announcement Event
Key | Value |
---|---|
announcement_id | string |
change_action | string |
current | array of: { id: string, created_at: timestamp, updated_at: timestamp, created_by_id: string, updated_by_id: string, announcement_type: one of [ANNOUNCEMENT_TYPE_HOLIDAY, ANNOUNCEMENT_TYPE_THREAT_BULLETIN, ANNOUNCEMENT_TYPE_TESTING, ANNOUNCEMENT_TYPE_GENERAL], message: string } |
previous | array of: { id: string, created_at: timestamp, updated_at: timestamp, created_by_id: string, updated_by_id: string, announcement_type: one of [ANNOUNCEMENT_TYPE_HOLIDAY, ANNOUNCEMENT_TYPE_THREAT_BULLETIN, ANNOUNCEMENT_TYPE_TESTING, ANNOUNCEMENT_TYPE_GENERAL], message: string } |
Assembler Event
Context Label Event
Key | Value |
---|---|
context_label_id | string |
change_action | string |
current | |
previous | |
organization | |
created_by_actor | array of ContextLabelAction |
updated_by_actor | array of Investigation |
Expel Alert Event
Key | Value |
---|---|
expel_alert_id | string |
change_action | string |
current | |
previous | |
organization | |
vendor | |
investigation | |
updated_by_user_account | |
Investigation Event
Key | Value |
---|---|
investigation_id | string |
change_action | string |
current | |
previous | |
organization | |
created_by_organization | |
update_by_organization | |
created_by_user_account | |
updated_by_user_account | |
lead_expel_alert | |
investigation_findings | array of InvestigationFinding |
previous_assigned_to_org | |
current_assigned_to_org | |
remediation_action_asset_groups | array of: { remediation_action: RemediationAction, remediation_action_assets: array of RemediationActionAsset } |
organization_resilience_actions | array of OrganizationResilienceAction |
is_detect_only | boolean |
engagement_manager | |
Investigative Action Event
Key | Value |
---|---|
investigative_action_id | string |
change_action | string |
current | |
previous | |
created_by_actor | |
vendor | |
organization | |
previous_assigned_to_actor | |
current_assigned_to_actor | |
previous_analysis_assigned_to_actor | |
current_analysis_assigned_to_actor | |
investigation | |
completed_by_organization | |
file | |
uploaded_by_actor | |
completed_by_actor | |
updated_by_actor | |
lead_expel_alert | |
Remediation Action Event
Key | Value |
---|---|
remediation_action_id | string |
change_action | string |
current | |
previous | |
created_by_actor | |
created_by_organization | |
updated_by_actor | |
updated_by_organization | |
completed_by_actor | |
completed_by_organization | |
organization | |
previous_assigned_to_actor | |
current_assigned_to_actor | |
previous_assigned_to_org | |
current_assigned_to_org | |
investigation | |
remediation_action_assets | array of RemediationActionAsset |
remediation_asset_context_label_tags | array of: { remediation_action_asset_id: string, context_label_tag_descriptions: array of string } |
remediation_action_assets_by_device_names | array of: { <device name 1>: array of RemediationActionAsset, <device name 2>: array of RemediationActionAsset, … } |
lead_expel_alert | |
is_awaiting_checks | boolean |
previous_is_awaiting_checks | boolean |
Remediation Action Asset Event
Key | Value |
---|---|
remediation_action_asset_id | string |
change_action | string |
current | |
previous | |
remediation_action | |
remediation_action_assigned_to_actor | |
remediation_action_assigned_to_org | |
created_by_actor | |
created_by_organization | |
updated_by_actor | |
updated_by_organization | |
completed_by_actor | |
completed_by_organization | |
organization | |
investigation | |
remediation_asset_context_label_tags | array of { remediation_action_asset_id: string, context_label_tag_descriptions: array of string } |
remediation_action_assets | array of RemediationActionAsset |
remediation_action_assets_by_device_names | array of: { <device name 1>: array of RemediationActionAsset, <device name 2>: array of RemediationActionAsset, … } |
lead_expel_alert | |
Security Device Event
Key | Value |
---|---|
security_device_id | string |
change_action | string |
current | |
previous | |
organization | |