The available notification rules in Workbench Settings map to events and models that appear in the data key on the webhook payload.

For more information about events and webhook data models, see Managing Webhook Requests.

Events

The following table contains the mapping of rules to events, and the models used for each event.

| Event | Model | Rule Name |
| --- | --- | --- |
| announcement_created | Announcement event | Announcement is created |
| assembler_connected | Assembler event | Assembler has a health status change |
| assembler_disconnected | Assembler event | Assembler has a health status change |
| custom_rule_created | Context label event | Custom rule is created |
| expel_alert_assigned | Expel alert event | Expel alert is assigned to my org |
| expel_alert_closed | Expel alert event | Expel alert is closed |
| expel_alert_created | Expel alert event | Expel alert is created |
| expel_alert_reopened | Expel alert event | Expel alert is reopened |
| incident_assigned | Investigation event | Incident is assigned to my org |
| incident_closed | Investigation event | Incident is closed |
| incident_created | Investigation event | Incident is created |
| incident_downgraded | Investigative action event | Incident is downgraded |
| incident_promoted | Investigation event | Incident is promoted |
| incident_reopened | Investigation event | Incident is reopened |
| investigation_alert_added | Expel alert event | Investigation has an alert added |
| investigation_assigned | Investigation event | Investigation is assigned to my org |
| investigation_manual_remediations_completed | Investigation event | Investigation is assigned to my org |
| investigation_closed | Investigation event | Investigation is closed |
| investigation_created | Investigation event | Investigation is created |
| investigation_manual_remediations_completed | Investigation event | Investigation manual remediations completed |
| investigative_action_manual_action | Investigative action event | Investigative action has manual action |
| investigative_action_assigned | Investigative action event | Investigative action is assigned |
| investigative_action_analysis_assigned | Investigative action event | Investigative action is assigned to me |
| investigative_action_assigned | Investigative action event | Investigative action is assigned to me |
| investigative_action_analysis_assigned | Investigative action event | Investigative action is assigned to my org |
| investigative_action_assigned | Investigative action event | Investigative action is assigned to my org |
| investigative_action_analysis_assigned | Investigative action event | Investigative action analysis is assigned |
| notify_action_assigned | Investigative action event | Notify action is assigned to my org |
| remediation_action_assigned | Remediation action event | Remediation action is assigned to me |
| remediation_action_automation_failed | Remediation action asset event | Remediation action is assigned to me |
| remediation_action_assigned | Remediation action event | Remediation action is assigned to my org |
| remediation_action_automation_failed | Remediation action asset event | Remediation action is assigned to my org |
| remediation_action_automated | Remediation action event | Remediation action is automated |
| security_device_first_healthy | Security device event | Security device has a health status change |
| security_device_healthy | Security device event | Security device has a health status change |
| security_device_unhealthy | Security device event | Security device has a health status change |
| security_device_first_healthy | Security device event | Security device is first healthy |
| verify_action_approved | Investigative action event | Verify action has outcome |
| verify_action_denied | Investigative action event | Verify action has outcome |
| verify_action_approved | Investigative action event | Verify action is assigned to me |
| verify_action_assigned | Investigative action event | Verify action is assigned to me |
| verify_action_denied | Investigative action event | Verify action is assigned to me |
| verify_action_acknowledged | Investigative action event | Verify action is assigned to my org |
| verify_action_approved | Investigative action event | Verify action is assigned to my org |
| verify_action_assigned | Investigative action event | Verify action is assigned to my org |
| verify_action_denied | Investigative action event | Verify action is assigned to my org |
| verify_action_unacknowledged | Investigative action event | Verify action is assigned to my org |

Data Models

The following tables contain key-value models for specific webhook events:

Announcement Event

| Key | Value |
| --- | --- |
| announcement_id | string |
| change_action | string |
| current | array of: { id: string, created_at: timestamp, updated_at: timestamp, created_by_id: string, updated_by_id: string, announcement_type: one of [ANNOUNCEMENT_TYPE_HOLIDAY, ANNOUNCEMENT_TYPE_THREAT_BULLETIN, ANNOUNCEMENT_TYPE_TESTING, ANNOUNCEMENT_TYPE_GENERAL], message: string } |
| previous | array of: { id: string, created_at: timestamp, updated_at: timestamp, created_by_id: string, updated_by_id: string, announcement_type: one of [ANNOUNCEMENT_TYPE_HOLIDAY, ANNOUNCEMENT_TYPE_THREAT_BULLETIN, ANNOUNCEMENT_TYPE_TESTING, ANNOUNCEMENT_TYPE_GENERAL], message: string } |

Assembler Event

| Key | Value |
| --- | --- |
| assembler_id | string |
| change_action | string |
| current | Assembler |
| previous | Assembler |
| organization | Organization |
| created_by_actor | Actor |
| updated_by_actor | Actor |
| deleted_by_actor | Actor |

Context Label Event

| Key | Value |
| --- | --- |
| context_label_id | string |
| change_action | string |
| current | ContextLabel |
| previous | ContextLabel |
| organization | Organization |
| created_by_actor | array of ContextLabelAction |
| updated_by_actor | array of Investigation |

Expel Alert Event

| Key | Value |
| --- | --- |
| expel_alert_id | string |
| change_action | string |
| current | ExpelAlert |
| previous | ExpelAlert |
| organization | Organization |
| vendor | Vendor |
| investigation | Investigation |
| updated_by_user_account | UserAccount |

Investigation Event

| Key | Value |
| --- | --- |
| investigation_id | string |
| change_action | string |
| current | Investigation |
| previous | Investigation |
| organization | Organization |
| created_by_organization | Organization |
| update_by_organization | Organization |
| created_by_user_account | UserAccount |
| updated_by_user_account | UserAccount |
| lead_expel_alert | ExpelAlert |
| investigation_findings | array of InvestigationFinding |
| previous_assigned_to_org | Organization |
| current_assigned_to_org | Organization |
| remediation_action_asset_groups | array of: { remediation_action: RemediationAction, remediation_action_assets: array of RemediationActionAsset } |
| organization_resilience_actions | array of OrganizationResilienceAction |
| is_detect_only | boolean |
| engagement_manager | EngagementManager |

Investigative Action Event

| Key | Value |
| --- | --- |
| investigative_action_id | string |
| change_action | string |
| current | InvestigativeAction |
| previous | InvestigativeAction |
| created_by_actor | Actor |
| vendor | Vendor |
| organization | Organization |
| previous_assigned_to_actor | Actor |
| current_assigned_to_actor | Actor |
| previous_analysis_assigned_to_actor | Actor |
| current_analysis_assigned_to_actor | Actor |
| investigation | Investigation |
| completed_by_organization | Organization |
| file | File |
| uploaded_by_actor | Actor |
| completed_by_actor | Actor |
| updated_by_actor | Actor |
| lead_expel_alert | ExpelAlert |

Remediation Action Event

| Key | Value |
| --- | --- |
| remediation_action_id | string |
| change_action | string |
| current | RemediationAction |
| previous | RemediationAction |
| created_by_actor | Actor |
| created_by_organization | Organization |
| updated_by_actor | Actor |
| updated_by_organization | Organization |
| completed_by_actor | Actor |
| completed_by_organization | Organization |
| organization | Organization |
| previous_assigned_to_actor | Actor |
| current_assigned_to_actor | Actor |
| previous_assigned_to_org | Organization |
| current_assigned_to_org | Organization |
| investigation | Investigation |
| remediation_action_assets | array of RemediationActionAsset |
| remediation_asset_context_label_tags | array of: { remediation_action_asset_id: string, context_label_tag_descriptions: array of string } |
| remediation_action_assets_by_device_names | array of: { <device name 1>: array of RemediationActionAsset, <device name 2>: array of RemediationActionAsset, … } |
| lead_expel_alert | ExpelAlert |
| is_awaiting_checks | boolean |
| previous_is_awaiting_checks | boolean |

Remediation Action Asset Event

| Key | Value |
| --- | --- |
| remediation_action_asset_id | string |
| change_action | string |
| current | RemediationActionAsset |
| previous | RemediationActionAsset |
| remediation_action | RemediationAction |
| remediation_action_assigned_to_actor | Actor |
| remediation_action_assigned_to_org | Organization |
| created_by_actor | Actor |
| created_by_organization | Organization |
| updated_by_actor | Actor |
| updated_by_organization | Organization |
| completed_by_actor | Actor |
| completed_by_organization | Organization |
| organization | Organization |
| investigation | Investigation |
| remediation_asset_context_label_tags | array of: { remediation_action_asset_id: string, context_label_tag_descriptions: array of string } |
| remediation_action_assets | array of RemediationActionAsset |
| remediation_action_assets_by_device_names | array of: { <device name 1>: array of RemediationActionAsset, <device name 2>: array of RemediationActionAsset, … } |
| lead_expel_alert | ExpelAlert |

Security Device Event

| Key | Value |
| --- | --- |
| security_device_id | string |
| change_action | string |
| current | SecurityDevice |
| previous | SecurityDevice |
| organization | Organization |