# Set up Outgoing Webhooks

In this guide, you will configure a webhook in Radiant Security to receive real-time updates on alerts, including enrichment results, analysis, and conclusions.

### Originating IP addresses

Every webhook request that Radiant Security originates comes from one of our static IP addresses. You may need to add these IP addresses to your allowlist so that requests from them can reach your system. Here are Radiant Security’s static IP addresses:

| **Radiant Security static IP addresses** |
| ---------------------------------------- |
| 100.21.80.201                            |
| 52.11.97.167                             |
| 35.164.70.154                            |

### Manage webhooks through Radiant Security

To access Radiant Security’s webhook management:

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Outgoing Webhooks**.

<figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FYcIDk20JxX0hyk6ROD38%2FSet_Up_Outgoing_Webhooks_01.png?alt=media&#x26;token=bceb6cc5-f4c9-45e2-a627-1e76c9a6b664" alt=""><figcaption></figcaption></figure>

3. To create a new Webhook, click **+ Add Webhook**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FOcAIBz0xrzhruWiIyMob%2FSet_Up_Outgoing_Webhooks_03.png?alt=media&#x26;token=df10a62e-a3df-4b94-85b5-f727c223ef14" alt="" width="215"><figcaption></figcaption></figure></div>

4. Enter the **Webhook Name** and the **Destination URL**, and select the **alert triggers** you're interested in.
5. Click **Next**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FDsT9xRpnUFt1pLlxlRYI%2FSet_Up_Outgoing_Webhooks_04.png?alt=media&#x26;token=fba69342-f8b9-4a01-bc52-0d1c1ed51b57" alt="" width="375"><figcaption></figcaption></figure></div>

6. Under **Custom Header Authentication**, enter the **Header Name** and **Header Value**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fumxbkew395DR0yuCErAM%2FSet_Up_Outgoing_Webhooks_05.png?alt=media&#x26;token=3562bb22-2db1-41e5-ae21-7066bda8b159" alt="" width="375"><figcaption></figcaption></figure></div>

7. Click **Test Connection** to validate that the connection is successful.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FIILUPtRlsTor0K4hFJcb%2FSet_Up_Outgoing_Webhooks_06.png?alt=media&#x26;token=4e59e4aa-c44e-44f9-b48f-63ab08b16d29" alt="" width="367"><figcaption></figcaption></figure></div>

8. Click **Save Webhook**.

{% hint style="info" %}
**Note:** If you experience any issue while setting up Outgoing Webhooks, please reach out to your Customer Success Manager for assistance.
{% endhint %}

### Webhook payload

The webhook payload has the following schema:

| **Property**                                  | **Description**                                                                                                                                   | **Type**           | One of                                                                                              |
| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ | --------------------------------------------------------------------------------------------------- |
| rawAlert                                      | The alert as ingested from the vendor                                                                                                             | `object`           | —                                                                                                   |
| rs\_alertId                                   | The unique ID of the Radiant alert                                                                                                                | `string`           | —                                                                                                   |
| rs\_alertVendor                               | The vendor that originated the alert                                                                                                              | `string`           | —                                                                                                   |
| rs\_alertNumber                               | The number code that uniquely identifies that alert in your Radiant environment, e.g. `ALERT-1234`                                                | `string`           | —                                                                                                   |
| rs\_tenantDisplayName                         | The name of your tenant within Radiant which originated the webhook                                                                               | `string`           | —                                                                                                   |
| rs\_alertUrl                                  | The URL that points to that alert in Radiant’s UI                                                                                                 | `string`           | —                                                                                                   |
| rs\_conclusion                                | A summary of Radiant AI’s conclusion                                                                                                              | `string`           | —                                                                                                   |
| rs\_keyFindings                               | The key findings of the alert triage by Radiant AI                                                                                                | `array of strings` | —                                                                                                   |
| rs\_alertBrief                                | A brief of what happened                                                                                                                          | `object`           | —                                                                                                   |
| rs\_alertBrief.summary                        | A summary of what happened                                                                                                                        | `string`           | —                                                                                                   |
| rs\_alertBrief.intent                         | A summary of the attacker’s intent                                                                                                                | `string`           | —                                                                                                   |
| rs\_webhookTriggerTimestamp                   | The time, in UTC, at which the webhook’s trigger event happened, in ISO 8601 format (e.g., 2025-05-14T21:37:56.840Z)                              | `string`           | —                                                                                                   |
| rs\_webhookTriggerType                        | The type of event that triggered this specific webhook                                                                                            | `string`           | `Recommended Benign`, `Recommended Malicious`, `Likely Benign`, `Marked Benign`, `Marked Malicious` |
| rs\_alertArtifacts                            | The entities involved, structured in categories by type of artifact (e.g. users, IPs, sensors, etc.)                                              | `array of objects` | —                                                                                                   |
| rs\_alertArtifacts\[].type                    | The type of that alert artifact                                                                                                                   | `string`           | `URL`, `File_Hash`, `User`, `IP`, `Sensor`, `Cloud_Resource`, `CVE`, `Unknown`                      |
| rs\_alertArtifacts\[].value                   | The value of that alert artifact                                                                                                                  | `string`           | —                                                                                                   |
| rs\_alertArtifacts\[].enrichments             | The enrichments that Radiant produced over that alert artifact                                                                                    | `array of objects` | —                                                                                                   |
| rs\_alertArtifacts\[].enrichments.sentiment   | The sentiment that Radiant AI has about that particular alert artifact enrichment                                                                 | `string`           | `good`, `bad`, `informational`, `unknown`                                                           |
| rs\_alertArtifacts\[].enrichments.description | Radiant AI’s description for that particular alert artifact enrichment                                                                            | `string`           | —                                                                                                   |
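
A receiver-side check for the requests described on this page, as an added example that is not Radiant Security's code: it accepts a request only from the static IP addresses listed above and with the configured custom header, then validates the body against the schema table. The header name and value, the `REQUIRED` field list and all function names are assumptions.

```python
import hmac
import ipaddress
import json
from datetime import datetime

# Source addresses from the "Originating IP addresses" table.
RADIANT_IPS = {ipaddress.ip_address(a)
               for a in ("100.21.80.201", "52.11.97.167", "35.164.70.154")}
# Enumerations from the "One of" column of the payload schema.
TRIGGER_TYPES = ("Recommended Benign", "Recommended Malicious", "Likely Benign",
                 "Marked Benign", "Marked Malicious")
ARTIFACT_TYPES = ("URL", "File_Hash", "User", "IP", "Sensor",
                  "Cloud_Resource", "CVE", "Unknown")
SENTIMENTS = ("good", "bad", "informational", "unknown")
# Assumption: fields this receiver insists on; the page marks none as required.
REQUIRED = ("rs_alertId", "rs_alertNumber", "rs_alertUrl",
            "rs_webhookTriggerTimestamp", "rs_webhookTriggerType")
# Hypothetical values: use what you entered under Custom Header Authentication.
AUTH_HEADER_NAME = "X-Webhook-Token"
AUTH_HEADER_VALUE = "constructed-example-secret"


class WebhookRejected(ValueError):
    """Request failed authentication or schema validation."""


def require(ok, reason):
    if not ok:
        raise WebhookRejected(reason)


def authenticate(peer_ip, headers):
    # peer_ip: address seen by your server or trusted proxy, not X-Forwarded-For.
    require(ipaddress.ip_address(peer_ip) in RADIANT_IPS, "source address not allowlisted")
    supplied = {k.lower(): v for k, v in headers.items()}.get(AUTH_HEADER_NAME.lower(), "")
    # Constant-time comparison so the secret does not leak through timing.
    require(hmac.compare_digest(supplied.encode(), AUTH_HEADER_VALUE.encode()),
            "bad or missing authentication header")


def validate_payload(body):
    doc = json.loads(body)  # malformed JSON raises ValueError
    require(isinstance(doc, dict), "payload must be a JSON object")
    for key in REQUIRED:
        require(isinstance(doc.get(key), str), key + " missing or not a string")
    require(doc["rs_webhookTriggerType"] in TRIGGER_TYPES, "unknown rs_webhookTriggerType")
    # fromisoformat() before Python 3.11 does not accept the trailing "Z".
    when = datetime.fromisoformat(doc["rs_webhookTriggerTimestamp"].replace("Z", "+00:00"))
    artifacts = doc.get("rs_alertArtifacts", [])
    require(isinstance(artifacts, list), "rs_alertArtifacts must be an array")
    bad = []
    for art in artifacts:
        require(isinstance(art, dict) and art.get("type") in ARTIFACT_TYPES,
                "artifact with unknown type")
        enrichments = art.get("enrichments", [])
        require(isinstance(enrichments, list), "enrichments must be an array")
        sentiments = [e.get("sentiment") if isinstance(e, dict) else None for e in enrichments]
        require(all(s in SENTIMENTS for s in sentiments), "enrichment with unknown sentiment")
        if "bad" in sentiments:
            bad.append((art["type"], art.get("value")))
    return {"alert": doc["rs_alertNumber"], "trigger": doc["rs_webhookTriggerType"],
            "triggered_at": when, "bad_artifacts": bad}


def handle(peer_ip, headers, body):
    """Authenticate first, then parse. Any ValueError means: drop the request."""
    authenticate(peer_ip, headers)
    return validate_payload(body)
```

Call `handle()` with the connection's peer address, the request headers and the raw body, and reject the request on any `ValueError`. Either payload example on this page passes validation and yields an empty `bad_artifacts` list.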

### **Payload Examples**

The examples below demonstrate webhook payloads from Radiant Security. These payloads deliver detailed alerts including summaries, analysis, conclusions, and enriched context. We have provided two variants: one where an alert is marked as Benign and one where it is marked as Malicious.

#### **Marked Benign Payload**

This payload is generated when an alert is investigated and marked as Benign by the user.

{% code overflow="wrap" %}

```json
{
  "rawAlert": {
    "id": "09f3XXXX-XXXX-XXXX-XXXX-XXXXXXXX3e01",
    "createdDateTime": "2025-12-27T04:06:58Z",
    "userDisplayName": "John Doe",
    "userPrincipalName": "john.doe@blastradiuslabs.com",
    "userId": "4e9bXXXX-XXXX-XXXX-XXXX-XXXXXXXXa234",
    "appId": "00000002-0000-0ff1-ce00-000000000000",
    "appDisplayName": "Office 365 Exchange Online",
    "ipAddress": "192.168.0.1",
    "clientAppUsed": "Browser",
    "correlationId": "25dcXXXX-XXXX-XXXX-XXXX-XXXXXXXXa456",
    "conditionalAccessStatus": "success",
    "isInteractive": true,
    "riskDetail": "none",
    "riskLevelAggregated": "low",
    "riskLevelDuringSignIn": "medium",
    "riskState": "atRisk",
    "riskEventTypes": ["unfamiliarFeatures"],
    "riskEventTypes_v2": ["unfamiliarFeatures"],
    "resourceDisplayName": "Office 365 Exchange Online",
    "resourceId": "0000XXXX-XXXX-XXXX-XXXX-XXXXXXXX0000",
    "status": {
      "errorCode": 0,
      "failureReason": "Other.",
      "additionalDetails": null
    },
    "deviceDetail": {
      "deviceId": "",
      "displayName": "",
      "operatingSystem": "Linux",
      "browser": "Chrome 115.0.0",
      "isCompliant": false,
      "isManaged": false,
      "trustType": ""
    },
    "location": {
      "city": "Surabaya",
      "state": "Jawa Timur",
      "countryOrRegion": "ID",
      "geoCoordinates": {
        "altitude": null,
        "latitude": -7.331,
        "longitude": 112.7688
      }
    },
    "appliedConditionalAccessPolicies": [
      {
        "id": "7701XXXX-XXXX-XXXX-XXXX-XXXXXXXX677b",
        "displayName": "Require MFA for Kyle",
        "enforcedGrantControls": ["Mfa"],
        "enforcedSessionControls": [],
        "result": "notApplied"
      },
      {
        "id": "eeadXXXX-XXXX-XXXX-XXXX-XXXXXXXXa653",
        "displayName": "radiantsecurity_blocked_ips",
        "enforcedGrantControls": ["Block"],
        "enforcedSessionControls": [],
        "result": "notApplied"
      },
      {
        "id": "33adXXXX-XXXX-XXXX-XXXX-XXXXXXXXf18a",
        "displayName": "Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals",
        "enforcedGrantControls": ["Mfa"],
        "enforcedSessionControls": [],
        "result": "notApplied"
      },
      {
        "id": "3f6eXXXX-XXXX-XXXX-XXXX-XXXXXXXX106e",
        "displayName": "Microsoft-managed: Multifactor authentication and reauthentication for risky sign-ins",
        "enforcedGrantControls": ["Mfa"],
        "enforcedSessionControls": ["SignInFrequency"],
        "result": "notApplied"
      },
      {
        "id": "bf19XXXX-XXXX-XXXX-XXXX-XXXXXXXXc83e",
        "displayName": "Shahar turn risky sign-ins into defender alerts",
        "enforcedGrantControls": [],
        "enforcedSessionControls": ["SignInFrequency"],
        "result": "reportOnlyNotApplied"
      },
      {
        "id": "9fbeXXXX-XXXX-XXXX-XXXX-XXXXXXXX8fa7",
        "displayName": "n8n-shahar - no refrsh needed",
        "enforcedGrantControls": [],
        "enforcedSessionControls": ["SignInFrequency"],
        "result": "reportOnlyNotApplied"
      }
    ]
  },
  "rs_alertId": "9379f474XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXf2667b7a",
  "rs_alertVendor": "Microsoft Office 365",
  "rs_alertNumber": "ALERT-65912",
  "rs_webhookTriggerTimestamp": "2026-01-16T19:24:14.001Z",
  "rs_alertUrl": "https://app.radiantsecurity.ai/alerts/tenant-uuid/alert-uuid/details",
  "rs_tenantDisplayName": "Acme Corp",
  "rs_webhookTriggerType": "Marked Benign",
  "rs_alertBrief": {
    "summary": "A sign-in attempt was detected for user 'John Doe' (john.doe@blastradiuslabs.com) from an unfamiliar location in Surabaya, Jawa Timur, Indonesia, using a browser on a Linux device. The sign-in was marked as 'at risk' due to unfamiliar features, and the risk level during sign-in was medium. Conditional access policies requiring MFA were not applied.",
    "intent": "Access user account in Office 365 Exchange Online using compromised credentials."
  },
  "rs_conclusion": "The investigation reveals clear indicators of malicious activity: the user account was confirmed compromised twice with no remediation, exhibited 1,329 medium-risk sign-ins in 30 days, and the sign-in originated from a public proxy service. Despite some normal device usage patterns, the overwhelming evidence of account compromise, persistent risk state, and lack of adequate security measures strongly indicate ongoing malicious activity requiring immediate escalation and remediation.",
  "rs_keyFindings": [
    "User account confirmed compromised twice in 30 days with no remediation actions",
    "1,329 medium-risk sign-ins detected in the last 30 days indicating persistent suspicious activity",
    "Sign-in originated from public proxy IP service commonly used in malicious activities",
    "Device and browser usage (Linux/Chrome) consistent with user's normal behavior patterns",
    "Risk state remains 'confirmedCompromised' despite some risk remediation indicators",
    "No evidence of password reset or adequate risk remediation measures"
  ],
  "rs_alertArtifacts": [
    {
      "type": "User",
      "value": "john.doe@blastradiuslabs.com",
      "enrichments": [
        {
          "sentiment": "informational",
          "description": "User \"john.doe@blastradiuslabs.com\" was matched to \"John Doe\" using identity and access management (IAM) data."
        }
      ]
    },
    {
      "type": "User",
      "value": "John Doe",
      "enrichments": [
        {
          "sentiment": "informational",
          "description": "User \"John Doe\" was matched to multiple users using identity and access management (IAM) data."
        }
      ]
    },
    {
      "type": "User",
      "value": "4e9bXXXX-XXXX-XXXX-XXXX-XXXXXXXXa234",
      "enrichments": [
        {
          "sentiment": "unknown",
          "description": "User was NOT found in the identity and access management (IAM) data. It may be a local user or IAM data was not available for this user."
        }
      ]
    },
    {
      "type": "IP",
      "value": "192.168.0.1",
      "enrichments": [
        {
          "sentiment": "unknown",
          "description": "IP address was NOT found on your organization's allow or block lists."
        },
        {
          "sentiment": "unknown",
          "description": "IP address was NOT identified by our threat intelligence services."
        },
        {
          "sentiment": "informational",
          "description": "IP address was associated with a known public proxy service."
        },
        {
          "sentiment": "informational",
          "description": "IP address was located in Bali, Indonesia, Asia."
        }
      ]
    }
  ]
}

```

{% endcode %}

#### **Marked Malicious Payload**

This payload is generated when an alert is investigated and marked as Malicious by the user.

```json
{
  "rawAlert": {
    "id": "ae2eXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXf298",
    "requestId": "f1cbXXXX-XXXX-XXXX-XXXX-XXXXXXXX2b01",
    "correlationId": "25dcXXXX-XXXX-XXXX-XXXX-XXXXXXXXa456",
    "riskEventType": "unlikelyTravel",
    "riskState": "atRisk",
    "riskLevel": "medium",
    "riskDetail": "none",
    "source": "IdentityProtection",
    "detectionTimingType": "offline",
    "activity": "signin",
    "tokenIssuerType": "AzureAD",
    "ipAddress": "192.168.0.1",
    "activityDateTime": "2025-12-27T04:06:55.595379Z",
    "detectedDateTime": "2025-12-27T09:39:31.154748Z",
    "lastUpdatedDateTime": "2025-12-27T10:29:56.7676983Z",
    "userId": "4e9bXXXX-XXXX-XXXX-XXXX-XXXXXXXXa234",
    "userDisplayName": "John Doe",
    "userPrincipalName": "john.doe@blastradiuslabs.com",
    "additionalInfo": "[{\"Key\":\"userAgent\",\"Value\":\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36\"},{\"Key\":\"relatedEventTimeInUtc\",\"Value\":\"2025-12-27T02:18:57.652875Z\"},{\"Key\":\"relatedUserAgent\",\"Value\":\"\"},{\"Key\":\"deviceInformation\",\"Value\":\"\"},{\"Key\":\"relatedLocation\",\"Value\":{\"clientIP\":\"::1\",\"latitude\":null,\"longitude\":null,\"asn\":null,\"countryCode\":\"CH\",\"countryName\":null,\"state\":null,\"city\":null}},{\"Key\":\"requestId\",\"Value\":\"f1cbXXXX-XXXX-XXXX-XXXX-XXXXXXXX2b01\"},{\"Key\":\"correlationId\",\"Value\":\"25dcXXXX-XXXX-XXXX-XXXX-XXXXXXXXa456\"},{\"Key\":\"mitreTechniques\",\"Value\":\"T1078\"}]",
    "location": {
      "city": "Surabaya",
      "state": "Jawa Timur",
      "countryOrRegion": "ID",
      "geoCoordinates": { "latitude": -7.331, "longitude": 112.7688 }
    }
  },
  "rs_alertId": "f474XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXf266",
  "rs_alertVendor": "Microsoft Office 365",
  "rs_alertNumber": "ALERT-65919",
  "rs_webhookTriggerTimestamp": "2026-01-16T19:24:00.433Z",
  "rs_alertUrl": "https://app.radiantsecurity.ai/alerts/tenant-uuid/alert-uuid/details",
  "rs_tenantDisplayName": "Acme Corp",
  "rs_webhookTriggerType": "Marked Malicious",
  "rs_conclusion": "Despite the user's previous familiarity with the source IP, the sign-in was flagged as medium-risk and classified as 'atRisk' by identity protection systems, indicating potential account compromise. The critical security gap lies in the absence of MFA enforcement and lack of remediation actions (password reset) following the risk detection. This combination of risk indicators without proper security controls suggests malicious activity that requires immediate attention and remediation.",
  "rs_keyFindings": [
    "User has previously signed in from the same IP address (192.168.0.1) on two occasions, indicating established usage pattern",
    "Sign-in was marked as medium-risk and classified as 'atRisk' by Microsoft Entra ID Protection, suggesting potential identity compromise",
    "MFA was not enforced during the authentication attempt despite the medium-risk classification",
    "No password reset was implemented following the risk detection, leaving potential vulnerability unaddressed",
    "IP address originates from a datacenter in Indonesia but is not flagged by threat intelligence or organizational security lists"
  ],
  "rs_alertArtifacts": [
    {
      "type": "User",
      "value": "john.doe@blastradiuslabs.com",
      "enrichments": [
        {
          "sentiment": "informational",
          "description": "User \"john.doe@blastradiuslabs.com\" was matched to \"John Doe\" using identity and access management (IAM) data."
        }
      ]
    },
    {
      "type": "User",
      "value": "4e9bXXXX-XXXX-XXXX-XXXX-XXXXXXXXa234",
      "enrichments": [
        {
          "sentiment": "unknown",
          "description": "User was NOT found in the identity and access management (IAM) data. It may be a local user or IAM data was not available for this user."
        }
      ]
    },
    {
      "type": "IP",
      "value": "192.168.0.1",
      "enrichments": [
        {
          "sentiment": "unknown",
          "description": "IP address was NOT found on your organization's allow or block lists."
        },
        {
          "sentiment": "unknown",
          "description": "IP address was NOT identified by our threat intelligence services."
        },
        {
          "sentiment": "informational",
          "description": "IP address was associated with a cloud provider, hosting service, or colocation facility rather than a traditional ISP serving residential or business users."
        },
        {
          "sentiment": "informational",
          "description": "IP address was located in Bali, Indonesia, Asia."
        }
      ]
    },
    {
      "type": "User",
      "value": "John Doe",
      "enrichments": [
        {
          "sentiment": "informational",
          "description": "User \"John Doe\" was matched to multiple users using identity and access management (IAM) data."
        }
      ]
    },
    {
      "type": "IP",
      "value": "::1",
      "enrichments": [
        {
          "sentiment": "unknown",
          "description": "IP address was NOT found on your organization's allow or block lists."
        },
        {
          "sentiment": "unknown",
          "description": "IP address was NOT identified by our threat intelligence services."
        },
        {
          "sentiment": "informational",
          "description": "IP address was associated with a cloud provider, hosting service, or colocation facility rather than a traditional ISP serving residential or business users."
        },
        {
          "sentiment": "informational",
          "description": "IP address was located in Switzerland, Europe."
        }
      ]
    }
  ],
  "rs_alertBrief": {
    "summary": "An unlikely travel event was detected for user 'John Doe' (john.doe@blastradiuslabs.com) with a sign-in attempt from IP '192.168.0.1' in Surabaya, Indonesia, while a related location was identified in Switzerland with IP '::1'. The activity was flagged as medium risk by Microsoft Entra ID Protection.",
    "intent": "Access user account using compromised credentials from an unusual location."
  }
}

```
