Set up Outgoing Webhooks
Integrate with Radiant Security to receive real-time updates on your alerts.
In this guide, you will configure a webhook in Radiant Security to receive real-time updates on alerts, including enrichment results, analysis, and conclusions.
Originating IP addresses
Every webhook request that Radiant Security originates comes from one of our static IP addresses. You may need to allowlist these IP addresses so that they can reach your system. Here are Radiant Security’s static IP addresses:
Radiant Security static IP addresses
100.21.80.201
52.11.97.167
35.164.70.154
Manage webhooks through Radiant Security
To access Radiant Security’s webhook management:
1. Log in to Radiant Security.
2. From the navigation menu, click Settings > Outgoing Webhooks.
3. To create a new Webhook, click + Add Webhook.
4. Add the Webhook Name, the Destination URL and select the alert triggers you're interested in.
5. Click Next.
6. Under Custom Header Authentication, enter the Header Name and Header Value.
7. Click Test Connection to validate that the connection is successful.
8. Click Save Webhook.
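On the receiving side, the Destination URL should enforce the same two controls configured above. The following is an added example, not Radiant Security's code: it checks the peer address against the static IP addresses listed on this page and compares the custom header in constant time. The header name `X-Webhook-Token`, its value, and the `WebhookHandler` class are assumptions for illustration.

```python
import hmac
import ipaddress
from http.server import BaseHTTPRequestHandler

# Static source addresses published on this page.
RADIANT_SOURCE_IPS = frozenset(ipaddress.ip_address(a) for a in (
    "100.21.80.201", "52.11.97.167", "35.164.70.154"))
# Assumptions: placeholders for the Header Name and Header Value you entered
# under Custom Header Authentication; load the real value from a secret store.
AUTH_HEADER_NAME = "X-Webhook-Token"
AUTH_HEADER_VALUE = "replace-with-a-long-random-value"

def source_ip_allowed(peer_ip):
    """True only if the TCP peer is one of the published static addresses."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d.
    return (getattr(addr, "ipv4_mapped", None) or addr) in RADIANT_SOURCE_IPS

def header_valid(headers):
    """Constant-time comparison; header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    supplied = str(lowered.get(AUTH_HEADER_NAME.lower(), ""))
    return hmac.compare_digest(supplied.encode(), AUTH_HEADER_VALUE.encode())

def is_authorized(peer_ip, headers):
    # Require both: the header authenticates the sender, and the IP allowlist
    # limits where a leaked header value can be used from.
    return source_ip_allowed(peer_ip) and header_valid(headers)

class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal receiver showing where the check sits (TLS termination not shown)."""
    def do_POST(self):
        # client_address is the direct peer; behind a reverse proxy, take the
        # client IP from that proxy's trusted header instead.
        if not is_authorized(self.client_address[0], self.headers):
            self.send_error(403)
            return
        cl = self.headers.get("Content-Length") or "0"
        length = min(int(cl), 1 << 20) if cl.isdigit() else 0
        body = self.rfile.read(length)  # hand off to your payload processing
        self.send_response(204)
        self.end_headers()
```
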
Webhook payload
The webhook payload has the following schema:
| Property | Description | Type | One of |
| --- | --- | --- | --- |
| rawAlert | The alert as ingested from vendor | object | — |
| rs_alertId | The unique ID of the Radiant alert | string | — |
| rs_alertUrl | The URL that points to that alert in Radiant’s UI | string | — |
| rs_conclusion | A summary of Radiant AI conclusion | string | — |
| rs_keyFindings | The key findings of the alert triage by Radiant AI | array of strings | — |
| rs_alertBrief | A brief of what happened | object | — |
| rs_alertBrief.summary | A summary of what happened | string | — |
| rs_alertBrief.intent | A summary of the attacker’s intent | string | — |
| rs_triggerTimestamp | The timestamp is in ISO 8601 format (e.g., 2025-05-14T21:37:56.840Z) and represents the time in UTC for when the webhook’s trigger event happened | string | — |
| rs_webhookTriggerType | The event that triggered this specific webhook | string | alert.recommended_benign, alert.recommended_malicious, alert.recommended_likely_benign, alert.marked_benign, alert.marked_malicious |
| rs_alertArtifacts | The entities involved, structured in categories by type of artifact (e.g. users, IPs, sensors, etc.) | array of objects | — |
| rs_alertArtifacts[].type | The type of that alert artifact | string | URL, File_Hash, User, IP, Sensor, Cloud_Resource, CVE, Unknown |
| rs_alertArtifacts[].value | The value of that alert artifact | string | — |
| rs_alertArtifacts[].enrichments | The enrichments that Radiant produced over that alert artifact | array of objects | — |
| rs_alertArtifacts[].enrichments.sentiment | The sentiment that Radiant AI has about that particular alert artifact enrichment | string | good, bad, informational, unknown |
| rs_alertArtifacts[].enrichments.description | Radiant AI’s description for that particular alert artifact enrichment | string | — |
Payload example
The example below shows a webhook payload from Radiant Security that delivers a detailed alert, including summary, analysis, conclusions, and enriched context about related users, IPs, files, and devices.
{
  "payload": {
    "rawAlert": {...},
    "rs_alertId": "alert-id",
    "rs_webhookTriggerTimestamp": "2025-05-13T16:15:31.239Z",
    "rs_alertUrl": "https://app.radiantsecurity.ai/alerts/tenant-id/alert-id/details",
    "rs_webhookTriggerType": "Recommended Malicious",
    "rs_alertBrief": {
      "summary": "A process on host 'PIL-EP10-1' executed 'mimikatz.exe', a known password dumping utility, indicating an attempt to steal credentials. The process was detected by CrowdStrike Falcon EDR. Immediate action is recommended to change passwords and investigate further.",
      "intent": "The intent of the attack is to gain unauthorized access to credentials, potentially leading to further compromise of accounts and systems."
    },
    "rs_conclusion": "The execution of mimikatz.exe by user 'john' without role-based justification and the lack of common execution across devices suggest potential misuse. These indicators align with characteristics of malicious activity, warranting further investigation.",
    "rs_keyFindings": [
      "Execution of mimikatz.exe by user 'john' without role-based justification suggests potential misuse.",
      "No subsequent suspicious activities or network connections were detected post-execution.",
      "No containment actions were recorded, and the execution context remains partially unclear."
    ],
    "rs_alertArtifacts": [
      {
        "type": "User",
        "value": "[email protected]",
        "enrichments": [
          {
            "sentiment": "informational",
            "description": "User \"[email protected]\" was matched to \"John\" using identity and access management (IAM) data."
          },
          {
            "sentiment": "informational",
            "description": "User was NOT associated with other incidents in the last 30 days."
          }
        ]
      },
      {
        "type": "IP",
        "value": "44.224.152.78",
        "enrichments": [
          {
            "sentiment": "unknown",
            "description": "IP address was NOT found on your organization's allow or block lists."
          },
          {
            "sentiment": "informational",
            "description": "IP address was identified as associated with a common service provider. Therefore, the threat intelligence for this IP address is likely to be unreliable. This means this IP requires further triage for the behaviors and cannot be cleared or convicted by threat intelligence alone."
          },
          {
            "sentiment": "informational",
            "description": "IP address was associated with a cloud provider, hosting service, or colocation facility rather than a traditional ISP serving residential or business users."
          },
          {
            "sentiment": "informational",
            "description": "IP address was located in Oregon, United States, North America."
          },
          {
            "sentiment": "informational",
            "description": "IP was NOT associated with other incidents in the last 30 days."
          }
        ]
      },
      {
        "type": "Sensor",
        "value": "d6799766d866410ab1194349a4bb86b3",
        "enrichments": [
          {
            "sentiment": "informational",
            "description": "Device is managed by the organization via Crowdstrike FDR."
          }
        ]
      },
      {
        "type": "File_Hash",
        "value": "e923cff13105acbcf5156292d9d175f0",
        "enrichments": [
          {
            "sentiment": "informational",
            "description": "File hash was NOT found on your organization's allow or block lists."
          },
          {
            "sentiment": "unknown",
            "description": "File hash was NOT known by the threat intelligence service."
          },
          {
            "sentiment": "informational",
            "description": "File hash was NOT associated with other incidents in the last 30 days."
          }
        ]
      },
      {
        "type": "URL",
        "value": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/b0fc07d3a160496c86e9c2f0e5141e41:ind:d6799766d866410ab1194349a4bb86b3:1619036034116-10146-6375440?_cid=g04000xax5me5qijb2rmfgtqrpg4654e",
        "enrichments": [
          {
            "sentiment": "informational",
            "description": "URL's domain was NOT found on your organization's allow or block lists."
          },
          {
            "sentiment": "informational",
            "description": "URL's domain was a found to be a well-known and popular domain that is commonly accessed by users around the world."
          },
          {
            "sentiment": "unknown",
            "description": "URL was NOT known by the threat intelligence service."
          },
          {
            "sentiment": "informational",
            "description": "URL was NOT associated with other incidents in the last 30 days."
          }
        ]
      }
    ]
  }
}
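A consumer should validate each delivery against the documented values before acting on it. The following added example (not Radiant Security's code) does that and collects artifacts carrying a `bad` enrichment. It assumes that the example's `Recommended Malicious` and `rs_webhookTriggerTimestamp` correspond to the schema's `alert.recommended_malicious` and `rs_triggerTimestamp`, and accepts both forms; `parse_webhook`, `normalize_trigger` and the sample data are constructed for illustration.

```python
from datetime import datetime
# Allowed values copied from the schema table on this page.
TRIGGERS = tuple("alert." + t for t in (
    "recommended_benign", "recommended_malicious", "recommended_likely_benign",
    "marked_benign", "marked_malicious"))
ARTIFACT_TYPES = ("URL", "File_Hash", "User", "IP", "Sensor",
                  "Cloud_Resource", "CVE", "Unknown")
SENTIMENTS = ("good", "bad", "informational", "unknown")

def normalize_trigger(value):
    # Assumption: "Recommended Malicious" (example payload) and
    # "alert.recommended_malicious" (schema table) name the same event.
    v = str(value).strip().lower().replace(" ", "_")
    return v if v.startswith("alert.") else "alert." + v

def parse_webhook(envelope):
    """Return (summary, problems); unknown values are reported, not trusted."""
    p = envelope.get("payload") if isinstance(envelope, dict) else None
    p = p if isinstance(p, dict) else {}
    problems, flagged = [], []
    trigger = normalize_trigger(p.get("rs_webhookTriggerType", ""))
    if trigger not in TRIGGERS:
        problems.append("unknown trigger: {!r}".format(trigger))
    # Table says rs_triggerTimestamp, example sends rs_webhookTriggerTimestamp.
    raw_ts = p.get("rs_triggerTimestamp") or p.get("rs_webhookTriggerTimestamp")
    try:
        when = datetime.fromisoformat(raw_ts.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        when = None
        problems.append("bad timestamp: {!r}".format(raw_ts))
    for art in p.get("rs_alertArtifacts") or []:
        kind = art.get("type") if isinstance(art, dict) else None
        if kind not in ARTIFACT_TYPES:
            problems.append("unknown artifact type: {!r}".format(kind))
            continue
        for enr in art.get("enrichments") or []:
            sentiment = enr.get("sentiment") if isinstance(enr, dict) else None
            if sentiment not in SENTIMENTS:
                problems.append("unknown sentiment on {}".format(kind))
            elif sentiment == "bad":
                flagged.append((kind, art.get("value")))
    return {"alert_id": p.get("rs_alertId"), "trigger": trigger,
            "when": when, "flagged": flagged}, problems

# Constructed sample delivery (not real alert data).
SAMPLE = {"payload": {"rs_webhookTriggerType": "Recommended Malicious",
    "rs_alertId": "alert-id", "rs_webhookTriggerTimestamp": "2025-05-13T16:15:31.239Z",
    "rs_alertArtifacts": [
        {"type": "IP", "value": "198.51.100.7", "enrichments": [{"sentiment": "bad"}]},
        {"type": "Hostname", "value": "host-1", "enrichments": []}]}}
```
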