Custom Alerts Webhook

Send alerts from unsupported data sources to Radiant Security for AI triage

The Custom Alerts Webhook ingests alerts from data sources that do not have a dedicated Radiant connector. You send alerts as JSON payloads via HTTP POST, and Radiant processes them through the full AI alert triage pipeline. Ingested alerts are searchable in Log Management under the connector type custom_alerts_webhook.

Note: Where a dedicated connector exists for your data source, use it instead. Dedicated connectors provide richer context and more precise AI triage processing.

Responsible use

The Custom Alerts Webhook accepts any valid JSON payload and routes it into the alert triage pipeline. Every alert you send is queued and processed, including low-fidelity or noisy alerts. Sending high-volume, low-quality data through this connector - such as informational logs, benign system events, or raw telemetry - consumes pipeline capacity that would otherwise be used to triage genuine threats for your organization.

Send only alerts that represent meaningful security signals: alerts your team would want a trained analyst to investigate. Apply appropriate severity filtering in your source system before forwarding alerts to this endpoint.

Tip: To ingest informational or telemetry logs into Log Management without alert triage processing, use the Custom Events Webhook instead. To suppress low-fidelity alerts from reaching the triage pipeline, configure Alert Filters.

Content requirements for effective custom alerts

The quality of alert triage depends directly on the content you include in each alert payload. Radiant's AI produces the most accurate verdicts when the raw_alert field contains the following information:

Rule configuration and description: A clear explanation of the rule's purpose, including the threat, behavior, or anomaly it detects, the conditions under which it triggers, and its intended scope (for example, applicable assets, user groups, or environments).
Detection logic: The underlying logic of the rule, including the log sources queried, the fields and operators used, any correlation or aggregation logic, and the thresholds or time windows applied.
Result set: The output produced when the rule triggers, containing the matched events or records that satisfied the rule's criteria. This serves as the primary evidence base for alert triage. The result set must contain artifact identifiers such as specific users, hostnames, IP addresses, file hashes, or other observables involved in the alert.

Prerequisites

Before you configure the Custom Alerts Webhook, confirm you have:

Access to the data source or system that will send alerts to the webhook endpoint
The ability to make outbound HTTP POST requests from that source to the Radiant API endpoint

Add the connector in Radiant

Log in to Radiant Security.
From the navigation menu, select Settings > Data Connector and click + Add Connector.
Select Custom Alerts Webhook from the list and click Data Feeds.
Under Select your data feeds, select Custom Events Webhook and click Credentials.
In the Credential Name field, enter an identifiable name for this credential (for example, Custom Alerts Webhook Credentials).
Under Required Credentials, enter a value in the Connector tag field. This can be any string. Radiant uses this value as salt when generating the authentication token for your connector.
Click Add Connector.
Open the newly created connector. Under Vendor Configuration, copy and save the Webhook URL and Token values. You will need both in the next section.
Click Add Connector to save your changes.

Send alerts to the webhook

Once the connector is configured, send alerts from your data source to the Radiant webhook endpoint using the specification below.

Important Note: Treat the Token value as a secret. Anyone with access to this token can post alerts to your connector. Do not expose it in client-side code, version control, or shared logs.

Request details

Component

Value

Method

POST

URL

https://api.app.blastradius.ai/connectors/custom_alerts_webhook/webhook

Header

Key: authorization Value: The token copied from the Data Connectors configuration screen in step 8 of the Add the connector in Radiant section

Request body

The request body must be valid JSON. Nested objects and lists are supported.

timestamp is a required field with the value in epoch seconds (seconds since 1970-01-01 00:00:00 UTC)
alert_ID (required) — the name or identifier of the alert
raw_alert (required) — the full message body of the alert
Additional fields are allowed that conform to JSON syntax

Example request body

{
  "timestamp": 1773270998,
  "alert_ID": "User with Infected Host",
  "raw_alert": "<content of raw alert>",
  "ip_address": "192.168.1.1",
  "port": 12345,
  "correlation_rule_id":"0123456789c197686b9e07d8dabcde"
}

Verify ingestion

After sending a test event, confirm the data is flowing into Radiant correctly:

In Radiant, navigate to Log Management.
Search for events with connector type custom_events_webhook (rs_connectorType:"custom_alerts_webhook")
Confirm your test event appears in the parsed index.

Note: Successfully parsed alerts appear in the Log Management parsed index and alert index. Alerts that fail parsing appear in the unparsed index, which typically indicates the request body was not valid JSON. Allow several minutes for alerts to be parsed, indexed, and available for search.

Rate limiting

This API is rate limited if congestion becomes a problem. The connector can be enabled upon request to your Customer Success rep.

Verify ingestion

After your Custom Alerts Webhook begins forwarding, confirm alerts are reaching Radiant.

In Radiant, navigate to Log Management.
Filter by rs_connectorType:"custom_alerts_webhook".
Confirm recent alerts appear.

Allow several minutes for alerts to be parsed, indexed, and available for search.

PreviousCrowdStrike Falcon Next-Gen SIEM Events NextCustom Events Webhook

Last updated 1 day ago

Was this helpful?