# Custom Alerts Webhook

The Custom Alerts Webhook ingests alerts from data sources that do not have a dedicated Radiant connector. You send alerts as JSON payloads via HTTP POST, and Radiant processes them through the full AI alert triage pipeline. Ingested alerts are searchable in Log Management under the connector type `custom_alerts_webhook`.

{% hint style="info" %}
**Note:** Where a dedicated connector exists for your data source, use it instead. Dedicated connectors provide richer context and more precise AI triage processing.
{% endhint %}

### Responsible use

The **Custom Alerts Webhook** accepts any valid JSON payload and routes it into the alert triage pipeline. Every alert you send is queued and processed, including low-fidelity or noisy alerts. Sending high-volume, low-quality data through this connector - such as informational logs, benign system events, or raw telemetry - consumes pipeline capacity that would otherwise be used to triage genuine threats for your organization.

Send only alerts that represent meaningful security signals: alerts your team would want a trained analyst to investigate. Apply appropriate severity filtering in your source system before forwarding alerts to this endpoint.

{% hint style="success" %}
**Tip:** To ingest informational or telemetry logs into Log Management without alert triage processing, use the [Custom Events Webhook](https://help.radiantsecurity.ai/radiant-connectors/data-connectors/custom-events-webhook) instead. To suppress low-fidelity alerts from reaching the triage pipeline, configure [Alert Filters](https://help.radiantsecurity.ai/manage-radiant/alert-filters).
{% endhint %}

### Content requirements for effective custom alerts

The quality of alert triage depends directly on the content you include in each alert payload. Radiant's AI produces the most accurate verdicts when the `raw_alert` field contains the following information:

* **Rule configuration and description:** A clear explanation of the rule's purpose, including the threat, behavior, or anomaly it detects, the conditions under which it triggers, and its intended scope (for example, applicable assets, user groups, or environments).
* **Detection logic:** The underlying logic of the rule, including the log sources queried, the fields and operators used, any correlation or aggregation logic, and the thresholds or time windows applied.
* **Result set:** The output produced when the rule triggers, containing the matched events or records that satisfied the rule's criteria. This serves as the primary evidence base for alert triage. The result set must contain artifact identifiers such as specific users, hostnames, IP addresses, file hashes, or other observables involved in the alert.

### Prerequisites

Before you configure the Custom Alerts Webhook, confirm you have:

* [ ] Administrator access to Radiant
* [ ] Access to the data source or system that will send alerts to the webhook endpoint
* [ ] The ability to make outbound HTTP POST requests from that source to the Radiant API endpoint

### Add the connector in Radiant

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, select **Settings** > **Data Connector** and click **+ Add Connector**.
3. Select **Custom Alerts Webhook** from the list and click **Data Feeds**.
4. Under **Select your data feeds**, select **Custom Events Webhook** and click **Credentials**.
5. In the **Credential Name** field, enter an identifiable name for this credential (for example, `Custom Alerts Webhook Credentials`).
6. Under **Required Credentials**, enter a value in the **Connector tag** field. This can be any string. Radiant uses this value as salt when generating the authentication token for your connector.
7. Click **Add Connector**.
8. Open the newly created connector. Under **Vendor Configuration**, copy and save the `Webhook URL` and `Token` values. You will need both in the next section.
9. Click **Add Connector** to save your changes.

### Send alerts to the webhook

Once the connector is configured, send alerts from your data source to the Radiant webhook endpoint using the specification below.

{% hint style="warning" %}
**Important Note:** Treat the `Token` value as a secret. Anyone with access to this token can post alerts to your connector. Do not expose it in client-side code, version control, or shared logs.
{% endhint %}

### Request details

<table><thead><tr><th width="181.45416259765625">Component</th><th>Value</th></tr></thead><tbody><tr><td>Method</td><td><code>POST</code></td></tr><tr><td>URL</td><td><code>https://api.app.blastradius.ai/connectors/custom_alerts_webhook/webhook</code> </td></tr><tr><td>Authorization</td><td>None</td></tr><tr><td>Header</td><td>The token copied from the <strong>Data Connectors</strong> configuration screen in step 8 of the <a href="#add-the-connector-in-radiant">Add the connector in Radiant</a> section</td></tr><tr><td>Request body</td><td><p>The request body must be valid <code>JSON</code>. Nested objects and lists are supported. </p><p></p><ul><li><code>timestamp</code> is a required field with the value in epoch seconds (seconds since 1970-01-01 00:00:00 UTC)</li><li><code>alert_ID</code> (required) — the name or identifier of the alert</li><li><code>raw_alert</code> (required) — the full message body of the alert</li><li>Additional fields are allowed that conform to JSON syntax</li></ul></td></tr></tbody></table>

#### Example request body

{% code overflow="wrap" %}

```json
{
  "timestamp": 1773270998,
  "alert_ID": "User with Infected Host",
  "raw_alert": "<content of raw alert>",
  "ip_address": "192.168.1.1",
  "port": 12345,
  "correlation_rule_id":"0123456789c197686b9e07d8dabcde"
}
```

{% endcode %}
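The following Python example is added here and is not Radiant's own code. It applies a severity threshold before forwarding, builds a body with the three required fields and the recommended `raw_alert` content, and reads the token from the environment rather than from source. The `raw_alert` key names, the `RADIANT_WEBHOOK_TOKEN` variable name, the severity scale, and the sample rule are assumptions; this page does not name the token header, so it is passed in as a parameter.

```python
import json
import os
import time
import urllib.request

# URL from the request table; confirm it against the Webhook URL in Vendor Configuration.
WEBHOOK_URL = "https://api.app.blastradius.ai/connectors/custom_alerts_webhook/webhook"
# Assumed severity scale of the source system (not defined by Radiant).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def build_alert(rule, results, severity, min_severity="high", now=None):
    """Return the request body for one alert, or None if it should not be forwarded."""
    if SEVERITY_RANK[severity] < SEVERITY_RANK[min_severity]:
        return None  # filter low-fidelity alerts at the source
    if not results:
        raise ValueError("empty result set: no artifacts for triage")
    ts = int(time.time() if now is None else now)
    if ts >= 10**11:  # 13-digit values are epoch milliseconds
        raise ValueError("timestamp must be epoch seconds")
    raw_alert = {  # key names are hypothetical; the page fixes only the content
        "rule_description": rule["description"],
        "detection_logic": rule["logic"],
        "result_set": results,
    }
    return {
        "timestamp": ts,
        "alert_ID": rule["name"],
        "raw_alert": json.dumps(raw_alert),
        "severity": severity,  # additional field, allowed by the spec
    }

def build_request(body, token_header, token=None):
    """Build the POST; token_header is the header name your connector expects."""
    token = token or os.environ["RADIANT_WEBHOOK_TOKEN"]  # hypothetical variable name
    return urllib.request.Request(
        WEBHOOK_URL,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json", token_header: token},  # Content-Type assumed
    )

if __name__ == "__main__":
    # Constructed sample rule and result set.
    rule = {"name": "User with Infected Host",
            "description": "Flags users who sign in from a host with an open malware detection.",
            "logic": "join auth_logs, edr_alerts on hostname within 24h; count >= 1"}
    hits = [{"user": "jdoe", "hostname": "wks-042", "ip_address": "192.168.1.1"}]
    print(json.dumps(build_alert(rule, hits, "high", now=1773270998), indent=2))
```

To send the alert, pass the returned request to `urllib.request.urlopen(req, timeout=10)`.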

### Verify ingestion

After sending a test event, confirm the data is flowing into Radiant correctly:

1. In Radiant, navigate to [Log Management](https://app.radiantsecurity.ai/logs).
2. Search for events with connector type `custom_alerts_webhook` (`rs_connectorType:"custom_alerts_webhook"`).
3. Confirm your test event appears in the parsed index.

{% hint style="info" %}
**Note:** Successfully parsed alerts appear in the [Log Management](https://help.radiantsecurity.ai/log-management) parsed index and alert index. Alerts that fail parsing appear in the unparsed index, which typically indicates the request body was not valid JSON. Allow several minutes for alerts to be parsed, indexed, and available for search.
{% endhint %}

### Rate limiting

Radiant rate limits this API if congestion becomes a problem. The connector can be enabled upon request to your Customer Success representative.


