Set up Outgoing Webhooks

Integrate with Radiant Security to receive real time updates on your alerts.

Overview

Radiant Security offers a webhook feature that allows you to receive updates on your alerts, including enrichments, analysis, and conclusions.

Originating IP addresses

Every webhook request that Radiant originates comes from one of our static IPs, since depending on your use case you may need to allow-list the IPs to reach your system. Here are Radiant’s static IPs:

Every webhook request that Radiant Security originates comes from one of our static IP addresses. You may need to allow list these IP addresses so that they can reach your system. Here are Radiant Security’s static IP addresses:

Radiant Security static IP addresses

100.21.80.201

52.11.97.167

35.164.70.154

Manage webhooks through Radiant Security

To access Radiant Security’s webhook management, navigate to Settings > Outgoing Webhooks.

Webhook payload

The webhook payload has the following schema:

Property	Description	Type	One of
rawAlert	The alert as ingested from vendor	`object`	—
rs_alertId	The unique ID of the Radiant alert	`string`	—
rs_alertUrl	The URL that points to that alert in Radiant’s UI	`string`	—
rs_conclusion	A summary of Radiant AI conclusion	`string`	—
rs_keyFindings	The key findings of the alert triage by Radiant AI	`array of strings`	—
rs_alertBrief	A brief of what happened	`object`	—
rs_alertBrief.summary	A summary of what happened	`string`	—
rs_alertBrief.intent	A summary of the attacker’s intent	`string`	—
rs_triggerTimestamp	The timestamp is in ISO 8601 format (e.g., 2025-05-14T21:37:56.840Z) and represents the time in UTC for when the webhook’s trigger event happened	`string`	—
rs_webhookTriggerType	The event that triggered this specific webhook	`string`	`alert.recommended_benign`, `alert.recommended_malicious`, `alert.recommended_likely_benign`, `alert.marked_benign`, `alert.marked_malicious`
rs_alertArtifacts	The entities involved, structured in categories by type of artifact (e.g. users, IPs, sensors, etc.)	`array of objects`	—
rs_alertArtifacts[].type	The type of that alert artifact	`string`	`URL`, `File_Hash`, `User`, `IP`, `Sensor`, `Cloud_Resource`, `CVE`, `Unknown`
rs_alertArtifacts[].value	The value of that alert artifact	`string`	—
rs_alertArtifacts[].enrichments	The enrichments that Radiant produced over that alert artifact	`array of objects`	—
rs_alertArtifacts[].enrichments.sentiment	The sentiment that Radiant AI has about that particular alert artifact enrichment	`string`	`good`, `bad`, `informational`, `unknown`
rs_alertArtifacts[].enrichments.description	Radiant AI’s description for that particular alert artifact enrichment	`string`	—

Payload example

The example below shows a webhook payload from Radiant Security that delivers a detailed alert, including summary, analysis, conclusions, and enriched context about related users, IPs, files, and devices.

{
  "payload": {
    "rawAlert": {...},
    "rs_alertId": "alert-id",
    "rs_webhookTriggerTimestamp": "2025-05-13T16:15:31.239Z",
    "rs_alertUrl": "https://app.radiantsecurity.ai/alerts/tenant-id/alert-id/details",
    "rs_webhookTriggerType": "Recommended Malicious",
    "rs_alertBrief": {
      "summary": "A process on host 'PIL-EP10-1' executed 'mimikatz.exe', a known password dumping utility, indicating an attempt to steal credentials. The process was detected by CrowdStrike Falcon EDR. Immediate action is recommended to change passwords and investigate further.",
      "intent": "The intent of the attack is to gain unauthorized access to credentials, potentially leading to further compromise of accounts and systems."
    },
    "rs_conclusion": "The execution of mimikatz.exe by user 'john' without role-based justification and the lack of common execution across devices suggest potential misuse. These indicators align with characteristics of malicious activity, warranting further investigation.",
    "rs_keyFindings": [
      "Execution of mimikatz.exe by user 'john' without role-based justification suggests potential misuse.",
      "No subsequent suspicious activities or network connections were detected post-execution.",
      "No containment actions were recorded, and the execution context remains partially unclear."
    ],
    "rs_alertArtifacts": [
      {
        "type": "User",
        "value": "John@test.com",
        "enrichments": [
          {
            "sentiment": "informational",
            "description": "User \"John@test.com\" was matched to \"John\" using identity and access management (IAM) data."
          },
          {
            "sentiment": "informational",
            "description": "User was NOT associated with other incidents in the last 30 days."
          }
        ]
      },
      {
        "type": "IP",
        "value": "44.224.152.78",
        "enrichments": [
          {
            "sentiment": "unknown",
            "description": "IP address was NOT found on your organization's allow or block lists."
          },
          {
            "sentiment": "informational",
            "description": "IP address was identified as associated with a common service provider. Therefore, the threat intelligence for this IP address is likely to be unreliable. This means this IP requires further triage for the behaviors and cannot be cleared or convicted by threat intelligence alone."
          },
          {
            "sentiment": "informational",
            "description": "IP address was associated with a cloud provider, hosting service, or colocation facility rather than a traditional ISP serving residential or business users."
          },
          {
            "sentiment": "informational",
            "description": "IP address was located in Oregon, United States, North America."
          },
          {
            "sentiment": "informational",
            "description": "IP was NOT associated with other incidents in the last 30 days."
          }
        ]
      },
      {
        "type": "Sensor",
        "value": "d6799766d866410ab1194349a4bb86b3",
        "enrichments": [
          {
            "sentiment": "informational",
            "description": "Device is managed by the organization via Crowdstrike FDR."
          }
        ]
      },
      {
        "type": "File_Hash",
        "value": "e923cff13105acbcf5156292d9d175f0",
        "enrichments": [
          {
            "sentiment": "informational",
            "description": "File hash was NOT found on your organization's allow or block lists."
          },
          {
            "sentiment": "unknown",
            "description": "File hash was NOT known by the threat intelligence service."
          },
          {
            "sentiment": "informational",
            "description": "File hash was NOT associated with other incidents in the last 30 days."
          }
        ]
      },
      {
        "type": "URL",
        "value": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/b0fc07d3a160496c86e9c2f0e5141e41:ind:d6799766d866410ab1194349a4bb86b3:1619036034116-10146-6375440?_cid=g04000xax5me5qijb2rmfgtqrpg4654e",
        "enrichments": [
          {
            "sentiment": "informational",
            "description": "URL's domain was NOT found on your organization's allow or block lists."
          },
          {
            "sentiment": "informational",
            "description": "URL's domain was a found to be a well-known and popular domain that is commonly accessed by users around the world."
          },
          {
            "sentiment": "unknown",
            "description": "URL was NOT known by the threat intelligence service."
          },
          {
            "sentiment": "informational",
            "description": "URL was NOT associated with other incidents in the last 30 days."
          }
        ]
      }
    ]
  }
}

We value your opinion. Did you find this article helpful? Share your thoughts by clicking here or reach to our Product and Customer Success teams at support@radiantsecurity.ai

Last updated: 2025-05-20