Configure an event hook
Event hooks (or webhooks) are automated outbound calls that Identity Security Posture Management (ISPM) makes to your external systems when it detects new issues in your org. Use event hooks to send notifications to your security systems, create service management tickets, or share data across apps. You can also use them to trigger incident remediation actions by integrating with Security Orchestration, Automation, and Response (SOAR) workflows.
Before you begin
- Create an inline webhook URL in the external system that ISPM should send events to.
- Copy the webhook endpoint's URL. This is the endpoint that you want ISPM to make outbound calls to.
- Generate an API key and copy it. This key is used to authenticate your webhook requests.
Start this task
- In the Identity Security Posture Management console, go to .
- On the Webhook tile, click Connect.
- In the Webhook Address (URL) field, enter the webhook endpoint URL that you copied from your external system.
- Select Query Parameters or HTTP Headers based on the webhook setup in your external system. This setting determines where the API key is in the webhook messages that ISPM sends.
- In the Key field, enter the query parameter or header name that you got from your external system.
- In the Value field, enter the API key.
- Optional. Click + to add more parameters that your external system requires, and then repeat steps 5 and 6.
- Optional. Click Test connection to test the event hook.
- Optional. Check that your external system received the test JSON message. The test message is similar to the following sample message.
  {
    "id": "f73a7741-6980-4d44-b0bf-13a2fa7ac556",
    "timestamp": "2024-06-09T14:56:58Z",
    "source": "Okta ISPM",
    "type": "issue.created",
    "eventData": {
      "id": "Alert_V32uL3CHijlQYHq-uqTkqWOXSJ8~",
      "category": "Least Privilege",
      "severity": "High",
      "title": "Unused Admin Account",
      "fullDescription": "Admin Accounts not logged in interactively for 91 days.",
      "shortDescription": "Admin Accounts not logged in interactively for 91 days.",
      "detectedAt": "2024-06-18",
      "suggestedRemediation": "Assess the essentiality of listed accounts; disable or suspend as necessary.",
      "riskAndImpact": "Unused, unmonitored accounts attract threat actors for gaining initial access or elevated permissions.",
      "frameworks": [
        "SOX",
        "PCI-DSS v4.0"
      ],
      "link": "https://{your-ISPM-url}/issues/Alert_V32uL3CHijlQYHq-uqTkqWOXSJ8~",
      "affectedEntity": {
        "id": "Account_Q1SMRm3vfzomaZwevHIoL9kVhWU~",
        "type": "Account",
        "displayName": "john.smith@okta.com",
        "sourceProductName": "Okta",
        "sourceProductTenant": "example.okta.com",
        "additionalData": {
          "types": [
            "Admin"
          ],
          "lastLogin": "03/28/2024"
        }
      }
    }
  }
- Click Save.
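The receiving side of the test connection, as an added example that is not Okta's code: a handler for the external system that checks the API key sent with the HTTP Headers option in constant time, then turns an `issue.created` message into a ticket record. The header name `x-api-key`, the key value, and the ticket field names are assumptions.

```python
import hmac
import json

# Assumption: header name and key are constructed placeholders for your Key/Value fields.
API_KEY_HEADER = "x-api-key"
EXPECTED_API_KEY = "constructed-example-key"  # load from a secret store in practice
REQUIRED_EVENT_FIELDS = ("id", "severity", "title", "link", "affectedEntity")
PAGE_SEVERITIES = {"High"}  # only "High" appears in the page's sample; adjust locally

# Constructed input: the page's sample test message, trimmed to the fields used here.
SAMPLE_BODY = json.dumps({
    "type": "issue.created",
    "eventData": {
        "id": "Alert_V32uL3CHijlQYHq-uqTkqWOXSJ8~",
        "severity": "High",
        "title": "Unused Admin Account",
        "link": "https://{your-ISPM-url}/issues/Alert_V32uL3CHijlQYHq-uqTkqWOXSJ8~",
        "affectedEntity": {"displayName": "john.smith@okta.com",
                           "sourceProductTenant": "example.okta.com"},
    },
})


def authenticate(headers):
    """Constant-time API key check; HTTP header names are case-insensitive."""
    supplied = {k.lower(): v for k, v in headers.items()}.get(API_KEY_HEADER, "")
    return hmac.compare_digest(supplied.encode(), EXPECTED_API_KEY.encode())


def handle_webhook(headers, body):
    """Return (http_status, ticket_or_None) for one inbound ISPM call."""
    if not authenticate(headers):
        return 401, None  # reject before parsing any untrusted JSON
    try:
        msg = json.loads(body)
        event = msg["eventData"]
        if msg["type"] != "issue.created" or any(f not in event for f in REQUIRED_EVENT_FIELDS):
            return 422, None
        entity = event["affectedEntity"]
        ticket = {
            "dedupe_key": event["id"],  # ISPM issue id, lets the ticket system drop repeats
            "summary": f'[{event["severity"]}] {event["title"]}: {entity["displayName"]}',
            "tenant": entity.get("sourceProductTenant"),
            "url": event["link"],
            "page_oncall": event["severity"] in PAGE_SEVERITIES,
        }
    except (ValueError, KeyError, TypeError, AttributeError):
        return 400, None
    return 200, ticket
```

If the external system uses the Query Parameters option instead, keep in mind that request URLs are commonly written to web server and proxy access logs, so the key should be treated as exposed to anyone who can read those logs.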
Enable automation
After you create the event hook, select the issue types for which ISPM should notify your external system, and then enable the hook.
ISPM only notifies your external system when it detects new issues.
- In the Identity Security Posture Management console, go to .
- On the Webhook tile, click Automate webhook.
- Enable the Auto-send notification setting.
- From the Send notifications when the issue type is dropdown menu, select the issues for which ISPM should notify your external system.
- Click Apply Automation.