Event hook field reference

ISPM event hooks deliver different payload structures depending on whether the detected issue relates to an Account (human or service), a User (person), or an OAuth grant (agent). This is intentional.

  • Account issues: An account (human or service) belongs to exactly one source product. The sourceProductName and sourceProductTenant appear directly inside affectedEntity.

  • User (person) issues: A person is a correlated identity that can have accounts across multiple products (for example, Okta, Azure, and AWS). The source information appears inside additionalData.activeAccounts[], where each entry represents one account that the person holds.

  • OAuth grant issues: A user's authorization for a client app to access a resource app on their behalf. After the user approves an OAuth consent screen, the client app receives an access token that it uses to call the resource app's APIs as that user. The clientApp and resourceApp appear inside additionalData.

Your payload always contains the additionalData object, but only the fields relevant to the specific issue type are populated.

Account issues

Example payload

{
  "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "type": "Account",
  "displayName": "Ali Lesch",
  "identifierInService": "ali.lesch@example.com",
  "sourceProductName": "Okta",
  "sourceProductTenant": "Example Corp",
  "additionalData": {
    "username": "ali.lesch@example.com",
    "types": [{ "type": "Admin", "reasons": ["Member of Org Admins group"] }],
    "lastLogin": "2025-05-04T18:22:00Z",
    "unrotatedTokens": [{
      "type": "API Token",
      "methodName": "ali_api_key",
      "createdAt": "2025-05-05T09:03:03Z",
      "lastUsed": "2025-05-05T10:06:46Z",
      "lastRotated": "2025-05-05T09:03:03Z",
      "nextRotation": null,
      "expires": "2026-05-04T00:00:00Z"
    }]
  }
}

For issues detected on a human or service account (for example, unrotated keys and tokens, unused admin accounts), the payload includes identity and credential details in additionalData. Each account belongs to exactly one source product.

| Field | Description |
|---|---|
| username | The display name or login of the affected account |
| types | Role types assigned to the account (for example, "Admin" or "User") |
| lastLogin | Date of the account's last login (format: MM/DD/YYYY) |
| unrotatedTokens | Credentials that triggered the alert |

Account type options

  • Super Admin
  • Admin
  • Service
  • External
  • PIM
  • Emergency Admin
  • Inaccessible
  • AI Agent
  • Keys or tokens
  • Unknown

UnrotatedTokenType options

  • API Key
  • API Token
  • Access Key
  • Certificate
  • Service Principal
  • Personal Access Token
  • Username-Key-Pair
  • OAuth Access Token
  • Personal Access Token (Classic)
  • Personal Access Token (Fine Grained)
  • SSH Key

UnrotatedTokenType properties

The unrotatedTokens array contains the credentials that triggered the alert. Each token object has the following properties.

| Field | Description |
|---|---|
| type | Credential type |
| createdAt | When the credential was created |
| methodName | Name or identifier given to the credential by its owner |
| lastUsed | Last time the credential was used |
| lastRotated | Last rotation timestamp |
| nextRotation | Scheduled next rotation, if applicable |
| expires | Expiration date, if applicable |

Payload structure

{
  "id":                        "string",
  "type":                      "Account",
  "displayName":               "string",
  "identifierInService":       "string (optional)",
  "sourceProductName":         "string (see sourceProductName list)",
  "sourceProductTenant":       "string — tenant/directory name as shown in the Issues page",
  "sourceProductParentTenant": "string (optional) — AWS Account only: parent AWS org display name",
  "additionalData": {
    "username": "string",
    "types": [
      { "type": "<AccountType>", "reasons": ["string"] }
    ],
    "lastLogin": "ISO 8601 (optional)",
    "unrotatedTokens": [
      {
        "type":         "<UnrotatedTokenType>",
        "methodName":   "string (optional)",
        "createdAt":    "ISO 8601 (optional)",
        "lastUsed":     "ISO 8601 (optional)",
        "lastRotated":  "ISO 8601 (optional)",
        "nextRotation": "ISO 8601 (optional)",
        "expires":      "ISO 8601 (optional)"
      }
    ]
  }
}

User (person) issues

Example payload

{
  "id": "b2c3d4e5-f6a7-8901-bcde-f12345678901",
  "type": "Person",
  "displayName": "Ali Lesch",
  "sourceProductName": "Okta",
  "sourceProductTenant": "Example Corp",
  "additionalData": {
    "activeAccounts": [
      {
        "id": "a1b2c3d4",
        "displayName": "Ali Lesch",
        "sourceProductName": "Okta",
        "sourceProductTenant": "Example Corp"
      }
    ]
  }
}

For issues tied to a person (for example, a partially offboarded user), the payload lists all accounts that belong to this person across connected products.

| Field | Description |
|---|---|
| activeAccounts | All accounts belonging to this user across connected products |
| activeAccounts[].id | Unique identifier for the account in its source product |
| activeAccounts[].displayName | Human-readable name for the account |
| activeAccounts[].sourceProductName | The source this account belongs to |
| activeAccounts[].sourceProductTenant | The tenant name as it appears in ISPM |

OAuth grants

For issues related to the Aggregated OAuth grant account, the additionalData fields clientApp and resourceApp are required.
{
  "id":          "string",
  "type":        "AggregatedOAuthGrantAccount",
  "displayName": "string",
  "additionalData": {
    "clientApp":   { "id": "string", "type": "<UnifiedRefType>", "title": "string", "subtitle": "string (optional)", "image": "string (optional)", "deletedAt": "ISO 8601 (optional)" },
    "resourceApp": { "id": "string", "type": "<UnifiedRefType>", "title": "string", "subtitle": "string (optional)", "image": "string (optional)", "deletedAt": "ISO 8601 (optional)" }
  }
}
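
Because the three issue types place their source and app details in different parts of the payload, a receiver has to branch on type before reading them. The following is an added example, not code from ISPM or from this page: the names summarize, _ts, NOW and the sample objects are hypothetical, and it assumes the function is handed the affected-entity object in the shapes shown above, with timezone-qualified ISO 8601 timestamps.

```python
from datetime import datetime, timezone

def _ts(value):
    """Parse an optional ISO 8601 timestamp; null or missing stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def summarize(entity, now):
    """Normalize one affected-entity object into a flat record for triage."""
    kind, data = entity.get("type"), entity.get("additionalData") or {}
    out = {"id": entity.get("id"), "type": kind, "sources": [], "apps": {}, "tokens": []}
    if kind == "Account":
        # One account, one source product: read it from the entity itself.
        out["sources"] = [(entity.get("sourceProductName"), entity.get("sourceProductTenant"))]
        for tok in data.get("unrotatedTokens") or []:
            # Every token timestamp is optional; fall back to createdAt.
            rotated = _ts(tok.get("lastRotated")) or _ts(tok.get("createdAt"))
            out["tokens"].append({
                "type": tok.get("type"), "name": tok.get("methodName"),
                "age_days": (now - rotated).days if rotated else None,
                "rotation_scheduled": tok.get("nextRotation") is not None})
    elif kind == "Person":
        # A person spans products: read each entry of activeAccounts[].
        out["sources"] = [(a.get("sourceProductName"), a.get("sourceProductTenant"))
                          for a in data.get("activeAccounts") or []]
    elif kind == "AggregatedOAuthGrantAccount":
        for role in ("clientApp", "resourceApp"):  # both documented as required
            if not isinstance(data.get(role), dict):
                raise ValueError(f"OAuth grant payload is missing {role}")
            out["apps"][role] = data[role].get("title")
    else:
        # Fail closed on a type this receiver does not know how to read.
        raise ValueError(f"unexpected entity type: {kind!r}")
    return out

# Constructed inputs, trimmed from the shapes documented on this page.
NOW = datetime(2025, 6, 4, 9, 3, 3, tzinfo=timezone.utc)
ACCOUNT = {"id": "a1", "type": "Account", "sourceProductName": "Okta",
           "sourceProductTenant": "Example Corp", "additionalData": {
               "unrotatedTokens": [{"type": "API Token", "methodName": "ali_api_key",
                                    "lastRotated": "2025-05-05T09:03:03Z", "nextRotation": None}]}}
PERSON = {"id": "p1", "type": "Person", "additionalData": {"activeAccounts": [
    {"id": "a1", "sourceProductName": "Okta", "sourceProductTenant": "Example Corp"},
    {"id": "a2", "sourceProductName": "AWS Account", "sourceProductTenant": "prod"}]}}
GRANT = {"id": "g1", "type": "AggregatedOAuthGrantAccount", "additionalData": {
    # "<UnifiedRefType>" is a placeholder; the page does not list its values.
    "clientApp": {"id": "c1", "type": "<UnifiedRefType>", "title": "Example Client"},
    "resourceApp": {"id": "r1", "type": "<UnifiedRefType>", "title": "Example Resource"}}}

if __name__ == "__main__":
    for sample in (ACCOUNT, PERSON, GRANT):
        print(summarize(sample, NOW))
```
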

Source product reference

The following table maps each connected platform to its sourceProductName value as it appears in event hook payloads.

| Source | sourceProductName value |
|---|---|
| Okta | Okta |
| AAD | AAD |
| Google Workspace | Google Workspace |
| AWS (AWS-account-level) | AWS Account |
| Salesforce | Salesforce.com |
| Snowflake | Snowflake Account |
| GitHub (EMU) | GitHub EMU |
| GitHub (organization) | GitHub Organization |
| GitLab | GitLab |
| GitLab (Self-Managed) | GitLab Self Managed |
| Google Cloud Platform | Google Cloud Platform |
| Microsoft Azure | Azure Cloud |
| Jira | Jira |
| Box | Box |
| Workday | Workday |
| Active Directory (on-prem) | Active Directory |

The sourceProductParentTenant is populated only when ISPM detects an issue for an AWS org. It's located in the affectedEntity section and provides the name of the AWS org.