Webhooks
    • 28 Apr 2024
    Overview

    Acante supports Webhooks to push events (notifications) triggered by Acante’s analytical data processing to a receiving application on the customer side. That application can implement custom workflows to process the received events according to its use case and runbooks.

    • Types of events to subscribe to: the available types are listed on the Acante WebApp configuration page for the user to select from
    • Webhook URL, i.e. the endpoint of the receiving application in the customer environment: entered on the Acante WebApp configuration page

    Acante supports two user-selectable integration models for Webhooks:

    Slack Integration

    Slack Workflow Automation is increasingly becoming the tool of choice for customers’ security workflows. Acante supports native integration to Slack by posting events to a dedicated Slack channel in the customer’s Slack workspace.

    Connect Acante WebApp to your Slack workspace in 2 clicks. It uses Slack’s incoming webhooks as described in https://api.slack.com/messaging/webhooks

    Authentication for Slack

    Uses OAuth as described in https://api.slack.com/authentication/oauth-v2

    Customer Provided Webhook

    Customers may want to use a workflow automation tool other than Slack, e.g. Pipedream, IFTTT, or their own custom application.

    On the Configuration pages in the Acante UI, add the endpoint webhook URL (e.g. the customer SIEM) to which Acante will send JSON messages via HTTP POST. This is similar to how GitHub webhooks or Stripe webhooks work. See the event payload below for testing requirements.

    Authentication for Customer Webhook

    Acante supports 2 approaches:

    1. When configuring the webhook on the Configuration pages in the Acante UI, add a secret token along with the webhook URL. Acante computes a hash signature of each delivery using this secret token and includes it in a request header, similar to how GitHub works: https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries. As with GitHub, the receiver should recompute the signature over the raw request body it received and compare the two values in constant time, rejecting any delivery whose header is missing or does not match.
    2. Similar to the first approach, but instead of a customer-provided secret token, Acante generates an API key on the Configurations page in the Acante UI, which the receiver checks on every delivery.
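    The following receiver-side check is an added example, not Acante's code or the page's own. The page does not name the header that carries the signature, so the example assumes a GitHub-style header (an assumed name X-Acante-Signature-256 with a value of the form sha256=<hex>); x-api-key is the header shown in the page's curl example for the second approach. The sample delivery body is constructed here and shaped like the page's first response example.

```python
import hashlib
import hmac
import json

# Header names: the signature header is an assumption modelled on GitHub's
# X-Hub-Signature-256 (the page cites GitHub's scheme but does not name Acante's
# header). "x-api-key" is the header used in the page's curl example.
SIGNATURE_HEADER = "X-Acante-Signature-256"  # assumed name, not from the page
API_KEY_HEADER = "x-api-key"

# Constructed sample delivery body, shaped like the page's first response example
# (timestamp made up). Kept as raw bytes: the signature must be computed over the
# exact bytes received, never over a re-serialised JSON object.
SAMPLE_BODY = (
    b'{"type":"drift - data access","id":"0123456789",'
    b'"generated_at":"2024-04-28T12:00:00Z",'
    b'"details":{"description":"New DB User is accessing sensitive data",'
    b'"severity_level":"High","resource_type":"AWS_RDS"}}'
)

REQUIRED_FIELDS = ("type", "id", "generated_at", "details")


def _header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def sign_body(secret: str, body: bytes) -> str:
    """Value the sender puts in the signature header: HMAC-SHA256 over the raw body."""
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(secret: str, headers: dict, body: bytes) -> bool:
    """Approach 1: customer-provided secret token. Recompute the HMAC over the raw
    body and compare in constant time, so a missing or forged header is rejected
    without leaking timing information about the expected value."""
    presented = _header(headers, SIGNATURE_HEADER)
    if not presented:
        return False
    expected = sign_body(secret, body)
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


def verify_api_key(expected_key: str, headers: dict) -> bool:
    """Approach 2: Acante-generated API key presented as a header value."""
    presented = _header(headers, API_KEY_HEADER)
    if not presented:
        return False
    return hmac.compare_digest(expected_key.encode("utf-8"), presented.encode("utf-8"))


def handle_delivery(headers: dict, body: bytes, *, secret=None, api_key=None):
    """Authenticate a delivery, then parse it. Returns (http_status, event_or_None).
    Authentication runs before JSON parsing so an unauthenticated sender never
    reaches the parser."""
    if secret is not None:
        authenticated = verify_signature(secret, headers, body)
    elif api_key is not None:
        authenticated = verify_api_key(api_key, headers)
    else:
        raise ValueError("configure either a shared secret or an API key")
    if not authenticated:
        return 401, None
    try:
        event = json.loads(body)
    except ValueError:
        return 400, None
    if not isinstance(event, dict) or any(f not in event for f in REQUIRED_FIELDS):
        return 400, None
    return 200, event


if __name__ == "__main__":
    secret = "example-shared-secret"  # constructed; use the value entered in the Acante UI
    good = {SIGNATURE_HEADER: sign_body(secret, SAMPLE_BODY), "Content-Type": "application/json"}
    print(handle_delivery(good, SAMPLE_BODY, secret=secret)[0])         # 200
    print(handle_delivery(good, SAMPLE_BODY + b" ", secret=secret)[0])  # 401, body tampered
```

    Whatever web framework hosts the endpoint, pass it the unmodified request body bytes; a single byte of difference (a trailing newline, re-indented JSON) changes the MAC and the delivery will be rejected as tampered.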

    Event Payload (i.e. POST by Acante)

    To test the event payload sent by Acante before you have a webhook URL ready, you can use a lightweight request catcher such as RequestBin or smee.io (the latter is the tool used in GitHub's webhook testing guide).

    Content-Type: application/json

    {
      "type": "...",            // Event type subscribed to by the user
      "id": "...",              // Unique identifier for the event generated
      "generated_at": "...",    // UTC timestamp at which the event was generated
      "details": {              // NOTE: the following details pertain ONLY to the event generated
        "description": "...",                          // Description of the event analysis
        "severity_level": "...",                       // Critical, High, Medium
        "data_resource_arn": "...",
        "datastore_name": "...",
        "resource_type": "...",
        "datasets": [                                  // OPTIONAL: list of datasets involved
          {
            "dataset_name": "...",
            "fields": [...]
          }
        ],
        "highest_sensitivity_level_priority": "...",   // OPTIONAL
        "data_classes": [...],                         // OPTIONAL
        "enterprise_users_count": "...",               // OPTIONAL
        "roles_count": "...",                          // OPTIONAL
        "source_identities": [...],                    // OPTIONAL
        "read_request_count_label": "...",             // OPTIONAL: Low, Medium, High
        "write_request_count_label": "...",            // OPTIONAL: Low, Medium, High
        "read_volume_label": "...",                    // OPTIONAL: Low, Medium, High
        "write_volume_label": "...",                   // OPTIONAL: Low, Medium, High
        "additional_info": {...}                       // OPTIONAL: more context for the event analysis
      }
    }
    

    Response Examples

    [
      {
        "type": "drift - data access",
        "id": "0123456789",
        "generated_at": "...",
        "details": {
          "description": "New DB User is accessing sensitive data",
          "severity_level": "High",
          "data_resource_arn": "arn:aws:rds:us-east-2:123456789012:db:my-mysql-instance-1",
          "datastore_name": "ABC",
          "resource_type": "AWS_RDS",
          "datasets": [
            {
              "dataset_name": "XYZ"
            }
          ],
          "highest_sensitivity_level_priority": "P1-Restricted",
          "data_classes": ["PII", "PCI"],
          "roles_count": "1",
          "read_request_count_label": "Low",
          "read_volume_label": "Medium"
        }
      },
      {
        "type": "drift - data access",
        "id": "9876543210",
        "generated_at": "...",
        "details": {
          "description": "Potential exfiltration: User is accessing high volume of sensitive data",
          "severity_level": "Critical",
          "data_resource_arn": "arn:aws:rds:us-east-2:123456789012:db:my-mysql-instance-1",
          "datastore_name": "ABC",
          "resource_type": "AWS_RDS",
          "datasets": [
            {
              "dataset_name": "XYZ"
            },
            {
              "dataset_name": "PQR"
            }
          ],
          "highest_sensitivity_level_priority": "P1-Restricted",
          "data_classes": ["PII", "PCI"],
          "roles_count": "1",
          "source_identities": ["1.1.1.1"],
          "read_request_count_label": "Medium",
          "read_volume_label": "High"
        }
      }
    ]
    

    Response Field Descriptions

    The response is an array of events and their details. For each event, the following fields are provided:

    Response Field | Description
    type | Event type, as described in the section below
    id | Unique identifier associated with each event generated
    generated_at | Timestamp at which the event was generated
    details | Specifics about the event generated. Which fields are present depends on the specific event
    details.description | Description of the event based on Acante analysis. Provides context such as data exfiltration, ransomware, etc.
    details.severity_level | Severity of the event, to prioritize action. Values can be {Critical, High, Medium, Low, Info}
    details.data_resource_arn | AWS ARN of the data resource (e.g. RDS instance ARN)
    details.datastore_name | Datastore name (e.g. database name in the RDS instance)
    details.resource_type | Datastore type. Values can be {SQL-RDS-mysql, SQL-RDS-postgres, SQL-RDS-other}
    details.datasets | List of the specific datasets (e.g. tables / views in RDS) for which the event was detected
    details.datasets.dataset_name | Name of the dataset
    details.datasets.fields | List of fields (column names) in this dataset for which the event was detected. Helps the user pinpoint what data was involved
    details.highest_sensitivity_level_priority | Highest sensitivity level of the data present in the datastore. Values may be {P1-Restricted, P2-Confidential, P3-Internal, P4-Public}. These values can be customized by the user in the Acante UI
    details.data_classes | Data classes of the data present in the datastore. Values may be {PCI, PII, GDPR, …}. Customers can define custom data classes
    details.enterprise_users_count | Populated when the event is triggered by a large count of unique users accessing the datastore
    details.roles_count | Populated when the event is triggered by a large count of unique roles accessing the datastore
    details.source_identities | List of source identities accessing the datastore in the event analysis time range. This may be the actual user name or an IP address, depending on the available information
    details.read_request_count_label | Populated when the event is triggered by a large count of read requests to the datastore. Typical in data exfiltration or ransomware events
    details.write_request_count_label | Populated when the event is triggered by a large count of write requests to the datastore. Typical in ransomware events
    details.read_volume_label | Populated when the event is triggered by a large volume of data read from the datastore. Typical in data exfiltration or ransomware events
    details.write_volume_label | Populated when the event is triggered by a large volume of data written to the datastore. Typical in ransomware events
    details.additional_info | Additional context for the event

    Types of Events Generated by Acante

    Acante analyzes changes in the data, data access patterns, privileges, etc. and highlights noteworthy changes in the form of events. These changes could represent drifts, high baselines, potential threats and so on. They are bucketed using the “type” field in the events API.
    Users can subscribe to selected event “types”:

    Event Type Value | Description
    drift - data discovery | New sensitive data discovered
    drift - access privilege | New identities/roles granted access privileges to sensitive data
    drift - data access | New identities/roles accessing sensitive data, or anomalous data access patterns
    recommendation - least privilege | Recommendations to reduce access privileges to sensitive data
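    As an added example of the receiving side's custom workflow (not Acante's code or the page's own), the router below takes an already-authenticated, parsed event, validates its type and severity against the values the page documents, drops re-deliveries of an id it has already handled, and picks a destination. The channel names (pager, siem-alert, ticket, siem-log) and the exfiltration heuristic are this example's own choices, and the two sample events are constructed copies of the page's response examples with made-up timestamps.

```python
from typing import Optional

# Allowed values, taken from the page's field descriptions and event-type table.
SEVERITY_ORDER = ("Info", "Low", "Medium", "High", "Critical")
EVENT_TYPES = {
    "drift - data discovery",
    "drift - access privilege",
    "drift - data access",
    "recommendation - least privilege",
}

# Constructed sample deliveries shaped like the page's two response examples.
# The timestamps are made up; the page elides them.
SAMPLE_EVENTS = [
    {
        "type": "drift - data access",
        "id": "0123456789",
        "generated_at": "2024-04-28T12:00:00Z",
        "details": {
            "description": "New DB User is accessing sensitive data",
            "severity_level": "High",
            "data_resource_arn": "arn:aws:rds:us-east-2:123456789012:db:my-mysql-instance-1",
            "datastore_name": "ABC",
            "resource_type": "AWS_RDS",
            "datasets": [{"dataset_name": "XYZ"}],
            "highest_sensitivity_level_priority": "P1-Restricted",
            "data_classes": ["PII", "PCI"],
            "read_request_count_label": "Low",
            "read_volume_label": "Medium",
        },
    },
    {
        "type": "drift - data access",
        "id": "9876543210",
        "generated_at": "2024-04-28T12:05:00Z",
        "details": {
            "description": "Potential exfiltration: User is accessing high volume of sensitive data",
            "severity_level": "Critical",
            "data_resource_arn": "arn:aws:rds:us-east-2:123456789012:db:my-mysql-instance-1",
            "datastore_name": "ABC",
            "resource_type": "AWS_RDS",
            "datasets": [{"dataset_name": "XYZ"}, {"dataset_name": "PQR"}],
            "highest_sensitivity_level_priority": "P1-Restricted",
            "data_classes": ["PII", "PCI"],
            "source_identities": ["1.1.1.1"],
            "read_request_count_label": "Medium",
            "read_volume_label": "High",
        },
    },
]


class EventRouter:
    """Validates a parsed event, drops re-deliveries of an id already handled and
    decides where it goes. Channel names are placeholders for the receiver's runbook."""

    def __init__(self):
        self._seen_ids = set()

    def route(self, event: dict) -> Optional[dict]:
        etype = event.get("type")
        if etype not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {etype!r}")
        event_id = event.get("id")
        if not event_id:
            raise ValueError("event has no id")
        details = event.get("details") or {}
        severity = details.get("severity_level", "Info")
        if severity not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity: {severity!r}")
        # Webhook senders retry on non-2xx responses, so the same id can arrive
        # more than once; the event id is the idempotency key.
        if event_id in self._seen_ids:
            return None
        self._seen_ids.add(event_id)

        # Exfiltration-shaped signal (this example's heuristic): a data-access drift
        # with a high read volume against data whose highest level is P1-Restricted.
        exfil_shape = (
            etype == "drift - data access"
            and details.get("read_volume_label") == "High"
            and details.get("highest_sensitivity_level_priority") == "P1-Restricted"
        )
        rank = SEVERITY_ORDER.index(severity)
        if severity == "Critical" or exfil_shape:
            channel = "pager"
        elif etype.startswith("drift") and rank >= SEVERITY_ORDER.index("High"):
            channel = "siem-alert"
        elif etype.startswith("recommendation"):
            channel = "ticket"
        else:
            channel = "siem-log"

        return {
            "event_id": event_id,
            "channel": channel,
            "severity": severity,
            "resource": details.get("data_resource_arn"),
            "datasets": [d.get("dataset_name") for d in details.get("datasets", [])],
            "source_identities": list(details.get("source_identities", [])),
            "summary": f"[{severity}] {etype}: {details.get('description', '')}",
        }


if __name__ == "__main__":
    router = EventRouter()
    for ev in SAMPLE_EVENTS:
        print(router.route(ev))
    print(router.route(SAMPLE_EVENTS[0]))  # None: duplicate id, already handled
```

    Because the optional fields vary by event (the page's first example has no source_identities, the second has no fields list), every lookup into details uses a default rather than assuming the key is present; an unknown type or severity is treated as a hard error so that a schema change on the sending side surfaces immediately instead of being silently filed under the wrong channel.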

    Payload Example

    • Using the customer-provided secret token
    curl -i -X POST https://<endpoint-url> \
      -H "Authorization: Bearer <secret-token>" \
      -H "Content-Type: application/json" \
      -H "Accept: application/json" \
      -d <TBD>

    • Using the Acante-provided API key
    curl -i -X POST https://<endpoint-url> \
      -H "x-api-key: <api-key>" \
      -H "Content-Type: application/json" \
      -H "Accept: application/json" \
      -d <TBD>
    
