Skip to content
English
Sign in
Contact us
  • There are no suggestions because the search field is empty.

List of template variables available for webhooks

This is a complete list of the supported template variables for webhook configuration.

Case created:

  • event.case.acl_uuid (string). 
  • event.case.description (string)
  • event.case.locator (string)
  • event.case.member_uuids (array)
  • event.case.severity_name (string)
  • event.case.status_name (string)
  • event.case.tag_values (array)
  • event.case.uuid (UUID string)
  • event.case_creator.acl_uuid (UUID string)
  • event.case_creator.email (string)
  • event.case_creator.family_name (string)
  • event.case_creator.given_name (string)
  • event.case_creator.is_deleted (boolean)
  • event.case_creator.is_human (boolean)
  • event.case_creator.org_uuid (UUID string)
  • event.case_creator.phone (string)
  • event.case_creator.username (string)
  • event.case_creator.uuid (UUID string)

Case updated:

  • event.case_updater.acl_uuid (UUID string)
  • event.case_updater.email (string)
  • event.case_updater.family_name (string)
  • event.case_updater.given_name (string)
  • event.case_updater.is_deleted (boolean)
  • event.case_updater.is_human (boolean)
  • event.case_updater.org_uuid (UUID string)
  • event.case_updater.phone (string)
  • event.case_updater.username (string)
  • event.case_updater.uuid (UUID string)
  • event.current_case.acl_uuid (string)
  • event.current_case.description (string)
  • event.current_case.locator (string)
  • event.current_case.member_uuids (array)
  • event.current_case.severity_name (string)
  • event.current_case.status_name (string)
  • event.current_case.tag_values (array)
  • event.current_case.uuid (UUID string)
  • event.previous_case.acl_uuid (string)
  • event.previous_case.description (string)
  • event.previous_case.locator (string)
  • event.previous_case.member_uuids (array)
  • event.previous_case.severity_name (string)
  • event.previous_case.status_name (string)
  • event.previous_case.tag_values (array)
  • event.previous_case.uuid (UUID string)

Case assignee updated:

  • event.case.acl_uuid (string)
  • event.case.description (string)
  • event.case.locator (string)
  • event.case.member_uuids (array)
  • event.case.severity_name (string)
  • event.case.status_name (string)
  • event.case.tag_values (array)
  • event.case.uuid (UUID string)
  • event.case_updater.acl_uuid (UUID string)
  • event.case_updater.email (string)
  • event.case_updater.family_name (string)
  • event.case_updater.given_name (string)
  • event.case_updater.is_deleted (boolean)
  • event.case_updater.is_human (boolean)
  • event.case_updater.org_uuid (UUID string)
  • event.case_updater.phone (string)
  • event.case_updater.username (string)
  • event.case_updater.uuid (UUID string)
  • event.current_assignee.acl_uuid (UUID string)
  • event.current_assignee.email (string)
  • event.current_assignee.family_name (string)
  • event.current_assignee.given_name (string)
  • event.current_assignee.is_deleted (boolean)
  • event.current_assignee.is_human (boolean)
  • event.current_assignee.org_uuid (UUID string)
  • event.current_assignee.phone (string)
  • event.current_assignee.username (string)
  • event.current_assignee.uuid (UUID string)
  • event.previous_assignee.acl_uuid (UUID string)
  • event.previous_assignee.email (string)
  • event.previous_assignee.family_name (string)
  • event.previous_assignee.given_name (string)
  • event.previous_assignee.is_deleted (boolean)
  • event.previous_assignee.is_human (boolean)
  • event.previous_assignee.org_uuid (UUID string)
  • event.previous_assignee.phone (string)
  • event.previous_assignee.username (string)
  • event.previous_assignee.uuid (UUID string)

Case status updated:

  • event.case.acl_uuid (string)
  • event.case.description (string)
  • event.case.locator (string)
  • event.case.member_uuids (array)
  • event.case.severity_name (string)
  • event.case.status_name (string)
  • event.case.tag_values (array)
  • event.case.uuid (UUID string)
  • event.case_updater.acl_uuid (UUID string)
  • event.case_updater.email (string)
  • event.case_updater.family_name (string)
  • event.case_updater.given_name (string)
  • event.case_updater.is_deleted (boolean)
  • event.case_updater.is_human (boolean)
  • event.case_updater.org_uuid (UUID string)
  • event.case_updater.phone (string)
  • event.case_updater.username (string)
  • event.case_updater.uuid (UUID string)
  • event.current_status.description (string)
  • event.current_status.is_end (boolean)
  • event.current_status.is_start (boolean)
  • event.current_status.name (string)
  • event.current_status.ordinality (number)
  • event.previous_status.description (string)
  • event.previous_status.is_end (boolean)
  • event.previous_status.is_start (boolean)
  • event.previous_status.name (string)
  • event.previous_status.next_statuses (array)
  • event.previous_status.ordinality (number)
  • event.previous_status.transition_acl_uuids.<key> (UUID string)

Case tag added:

  • event.case.acl_uuid (string)
  • event.case.description (string)
  • event.case.locator (string)
  • event.case.member_uuids (array)
  • event.case.severity_name (string)
  • event.case.status_name (string)
  • event.case.tag_values (array)
  • event.case.uuid (UUID string)
  • event.tag.acl_uuid (UUID string)
  • event.tag.description (string)
  • event.tag.is_deprecated (boolean)
  • event.tag.uuid (UUID string)
  • event.tag.value (string)
  • event.tagging_user.acl_uuid (UUID string)
  • event.tagging_user.email (string)
  • event.tagging_user.family_name (string)
  • event.tagging_user.given_name (string)
  • event.tagging_user.is_deleted (boolean)
  • event.tagging_user.is_human (boolean)
  • event.tagging_user.org_uuid (UUID string)
  • event.tagging_user.phone (string)
  • event.tagging_user.username (string)
  • event.tagging_user.uuid (UUID string)

Case data created:

  • event.case.acl_uuid (string)
  • event.case.description (string)
  • event.case.locator (string)
  • event.case.member_uuids (array)
  • event.case.severity_name (string)
  • event.case.status_name (string)
  • event.case.tag_values (array)
  • event.case.uuid (UUID string)
  • event.case_data.acl_uuid (string)
  • event.case_data.created_datetime (string)
  • event.case_data.data_stub_uuid (UUID string)
  • event.case_data.file_last_mod_datetime (string)
  • event.case_data.file_name (string)
  • event.case_data.is_hidden (boolean)
  • event.case_data.mime_type (string)
  • event.case_data.significance (string)
  • event.case_data.uuid (UUID string)
  • event.case_data_creator.acl_uuid (UUID string)
  • event.case_data_creator.email (string)
  • event.case_data_creator.family_name (string)
  • event.case_data_creator.given_name (string)
  • event.case_data_creator.is_deleted (boolean)
  • event.case_data_creator.is_human (boolean)
  • event.case_data_creator.org_uuid (UUID string)
  • event.case_data_creator.phone (string)
  • event.case_data_creator.username (string)
  • event.case_data_creator.uuid (UUID string)
  • event.case_data_stub.acl_uuid (UUID string)
  • event.case_data_stub.case_uuid (UUID string)
  • event.case_data_stub.created_datetime (string)
  • event.case_data_stub.creator_uuid (UUID string)
  • event.case_data_stub.data_location (string)
  • event.case_data_stub.data_location_type (string)
  • event.case_data_stub.data_size (number)
  • event.case_data_stub.data_source (string)
  • event.case_data_stub.editor_uuid (UUID string)
  • event.case_data_stub.file_name (string)
  • event.case_data_stub.is_audit (boolean)
  • event.case_data_stub.is_deleted (boolean)
  • event.case_data_stub.is_edited (boolean)
  • event.case_data_stub.is_hidden (boolean)
  • event.case_data_stub.last_modified_datetime (string)
  • event.case_data_stub.location (string)
  • event.case_data_stub.mime_type (string)
  • event.case_data_stub.parent_uuid (UUID string)
  • event.case_data_stub.significance (string)
  • event.case_data_stub.uuid (UUID string)
  • event.case_data_stub.version (number)

Case STIX data created:

  • event.case.acl_uuid (string)
  • event.case.description (string)
  • event.case.locator (string)
  • event.case.member_uuids (array)
  • event.case.severity_name (string)
  • event.case.status_name (string)
  • event.case.tag_values (array)
  • event.case.uuid (UUID string)
  • event.case_data_creator.acl_uuid (UUID string)
  • event.case_data_creator.email (string)
  • event.case_data_creator.family_name (string)
  • event.case_data_creator.given_name (string)
  • event.case_data_creator.is_deleted (boolean)
  • event.case_data_creator.is_human (boolean)
  • event.case_data_creator.org_uuid (UUID string)
  • event.case_data_creator.phone (string)
  • event.case_data_creator.username (string)
  • event.case_data_creator.uuid (UUID string)
  • event.case_data_stub.acl_uuid (UUID string)
  • event.case_data_stub.case_uuid (UUID string)
  • event.case_data_stub.created_datetime (string)
  • event.case_data_stub.creator_uuid (UUID string)
  • event.case_data_stub.data_location (string)
  • event.case_data_stub.data_location_type (string)
  • event.case_data_stub.data_size (number)
  • event.case_data_stub.data_source (string)
  • event.case_data_stub.editor_uuid (UUID string)
  • event.case_data_stub.file_name (string)
  • event.case_data_stub.is_audit (boolean)
  • event.case_data_stub.is_deleted (boolean)
  • event.case_data_stub.is_edited (boolean)
  • event.case_data_stub.is_hidden (boolean)
  • event.case_data_stub.last_modified_datetime (string)
  • event.case_data_stub.location (string)
  • event.case_data_stub.mime_type (string)
  • event.case_data_stub.parent_uuid (UUID string)
  • event.case_data_stub.significance (string)
  • event.case_data_stub.uuid (UUID string)
  • event.case_data_stub.version (number)
  • event.observable.extensions.<key> (string)
  • event.observable.granular_markings (array)
  • event.observable.id (string)
  • event.observable.is_defanged (boolean)
  • event.observable.object_marking_refs (array)
  • event.observable.spec_version (string)
  • event.observable.type (string)

Type-dependent variables:

These are only present based on the value of event.observable.type.

Artifact

  • event.observable.artifact.decryption_key (string)
  • event.observable.artifact.encryption_algorithm (string)
  • event.observable.artifact.hashes.<key> (string)
  • event.observable.artifact.mime_type (string)
  • event.observable.artifact.payload_bin (string)
  • event.observable.artifact.url (string)

Autonomous System

  • event.observable.autonomous_system.name (string)
  • event.observable.autonomous_system.number (number)
  • event.observable.autonomous_system.rir (string)

Directory

  • event.observable.directory.accessed_datetime (RFC3339 datetime string)
  • event.observable.directory.contains_refs (array)
  • event.observable.directory.created_datetime (RFC3339 datetime string)
  • event.observable.directory.modified_datetime (RFC3339 datetime string)
  • event.observable.directory.path (string)
  • event.observable.directory.path_enc (string)

Domain Name

  • event.observable.domain_name.resolves_to_refs (array)
  • event.observable.domain_name.value (string)

Email Address

  • event.observable.email_address.belongs_to_ref (string)
  •  event.observable.email_address.display_name (string)
  • event.observable.email_address.value (string)

Email Message

  • event.observable.email_message.additional_header_fields.<key> (string)
  • event.observable.email_message.bcc_refs (array)
  • event.observable.email_message.body (string)
  • event.observable.email_message.body_multipart (array)
  • event.observable.email_message.cc_refs (array)
  • event.observable.email_message.content_type (string)
  • event.observable.email_message.from_ref (string)
  • event.observable.email_message.is_multipart (boolean)
  • event.observable.email_message.message_id (string)
  • event.observable.email_message.raw_email_ref (string)
  • event.observable.email_message.received_lines (array)
  • event.observable.email_message.sender_refs (array)
  • event.observable.email_message.sent_datetime (RFC3339 datetime string)
  • event.observable.email_message.subject (string)
  • event.observable.email_message.to_refs (array)

File

  • event.observable.file.accessed_datetime (RFC3339 datetime string)
  • event.observable.file.contains_refs (array)
  • event.observable.file.content_ref (string)
  • event.observable.file.created_datetime (RFC3339 datetime string)
  • event.observable.file.hashes.<key> (string)
  • event.observable.file.magic_number_hex (string)
  • event.observable.file.mime_type (string)
  • event.observable.file.modified_datetime (RFC3339 datetime string)
  • event.observable.file.name (string)
  • event.observable.file.name_enc (string)
  • event.observable.file.parent_directory_ref (string)
  • event.observable.file.size (number)

IPv4 Address

  • event.observable.ipv4_address.belongs_to_refs (array)
  • event.observable.ipv4_address.resolves_to_refs (array)
  • event.observable.ipv4_address.value (string)

IPv6 Address

  • event.observable.ipv6_address.belongs_to_refs (array)
  • event.observable.ipv6_address.resolves_to_refs (array)
  • event.observable.ipv6_address.value (string)

MAC Address

  • event.observable.mac_address.value (string)

Mutex

  • event.observable.mutex.name (string)

Network Traffic

  • event.observable.network_traffic.dst_byte_count (number)
  • event.observable.network_traffic.dst_packets (number)
  • event.observable.network_traffic.dst_payload_ref (string)
  • event.observable.network_traffic.dst_port (number)
  • event.observable.network_traffic.dst_ref (string)
  • event.observable.network_traffic.encapsulated_by_ref (string)
  • event.observable.network_traffic.encapsulates_refs (array)
  • event.observable.network_traffic.end_datetime (RFC3339 datetime string)
  • event.observable.network_traffic.ipfix.<key> (string)
  • event.observable.network_traffic.is_active (boolean)
  • event.observable.network_traffic.protocols (array)
  • event.observable.network_traffic.src_byte_count (number)
  • event.observable.network_traffic.src_packets (number)
  • event.observable.network_traffic.src_payload_ref (string)
  • event.observable.network_traffic.src_port (number)
  • event.observable.network_traffic.src_ref (string)
  • event.observable.network_traffic.start_datetime (RFC3339 datetime string)

Process

  • event.observable.process.child_refs (array)
  • event.observable.process.command_line (string)
  • event.observable.process.created_datetime (RFC3339 datetime string)
  • event.observable.process.creator_user_ref (string)
  • event.observable.process.cwd (string)
  • event.observable.process.environment_variables.<key> (string)
  • event.observable.process.image_ref (string)
  • event.observable.process.is_hidden (boolean)
  • event.observable.process.opened_connection_refs (array)
  • event.observable.process.parent_ref (string)
  • event.observable.process.pid (number)

Software

  • event.observable.software.cpe (string)
  • event.observable.software.languages (array)
  • event.observable.software.name (string)
  • event.observable.software.vendor (string)
  • event.observable.software.version (string)

URL

  • event.observable.url.value (string)

User Account

  • event.observable.user_account.account_created_datetime (RFC3339 datetime string)
  • event.observable.user_account.account_expires (RFC3339 datetime string)
  • event.observable.user_account.account_first_login_datetime (RFC3339 datetime string)
  • event.observable.user_account.account_last_login_datetime (RFC3339 datetime string)
  • event.observable.user_account.account_login (string)
  • event.observable.user_account.account_type (string)
  • event.observable.user_account.can_escalate_privileges (boolean)
  • event.observable.user_account.credential (string)
  • event.observable.user_account.credential_last_changed_datetime (RFC3339 datetime string)
  • event.observable.user_account.display_name (string)
  • event.observable.user_account.is_disabled (boolean)
  • event.observable.user_account.is_priveleged (boolean)
  • event.observable.user_account.is_service_account (boolean)
  • event.observable.user_account.user_id (string)

Windows Registry Key

  • event.observable.windows_registry_key.data (string)
  • event.observable.windows_registry_key.data_type (string)
  • event.observable.windows_registry_key.name (string)

X509 Certificate

  • event.observable.x509_certificate.hashes (string)
  • event.observable.x509_certificate.is_self_signed (boolean)
  • event.observable.x509_certificate.issuer (string)
  • event.observable.x509_certificate.serial_number (string)
  • event.observable.x509_certificate.signature_algorithm (string)
  • event.observable.x509_certificate.subject (string)
  • event.observable.x509_certificate.subject_public_key_algorithm (string)
  • event.observable.x509_certificate.subject_public_key_exponent (number)
  • event.observable.x509_certificate.subject_public_key_modulus (string)
  • event.observable.x509_certificate.validity_not_after_datetime (string)
  • event.observable.x509_certificate.validity_not_before_datetime (string)
  • event.observable.x509_certificate.version (number)
  • event.observable.x509_certificate.x509_v3_extensions.<key> (string)

Case form submission created:

  • event.case.acl_uuid (string)
  • event.case.description (string)
  • event.case.locator (string)
  • event.case.member_uuids (array)
  • event.case.severity_name (string)
  • event.case.status_name (string)
  • event.case.tag_values (array)
  • event.case.uuid (UUID string)
  • event.case_data_creator.acl_uuid (UUID string)
  • event.case_data_creator.email (string)
  • event.case_data_creator.family_name (string)
  • event.case_data_creator.given_name (string)
  • event.case_data_creator.is_deleted (boolean)
  • event.case_data_creator.is_human (boolean)
  • event.case_data_creator.org_uuid (UUID string)
  • event.case_data_creator.phone (string)
  • event.case_data_creator.username (string)
  • event.case_data_creator.uuid (UUID string)
  • event.case_data_stub.acl_uuid (UUID string)
  • event.case_data_stub.case_uuid (UUID string)
  • event.case_data_stub.created_datetime (string)
  • event.case_data_stub.creator_uuid (UUID string)
  • event.case_data_stub.data_location (string)
  • event.case_data_stub.data_location_type (string)
  • event.case_data_stub.data_size (number)
  • event.case_data_stub.data_source (string)
  • event.case_data_stub.editor_uuid (UUID string)
  • event.case_data_stub.file_name (string)
  • event.case_data_stub.is_audit (boolean)
  • event.case_data_stub.is_deleted (boolean)
  • event.case_data_stub.is_edited (boolean)
  • event.case_data_stub.is_hidden (boolean)
  • event.case_data_stub.last_modified_datetime (string)
  • event.case_data_stub.location (string)
  • event.case_data_stub.mime_type (string)
  • event.case_data_stub.parent_uuid (UUID string)
  • event.case_data_stub.significance (string)
  • event.case_data_stub.uuid (UUID string)
  • event.case_data_stub.version (number)
  • event.form_data.fields.<key> (string)
  • event.form_data.name (string)
  • event.form_data.uuid (UUID string)

Related articles

Cydarm API documentation

API examples