When a notification rule is triggered in Traceable, structured events are sent to external systems, including SIEMs (Splunk), log collectors (Syslog, S3), security platforms (CrowdStrike), and messaging channels (Slack, Teams, email). Each event follows a consistent schema, providing detailed fields and context to monitor API activity, detect security issues, and integrate seamlessly with your operational workflows.
What will you learn in this topic?
By the end of this topic, you will be able to:
Understand the different types of notification events in Traceable.
Identify the fields and data types included in each event.
Interpret sample JSON payloads to integrate events with external systems.
Event Types and Attributes
The following sections list all fields available in notification events sent to external SIEM platforms, along with sample JSON payloads.
Base Alert Fields (Inherited by All Event Types)
These fields are shared by every event type and provide core details, such as tenant, environment, triggering rule, and alert message, for consistent tracking and integration. The following table outlines the base fields, along with their respective data types and descriptions.
| Field | Type | Description |
|---|---|---|
| tenantId | String | Unique identifier of the tenant generating the event. |
| timestamp | Instant | UTC timestamp when the event is generated. |
| environment | String | Environment where the event occurs (for example, production, staging). |
| eventType | String | Event type identifier. |
| notificationRuleName | String | The notification rule that triggered the event. |
| linkToEvent | String | Direct URL to the event in Traceable. |
| eventCategory | String | Logical classification of the event. |
| linkToNotificationConfig | String | URL to the notification configuration. |
| alertMessage | String | Human-readable alert message. |
The following sample JSON shows the base fields that every event carries:
```json
{
  "tenantId": "tenant_123",
  "timestamp": "2026-02-18T12:00:00Z",
  "environment": "prod",
  "eventType": "Blocked Event",
  "notificationRuleName": "High Severity Alert",
  "linkToEvent": "https://app.traceable.ai/event/123",
  "eventCategory": "THREAT",
  "linkToNotificationConfig": "https://app.traceable.ai/config/456",
  "alertMessage": "High severity event detected"
}
```
Agent Entity Change Event
This event is triggered when an agent changes state (for example, is upgraded or becomes inactive), giving you visibility into agent status and operational changes within your environment. The following table outlines the fields included in this event, along with their respective data types and descriptions.
| Field | Type | Description |
|---|---|---|
| agentName | String | Name of the agent. |
| version | String | Agent version. |
| agentType | String | Type of agent (for example, Kubernetes, VM). |
| previousStatus | String | Previous agent state (for example, ACTIVE). |
| currentStatus | String | Current agent state (for example, INACTIVE). |
Sample JSON
```json
{
  "tenantId": "tenant-123",
  "timestamp": "2026-02-20T10:15:30Z",
  "environment": "production",
  "eventType": "AGENT_ENTITY_CHANGE",
  "notificationRuleName": "Agent Status Monitor",
  "linkToEvent": "https://app.traceable.ai/event/123",
  "eventCategory": "ENTITY_CHANGE",
  "linkToNotificationConfig": "https://app.traceable.ai/config/456",
  "alertMessage": "Agent status changed",
  "agentName": "traceable-agent-1",
  "version": "1.4.2",
  "agentType": "KUBERNETES",
  "previousStatus": "ACTIVE",
  "currentStatus": "INACTIVE"
}
```
API and Backend Discovery Events
This event is triggered when Traceable discovers new API endpoints, services, or backend systems, giving you visibility into your environment for inventory, monitoring, and operational tracking. The following table outlines the fields included in this event, along with their respective data types and descriptions.
| Field | Type | Description |
|---|---|---|
|  | String | Type of discovery event generated by the platform. |
|  | String | Name of the newly discovered API endpoint, including HTTP method and path. |
|  | String | Name of the service associated with the discovered API. |
|  | String | Name of the newly discovered backend system or infrastructure component. |
Config and Environment Related Events
The following tables outline the fields included in these events, along with their respective data types and descriptions.
1. Config Change Event
The following table outlines the fields included when a platform configuration is created, modified, or updated, along with their respective data types and descriptions.
| Field | Type | Description |
|---|---|---|
|  | String | Identifies the event as |
|  | String | Human-readable summary of the configuration change. Defaults to |
|  | String | Category or type of configuration that was modified (for example, notification rule, blocking rule, policy, integration). |
|  | String | Username or email address of the user who performed the configuration change. |
|  | String | User-defined name of the configuration rule affected by the change. |
2. Domain Discovery Event
The following table outlines the fields included when Traceable detects a new domain associated with API traffic, along with their respective data types and descriptions.
| Field | Type | Description |
|---|---|---|
|  | String | Identifies the event as |
|  | String | Fully qualified domain name (FQDN) of the newly discovered domain observed in API traffic. |
3. Environment Entity Change Event
The following table outlines the fields included when the operational state of an environment changes, along with their respective data types and descriptions.
| Field | Type | Description |
|---|---|---|
|  | String | Identifies the event as |
|  | String | Previous operational status of the environment (for example, ACTIVE, INACTIVE). |
|  | String | Updated operational status of the environment after the change. |
Sensitive Data Events
1. Sensitive Data Discovery Event
This event is triggered when sensitive data is detected in API request or response payloads, providing visibility for monitoring and compliance. The following table outlines the fields included in this event, along with their respective data types and descriptions.
| Field | Type | Description |
|---|---|---|
|  | String | Identifies the event as |
|  | Set | Collection of sensitive data types detected in the API traffic (for example, EMAIL, CREDIT_CARD, SSN, API_KEY). |
|  | String | Name of the API endpoint where the sensitive data was discovered, including HTTP method and path. |
2. Sensitive Data Third Party API Event
This event is triggered when sensitive data is observed being transmitted to or from a third-party backend system, providing visibility for monitoring and compliance. The following table outlines the fields included in this event, along with their respective data types and descriptions.
| Field | Type | Description |
|---|---|---|
|  | String | Identifies the event as |
|  | Set | Collection of sensitive data types detected in traffic involving the third-party backend. |
|  | String | Name of the third-party backend system associated with the detected sensitive data exposure. |
Third-Party Discovery Events
1. Third Party API Discovery Event
The following table outlines the fields included when Traceable detects a previously unknown third-party API endpoint communicating with your environment, along with their respective data types and descriptions.
| Field | Type | Description |
|---|---|---|
|  | String | Identifies the event as |
|  | String | Name of the discovered third-party API endpoint, including identifying details such as domain or API path if available. |
2. Third Party Discovery Event
The following table outlines the fields included when a new third-party service or provider is identified based on API traffic patterns, along with their respective data types and descriptions.
| Field | Type | Description |
|---|---|---|
|  | String | Identifies the event as |
|  | String | Name of the external third-party service, vendor, or provider detected in traffic. |
Blocked Event
This event provides enriched context, including client intelligence, API metadata, threat scoring, and data classification signals. The following table outlines the fields included when Traceable actively blocks an API request due to a policy violation, detected attack, threat actor enforcement, or risk-based protection rule, along with their respective data types and descriptions:
| Field | Type | Description |
|---|---|---|
| eventType | String | Identifies the event as BLOCKED_EVENT. |
| blockingRuleName | String | Name of the rule or policy responsible for blocking the request. |
| clientIp | String | Source IP address of the client that initiated the request. |
| clientIpAsn | String | Autonomous System Number (ASN) associated with the client IP. |
| clientIpOrganisation | String | Organization or ISP associated with the client's IP address. |
| clientIpReputation | Enum | Reputation level assigned to the client IP (for example, TRUSTED, SUSPICIOUS, MALICIOUS). |
| clientIpTypes | String | Classification of the IP type (for example, DATA_CENTER, RESIDENTIAL, PROXY, TOR). |
| clientIpConnectionType | String | Network connection type (for example, broadband, mobile, hosting provider). |
| blockedActorId | String | Identifier of the threat actor entity associated with the blocked request. |
| blockedEventType | Enum | Type of security or policy event that resulted in the block. |
| blockedEventId | String | Unique identifier of the underlying event that triggered the block action. |
| spanId | String | Distributed tracing span identifier for request correlation. |
| userAgent | String | User-Agent header string from the client request. |
| userDevice | String | Parsed device or client platform information. |
| serviceName | String | Name of the service handling the API request. |
| apiName | String | Name of the API endpoint (HTTP method and path). |
| uri | String | Complete request URI path. |
| statusCode | String | HTTP response status code returned after blocking (typically 403). |
| description | String | Human-readable description of why the request was blocked. |
| clientGeoLocation | String | Geographic location derived from the client IP address. |
| severity | Enum | Severity level assigned to the blocked event (LOW, MEDIUM, HIGH, CRITICAL). |
| impactLevel | Enum | Business or security impact level of the event. |
| confidenceLevel | Enum | Confidence level indicating detection certainty. |
| apiRiskScore | Double | Risk score assigned to the affected API. |
| apiRiskCategory | String | Risk classification category of the API (for example, HIGH_RISK, MEDIUM_RISK). |
| requestDatatypeNames | String | Sensitive data types detected in the request payload. |
| responseDatatypeNames | String | Sensitive data types detected in the response payload. |
| requestDatasetNames | String | Identified datasets present in the request payload. |
| responseDatasetNames | String | Identified datasets present in the response payload. |
| threatActorScore | Integer | Risk score assigned to the associated threat actor. |
| scanner | String | Identified scanner or automation tool (if applicable). |
| dataSuppressions | String | Data suppression policies applied to the event. |
| apiLabels | String | Labels or tags associated with the API. |
| apiIsExternal | Boolean | Indicates whether the API is externally exposed. |
Sample JSON
```json
{
  "tenantId": "tenant-123",
  "timestamp": "2026-02-20T12:00:00Z",
  "environment": "production",
  "eventType": "BLOCKED_EVENT",
  "notificationRuleName": "Critical Attack Blocking",
  "linkToEvent": "https://app.traceable.ai/event/blocked-123",
  "eventCategory": "SECURITY",
  "alertMessage": "Malicious request blocked by SQL Injection Protection rule",
  "blockingRuleName": "SQL Injection Protection",
  "clientIp": "198.51.100.25",
  "clientIpAsn": "AS15169",
  "clientIpOrganisation": "Example ISP",
  "clientIpReputation": "MALICIOUS",
  "clientIpTypes": "DATA_CENTER",
  "clientIpConnectionType": "HOSTING",
  "blockedActorId": "actor-456",
  "blockedEventType": "SECURITY_EVENT",
  "blockedEventId": "sec-789",
  "spanId": "span-abc-123",
  "userAgent": "Mozilla/5.0",
  "userDevice": "Chrome on Windows",
  "serviceName": "payment-service",
  "apiName": "POST /checkout",
  "uri": "/checkout",
  "statusCode": "403",
  "description": "Request matched SQL injection detection pattern",
  "clientGeoLocation": "US",
  "severity": "CRITICAL",
  "impactLevel": "HIGH",
  "confidenceLevel": "HIGH",
  "apiRiskScore": 92.5,
  "apiRiskCategory": "HIGH_RISK",
  "requestDatatypeNames": "CREDIT_CARD",
  "responseDatatypeNames": "NONE",
  "requestDatasetNames": "PaymentData",
  "responseDatasetNames": "None",
  "threatActorScore": 95,
  "scanner": "sqlmap",
  "dataSuppressions": "None",
  "apiLabels": "external, payments",
  "apiIsExternal": true
}
```
Security Event
This event is triggered when Traceable detects suspicious or malicious activity based on configured security rules, behavioral analytics, or threat intelligence signals. It provides detailed context on the API, the client, and the associated risk to support monitoring, investigation, and response. The following table outlines the fields included in this event, along with their respective data types and descriptions.
| Field | Type | Description |
|---|---|---|
| eventType | String | Identifies the event as SECURITY_EVENT. |
| ruleName | String | Name of the security rule that triggered the detection. |
| eventId | String | Unique identifier of the security event. |
| securityEventType | Enum | Classification of the security event (for example, ATTACK_DETECTED, POLICY_VIOLATION, ANOMALY). |
| severity | Enum | Severity level assigned to the event (LOW, MEDIUM, HIGH, CRITICAL). |
| uri | String | Complete request URI path associated with the event. |
| statusCode | Integer | HTTP response status code returned for the request. |
| userId | String | Authenticated user identifier associated with the request, if available. |
| userAgent | String | User-Agent header string from the client request. |
| clientIpAddress | String | Source IP address of the client request. |
| clientGeoLocation | String | Geographic location derived from the client IP address. |
| clientIpAsn | String | Autonomous System Number (ASN) associated with the client IP. |
| clientIpOrganisation | String | Organization or ISP associated with the client's IP address. |
| clientIpReputation | Enum | Reputation level assigned to the client IP (for example, TRUSTED, SUSPICIOUS, MALICIOUS). |
| clientIpTypes | String | Classification of IP type (for example, DATA_CENTER, RESIDENTIAL, PROXY, TOR). |
| clientIpConnectionType | String | Network connection type for the client's IP address. |
| spanId | String | Distributed tracing span identifier used for correlating requests across services. |
| serviceName | String | Name of the service that handled the request. |
| apiName | String | Name of the API endpoint (HTTP method and path). |
| description | String | Human-readable explanation of the detected activity. |
| userDevice | String | Parsed client device or platform information. |
| sessionId | String | Session identifier associated with the user request, if available. |
| impactLevel | Enum | Business or security impact level of the event. |
| confidenceLevel | Enum | Confidence level indicating detection accuracy. |
| apiRiskScore | Double | Risk score assigned to the affected API. |
| apiRiskCategory | String | Risk classification category of the API (for example, HIGH_RISK). |
| requestDatatypeNames | String | Sensitive data types identified in the request payload. |
| responseDatatypeNames | String | Sensitive data types identified in the response payload. |
| requestDatasetNames | String | Identified datasets present in the request payload. |
| responseDatasetNames | String | Identified datasets present in the response payload. |
| threatActorScore | Integer | Risk score assigned to the associated threat actor. |
| scanner | String | Identified scanner or automation tool involved in the activity (if applicable). |
| dataSuppressions | String | Data suppression policies applied to the event. |
| apiLabels | String | Labels or tags associated with the API endpoint. |
| apiIsExternal | Boolean | Indicates whether the API endpoint is externally exposed. |
Sample JSON
```json
{
  "tenantId": "tenant-123",
  "timestamp": "2026-02-20T12:30:00Z",
  "environment": "production",
  "eventType": "SECURITY_EVENT",
  "notificationRuleName": "Critical Security Alerts",
  "linkToEvent": "https://app.traceable.ai/event/sec-123",
  "eventCategory": "SECURITY",
  "alertMessage": "Potential broken authentication attack detected",
  "ruleName": "OWASP API2 - Broken Authentication",
  "eventId": "sec-123",
  "securityEventType": "ATTACK_DETECTED",
  "severity": "CRITICAL",
  "uri": "/login",
  "statusCode": 401,
  "userId": "user-789",
  "userAgent": "Mozilla/5.0",
  "clientIpAddress": "203.0.113.45",
  "clientGeoLocation": "US",
  "clientIpAsn": "AS15169",
  "clientIpOrganisation": "Example ISP",
  "clientIpReputation": "SUSPICIOUS",
  "clientIpTypes": "DATA_CENTER",
  "clientIpConnectionType": "HOSTING",
  "spanId": "trace-span-456",
  "serviceName": "auth-service",
  "apiName": "POST /login",
  "description": "Multiple failed login attempts detected from the same IP",
  "userDevice": "Chrome on Windows",
  "sessionId": "session-123",
  "impactLevel": "HIGH",
  "confidenceLevel": "HIGH",
  "apiRiskScore": 88.4,
  "apiRiskCategory": "HIGH_RISK",
  "requestDatatypeNames": "USERNAME,PASSWORD",
  "responseDatatypeNames": "NONE",
  "requestDatasetNames": "AuthPayload",
  "responseDatasetNames": "None",
  "threatActorScore": 90,
  "scanner": "CredentialStuffingTool",
  "dataSuppressions": "None",
  "apiLabels": "external, authentication",
  "apiIsExternal": true
}
```
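The Blocked Event and Security Event payloads above share most fields but differ in small ways a SIEM parser has to absorb: the client IP is `clientIp` in one and `clientIpAddress` in the other, `statusCode` is a String in one sample and an Integer in the other, and the sensitive-data and label fields are comma-separated strings that use "NONE" or "None" to mean nothing was detected. The following Python is an added example, not Traceable's code, that validates the base fields and normalizes both event types into one record; the sentinel handling, the `priority` scoring and the trimmed sample payload are constructed assumptions.

```python
"""Normalize Traceable notification events for SIEM ingestion.
Added example, not Traceable's own code. Field names follow the sample
payloads on this page; the priority scoring is an assumption."""
import json
from datetime import datetime, timezone

BASE_REQUIRED = ("tenantId", "timestamp", "environment", "eventType",
                 "notificationRuleName", "alertMessage")
# The samples use "NONE" / "None" for "nothing detected"; treat as empty.
EMPTY_SENTINELS = {"", "NONE", "None"}
# Comma-separated string fields in the Blocked and Security samples.
LIST_FIELDS = ("requestDatatypeNames", "responseDatatypeNames",
               "requestDatasetNames", "responseDatasetNames", "apiLabels")
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed payload, trimmed from the Blocked Event sample above.
SAMPLE_BLOCKED = json.dumps({
    "tenantId": "tenant-123", "timestamp": "2026-02-20T12:00:00Z",
    "environment": "production", "eventType": "BLOCKED_EVENT",
    "notificationRuleName": "Critical Attack Blocking",
    "alertMessage": "Malicious request blocked",
    "clientIp": "198.51.100.25", "clientIpReputation": "MALICIOUS",
    "apiName": "POST /checkout", "statusCode": "403", "severity": "CRITICAL",
    "requestDatatypeNames": "CREDIT_CARD", "responseDatatypeNames": "NONE",
    "apiLabels": "external, payments", "apiIsExternal": True,
})


def split_list(value):
    """'external, payments' -> ['external', 'payments']; 'NONE' or None -> []."""
    if value is None or value in EMPTY_SENTINELS:
        return []
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_base(event):
    """Validate the base alert fields every event type inherits."""
    missing = [f for f in BASE_REQUIRED if f not in event]
    if missing:
        raise ValueError(f"missing base fields: {missing}")
    # Instant is an ISO-8601 UTC string; fromisoformat wants +00:00, not Z.
    ts = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    return {"tenant": event["tenantId"], "timestamp": ts.astimezone(timezone.utc),
            "environment": event["environment"], "event_type": event["eventType"],
            "rule": event["notificationRuleName"], "message": event["alertMessage"]}


def triage_priority(record):
    """Assumed scoring: severity rank, +1 for a MALICIOUS client IP,
    +1 when sensitive data types appear on an externally exposed API."""
    score = SEVERITY_RANK.get(record["severity"], 0)
    if record["ip_reputation"] == "MALICIOUS":
        score += 1
    sensitive = record["requestDatatypeNames"] or record["responseDatatypeNames"]
    if record["external"] and sensitive:
        score += 1
    return score


def normalize(raw):
    """Parse one JSON event into a flat record; enrich Blocked/Security events."""
    event = json.loads(raw)
    record = parse_base(event)
    if event["eventType"] in ("BLOCKED_EVENT", "SECURITY_EVENT"):
        # The two event types name the client IP field differently.
        record["client_ip"] = event.get("clientIp") or event.get("clientIpAddress")
        record["ip_reputation"] = event.get("clientIpReputation")
        record["external"] = bool(event.get("apiIsExternal", False))
        record["severity"] = event.get("severity", "LOW")
        # statusCode is a String in the Blocked sample, an Integer in Security.
        record["status_code"] = int(event["statusCode"]) if "statusCode" in event else None
        for field in LIST_FIELDS:
            record[field] = split_list(event.get(field))
        record["priority"] = triage_priority(record)
    return record
```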
Vulnerability Events
These events provide visibility into newly identified API vulnerabilities and status changes for existing vulnerabilities within the Traceable platform. The following tables outline the fields included in these events, along with their respective data types and descriptions.
1. Vulnerability Discovery Event
The following table outlines the fields included when a vulnerability is detected in an API endpoint during security analysis, along with their respective data types and descriptions.
| Field | Type | Description |
|---|---|---|
|  | String | Identifies the event as |
|  | String | Classification of the detected vulnerability (for example, SQL_INJECTION, BROKEN_AUTHENTICATION, DATA_EXPOSURE). |
|  | String | Severity level assigned to the vulnerability based on risk assessment (for example, LOW, MEDIUM, HIGH, CRITICAL). |
|  | String | Name of the affected API endpoint, including HTTP method and path. |
2. Vulnerability Status Change Event
The following table outlines the fields included when the lifecycle state of a previously identified vulnerability changes, along with their respective data types and descriptions.
| Field | Type | Description |
|---|---|---|
|  | String | Identifies the event as |
|  | String | Classification of the vulnerability whose status has changed. |
|  | String | Severity level associated with the vulnerability. |
|  | String | Name of the affected API endpoint. |
|  | String | Previous lifecycle state of the vulnerability (for example, OPEN, IN_PROGRESS, RESOLVED). |
|  | String | Updated lifecycle state of the vulnerability after the change. |
Threat Actor Change Events
These events provide visibility into changes in a threat actor's severity classification or operational state within the Traceable platform. They help security teams track how an actor's risk evolves and which enforcement actions were taken. The following tables outline the fields included in these events, along with their respective data types and descriptions.
1. Threat Actor Severity Change Event
Triggered when the calculated severity level of a threat actor changes based on updated risk signals, behavior, or intelligence.
| Field | Type | Description |
|---|---|---|
| eventType | String | Identifies the event as THREAT_ACTOR_SEVERITY_CHANGE. |
| threatActorId | String | Unique identifier assigned to the threat actor within the platform. |
| threatActorIp | String | IP address associated with the threat actor. |
| threatActorOldSeverity | String | Previous severity classification (for example, LOW, MEDIUM, HIGH, CRITICAL). |
| threatActorNewSeverity | String | Updated severity classification after reassessment. |
| actorGeolocation | String | Geographic location associated with the threat actor's IP address. |
| threatActorEntityId | String | Internal entity identifier linked to the threat actor. |
| threatActorOldIpReputationLevel | String | Previous IP reputation level (for example, TRUSTED, SUSPICIOUS, MALICIOUS). |
| threatActorNewIpReputationLevel | String | Updated IP reputation level based on the latest intelligence. |
Sample JSON
```json
{
  "tenantId": "tenant-123",
  "timestamp": "2026-02-20T11:00:00Z",
  "environment": "production",
  "eventType": "THREAT_ACTOR_SEVERITY_CHANGE",
  "notificationRuleName": "Threat Actor Severity Monitor",
  "alertMessage": "Threat actor severity increased",
  "threatActorId": "actor-789",
  "threatActorIp": "203.0.113.25",
  "threatActorOldSeverity": "MEDIUM",
  "threatActorNewSeverity": "HIGH",
  "actorGeolocation": "US",
  "threatActorEntityId": "entity-456",
  "threatActorOldIpReputationLevel": "SUSPICIOUS",
  "threatActorNewIpReputationLevel": "MALICIOUS"
}
```
2. Threat Actor State Change Event
The following table outlines the fields included when the operational state of a threat actor changes, either automatically (for example, due to policy enforcement) or manually by a user, along with their respective data types and descriptions.
| Field | Type | Description |
|---|---|---|
| eventType | String | Identifies the event as THREAT_ACTOR_STATE_CHANGE. |
| threatActorId | String | Unique identifier assigned to the threat actor. |
| changeReason | String | Explanation for the state change (for example, policy enforcement, manual override). |
| threatActorIp | String | IP address associated with the threat actor. |
| threatActorOldState | String | Previous operational state (for example, MONITORED, BLOCKED, ALLOWED). |
| threatActorNewState | String | Updated operational state after the change. |
| changeInitiator | String | User or system component responsible for initiating the change. |
| actorGeoLocation | String | Geographic location associated with the actor's IP. |
| threatActorGeoLocation | String | Geographic location recorded for the threat actor entity (if different from actorGeoLocation). |
| threatActorEntityId | String | Internal entity identifier associated with the threat actor. |
Sample JSON
```json
{
  "tenantId": "tenant-123",
  "timestamp": "2026-02-20T11:10:00Z",
  "environment": "production",
  "eventType": "THREAT_ACTOR_STATE_CHANGE",
  "notificationRuleName": "Threat Actor State Monitor",
  "alertMessage": "Threat actor state changed",
  "threatActorId": "actor-789",
  "changeReason": "Manual unblock by admin",
  "threatActorIp": "203.0.113.25",
  "threatActorOldState": "BLOCKED",
  "threatActorNewState": "MONITORED",
  "changeInitiator": "admin@company.com",
  "actorGeoLocation": "US",
  "threatActorGeoLocation": "US",
  "threatActorEntityId": "entity-456"
}
```
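The two threat actor events above are most useful when read together: a state change that relaxes enforcement (for example, BLOCKED to MONITORED) deserves review when the actor's most recent severity change rates it HIGH or CRITICAL, or its reputation MALICIOUS. The following Python is an added example, not Traceable's code, that correlates the two event types per actor; the state ordering, the "needs review" rule and the constructed sample events (the two samples above plus a second, low-severity actor) are assumptions.

```python
"""Audit threat actor enforcement changes from Traceable notifications.
Added example, not Traceable's own code. Field names follow the two sample
payloads on this page; the state ordering and review rule are assumptions."""
from collections import defaultdict
from datetime import datetime

STATE_RANK = {"ALLOWED": 0, "MONITORED": 1, "BLOCKED": 2}  # assumed ordering
HIGH_SEVERITIES = {"HIGH", "CRITICAL"}

# Constructed events: the two samples above plus a second, low-severity actor.
SAMPLE_EVENTS = [
    {"eventType": "THREAT_ACTOR_SEVERITY_CHANGE", "timestamp": "2026-02-20T11:00:00Z",
     "threatActorId": "actor-789", "threatActorNewSeverity": "HIGH",
     "threatActorNewIpReputationLevel": "MALICIOUS"},
    {"eventType": "THREAT_ACTOR_STATE_CHANGE", "timestamp": "2026-02-20T11:10:00Z",
     "threatActorId": "actor-789", "threatActorIp": "203.0.113.25",
     "threatActorOldState": "BLOCKED", "threatActorNewState": "MONITORED",
     "changeInitiator": "admin@company.com", "changeReason": "Manual unblock by admin"},
    {"eventType": "THREAT_ACTOR_SEVERITY_CHANGE", "timestamp": "2026-02-20T11:20:00Z",
     "threatActorId": "actor-100", "threatActorNewSeverity": "LOW",
     "threatActorNewIpReputationLevel": "SUSPICIOUS"},
    {"eventType": "THREAT_ACTOR_STATE_CHANGE", "timestamp": "2026-02-20T11:30:00Z",
     "threatActorId": "actor-100", "threatActorIp": "198.51.100.7",
     "threatActorOldState": "MONITORED", "threatActorNewState": "ALLOWED",
     "changeInitiator": "policy-engine", "changeReason": "Policy expiry"},
]


def _ts(event):
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))


def relaxed(event):
    """True when a state change moves an actor to a less restrictive state."""
    old = STATE_RANK.get(event["threatActorOldState"], 0)
    new = STATE_RANK.get(event["threatActorNewState"], 0)
    return new < old


def audit(events):
    """Return one finding per enforcement relaxation, flagged for review when
    the actor's latest severity is HIGH/CRITICAL or its reputation MALICIOUS."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=_ts):          # replay in time order
        by_actor[e["threatActorId"]].append(e)
    findings = []
    for actor, history in by_actor.items():
        severity, reputation = None, None      # latest known values
        for e in history:
            if e["eventType"] == "THREAT_ACTOR_SEVERITY_CHANGE":
                severity = e["threatActorNewSeverity"]
                reputation = e["threatActorNewIpReputationLevel"]
            elif e["eventType"] == "THREAT_ACTOR_STATE_CHANGE" and relaxed(e):
                findings.append({
                    "actor": actor,
                    "ip": e["threatActorIp"],
                    "transition": e["threatActorOldState"] + "->" + e["threatActorNewState"],
                    "initiator": e["changeInitiator"],
                    "reason": e["changeReason"],
                    "severity_at_change": severity,
                    "needs_review": severity in HIGH_SEVERITIES or reputation == "MALICIOUS",
                })
    return findings
```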
Fraud Detection Event
This event is triggered when fraudulent activity is detected, providing the entity, severity, risk score, and type of fraud for monitoring and investigation. The following table outlines the fields included in this event, along with their respective data types and descriptions.
| Field | Type | Description |
|---|---|---|
| entityName | String | Identifier of the affected entity. |
| entityType | String | Type of the affected entity. |
| severity | String | Severity of the detected fraud. |
| riskScore | Integer | Fraud risk score. |
| threatType | String | Classification of the detected fraud. |
The following is a sample JSON for this event:
```json
{
  "tenantId": "tenant_123",
  "timestamp": "2026-02-18T12:10:00Z",
  "environment": "Production",
  "eventType": "Fraud Detection Event",
  "notificationRuleName": "High Risk Entity",
  "eventCategory": "FRAUD",
  "alertMessage": "Fraud risk identified",
  "entityName": "user_8842",
  "entityType": "User",
  "severity": "High",
  "riskScore": 91,
  "threatType": "Account Takeover"
}
```
Risk Score Change Event
This event is triggered when an API’s risk score changes, providing visibility into updated risk levels and categories for monitoring and response. The following table outlines the fields included in this event, along with their respective data types and descriptions.
| Field | Type | Description |
|---|---|---|
| apiName | String | Name of the affected API. |
| oldScore | Integer | Previous risk score. |
| newScore | Integer | Updated risk score. |
| riskCategory | String | Updated risk category. |
Sample JSON
```json
{
  "tenantId": "tenant_123",
  "timestamp": "2026-02-18T15:00:00Z",
  "environment": "Production",
  "eventType": "Risk Score Change Event",
  "eventCategory": "RISK",
  "alertMessage": "API risk score updated",
  "apiName": "POST /v1/orders",
  "oldScore": 65,
  "newScore": 89,
  "riskCategory": "High"
}
```
Team Activity Event
This event tracks user actions for auditing, compliance, and operational monitoring. The following table outlines the fields included when a user performs an action within the Traceable platform, such as creating, modifying, or deleting a configuration, along with their respective data types and descriptions.
| Field | Type | Description |
|---|---|---|
|  | String | Identifies the event as |
|  | String | Unique identifier of the tenant. For this event type, the field is explicitly included in the payload, even if it is ignored in other base alert contexts. |
|  | String | Full name of the user who performed the action. |
|  | String | Email address of the user who initiated the activity. |
|  | String | High-level summary of the activity performed. |
|  | String | Type of action executed (for example, CREATE, UPDATE, DELETE). |
|  | String | Additional contextual information describing the activity in detail. |
Service Discovery Event
This event helps organizations maintain an accurate inventory of services participating in API communication within their environment. The following table outlines the fields included when Traceable detects a previously unknown service based on observed API traffic, along with their respective data types and descriptions.
| Field | Type | Description |
|---|---|---|
|  | String | Identifies the event as |
|  | String | Name of the newly discovered service observed in API traffic. |