Integrating Analytics
This integration allows Analytics cases and alerts to be forwarded to Security Information and Event Management (SIEM) solutions via webhooks. This enables centralized security monitoring, correlation with other security events, and automated response workflows.
For information on configuring webhooks in the Delinea Platform, see Managing Webhooks.
Webhook Payload Schema
When an alert or case event is triggered, the Delinea Platform sends an HTTP POST request containing a JSON payload. The following tables document each field to assist SIEM administrators in parsing the payload and building forwarding rules.
Root-Level Fields
| Field | Type | Description |
|---|---|---|
| $type | string | Generic type Delinea.Audit.Platform.Messages.AuditEventConsumableModel, Delinea.Audit.Platform.Messages |
| AuditEventMessageId | UUID | Unique identifier for this specific audit event message |
| TenantId | UUID | Identifier for the Delinea tenant generating the event |
| TenantSecondaryId | UUID | Secondary tenant identifier (typically matches TenantId) |
| Service.Type | string | The Delinea service originating the event (e.g., Identity Protection) |
| SessionId | string/null | Session identifier, if applicable |
| EventDateTime | ISO 8601 | Timestamp when the event occurred |
| ProcessedTime | ISO 8601 | Timestamp when the event was processed by the platform |
| Level | integer | Event level indicator |
| Version | integer | Schema version number |
| Redelivered | boolean | Indicates if this message is a redelivery attempt |
| RelayEvenIfExpired | boolean | Whether to relay the message even if past expiration |
| CorrelationId | UUID | Identifier for correlating related events |
| ParentCorrelationId | UUID | Parent correlation identifier for event chains |
| ForceCompress | boolean | Compression flag |
| ExpiresOn | ISO 8601/null | Message expiration timestamp |
| UniqueConsumableId | string/null | Unique consumable identifier |
| _ucid | UUID | Internal unique consumable ID |
| Notes | string/null | Additional notes attached to the event |
| MetaData | object/null | Additional metadata |
| FieldChanges | object/null | Field change tracking data |
| RoutingKeySegments | array/null | Message routing segments |
| RiskData | object/null | Associated risk assessment data |
| Tags | Dictionary | Key-value pairs for event tagging |
Actor Object
| Field | Type | Description |
|---|---|---|
| Actor.Id | string | Identifier of the actor (e.g., ITDR for system-generated alerts) |
| Actor.PlatformId | string/null | Platform-specific identifier |
| Actor.IdType | string | Type of identifier (e.g., platformid) |
| Actor.Type | string | Actor category (e.g., user, system) |
| Actor.Name | string | Human-readable name (e.g., Delinea System) |
Target Object
| Field | Type | Description |
|---|---|---|
| Target.Host | string/null | Target host, if applicable |
| Target.Id | string | Unique identifier for the target (e.g., Delinea.ITP.Alert.3465794) |
| Target.IdType | string/null | Type of target identifier |
| Target.Type | string | Target category (e.g., Feature) |
| Target.Name | string | Human-readable name/title of the alert or case |
Action Object
| Field | Type | Description |
|---|---|---|
| Action.Name | string | Action identifier (e.g., Delinea.ITP.Alert.Created, Delinea.ITP.Case.Updated) |
| Action.Verb | string/null | Action verb, if applicable |
| Action.TargetType | string/null | Type of target for the action |
Source Object
| Field | Type | Description |
|---|---|---|
| Source.Host | string/null | Originating host |
Additional Attributes Object (Alert-Specific Data)
| Field | Type | Description |
|---|---|---|
| id | string[] | Internal alert/case identifier |
| unique_id | string[] | Globally unique identifier (hash) |
| title | string[] | Alert/case title (e.g., User account detected as NHI) |
| description | string[] | Detailed description of the detection, including reasoning |
| severity | string[] | Severity level: Low, Medium, High, Critical |
| classification | string[] | Classification status (e.g., Undetermined, True Positive, False Positive) |
| resolution | string[] | Resolution status (e.g., Unresolved, Resolved) |
| recommendation | string[] | Recommended remediation actions |
| detection_rule_id | string[] | Identifier of the detection rule that triggered the alert |
| source_app_ids | string[] | Application identifiers where the identity was detected |
| source_app_ids_and_types | string[] | Combined application IDs and their types (e.g., Active Directory On Premises) |
| tenant_id | string[] | Tenant identifier |
| created_at | string[] | ISO 8601 timestamp when the alert was created |
| modified_at | string[] | ISO 8601 timestamp of last modification |
| last_detected_at | string[] | ISO 8601 timestamp of last detection occurrence |
Example Payload
```json
{
  "$type": "Delinea.Audit.Platform.Messages.AuditEventConsumableModel, Delinea.Audit.Platform.Messages",
  "AuditEventMessageId": "88ee7395-6be8-47e6-b361-e8bf24506461",
  "TenantId": "097e4d6b-e3c7-495d-b2f1-737d44a640d4",
  "Service": {
    "Type": "Identity Protection"
  },
  "Actor": {
    "Id": "ITDR",
    "IdType": "platformid",
    "Type": "user",
    "Name": "Delinea System"
  },
  "Target": {
    "Id": "Delinea.ITP.Alert.3465794",
    "Type": "Feature",
    "Name": "User account detected as NHI"
  },
  "Action": {
    "Name": "Delinea.ITP.Alert.Created"
  },
  "EventDateTime": "2026-01-08T19:31:49.424941+00:00",
  "AdditionalAttributes": {
    "id": ["3465794"],
    "title": ["User account detected as NHI"],
    "severity": ["Medium"],
    "classification": ["Undetermined"],
    "resolution": ["Unresolved"],
    "description": ["A user account Partner PRA 10 (Vendor) has been detected..."],
    "recommendation": ["- Verify the Identity: Confirm if this account..."],
    "detection_rule_id": ["7436"],
    "created_at": ["2026-01-08T19:31:39.796461+00:00"]
  }
}
```
SIEM Parsing Recommendations
Key Fields for Filtering
- Action.Name — Use to distinguish event types (e.g., Alert.Created vs Case.Updated)
- AdditionalAttributes.severity — Filter/prioritize by severity level
- AdditionalAttributes.resolution — Track resolution status
Correlation
- Use AuditEventMessageId for deduplication
- Use AdditionalAttributes.unique_id to track the same alert across updates
Timestamp Fields
- EventDateTime — Primary event timestamp for SIEM indexing
- AdditionalAttributes.created_at — Original alert creation time
- AdditionalAttributes.last_detected_at — Most recent detection (useful for recurring alerts)
Array Handling
- All AdditionalAttributes values are arrays; extract the first element ([0]) for single-value fields
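The following is an added Python example (not Delinea's code) that puts the recommendations above into practice: it flattens a webhook message, unwraps the single-element arrays in AdditionalAttributes, deduplicates on AuditEventMessageId, filters on severity, and collapses Created/Updated messages for one alert via unique_id. The sample messages are constructed from the Example Payload; the unique_id value and the second message ID are placeholders.

```python
import json

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def sample_message(message_id, action, resolution):
    """Constructed message modeled on the Example Payload; unique_id is a made-up placeholder."""
    return json.dumps({
        "AuditEventMessageId": message_id,
        "Target": {"Id": "Delinea.ITP.Alert.3465794", "Type": "Feature", "Name": "User account detected as NHI"},
        "Action": {"Name": action},
        "EventDateTime": "2026-01-08T19:31:49.424941+00:00",
        "AdditionalAttributes": {"id": ["3465794"], "unique_id": ["constructed-unique-id-0001"],
                                 "severity": ["Medium"], "resolution": [resolution]},
    })

def first(values):  # AdditionalAttributes values are arrays: return element [0], or None if absent/empty
    return values[0] if isinstance(values, list) and values else None

def flatten_event(msg):
    """Reduce one webhook message to the fields a SIEM filter keys on."""
    attrs = msg.get("AdditionalAttributes") or {}
    action = (msg.get("Action") or {}).get("Name") or ""
    return {
        "message_id": msg["AuditEventMessageId"],
        "timestamp": msg["EventDateTime"],               # primary index timestamp
        "event_type": ".".join(action.split(".")[-2:]),  # e.g. Alert.Created, Case.Updated
        "unique_id": first(attrs.get("unique_id")),
        "severity": first(attrs.get("severity")),
        "resolution": first(attrs.get("resolution")),
    }

def forward(raw_messages, min_severity="Medium"):
    """Dedupe on AuditEventMessageId, drop events below min_severity, keep latest state per unique_id."""
    seen, latest = set(), {}
    for raw in raw_messages:
        ev = flatten_event(json.loads(raw))
        if ev["message_id"] in seen:      # redelivery of an already-processed message
            continue
        seen.add(ev["message_id"])
        if SEVERITY_RANK.get(ev["severity"], 0) < SEVERITY_RANK[min_severity]:
            continue
        # Created then Updated for the same alert collapse to one record; fall back to the message id
        latest[ev["unique_id"] or ev["message_id"]] = ev
    return list(latest.values())

STREAM = [  # constructed stream: original delivery, its redelivery, then an update that resolves the alert
    sample_message("88ee7395-6be8-47e6-b361-e8bf24506461", "Delinea.ITP.Alert.Created", "Unresolved"),
    sample_message("88ee7395-6be8-47e6-b361-e8bf24506461", "Delinea.ITP.Alert.Created", "Unresolved"),
    sample_message("11111111-2222-3333-4444-555555555555", "Delinea.ITP.Alert.Updated", "Resolved"),
]
```

Running forward(STREAM) yields a single record in the Alert.Updated/Resolved state; raising min_severity to "High" drops the Medium alert entirely.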