Webhook event reference
Full list of events you can subscribe to. Each event delivers the full corresponding resource object in the data field of the webhook payload.
All events
| Name | Type | Required | Description |
|---|---|---|---|
| alert.created | Alert | No | A new security alert was detected. |
| alert.severity_changed | Alert | No | Alert severity was upgraded or downgraded. |
| alert.acknowledged | Alert | No | Alert was acknowledged by an analyst or via API. |
| alert.resolved | Alert | No | Alert was resolved. |
| alert.escalated | Alert | No | Alert was escalated to Sentinel. |
| incident.created | Incident | No | A new incident was opened by Sentinel or manually. |
| incident.action_taken | Incident | No | A response action was executed against the incident. |
| incident.contained | Incident | No | Incident status changed to contained. |
| incident.resolved | Incident | No | Incident was resolved and closed. |
| incident.note_added | Incident | No | An analyst note was added to the incident. |
| device.enrolled | Device | No | A new device was enrolled into HomeBase. |
| device.isolated | Device | No | A device was isolated from the network. |
| device.deisolated | Device | No | A device was restored to full network access. |
| device.compliance_changed | Device | No | Device compliance status changed. |
| identity.risk_score_changed | Identity | No | User risk score crossed a threshold. |
| identity.account_disabled | Identity | No | A user account was disabled. |
| identity.sessions_revoked | Identity | No | All sessions for a user were revoked. |
| compliance.report.ready | Compliance | No | An asynchronous compliance report is ready for download. |
| compliance.control_failed | Compliance | No | A compliance control dropped to failing status. |
| tenant.created | Tenant | No | A new tenant was provisioned. |
| tenant.suspended | Tenant | No | A tenant was suspended. |
Subscribing to all events
Pass "events": ["*"] when registering a webhook endpoint to receive all event types. This is useful for logging pipelines but not recommended for production integrations — subscribe only to what you need.