HTTP Client Actions
- Updated on 05 Aug 2024
HTTP Client Actions let you automatically send incident information through an API request to your organization when conditions in your Policy Rules are met. Once your team receives the request, you can choose how to handle the incident based on the request.
This feature requires your organization to create an API endpoint that HUMAN can send a request to.
Prerequisites
- An endpoint for HUMAN to send the request to.
- An HTTP integration, which you can access from Platform Settings > Integrations > HTTP. For more information, see our help article.
Set up HTTP Client Actions
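To set up Client Actions, you need to create an HTTP Client Action and then add it to a Policy Rule, as described in the two sections below.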
Create an HTTP Client Action
Once you have connected your API endpoint with HUMAN’s HTTP integration, you must create a new HTTP Client Action for HUMAN to take whenever a Policy Rule’s conditions are met.
- Navigate to Account Defender > Settings > Action Settings.
- Select Add Action.
- Complete the following fields:
  - Action name: The name that will appear for the Action throughout the HUMAN console.
  - Action type: The type of mitigation action you want to trigger with this action.
  - Application data source: The application the Action will be available on.
  - Event type: The type of event the Action will be triggered by.
  - Integration: Select the HTTP integration to be triggered by the Action.
  - Field selection: Select any additional fields you want to include in HUMAN’s request body. The available fields are determined by the Event type you selected. Default fields are required and cannot be removed. You can review the definitions per field in Client Action request fields definitions and examples per event type in Response examples.
- Review the sample request body and select Send test request to test the Action.
- Once you’re satisfied with your settings, select Save changes.
Next, be sure to add your Action to a Policy Rule so it triggers automatically.
Add an HTTP Action to a Policy Rule
Once you have created an HTTP Client Action, we recommend adding it to a Policy Rule so you can automate when a request is sent to your organization.
- Navigate to Account Defender > Policies > Policy Rules.
- Select Create new rule or select an existing rule to edit it.
- Select Actions and navigate to API-based actions, which should display your HTTP Client Actions.
- In the Then section, drag and drop the HTTP Client Action that should be triggered when the If condition is met.
- Select Save.
Your Policy Rule has been updated with your Action. Now, whenever your rule is triggered, HUMAN will send a request to your specified endpoint with the fields you selected while creating the Action.
HTTP Client Action request fields definitions
You can customize the sent request body. The available fields for single, clustered, and network events are slightly different.
Default fields
Default fields are required and cannot be removed.
Field | Event type | Description | Type |
action_name | Single, Cluster, Network | The name of the action configured in the policy rule. | String |
attack_patterns | Single | Information about the patterns associated with the attack. | String |
attack_type | Single, Cluster, Network | The type of detected attack. Can only be ato or fake_account. | String |
cluster_key | Cluster | The unique identifier value of the cluster. | String |
cluster_key_type | Cluster | The unique identifier type of the cluster. | String |
network_id | Network | The unique identifier value of the network. | String |
network_type | Network | The unique identifier type of the network. | String |
rule_id | Single, Cluster, Network | The ID of the Policy Rule that triggered the request. | String |
score | Single, Cluster, Network | The severity score assigned to the incident, from 0 to 1. | Float |
timestamp | Single, Cluster, Network | The time of the incident in UTC, in YYYY-MM-DDTHH:MM:SS.SSSZ format. | String |
user_id | Single | The ID of the user. | String |
user_ids | Cluster, Network | The IDs of the users in the cluster or network. | Array |
Non-default fields
Field | Event type | Description | Type |
account_age | Single | The age, in days, of the account involved in the incident. | String |
asn | Single | Autonomous system (Network) | String |
city | Single | The city from which the incident originated. | String |
country | Single | The country from which the incident originated. | String |
custom_param1 | Single | A parameter with custom data sent by your organization. These can be customized in your Enforcer’s configuration. For more information, refer to your Enforcer’s custom configuration documentation in our knowledge base. | String |
custom_param2 | Single | See custom_param1. | String |
custom_param3 | Single | See custom_param1. | String |
custom_param4 | Single | See custom_param1. | String |
custom_param5 | Single | See custom_param1. | String |
custom_param6 | Single | See custom_param1. | String |
custom_param7 | Single | See custom_param1. | String |
custom_param8 | Single | See custom_param1. | String |
custom_param9 | Single | See custom_param1. | String |
custom_param10 | Single | See custom_param1. | String |
device_fingerprint | Single | A fingerprint value that represents a device. | String |
email | Single | The email associated with the account. | String |
ip | Single | The IP address from which the incident originated. | String |
ip_reputation | Single | An evaluation of the trustworthiness of an IP address. | String |
path | Single | The application’s URL path that the incident occurred on. | String |
unnormalized_user_id | Single | The original user ID as it was sent by the customer in case of manipulation on HUMAN’s end. | String |
user_agent | Single | The user agent of the incident. | String |
vid | Single | A visitor ID. | String |
Response examples
You can review response examples per event type below.
Single event response
{
  "user_id": "12345",
  "score": 0.99,
  "attack_type": "ato",
  "attack_patterns": [
    "non_withdrawing_account"
  ],
  "rule_id": "cfa7d19b-3b06-4514-9924-d1eb77fc9791",
  "rule_name": "ATO with high score",
  "action_name": "Reset password",
  "timestamp": "2024-05-12T15:11:27.745Z",
  "additional": {
    "city": "Tel Aviv",
    "country": "IL",
    "ip": "15.5.133.81",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.124 Safari/537.36 Edg/102.0.1245.44"
  }
}
Cluster event response
{
  "user_ids": ["123", "456", "789"],
  "score": 1,
  "attack_type": "ato",
  "attack_patterns": null,
  "rule_id": "39b524c9-f172-4d5c-ab1d-472a14c035da",
  "rule_name": "ATO with high score",
  "action_name": "Reset password",
  "timestamp": "2024-05-12T16:48:08.362344483Z",
  "additional": {
    "cluster_key": "14720032442281872288",
    "cluster_key_type": "device"
  }
}
Network event response
{
  "user_ids": ["92549020", "92549021", "92549022"],
  "score": 0.98,
  "attack_type": "fake_account",
  "rule_id": "84734834",
  "action_name": "account_suspension",
  "timestamp": "2022-06-24T15:13:52.164Z",
  "additional": {
    "network_id": "320",
    "network_type": "vid"
  }
}
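The endpoint that receives these requests should validate each body against the field definitions above before triggering any account action. The following Python sketch is an added example, not HUMAN's code: the function names are hypothetical, and accepting `cluster_key` and `network_id` either at the top level or under `additional` is an assumption drawn from the samples on this page.

```python
import json
import re
from datetime import datetime, timezone

ATTACK_TYPES = ("ato", "fake_account")  # the only values the page allows
# The page's samples carry 3 or 9 fractional digits; datetime keeps 6.
TS_RE = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d{1,9}))?Z")

def parse_timestamp(value):
    m = TS_RE.fullmatch(value) if isinstance(value, str) else None
    if not m:
        raise ValueError("timestamp is not UTC ISO 8601")
    micros = int((m.group(2) or "").ljust(6, "0")[:6])
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micros, tzinfo=timezone.utc)

def parse_client_action(raw):
    """Validate one request body and return a normalized incident dict."""
    body = json.loads(raw)
    if not isinstance(body, dict):
        raise ValueError("body must be a JSON object")
    extra = body.get("additional")
    ids = {**(extra if isinstance(extra, dict) else {}), **body}
    # Assumption: classify by identifiers at top level or under "additional".
    if isinstance(body.get("user_id"), str):
        kind, users = "single", [body["user_id"]]
    elif "cluster_key" in ids:
        kind, users = "cluster", body.get("user_ids")
    elif "network_id" in ids:
        kind, users = "network", body.get("user_ids")
    else:
        raise ValueError("cannot determine event type")
    if not (isinstance(users, list) and users
            and all(isinstance(u, str) and u for u in users)):
        raise ValueError("user ids must be a non-empty list of strings")
    if body.get("attack_type") not in ATTACK_TYPES:
        raise ValueError("unexpected attack_type")
    score = body.get("score")
    # type() rather than isinstance(): bool is an int subclass in Python.
    if type(score) not in (int, float) or not 0 <= score <= 1:
        raise ValueError("score must be a number from 0 to 1")
    for key in ("rule_id", "action_name"):
        if not isinstance(body.get(key), str) or not body[key]:
            raise ValueError("missing or empty " + key)
    return {"kind": kind, "users": users, "score": float(score),
            "attack_type": body["attack_type"], "rule_id": body["rule_id"],
            "action_name": body["action_name"],
            "attack_patterns": body.get("attack_patterns") or [],
            "time": parse_timestamp(body.get("timestamp"))}
```

Any `ValueError` (including malformed JSON) should be treated as a rejected request, so no password reset or suspension runs on a body that fails validation.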