Webhook Payload Reference
This page documents every webhook payload format the Console delivers. The format used for a given delivery depends on the webhook_type configured on the destination. All payloads are sent as HTTP POST with Content-Type: application/json and a 10-second timeout.
If a signing_secret is configured, every delivery includes an X-Telovix-Signature: sha256=<hex> header computed as HMAC-SHA256 over the raw request body bytes.
Payload types
The Console generates different payloads depending on which event system produces the delivery:
| Source | Payload type |
|---|---|
| Alert rules (from runtime events) | AlertDeliveryPayload (generic, or platform-formatted for Slack/Discord/Teams/PagerDuty/OpsGenie/TheHive) |
| Saved search alerts | saved_search_match JSON envelope |
| Test deliveries | AlertDeliveryPayload with alert_kind: "test_delivery" |
| Trust alerts (certificate renewal, revocation) | AlertDeliveryPayload with trust-specific alert_kind |
Generic / fallback payload (alert rules)
Used when webhook_type is generic or any unrecognized string. The observe, huntress, and sumologic destinations also receive this format. Example URLs use port 15483 (the Telovix self-hosted default).
```json
{
  "version": "1",
  "alert_kind": "security_event",
  "severity": "high",
  "sensor_id": "sensor_3Tz8mQkLpNvXa1Yw",
  "node_name": "upf-prod-01",
  "trust_health": "not_applicable",
  "headline": "detect-priv-esc fired on upf-prod-01",
  "detail": "Process /opt/open5gs/bin/upf called setuid to root",
  "occurred_at": "2026-04-26T14:22:00Z",
  "delivered_at": "2026-04-26T14:22:01Z",
  "source": "security_event",
  "event_kind": "privilege_change",
  "rule_name": "detect-priv-esc",
  "message": "Process /opt/open5gs/bin/upf called setuid to root",
  "process": "/opt/open5gs/bin/upf",
  "parent_executable": "/bin/systemd",
  "mitre_technique": "T1548",
  "mitre_tactic": "privilege-escalation",
  "observed_at": "2026-04-26T14:22:00Z",
  "declared_role": "upf",
  "os_name": "Ubuntu",
  "os_version": "22.04",
  "architecture": "x86_64",
  "kernel_version": "5.15.0-91-generic",
  "tags": ["site:oslo", "plmn:242-01"],
  "is_contained": false,
  "group_ids": [],
  "related_event_count": 3,
  "k8s_namespace": "5g-core",
  "pod_name": "upf-0",
  "workload_type": "StatefulSet",
  "workload_name": "upf",
  "container_id": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
  "ancestors": "[{\"pid\":1,\"comm\":\"systemd\"}]",
  "telecom_protocol_family": "PFCP",
  "telecom_interface_context": "N4",
  "telecom_transport_context": "UDP/8805",
  "alert_inbox_url": "https://console.example.com:15483/alerts"
}
```
Generic payload field reference
All timestamps are RFC3339. Optional fields are omitted when null.
| Field | Always present | Description |
|---|---|---|
| version | Yes | Schema version. Currently "1". |
| alert_kind | Yes | "security_event" for alert rule deliveries, "test_delivery" for test deliveries, trust alert kinds for trust events |
| severity | Yes | "info", "warning", "high", or "critical" |
| sensor_id | Yes | Sensor identifier |
| node_name | Yes | Sensor display name |
| trust_health | Yes | Trust health of the sensor at delivery time, or "not_applicable" for security event deliveries |
| headline | Yes | Short human-readable summary |
| detail | Yes | Longer description |
| occurred_at | Yes | When the event occurred |
| delivered_at | Yes | When this delivery was sent |
| source | Yes | Internal source identifier ("security_event", "v2_api_test", etc.) |
| event_kind | No | Runtime event kind that triggered the alert |
| rule_name | No | Alert rule name |
| message | No | Full event message |
| process | No | Process binary path |
| parent_executable | No | Parent process binary path |
| mitre_technique | No | MITRE ATT&CK technique ID |
| mitre_tactic | No | MITRE ATT&CK tactic |
| observed_at | No | When the underlying event was observed |
| declared_role | No | NF role of the sensor (telecom flavor) |
| os_name | No | Operating system name |
| os_version | No | Operating system version |
| architecture | No | CPU architecture |
| kernel_version | No | Kernel version string |
| tags | No | Sensor tags (omitted if empty) |
| is_contained | Yes | Whether the sensor is in containment mode |
| group_ids | No | Sensor group IDs (omitted if empty) |
| related_event_count | No | Count of related events in the detection window |
| k8s_namespace | No | Kubernetes namespace |
| pod_name | No | Kubernetes pod name |
| workload_type | No | Kubernetes workload type |
| workload_name | No | Kubernetes workload name |
| container_id | No | Container ID |
| ancestors | No | JSON-encoded process ancestor chain |
| telecom_protocol_family | No | Telecom protocol (e.g., "PFCP", "NGAP") |
| telecom_interface_context | No | Telecom interface context (e.g., "N4") |
| telecom_transport_context | No | Telecom transport context (e.g., "UDP/8805") |
| alert_inbox_url | Yes | URL to the alert in the Console Alert Inbox |
Slack payload
For webhook_type: "slack". Uses Slack Block Kit format. The signing secret is applied the same way as the generic format.
```json
{
  "text": "🚨 detect-priv-esc - upf-prod-01",
  "blocks": [
    {
      "type": "header",
      "text": { "type": "plain_text", "text": "🚨 detect-priv-esc" }
    },
    {
      "type": "section",
      "fields": [
        { "type": "mrkdwn", "text": "*Sensor:*\nupf-prod-01" },
        { "type": "mrkdwn", "text": "*Role:*\nupf" },
        { "type": "mrkdwn", "text": "*Event:*\nprivilege_change" },
        { "type": "mrkdwn", "text": "*Process:*\n/opt/open5gs/bin/upf" },
        { "type": "mrkdwn", "text": "*Severity:*\nhigh" },
        { "type": "mrkdwn", "text": "*OS:*\nUbuntu 22.04 (x86_64)" }
      ]
    },
    {
      "type": "section",
      "text": { "type": "mrkdwn", "text": "Process /opt/open5gs/bin/upf called setuid to root" }
    },
    {
      "type": "context",
      "elements": [{ "type": "mrkdwn", "text": "Telovix Console • 2026-04-26T14:22:00Z • <https://console.example.com:15483/alerts|View in Inbox>" }]
    }
  ]
}
```
Optional fields (MITRE, Tags, Parent, Telecom Context, K8s Context, Related (window)) are appended as additional section fields when present.
Discord payload
For webhook_type: "discord". Uses Discord Embed format.
```json
{
  "content": "🚨 **detect-priv-esc** on `upf-prod-01`",
  "embeds": [{
    "title": "privilege_change",
    "description": "Process /opt/open5gs/bin/upf called setuid to root",
    "color": 15548997,
    "fields": [
      { "name": "Sensor", "value": "upf-prod-01", "inline": true },
      { "name": "Role", "value": "upf", "inline": true },
      { "name": "Process", "value": "/opt/open5gs/bin/upf", "inline": true },
      { "name": "Severity", "value": "high", "inline": true },
      { "name": "OS", "value": "Ubuntu 22.04 (x86_64)", "inline": true }
    ],
    "timestamp": "2026-04-26T14:22:00Z",
    "url": "https://console.example.com:15483/alerts"
  }]
}
```
The embed color 15548997 is a fixed red (#ED4245). Optional fields (Parent Process, Telecom Context, Tags, MITRE, Related, K8s, Inbox URL) are appended as additional embed fields when present.
Microsoft Teams payload
For webhook_type: "teams". Uses MessageCard format.
```json
{
  "@type": "MessageCard",
  "@context": "http://schema.org/extensions",
  "themeColor": "FF0000",
  "summary": "detect-priv-esc - upf-prod-01",
  "sections": [{
    "activityTitle": "🚨 detect-priv-esc",
    "activitySubtitle": "Sensor: upf-prod-01",
    "facts": [
      { "name": "Event Kind", "value": "privilege_change" },
      { "name": "Role", "value": "upf" },
      { "name": "Process", "value": "/opt/open5gs/bin/upf" },
      { "name": "Message", "value": "Process /opt/open5gs/bin/upf called setuid to root" },
      { "name": "Severity", "value": "high" },
      { "name": "OS", "value": "Ubuntu 22.04 (x86_64)" },
      { "name": "Observed", "value": "2026-04-26T14:22:00Z" }
    ]
  }]
}
```
Optional fields (Parent Process, Telecom, Tags, MITRE, Related, Namespace, Workload, Pod, Container, Inbox URL) are appended as additional facts when present.
PagerDuty payload
For webhook_type: "pagerduty". Uses PagerDuty Events API v2 format. The signing_secret field on the destination is used as the routing_key. No X-Telovix-Signature header is sent for PagerDuty.
```json
{
  "routing_key": "<pd-routing-key>",
  "event_action": "trigger",
  "dedup_key": "telovix-{rule_id}-{sensor_id}",
  "payload": {
    "summary": "detect-priv-esc fired on upf-prod-01: Process /opt/open5gs/bin/upf called setuid...",
    "severity": "error",
    "source": "upf-prod-01",
    "timestamp": "2026-04-26T14:22:00Z",
    "component": "privilege_change",
    "group": "upf",
    "class": "detect-priv-esc",
    "custom_details": {
      "event_kind": "privilege_change",
      "process": "/opt/open5gs/bin/upf",
      "message": "...",
      "declared_role": "upf",
      "is_contained": false,
      "mitre_technique": "T1548"
    }
  },
  "links": [
    { "href": "https://console.example.com:15483/alerts", "text": "View in Telovix Alert Inbox" }
  ]
}
```
PagerDuty severity mapping: critical - "critical", high - "error", medium - "warning", low (and all others) - "info".
The summary field is truncated to 1024 characters.
OpsGenie payload
For webhook_type: "opsgenie". The signing_secret field is used as the GenieKey API key in the Authorization header. No X-Telovix-Signature header is sent.
```json
{
  "message": "detect-priv-esc - upf-prod-01",
  "description": "Process /opt/open5gs/bin/upf called setuid to root",
  "alias": "telovix-{rule_id}-{sensor_id}",
  "responders": [],
  "visibleTo": [],
  "tags": ["privilege_change", "high", "telovix", "site:oslo"],
  "details": {
    "event_kind": "privilege_change",
    "process": "/opt/open5gs/bin/upf",
    "declared_role": "upf",
    "is_contained": false
  },
  "priority": "P2",
  "source": "Telovix Console",
  "entity": "upf-prod-01",
  "actions": ["Acknowledge", "Close"]
}
```
OpsGenie priority mapping: critical - P1, high - P2, medium - P3, low - P4, others - P5.
The message field is truncated to 130 characters. The description field is truncated to 15000 characters. Tags include the event kind, severity, "telovix", sensor tags, and telecom protocol family when present.
TheHive payload
For webhook_type: "thehive". Creates a TheHive v5 alert via POST {target_url}/api/v1/alert. The signing_secret field is used as the Bearer API token. No X-Telovix-Signature header is sent.
```json
{
  "type": "telovix-alert",
  "source": "telovix",
  "sourceRef": "telovix-{rule_id}-{sensor_id}",
  "title": "detect-priv-esc - upf-prod-01",
  "description": "**Rule:** detect-priv-esc\n**Sensor:** upf-prod-01\n**Event kind:** privilege_change\n**Severity:** high\n**Message:** ...\n**Observed at:** 2026-04-26T14:22:00Z\n\n[View in Telovix Alert Inbox](https://...)",
  "severity": 3,
  "date": 1745676120000,
  "tags": ["telovix", "privilege_change", "high"],
  "tlp": 1,
  "pap": 1
}
```
TheHive severity mapping: critical - 4, high - 3, medium - 2, others - 1.
The date field is a Unix timestamp in milliseconds. The title is truncated to 512 characters. tlp and pap are fixed at 1 (GREEN).
Saved search match payload
Generated when a saved search alert threshold is crossed. The format is the same regardless of webhook_type.
```json
{
  "version": "1",
  "alert_kind": "saved_search_match",
  "search_id": "<saved_search_id>",
  "search_name": "UPF network anomalies",
  "match_count": 15,
  "window_secs": 3600,
  "threshold": 10,
  "triggered_at": "2026-04-26T14:22:00Z",
  "event_search_url": "https://console.example.com:15483/events?saved_search_id=<id>"
}
```
For slack destinations, the saved search alert uses a Slack Block Kit format with a button linking to the event search URL.
Signature verification
When a signing_secret is configured, the X-Telovix-Signature header is present on every delivery (except PagerDuty, OpsGenie, and TheHive, which use the signing_secret for authentication instead).
```
X-Telovix-Signature: sha256=<hex-encoded-hmac-sha256>
```
The signature is HMAC-SHA256 computed over the raw request body bytes using the signing_secret. Always compute the HMAC over the raw body buffer before JSON parsing.
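As an added example (not code from this page or from Telovix), a receiver-side check in Python that applies the rule above: HMAC the raw body bytes, compare in constant time, and only then parse and validate the fields the generic and saved_search_match references mark as always present. The secret and the sample delivery are constructed placeholders.

```python
import hashlib
import hmac
import json
from typing import Optional
# Fields the generic payload reference marks "Always present".
REQUIRED_GENERIC = (
    "version", "alert_kind", "severity", "sensor_id", "node_name", "trust_health",
    "headline", "detail", "occurred_at", "delivered_at", "source", "is_contained",
    "alert_inbox_url",
)
# The saved_search_match envelope carries its own field set, not the generic one.
REQUIRED_SAVED_SEARCH = (
    "version", "alert_kind", "search_id", "search_name", "match_count",
    "window_secs", "threshold", "triggered_at", "event_search_url",
)

def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Return the X-Telovix-Signature value: sha256=<hex HMAC-SHA256 over raw bytes>."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, raw_body: bytes, header: Optional[str]) -> bool:
    """Check the header against the raw body bytes; a missing or malformed header fails closed.
    hmac.compare_digest keeps the comparison constant-time so response timing leaks nothing."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, raw_body), header)

def parse_delivery(secret: bytes, raw_body: bytes, header: Optional[str]) -> dict:
    """Verify first, parse second, then check the fields the page marks required."""
    if not verify_signature(secret, raw_body, header):
        raise ValueError("signature mismatch: delivery rejected")
    payload = json.loads(raw_body)  # the body is only parsed after the HMAC check
    if payload.get("version") != "1":
        raise ValueError(f"unsupported schema version {payload.get('version')!r}")
    kind = payload.get("alert_kind")
    required = REQUIRED_SAVED_SEARCH if kind == "saved_search_match" else REQUIRED_GENERIC
    missing = [f for f in required if f not in payload]
    if missing:
        raise ValueError(f"{kind} payload is missing required fields: {missing}")
    return payload

# Constructed sample delivery (not a real capture); the secret is a placeholder.
SECRET = b"example-signing-secret"
SAMPLE_BODY = json.dumps({
    "version": "1", "alert_kind": "test_delivery", "severity": "info",
    "sensor_id": "test", "node_name": "test-node", "trust_health": "healthy",
    "headline": "Telovix V2 API test delivery", "detail": "constructed sample",
    "occurred_at": "2026-04-26T14:22:00Z", "delivered_at": "2026-04-26T14:22:01Z",
    "source": "v2_api_test", "is_contained": False, "alert_inbox_url": "",
}).encode()
SAMPLE_HEADER = sign_body(SECRET, SAMPLE_BODY)
```

In a real handler, pass the request's raw body buffer to parse_delivery; re-serialising a parsed object would change the bytes and break the comparison.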
Test delivery payload
Sent by POST /api/v2/webhooks/{webhook_id}/test. Uses the generic payload format:
```json
{
  "version": "1",
  "alert_kind": "test_delivery",
  "severity": "info",
  "sensor_id": "test",
  "node_name": "test-node",
  "trust_health": "healthy",
  "headline": "Telovix V2 API test delivery",
  "detail": "This is a test webhook delivery from the Telovix V2 API.",
  "occurred_at": "<current_time>",
  "delivered_at": "<current_time>",
  "source": "v2_api_test",
  "is_contained": false,
  "alert_inbox_url": ""
}
```