Webhook Case Events
Case events are triggered whenever a case is created, updated, or changes state in RedCarbon. Each case event includes the full ticket object along with a log entry describing the specific change that occurred.
Case Event Structure
Every case event contains a ticketEvent field with the following structure:
{
"eventId": "evt_2fGh7kL9mNpQ",
"type": "ticket.created",
"customerId": "cktljin6l00030126t1juat7i",
"timestamp": "2026-02-18T12:00:04.739276Z",
"ticketEvent": {
"ticket": {
"ticketId": "case_cmlrzcozn01qj01e8ubn75hua",
"customerId": "cktljin6l00030126t1juat7i",
"tier": 1,
"assignedTo": "redbot.bot@redcarbon.ai",
"createdAt": "2026-02-18T12:00:04.739276Z",
"updatedAt": "2026-02-18T12:00:05.860653Z",
"status": "PROCESSING",
"description": "Possible Storm-0536 activity detected on one endpoint",
"title": "Possible Storm-0536 activity detected on one endpoint",
"severity": {
"value": 30,
"level": "MEDIUM"
},
"incidentId": "event_cmlrzcol500nx01xj7p6om3rq",
"firstClassification": "security_alert",
"origin": "microsoft-365-defender",
"category": "Initial Access",
"annotations": {
"annotations": {
"report/subject": {
"name": "report/subject",
"value": {
"value": "[case#cmlrzcozn01qj01e8ubn75hua] Possible Storm-0536 activity detected on one endpoint"
}
}
}
}
},
"log": {
"ticketId": "case_cmlrzcozn01qj01e8ubn75hua",
"timestamp": "2026-02-18T12:00:04.739276Z",
"created": {
"severity": {
"value": 30,
"level": "MEDIUM"
}
},
"customerId": "cktljin6l00030126t1juat7i",
"createdBy": "system"
}
}
}
| Field | Type | Description |
|---|---|---|
ticketEvent.ticket | object | The full Ticket object at the time of the event |
ticketEvent.log | object | The Log entry describing the change that triggered the event |
Ticket Object
The ticket field contains the full ticket data at the time of the event.
Fields with default values (0, empty strings, empty arrays, false) may be omitted from the payload.
| Field | Type | Description |
|---|---|---|
ticketId | string | Unique identifier for the case |
customerId | string | Customer the case belongs to |
tier | integer | Case tier level |
assignedTo | string (optional) | Analyst assigned to the case |
createdAt | string | ISO 8601 creation timestamp |
updatedAt | string | ISO 8601 last update timestamp |
closedAt | string (optional) | ISO 8601 closure timestamp |
status | string | Current case status (see CaseStatus) |
parentId | string (optional) | ID of the parent case |
closeNotes | string (optional) | Notes added when closing the case |
description | string | Case description |
title | string | Case title |
closedBy | string (optional) | User who closed the case |
severity | object | Severity object (see Severity below) |
incidentId | string | Associated incident ID |
firstClassification | string | Initial classification of the case |
spentTimeMin | integer | Time spent on the case in minutes |
tags | array | List of tags |
origin | string | Source integration of the case |
finalClassification | string (optional) | Final classification after investigation |
subscribers | array | List of subscriber identifiers |
mitre | array | Associated MITRE ATT&CK technique IDs |
category | string (optional) | Case category |
notificationListId | string (optional) | Associated notification list ID |
handledByAi | boolean | Whether the case was handled by AI |
annotations | object | Annotations attached to the case |
Severity
| Field | Type | Description |
|---|---|---|
value | integer | Numeric severity score |
level | string | Severity level: NOT_VALID, LOW, MEDIUM, HIGH, CRITICAL |
Log Entry
The log field describes the specific change that triggered the event. It always contains the following common fields:
| Field | Type | Description |
|---|---|---|
ticketId | string | The case that was modified |
timestamp | string | ISO 8601 timestamp of the change |
customerId | string | Customer the case belongs to |
createdBy | string | User or system that performed the action |
Additionally, the log contains one field specific to the event type (described below for each event).
Event Types
| Event Type | Description |
|---|---|
ticket.created | A new case is created |
ticket.updated | A case is updated (status, severity, tier, category, classification, spent time) |
ticket.assigned | A case is assigned to an analyst |
ticket.unassigned | A case is unassigned from an analyst |
ticket.closed | A case is closed |
ticket.reopened | A previously closed case is reopened |
ticket.escalated | A case is escalated |
ticket.notify | A notification is sent for a case |
ticket.parent.set | A case is linked to a parent case |
ticket.parent.unset | A case is unlinked from its parent case |
ticket.note.created | A note is added to a case |
ticket.report.change | A case report is created or updated |
ticket.comment.created | A comment is added to a case |