Webhook IOC Events

IOC (Indicator of Compromise) events are triggered when a new indicator is validated and created in RedCarbon.

IOC Event Structure

Every IOC event contains an iocEvent field with the following structure:

{
  "eventId": "evt_9Ht3Kw7Bn",
  "type": "ioc.created",
  "customerId": "cust_8xR3vB5nW",
  "timestamp": "2024-03-15T11:00:00Z",
  "iocEvent": {
    "indicator": "malicious-domain.example.com",
    "createdAt": "2024-03-15T11:00:00Z",
    "expiresAt": "2024-06-15T11:00:00Z",
    "type": "DOMAIN",
    "customerId": "cust_8xR3vB5nW",
    "validatedBy": "analyst@company.com"
  }
}

IOC Event Fields

| Field | Type | Description |
|-------|------|-------------|
| indicator | string | The indicator value (e.g., a domain name, IP address, email, or file hash) |
| createdAt | string | ISO 8601 timestamp of when the IOC was created |
| expiresAt | string | ISO 8601 timestamp of when the IOC expires |
| type | string | The type of indicator (see IOC Types below) |
| customerId | string | Customer the IOC belongs to |
| validatedBy | string | User who validated the IOC |

IOC Types

| Value | Description |
|-------|-------------|
| DOMAIN | A domain name (e.g., malicious-domain.example.com) |
| IP_ADDRESS | An IP address (e.g., 192.168.1.100) |
| EMAIL | An email address (e.g., attacker@malicious.com) |
| HASH | A file hash (e.g., SHA-256 hash of a malicious file) |

Examples

Domain IOC

{
  "eventId": "evt_9Ht3Kw7Bn",
  "type": "ioc.created",
  "customerId": "cust_8xR3vB5nW",
  "timestamp": "2024-03-15T11:00:00Z",
  "iocEvent": {
    "indicator": "malicious-domain.example.com",
    "createdAt": "2024-03-15T11:00:00Z",
    "expiresAt": "2024-06-15T11:00:00Z",
    "type": "DOMAIN",
    "customerId": "cust_8xR3vB5nW",
    "validatedBy": "analyst@company.com"
  }
}

IP Address IOC

{
  "eventId": "evt_4Lm8Rn2Qp",
  "type": "ioc.created",
  "customerId": "cust_8xR3vB5nW",
  "timestamp": "2024-03-15T12:30:00Z",
  "iocEvent": {
    "indicator": "203.0.113.42",
    "createdAt": "2024-03-15T12:30:00Z",
    "expiresAt": "2024-04-15T12:30:00Z",
    "type": "IP_ADDRESS",
    "customerId": "cust_8xR3vB5nW",
    "validatedBy": "analyst@company.com"
  }
}

Email IOC

{
  "eventId": "evt_6Wp1Ks5Tv",
  "type": "ioc.created",
  "customerId": "cust_8xR3vB5nW",
  "timestamp": "2024-03-15T13:45:00Z",
  "iocEvent": {
    "indicator": "attacker@malicious-phishing.com",
    "createdAt": "2024-03-15T13:45:00Z",
    "expiresAt": "2024-09-15T13:45:00Z",
    "type": "EMAIL",
    "customerId": "cust_8xR3vB5nW",
    "validatedBy": "analyst@company.com"
  }
}

File Hash IOC

{
  "eventId": "evt_2Jx7Gd4Mf",
  "type": "ioc.created",
  "customerId": "cust_8xR3vB5nW",
  "timestamp": "2024-03-15T15:10:00Z",
  "iocEvent": {
    "indicator": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "createdAt": "2024-03-15T15:10:00Z",
    "expiresAt": "2025-03-15T15:10:00Z",
    "type": "HASH",
    "customerId": "cust_8xR3vB5nW",
    "validatedBy": "analyst@company.com"
  }
}
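
Consumer-side validation

A receiver that feeds these events into a blocklist or SIEM should check each payload against the field and type tables above before acting on it. The following is an added example, not RedCarbon code: `parse_ioc_event`, the regular expressions, the accepted hash lengths, and the rule that the envelope and inner `customerId` must match are assumptions made for illustration.

```python
import ipaddress
import json
import re
from datetime import datetime, timezone

# Per-type syntax checks. Accepting MD5/SHA-1/SHA-256 hex lengths for HASH is an assumption.
DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", re.I)

def _is_ip(value):
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6
        return True
    except ValueError:
        return False

CHECKS = {"DOMAIN": lambda v: bool(DOMAIN_RE.fullmatch(v)), "IP_ADDRESS": _is_ip,
          "EMAIL": lambda v: bool(EMAIL_RE.fullmatch(v)), "HASH": lambda v: bool(HASH_RE.fullmatch(v))}

def _ts(value):
    if not isinstance(value, str):
        raise ValueError("timestamp missing")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_ioc_event(raw, now=None):
    """Validate an ioc.created payload; return a dict for downstream use or raise ValueError."""
    event = json.loads(raw)
    ioc = event.get("iocEvent") if isinstance(event, dict) else None
    if not isinstance(ioc, dict) or event.get("type") != "ioc.created":
        raise ValueError("not an ioc.created event")
    # Assumption: envelope and inner customerId agree, as in every example on the page.
    if ioc.get("customerId") != event.get("customerId"):
        raise ValueError("customerId mismatch between envelope and iocEvent")
    kind, value = ioc.get("type"), ioc.get("indicator")
    if kind not in CHECKS or not isinstance(value, str) or not CHECKS[kind](value):
        raise ValueError("indicator does not match its declared type")
    created, expires = _ts(ioc.get("createdAt")), _ts(ioc.get("expiresAt"))
    if expires <= created:
        raise ValueError("expiresAt is not after createdAt")
    now = now or datetime.now(timezone.utc)
    return {"eventId": event.get("eventId"), "type": kind, "indicator": value,
            "expiresAt": expires, "active": expires > now}  # skip inactive IOCs downstream

# Sample input: the page's Domain IOC example (validatedBy omitted for brevity).
SAMPLE = json.dumps({"eventId": "evt_9Ht3Kw7Bn", "type": "ioc.created", "customerId": "cust_8xR3vB5nW",
    "iocEvent": {"indicator": "malicious-domain.example.com", "createdAt": "2024-03-15T11:00:00Z",
                 "expiresAt": "2024-06-15T11:00:00Z", "type": "DOMAIN", "customerId": "cust_8xR3vB5nW"}})
```

The `active` flag lets a consumer drop events that arrive after `expiresAt`, for example on a delayed redelivery.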