Skip to content
English
Contact Support Customer portal Sign in
Go to netrise.io
  • There are no suggestions because the search field is empty.

Webhook Notifications Guide

NetRise Webhook Notifications

This document describes the structure and behavior of NetRise webhook notifications. Webhooks deliver real-time activity events from your NetRise organization to a configured HTTP endpoint.

 

Configuring Webhooks

Webhook configuration is managed from within the NetRise Turbine platform. You must have administrator permissions to create, edit, or delete webhooks.

Finding the Webhooks Page

  1. Click Settings (gear icon) in the left sidebar navigation.
  2. Select the Webhooks tab along the top of the Settings page.

This page displays all configured webhooks for your organization along with their name, payload URL, subscribed event count, last updated timestamp, the user who last modified them, and an enabled/disabled toggle.

Creating a Webhook

  1. Click the + Add webhook button in the top-right corner of the Webhooks page.
  2. Fill in the following fields:
Field Description
Name A human-readable label for this webhook (e.g., "SIEM Ingestion" or "Slack Vulnerability Alerts").
Payload URL The HTTP endpoint that will receive POST requests. This must be a publicly reachable URL that accepts JSON payloads.
Activities to send Select one or more event types from the dropdown. Only selected activity types will trigger deliveries to this webhook.
  1. Click Add to save the webhook.

Overview

Each webhook delivery is a JSON payload containing three top-level objects:

Field Type Description
configuration object The notification rule that triggered this delivery
activities array One or more activity events included in this delivery
service object Platform service URLs for linking back to the NetRise UI

All webhook deliveries are real-time. A single delivery may contain multiple activities when they originate from the same triggering operation (e.g., a single analysis run updating many vulnerabilities at once). These related activities share a correlationId.

Service Object

The service block is included with every delivery and provides URLs for linking back to the NetRise platform.

Field Type Description
url.web string Base URL for the NetRise web UI (e.g., https://app.netrise.io)
url.apollo string Base URL for the NetRise GraphQL API

These URLs can be used to construct deep links to specific assets, vulnerabilities, or other entities referenced in the activities.

Configuration Object

The configuration block is included with every delivery and describes the notification rule.

Field Type Description
id string (UUID) Unique identifier for this notification configuration
type string Scope of the notification. NOTIFICATION_TYPE_ORGANIZATION indicates org-wide
channel string Delivery mechanism. NOTIFICATION_CHANNEL_WEBHOOK for HTTP POST
inventoryScopes array Defines which inventory is in scope. { "organization": true } means all assets in the org
activityScopes array List of activity types this notification subscribes to
createdTime string (ISO 8601) When the notification configuration was created
updatedTime string (ISO 8601) When the configuration was last modified
updatedBy string Email of the user who last modified the configuration
name string Human-readable name for this notification
inventoryScopesCount integer Number of inventory scopes configured
activityScopesCount integer Number of activity types subscribed to
webhook object Webhook-specific settings
webhook.url string The destination URL receiving the POST

Subscribable Activity Types

The activityScopes array defines which event types trigger a delivery. The full set of available types:

Activity Type Category Description
ASSET_ACTIVITY_TYPE_VULNERABILITY_ADDED Vulnerability A new CVE was identified on an asset
ASSET_ACTIVITY_TYPE_VULNERABILITY_UPDATED Vulnerability An existing vulnerability's metadata changed
ASSET_ACTIVITY_TYPE_VULNERABILITY_REMEDIATED Vulnerability A vulnerability was marked as remediated (VEX)
ASSET_ACTIVITY_TYPE_VULNERABILITY_REMOVED Vulnerability A vulnerability was removed from an asset
ASSET_ACTIVITY_TYPE_MISCONFIG_CHANGED Misconfiguration A configuration check result changed
ASSET_ACTIVITY_TYPE_IDENTIFICATION_ADDED Identification A new software identification was added
ASSET_ACTIVITY_TYPE_IDENTIFICATION_REMOVED Identification A software identification was removed
ASSET_ACTIVITY_TYPE_ASSET_CREATED Asset A new asset was uploaded/created
ASSET_ACTIVITY_TYPE_ASSET_UPDATED Asset Asset metadata was modified
ASSET_ACTIVITY_TYPE_ASSET_RISK_CHANGED Asset The asset's risk score or category changed
ASSET_ACTIVITY_TYPE_ASSET_ANALYSIS_COMPLETED Asset Asset analysis finished processing
ASSET_ACTIVITY_TYPE_ASSET_GROUP_ADDED Asset An asset was added to a group
ASSET_ACTIVITY_TYPE_ASSET_GROUP_REMOVED Asset An asset was removed from a group
ASSET_ACTIVITY_TYPE_GROUP_CREATED Group A new asset group was created
ASSET_ACTIVITY_TYPE_GROUP_UPDATED Group A group's metadata was modified
ASSET_ACTIVITY_TYPE_GROUP_DELETED Group A group was deleted
ASSET_ACTIVITY_TYPE_GROUP_MEMBERSHIP_CHANGED Group Group membership was modified
ASSET_ACTIVITY_TYPE_SECRET_REMEDIATED Secret A detected secret was remediated
ASSET_ACTIVITY_TYPE_ORG_SETTINGS_UPDATED Organization Organization-level settings were changed
ASSET_ACTIVITY_TYPE_LICENSE_ISSUE_REMEDIATED License A license compliance issue was remediated

Activity Object (Common Fields)

Every activity in the activities array shares these base fields:

Field Type Description
auditLogId string (UUID) Unique identifier for this specific activity record
correlationId string (UUID) Groups related activities from the same operation. All activities triggered by a single event (e.g., one analysis run) share this ID
activityTime string (ISO 8601) Timestamp of when the activity occurred
orgId string Organization identifier
orgName string Human-readable organization name
assetId string The asset this activity pertains to
assetName string Human-readable asset name (filename or display name)
entityType string The type of entity affected (see below)
activityType string The specific activity type (matches the subscription types above)
activityUser string (Optional) Email of the user who triggered the activity. Present for user-initiated actions (e.g., uploads, remediations); absent for system-triggered events (e.g., EPSS refresh)
userReason string (Optional) User-supplied reason for the action. Present on user-initiated activities like remediations

Entity Types

Entity Type Used By
ACTIVITY_ENTITY_TYPE_ASSET Asset created, updated, risk changed, analysis completed, group membership
ACTIVITY_ENTITY_TYPE_VULNERABILITY Vulnerability added, updated, removed, remediated
ACTIVITY_ENTITY_TYPE_MISCONFIGURATION Misconfiguration changed
ACTIVITY_ENTITY_TYPE_IDENTIFICATION Identification added/removed

Activity Type Details

Vulnerability Updated

Activity type: ASSET_ACTIVITY_TYPE_VULNERABILITY_UPDATED Entity type: ACTIVITY_ENTITY_TYPE_VULNERABILITY Payload key: vulnerabilityUpdated

Fired when metadata for an existing vulnerability changes. Common triggers include EPSS score refreshes, CVSS score assignments, severity reclassifications, exploit maturity updates, and known attack prevalence changes.

Field Type Description
identificationId string The software identification (component) where this CVE was found
cveId string The CVE identifier (e.g., CVE-2024-1086)
entityUpdates array List of field-level changes

Each entry in entityUpdates:

Field Type Description
field string The field that changed
previous string The prior value
current string The new value

Observed update fields:

Field Value Type Example Previous Example Current Notes
epss_score decimal string "0.7926700115203857" "0.8214600086212158" EPSS probability score (0–1)
cvss_score decimal string "0" "6.5" CVSS base score (0–10)
severity enum string "SEVERITY_NONE" "SEVERITY_MEDIUM" Severity category
exploit_maturity enum string "unproven" "poc" Exploit maturity level
exploit_prevalence integer string "0" "1" Whether exploits are observed in the wild
known_attack_prevalence integer string "510" "511" Count of known attack prevalence observations

Severity values: SEVERITY_NONE, SEVERITY_LOW, SEVERITY_MEDIUM, SEVERITY_HIGH, SEVERITY_CRITICAL

Exploit maturity values: unproven, poc, functional, high

Example:

 
 
json
{
  "auditLogId": "9b97824c-d1cf-4f34-af76-b3671323f561",
  "correlationId": "ea8ef95f-c405-43bd-baa6-ed64a9469aaa",
  "activityTime": "2026-05-12T22:14:27.984647Z",
  "orgId": "org_Pjw4doVth1Yl4j",
  "assetId": "GZ1LDaDubjwIIAqoTUNLK_n9x1S-sn9lqUdxc09l2Q",
  "entityType": "ACTIVITY_ENTITY_TYPE_VULNERABILITY",
  "activityType": "ASSET_ACTIVITY_TYPE_VULNERABILITY_UPDATED",
  "orgName": "Netrise Inc.",
  "assetName": "dotnet-sdk-9.0.304-win-x64.zip",
  "vulnerabilityUpdated": {
    "identificationId": "Xz06iEe6aLEAkCfhY5qtOg",
    "cveId": "CVE-2024-29059",
    "entityUpdates": [
      {
        "field": "known_attack_prevalence",
        "previous": "510",
        "current": "511"
      }
    ]
  }
}

Vulnerability Added

Activity type: ASSET_ACTIVITY_TYPE_VULNERABILITY_ADDED Entity type: ACTIVITY_ENTITY_TYPE_VULNERABILITY Payload key: vulnerabilityAdded

Fired when a new CVE is discovered on an asset, typically after initial analysis or when a new CVE is published that matches a component already in the asset's SBOM.

Field Type Description
identificationId string The software identification (component) where this CVE was found
cveId string The CVE identifier
entity object Vulnerability metadata at time of discovery
entity.severity string Severity classification (e.g., SEVERITY_MEDIUM, SEVERITY_HIGH)
entity.cvssScore number CVSS base score (0–10). Absent or 0 if not yet assigned
entity.exploitMaturity string Exploit maturity level (e.g., unproven, poc, functional, high)

Note: A single analysis may produce many VULNERABILITY_ADDED activities for the same asset — one per CVE per affected component. These will share the same correlationId.

Example:

 
 
json
{
  "auditLogId": "b0bfd8a8-c155-4a46-a4c7-ca47f752f977",
  "correlationId": "ea8ef95f-c405-43bd-baa6-ed64a9469aaa",
  "activityTime": "2026-05-12T22:14:27.952198Z",
  "orgId": "org_PIw4doVtah1Yl4j",
  "assetId": "GZ1LDaDubjwIIAqoTUNLK_n9x1S-sn9lqUdxc09l2Q",
  "entityType": "ACTIVITY_ENTITY_TYPE_VULNERABILITY",
  "activityType": "ASSET_ACTIVITY_TYPE_VULNERABILITY_ADDED",
  "orgName": "Netrise Inc.",
  "assetName": "dotnet-sdk-9.0.304-win-x64.zip",
  "vulnerabilityAdded": {
    "identificationId": "Xz06iEe6aLEAkCfhY5qtOg",
    "cveId": "CVE-2026-32226",
    "entity": {
      "severity": "SEVERITY_MEDIUM",
      "cvssScore": 5.9,
      "exploitMaturity": "unproven"
    }
  }
}

Vulnerability Removed

Activity type: ASSET_ACTIVITY_TYPE_VULNERABILITY_REMOVED Entity type: ACTIVITY_ENTITY_TYPE_VULNERABILITY Payload key: vulnerabilityRemoved

Fired when a vulnerability is removed from an asset, typically after re-analysis determines the CVE no longer applies (e.g., the affected component was updated or the CVE was retracted).

Field Type Description
identificationId string The software identification (component) the CVE was previously associated with
cveId string The CVE identifier being removed
entity object Vulnerability metadata at time of removal
entity.severity string Severity classification at time of removal
entity.cvssScore number CVSS base score at time of removal
entity.exploitMaturity string Exploit maturity level at time of removal

Note: A single re-analysis may produce many VULNERABILITY_REMOVED activities. The same CVE may appear multiple times if it was associated with different components (identificationId values) within the asset.

Example:

 
 
json
{
  "auditLogId": "d640d8cd-3404-4305-8dea-6a0e8d6b14b0",
  "correlationId": "ea8ef95f-c405-43bd-baa6-ed64a9469aaa",
  "activityTime": "2026-05-12T22:14:27.969714Z",
  "orgId": "org_PjIw4oVtah1Yl4j",
  "assetId": "GZ1LDaDubjwIIAqoTUNLK_n9x1S-sn9lqUdxc09l2Q",
  "entityType": "ACTIVITY_ENTITY_TYPE_VULNERABILITY",
  "activityType": "ASSET_ACTIVITY_TYPE_VULNERABILITY_REMOVED",
  "orgName": "Netrise Inc.",
  "assetName": "dotnet-sdk-9.0.304-win-x64.zip",
  "vulnerabilityRemoved": {
    "identificationId": "xXsBNfmlUqHaJ5a8CXe02g",
    "cveId": "CVE-2024-38095",
    "entity": {
      "severity": "SEVERITY_HIGH",
      "cvssScore": 7.5,
      "exploitMaturity": "unproven"
    }
  }
}

Vulnerability Remediated

Activity type: ASSET_ACTIVITY_TYPE_VULNERABILITY_REMEDIATED Entity type: ACTIVITY_ENTITY_TYPE_VULNERABILITY Payload key: vulnerabilityRemediated

Fired when a vulnerability is marked as remediated via a VEX (Vulnerability Exploitability eXchange) assessment. This is a user-initiated action — activityUser will be present.

Field Type Description
vulnerabilityId string The CVE identifier of the remediated vulnerability
cveId string The CVE identifier (same as vulnerabilityId)
componentName string Name of the affected component (e.g., .net, .net_framework)
componentVersion string Version of the affected component
componentVendor string Vendor of the affected component (e.g., microsoft)
vexData object VEX assessment details
vexData.status string VEX status applied to the vulnerability

VEX Status values: VEX_STATUS_FIXED, VEX_STATUS_NOT_AFFECTED, VEX_STATUS_UNDER_INVESTIGATION

Note: The userReason field on the common activity object may contain a justification provided by the user when applying the remediation. It may also be empty.

Example:

 
 
json
{
  "auditLogId": "3bcc3e2e-c130-4247-b861-bb6ac883b885",
  "correlationId": "1079227d-cbc0-4516-94f6-736ce41a9746",
  "activityTime": "2026-05-12T15:14:21.962426Z",
  "orgId": "org_jIw4doVth1Yl4j",
  "assetId": "gCUeZfzLbbmhO-pQcwiQpgjOBfNVvSLDUPrR-72NChc",
  "entityType": "ACTIVITY_ENTITY_TYPE_VULNERABILITY",
  "activityType": "ASSET_ACTIVITY_TYPE_VULNERABILITY_REMEDIATED",
  "activityUser": "colin.lernihan@netrise.io",
  "userReason": "",
  "orgName": "Netrise Inc.",
  "assetName": "dotnet-sdk-9.0.105-win-x64.exe",
  "vulnerabilityRemediated": {
    "vulnerabilityId": "CVE-2023-24897",
    "componentName": ".net",
    "componentVersion": "6.0.0",
    "componentVendor": "microsoft",
    "vexData": {
      "status": "VEX_STATUS_FIXED"
    },
    "cveId": "CVE-2023-24897"
  }
}

Asset Risk Changed

Activity type: ASSET_ACTIVITY_TYPE_ASSET_RISK_CHANGED Entity type: ACTIVITY_ENTITY_TYPE_ASSET Payload key: assetRiskChanged

Fired when an asset's computed risk score or risk category changes, such as after vulnerability updates shift the overall risk profile.

Field Type Description
assetType string The type of asset (e.g., ASSET_TYPE_BINARY)
name string Display name of the asset
vendor string Vendor/manufacturer of the asset
oldRisk object Previous risk state
oldRisk.category string Previous risk category (e.g., RISK_CATEGORY_SIGNIFICANT)
oldRisk.score number Previous numeric risk score
newRisk object Updated risk state
newRisk.category string New risk category
newRisk.score number New numeric risk score

Risk category values: RISK_CATEGORY_CRITICAL, RISK_CATEGORY_SIGNIFICANT, RISK_CATEGORY_MODERATE, RISK_CATEGORY_LOW, RISK_CATEGORY_MINIMAL

Note: oldRisk may be an empty object {} when the asset has just been analyzed for the first time.

Example:

 
 
json
{
  "auditLogId": "01fdc2c3-44c5-4b08-9f7a-caff4a63ef40",
  "correlationId": "463b6675-0b87-4a7b-8dd2-e7a1b5ac515f",
  "activityTime": "2026-05-01T21:40:03.885712Z",
  "orgId": "org_jIw4doVt1Yl4j",
  "assetId": "60Fqlh4prybGsJsq-uU_lDb_BybYZVuWhdHA9Dj2M8k",
  "entityType": "ACTIVITY_ENTITY_TYPE_ASSET",
  "activityType": "ASSET_ACTIVITY_TYPE_ASSET_RISK_CHANGED",
  "orgName": "Netrise Inc.",
  "assetName": "dumpfile.elf",
  "assetRiskChanged": {
    "assetType": "ASSET_TYPE_BINARY",
    "name": "dumpfile.elf",
    "vendor": "Ubuntu",
    "oldRisk": {
      "category": "RISK_CATEGORY_SIGNIFICANT",
      "score": 6.139
    },
    "newRisk": {
      "category": "RISK_CATEGORY_SIGNIFICANT",
      "score": 6.287
    }
  }
}

Asset Created

Activity type: ASSET_ACTIVITY_TYPE_ASSET_CREATED Entity type: ACTIVITY_ENTITY_TYPE_ASSET Payload key: assetCreated

Fired when a new asset is uploaded to the platform. This is always a user-initiated action, so activityUser will be present.

Field Type Description
assetType string The type of asset (e.g., ASSET_TYPE_BINARY)
name string Display name / filename of the asset
vendor string (Optional) Vendor/manufacturer, if set at upload time

Example:

 
 
json
{
  "auditLogId": "2fa06ed7-64b9-493b-b1e9-659c795020cd",
  "correlationId": "f8cbe099-4c44-4617-83d7-a82a1545a1e2",
  "activityTime": "2026-05-12T22:04:18.094856Z",
  "orgId": "org_jIw4doVt1Yl4j",
  "assetId": "rGZ1LDaDubjwIIAqoTUNLK_n9x1S-sn9lqUdxc09l2Q",
  "entityType": "ACTIVITY_ENTITY_TYPE_ASSET",
  "activityType": "ASSET_ACTIVITY_TYPE_ASSET_CREATED",
  "activityUser": "colin.lernihan@netrise.io",
  "orgName": "Netrise Inc.",
  "assetName": "dotnet-sdk-9.0.304-win-x64.zip",
  "assetCreated": {
    "assetType": "ASSET_TYPE_BINARY",
    "name": "dotnet-sdk-9.0.304-win-x64.zip"
  }
}

Asset Analysis Completed

Activity type: ASSET_ACTIVITY_TYPE_ASSET_ANALYSIS_COMPLETED Entity type: ACTIVITY_ENTITY_TYPE_ASSET Payload key: assetAnalysisCompleted

Fired when the platform finishes analyzing (or re-analyzing) an asset. Typically followed by VULNERABILITY_ADDED and MISCONFIG_CHANGED activities.

Field Type Description
assetId string The asset that was analyzed
revision integer The analysis revision number. 1 for the initial analysis; increments on re-analysis

Example:

 
 
json
{
  "auditLogId": "47818821-6ae1-4709-a0e3-0730e54d07c1",
  "correlationId": "6ab6445f-6e9a-42fd-a192-5fb3f3f119df",
  "activityTime": "2026-05-12T22:14:26.997817Z",
  "orgId": "org_jIw4doVtaYl4j",
  "assetId": "rGZ1LDaDubjwIIAqoTUNLK_n9x1S-sn9lqUdxc09l2Q",
  "entityType": "ACTIVITY_ENTITY_TYPE_ASSET",
  "activityType": "ASSET_ACTIVITY_TYPE_ASSET_ANALYSIS_COMPLETED",
  "orgName": "Netrise Inc.",
  "assetName": "dotnet-sdk-9.0.304-win-x64.zip",
  "assetAnalysisCompleted": {
    "assetId": "rGZ1LDaDubjwIIAqoTUNLK_n9x1S-sn9lqUdxc09l2Q",
    "revision": 4
  }
}

Misconfiguration Changed

Activity type: ASSET_ACTIVITY_TYPE_MISCONFIG_CHANGED Entity type: ACTIVITY_ENTITY_TYPE_MISCONFIGURATION Payload key: misconfigChanged

Fired when a configuration check result changes, typically after an analysis completes.

Field Type Description
checkId string Identifier of the configuration check
checkName string Human-readable name of the check
previousResult string Prior pass/fail state
currentResult string New pass/fail state

Behavioral Notes

Correlation IDs

The correlationId links activities that result from the same triggering operation. For example, when EPSS scores are refreshed across all assets, each asset's updates are delivered with a shared correlationId, and each CVE update is a separate activity within that delivery.

Duplicate CVEs Across Identifications

A single CVE may appear multiple times within the same delivery if it affects multiple software components (identifications) within the same asset. Each occurrence will have a distinct identificationId but the same cveId. This is expected — the vulnerability exists in multiple places within the asset.

Event Ordering

Activities within a delivery are ordered by activityTime. The activityTime values may have sub-second differences.

Initial Analysis Flow

When a new asset is uploaded and analyzed, the typical event sequence is:

  1. ASSET_CREATED — the asset is uploaded (user-initiated, includes activityUser)
  2. ASSET_ANALYSIS_COMPLETED — analysis finishes (revision 1)
  3. VULNERABILITY_ADDED — one per CVE per component (often hundreds in a single delivery), each including severity, CVSS score, and exploit maturity
  4. MISCONFIG_CHANGED — one per configuration check
  5. ASSET_RISK_CHANGED — the computed risk score is assigned (with oldRisk as empty {})

Re-Analysis Flow

When an asset is re-analyzed (e.g., due to updated component data or manual re-submission):

  1. ASSET_ANALYSIS_COMPLETED — revision increments (e.g., revision  greater than 1)
  2. VULNERABILITY_ADDED — newly discovered CVEs, with full severity/CVSS/exploit metadata
  3. VULNERABILITY_REMOVED — CVEs that no longer apply, with severity/CVSS/exploit metadata at time of removal
  4. ASSET_RISK_CHANGED — risk score updated based on the new vulnerability profile

Ongoing Monitoring Flow

After initial analysis, ongoing events are typically triggered by external data updates:

  • EPSS refreshes produce VULNERABILITY_UPDATED activities with epss_score changes across many assets simultaneously
  • New CVE data (CVSS scores, severity assignments, exploit maturity changes) produce VULNERABILITY_UPDATED activities with multiple entityUpdates per activity
  • Known attack prevalence updates produce VULNERABILITY_UPDATED activities with known_attack_prevalence field changes
  • User-initiated remediations produce VULNERABILITY_REMEDIATED activities with full component context and VEX status

 

Turbine Asset Deep Links

You can link directly to any tab within an asset's detail view in Turbine using the following URL pattern:

 
 
https://turbine.netrise.io/assets/{assetId}%7C0/{tab}

Replace {assetId} with the asset's unique identifier and {tab} with one of the available tab paths below.

Available Tabs

Tab Path
Summary /Summary
Vulnerabilities /Vulnerabilities
SBOM /SBOM
Misconfigurations /Misconfigurations
Binaries /Binaries
Certificates /Cryptography/Certificates
Public Keys /Cryptography/Public%20Keys
Private Keys /Cryptography/Private%20Keys
Detected Hashes /Credentials/Detected%20Hashes
User Accounts /Credentials/User%20Accounts
Exposed Secrets /Credentials/Exposed%20Secrets
License Issues /License%20Issues
File System /File%20System?filePath=%2Fdata

Example

For an asset with ID lssj1Q9MS5mkCsdXRDe3KzYJ44eyv1jP7122pvHZQBY, the link to its Vulnerabilities tab would be:

 
 
https://turbine.netrise.io/assets/lssj1Q9MS5mkCsdXRDe3KzYJ44eyv1jP7122pvHZQBY%7C2/Vulnerabilities

Notes

  • The %7C0 suffix after the asset ID is required — it is the URL-encoded form of |2.
  • Tab paths with spaces use standard URL encoding (e.g., Public%20Keys, License%20Issues).
  • The File System tab accepts a filePath query parameter to open directly to a specific directory.
Real person here 👉