Account DefenderAccount Defender Actions

HTTP Client actions

HTTP Client actions let you automatically send incident information through an API request to your organization when conditions in your Policy Rules are met. Once your team receives the request, you can choose how to handle the incident based on the request.

This feature requires your organization to create an API endpoint that HUMAN can send a request to.

Prerequisites

  • An endpoint for HUMAN to send the request to.

  • An HTTP integration, which you can access from Platform Settings > Integrations > HTTP. For more information, see our help article.

  • An existing Account Defender policy rule to add the action to. See Create Account Defender policy rules for more information.

Set up HTTP Client Actions

To set up, you need to:

  1. Create a Client action
  2. Add an action to a Policy Rule

Create an HTTP Client action

Once you have connected your API endpoint with HUMAN’s HTTP integration, you must create a new HTTP Client action for HUMAN to take whenever a Policy Rule’s conditions are met.

  1. Navigate to Account Defender > Settings > Action Settings.
  2. Select Add Action.
  3. Complete the following fields:
    • Action name: The name that will appear for the action throughout the HUMAN console.
    • Action type: The type of mitigation action you want to trigger with this action.
    • Cooldown duration: The length of time Account Defender should wait to trigger this action each time it detects a match on the rule it’s assigned to.
    • Duration unit: The unit of time for the cooldown.
    • Application data source: The application the action will be available on.
    • Event type: The type of event the action will be triggered by.
    • Integration: Select the HTTP integration to be triggered by the action.
    • Field selection: Select any additional fields you want to include in HUMAN’s request body. The available fields are determined by the Event type you selected. Default fields are required and cannot be removed. You can review the definitions per field in Client Action request fields definitions and examples per event type in Request examples.
  4. Review the sample request body and select Send test request to test the action.
  5. Once you’re satisfied with your settings, select Save changes.

Next, be sure to add your Action to a Policy Rule so it triggers automatically.

Add an HTTP action to a Policy Rule

Once you have created an HTTP Client action, we recommend adding it to a Policy Rule so you can automate when a request is sent to your organization.

  1. Navigate to Account Defender > Policies > Policy Rules.
  2. Select Create new rule or select an existing rule to edit it.
    3.Select Actions and navigate to API-based actions, which should display your HTTP Client Actions.
  3. In the Then section, drag and drop the HTTP Client Action that should be triggered when the If condition is met.
  4. Select Save.

Your Policy Rule has been updated with your action. Now, whenever your rule is triggered, HUMAN will send a request to your specified endpoint with the fields you selected while creating the action.

HTTP Client action request fields definitions

You can customize the sent request body. The available fields for single and network events are slightly different.

Default fields

Default fields are required and cannot be removed.

FieldEvent typeDescriptionType
action_nameSingle, NetworkThe name of the action configured in the policy rule.String
attack_patternsSingleInformation about the patterns associated with the attack.String
attack_typeSingle, NetworkThe type of detected attack. Can only be ato or fake_account.String
network_idNetworkThe unique identifier value of the network.String
network_typeNetworkThe unique identifier type of the network.String
rule_idSingle, NetworkThe ID of the Policy Rule that triggered the request.String
scoreSingle, NetworkThe severity score assigned to the incident, from 0 to 1.Float
timestampSingle, NetworkThe time of the incident in UTC. In YYY-MM-DDTHH:MM:SS.SSSZ format.String
user_idSingleThe ID of the user.String
user_idsNetworkThe IDs of the users in the network.Array

Non-default fields

FieldEvent typeDescriptionType
account_ageSingleThe age of the account part of the incident in days.String
asnSingleAutonomous system (Network)String
citySingleThe city from which the incident originated.String
countrySingleThe country from which the incident originated.String
custom_param1SingleA parameter with custom data sent by your organization.String
custom_param2SingleSee custom_param1.String
custom_param3SingleSee custom_param1.String
custom_param4SingleSee custom_param1.String
custom_param5SingleSee custom_param1.String
custom_param6SingleSee custom_param1.String
custom_param7SingleSee custom_param1.String
custom_param8SingleSee custom_param1.String
custom_param9SingleSee custom_param1.String
custom_param10SingleSee custom_param1.String
device_fingerprintSingleA fingerprint value that represents a device.String
emailSingleThe email associated with the account.String
ipSingleThe IP address from which the incident originated.String
ip_reputationSingleAn evaluation of the trustworthiness of an IP address.String
pathSingleThe application’s URL path that the incident occurred on.String
unnormalized_user_idSingleThe original user ID as it was sent by the customer in case of manipulation on HUMAN’s end.String
user_agentSingleThe user agent of the incident.String
vidSingleA visitor ID.String

Request examples

You can review request examples per event type below.

Single event request

1{
2    "user_id": "12345",
3    "score": 0.99,
4    "attack_type": "ato",
5    "attack_patterns": [
6        "non_withdrawing_account"
7    ],
8    "rule_id": "cfa7d19b-3b06-4514-9924-d1eb77fc9791",
9    "rule_name": "ATO with high score",
10    "action_name": "Reset password",
11    "timestamp": "2024-05-12T15:11:27.745Z",
12    "additional": {
13        "city": "Tel Aviv",
14        "country": "IL",
15        "ip": "15.5.133.81",
16        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.124 Safari/537.36 Edg/102.0.1245.44"
17    }
18}

Network event request

1{
2  "user_ids": ["92549020", "92549021", "92549022"],
3  "score": 0.98,
4  "attack_type": "fake_account",
5  "rule_id": "84734834",
6  "action_name": "account_suspension",
7  "timestamp": "2022-06-24T15:13:52.164Z",
8  "additional": {
9    "network_id": "320",
10    "network_type": "vid",
11  }
12}