ThreatLens Event Subscribing Guide
This document contains confidential information from Bugsmirror Research Pvt. Ltd. By accessing this document you agree to keep the information in strict confidence. Do not copy, disclose, or distribute it without proper authorisation or written consent from Bugsmirror Research Pvt. Ltd. If you are not the intended recipient, please delete or shred all the copies of the document with you and inform the sender immediately. Be aware that any unauthorised disclosure, copying, or distribution of the contents of this document is strictly prohibited.
1. Introduction
Welcome to the ThreatLens Webhook Integration Guide. Our system provides real-time security threat intelligence. To ensure your applications receive these critical alerts instantly and securely, ThreatLens utilizes a robust webhook architecture to push data directly to your infrastructure.
2. Architecture & Flow
The webhook delivery lifecycle operates in three real-time phases:
- Detection: The ThreatLens engine detects a security threat relevant to your organization's monitored assets.
- Dispatch: The alert is immediately generated and published to our secure messaging queue.
- Delivery: Our system fires an HTTPS POST request containing the threat data to your registered Webhook URL.
3. Webhook Endpoint Requirements
To successfully integrate with ThreatLens, your engineering team must expose a Webhook Endpoint that meets the following technical specifications:
- Protocol: Must be a secure HTTPS endpoint (e.g., https://api.yourcompany.com/v1/threat-receiver).
- HTTP Method: POST
- Response: Your server must acknowledge receipt by returning an HTTP status code 200 OK within 10 seconds. (Note: Other success codes like 201 or 202 are not accepted and will trigger a retry)
The webhook URL must not exceed 1024 bytes (1 KB). Larger values are not supported.
4. Request Headers
Every webhook event dispatched by ThreatLens will include the following standardized headers. Your system should parse these to handle the payload and authenticate the request.
| Header | Type | Description |
|---|---|---|
| Content-Type | String | Will always be application/json. |
| X-AUTHENTICATION | String | A pre-shared cryptographic secret token used to verify that the request originated from ThreatLens. ⚠️ Note: The X-AUTHENTICATION token must not exceed 1024 bytes (1 KB). Tokens larger than this limit are not supported and will result in the request being rejected. |
| Content-Encoding | String | The request body is gzip-encoded, Server must handle it explicitly. |
5. Message Payload Schema
Threat events are delivered in the body of the POST request as a JSON object.
Schema Definition
| Field | Type | Description |
|---|---|---|
DeviceId | String | The unique identifier of the device where the threat was detected. |
ThreatId | Integer | The internal classification code/ID for the specific threat detected. |
EventDate | Integer | The Epoch UTC timestamp (in milliseconds) recording exactly when the threat occurred. |
Example JSON Payload
{
"DeviceId": "nkjnkjdnfkjds",
"ThreatId": 61007,
"EventDate": 1775068199000
}
6. Security & Verification
Security is critical when receiving automated security events. We strongly require implementing the following guardrails:
- Require HTTPS: Ensure your endpoint enforces TLS/SSL encryption to prevent man-in-the-middle (MITM) attacks.
- Validate the Secret Token: Your endpoint should check the
X-AUTHENTICATIONheader on every incoming request. If the token is missing or does not match your provided secret, your system must reject the request with a401 Unauthorizedor403 Forbiddenstatus code.
7. Retry Policy & Delivery Guarantees
In the event of network instability or endpoint downtime, ThreatLens ensures high availability of your alerts through an automated retry mechanism.
Retry Triggers:
- Timeout: Your server fails to respond within 10 seconds.
- Failure Codes: Your server responds with any non-200 HTTP status code (including other 2xx codes or 5xx errors).
Retry Strategy:
- ThreatLens utilizes an exponential backoff mechanism.
- We will attempt to deliver the payload up to 5 times before marking the event as failed.
8. Example cURL Request
curl -X POST https://api.yourcompany.com/v1/threat-receiver \
-H "Content-Type: application/json" \
-H "X-AUTHENTICATION: <your-secret-token>" \
-d '{
"DeviceId": "nkjnkjdnfkjds",
"ThreatId": 61007,
"EventDate": 1775068199000
}'
9. Implementation Checklist
Please run through this checklist before moving your webhook integration to production:
- Create a dedicated, secure HTTPS webhook endpoint.
- Implement logic to parse incoming JSON payloads (handling strings and integers).
- Implement strict validation for the
X-AUTHENTICATIONheader. - Ensure your server responds specifically with
200 OKwithin 10 seconds of receipt. - Test your endpoint locally using Postman, cURL, or similar API tools.
- Share your production Webhook URL and
X-AUTHENTICATIONsecret code securely with the ThreatLens integration team.