Custom Event Mapping
Map your custom event types to canonical signals. When a custom event fires, it applies the canonical signal's delta_risk to the entity's score — exactly as if the canonical event itself had fired.
How It Works
- Send custom events like
"okta.login.failed"from your system - In the Humifortis dashboard, map it to
AUTH_LOGIN_FAILED - When the custom event fires, it applies +0.5 delta_risk (same as the canonical signal)
No code changes needed beyond the initial event push.
Mapping Examples
Identity Providers
| Custom Event | Canonical Signal | Delta Risk |
|---|---|---|
okta.login.failed | AUTH_LOGIN_FAILED | +0.5 |
okta.mfa.success | AUTH_MFA_SUCCESS | −25.0 |
okta.user.suspended | Custom mapping in UI | Configurable |
auth0.login.failed | AUTH_LOGIN_FAILED | +0.5 |
auth0.mfa.required | AUTH_MFA_SUCCESS | −25.0 |
SIEM Systems
| Custom Event | Canonical Signal | Delta Risk |
|---|---|---|
splunk.brute_force | AUTH_BRUTE_FORCE | +15.0 |
splunk.malware | EDR_MALWARE_DETECTED | +50.0 |
splunk.dlp_alert | DLP_EXFILTRATION_ATTEMPT | +30.0 |
elastic.anomaly | EDR_PROCESS_ANOMALY | +30.0 |
Cloud Providers
| Custom Event | Canonical Signal | Delta Risk |
|---|---|---|
aws.unauthorized_access | AUTH_LOGIN_FAILED | +0.5 |
azure.impossible_travel | AUTH_IMPOSSIBLE_TRAVEL | +20.0 |
gcp.suspicious_activity | SESSION_HIJACK_DETECTED | +25.0 |
Custom Applications
| Custom Event | Canonical Signal | Delta Risk |
|---|---|---|
app.failed_login | AUTH_LOGIN_FAILED | +0.5 |
app.sensitive_data_access | DLP_EXFILTRATION_ATTEMPT | +30.0 |
app.admin_action | Custom mapping in UI | Configurable |
app.bulk_download | DLP_BULK_ACCESS | +20.0 |
Configuration Steps
- Identify your events — list all security-relevant events from your systems
- Choose mappings — select the appropriate canonical signal for each event type
- Configure in UI — use Policies → Event Mappings → New mapping
- Test mappings — send test events and verify the risk score calculations
- Monitor and adjust — review mappings periodically as your event volume grows
Best Practices
Event naming: use consistent conventions across systems — e.g. system.action.result. Avoid generic names that could apply to multiple scenarios.
Mapping strategy: map to the most specific canonical signal available. Consider the actual risk impact, not just the event name.
Monitoring: watch for unmapped events in the dashboard — they often reveal new integration points or misconfigured systems.
See Also
- Canonical Signals — full list of mappable signals with delta values
- Quick Start — sending your first event
- Custom Connectors — integration patterns for custom systems