Skip to main content

Custom Event Mapping

Map your custom event types to canonical signals. When a custom event fires, it applies the canonical signal's delta_risk to the entity's score — exactly as if the canonical event itself had fired.


How It Works

  1. Send custom events like "okta.login.failed" from your system
  2. In the Humifortis dashboard, map it to AUTH_LOGIN_FAILED
  3. When the custom event fires, it applies +0.5 delta_risk (same as the canonical signal)

No code changes needed beyond the initial event push.


Mapping Examples

Identity Providers

Custom EventCanonical SignalDelta Risk
okta.login.failedAUTH_LOGIN_FAILED+0.5
okta.mfa.successAUTH_MFA_SUCCESS−25.0
okta.user.suspendedCustom mapping in UIConfigurable
auth0.login.failedAUTH_LOGIN_FAILED+0.5
auth0.mfa.requiredAUTH_MFA_SUCCESS−25.0

SIEM Systems

Custom EventCanonical SignalDelta Risk
splunk.brute_forceAUTH_BRUTE_FORCE+15.0
splunk.malwareEDR_MALWARE_DETECTED+50.0
splunk.dlp_alertDLP_EXFILTRATION_ATTEMPT+30.0
elastic.anomalyEDR_PROCESS_ANOMALY+30.0

Cloud Providers

Custom EventCanonical SignalDelta Risk
aws.unauthorized_accessAUTH_LOGIN_FAILED+0.5
azure.impossible_travelAUTH_IMPOSSIBLE_TRAVEL+20.0
gcp.suspicious_activitySESSION_HIJACK_DETECTED+25.0

Custom Applications

Custom EventCanonical SignalDelta Risk
app.failed_loginAUTH_LOGIN_FAILED+0.5
app.sensitive_data_accessDLP_EXFILTRATION_ATTEMPT+30.0
app.admin_actionCustom mapping in UIConfigurable
app.bulk_downloadDLP_BULK_ACCESS+20.0

Configuration Steps

  1. Identify your events — list all security-relevant events from your systems
  2. Choose mappings — select the appropriate canonical signal for each event type
  3. Configure in UI — use Policies → Event Mappings → New mapping
  4. Test mappings — send test events and verify the risk score calculations
  5. Monitor and adjust — review mappings periodically as your event volume grows

Best Practices

Event naming: use consistent conventions across systems — e.g. system.action.result. Avoid generic names that could apply to multiple scenarios.

Mapping strategy: map to the most specific canonical signal available. Consider the actual risk impact, not just the event name.

Monitoring: watch for unmapped events in the dashboard — they often reveal new integration points or misconfigured systems.


See Also