DTEX Integration

The DTEX Agents can forward information to the SafeTitan On-Premise or Azure Orchestrator. Like other integrations, it does this via webhook. When setting up the DTEX alerting rules, a webhook URL can be specified to forward the information to the Orchestrator. The payload that is forwarded appears as follows:


  {
    "dataset": [
      {
        "occurred_at": "2016-12-30T00:00:00-05:00",
        "hits": [
          {
            "category": "Obfuscation (Unusual File Deletes)",
            "severity": "High",
            "updated_at": "2017-06-06T23:09:45.851852+00:00",
            "risk_score": 0.5,
            "category_id": "DELETE"
          }
        ],
        "activities_count": 6,
        "user_name": "dev\\gary",
        "user_risk_score": 0.5
      }
    ]
  }


The highlighted properties (user_name and category) are the only properties that the Orchestrator requires. These properties are used to identify the rule/alert that was triggered and the offending user. Depending on which Orchestrator you are using, the Orchestrator finds the identified user's email either from On-Premise Active Directory or Azure Active Directory. The URL for the webhook is configured as follows:

  • For the On-Premise Orchestrator, the URL format is:

    {Orchestrator Site Path}/api/SIEM/dtex/alert. (For example, this could be http://localhost:5555/api/SIEM/dtex/alert).

  • For an Azure-based setup, the URL format is:{api-key}&orchid={id-of-orchestrator-from-portal}&orgId={organisation-id-from-portal}
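
The following is an added example, not SafeTitan or DTEX code: a sketch of how a receiver could validate the payload shown above and pull out the two required properties (user_name and category) before acting on an alert. The function name extract_alerts, the size limit, the error strings and the DOMAIN\account split are assumptions made for illustration.

```python
import json

# Constructed sample, shaped like the payload shown on this page.
SAMPLE = r'''
{"dataset": [{"occurred_at": "2016-12-30T00:00:00-05:00",
  "hits": [{"category": "Obfuscation (Unusual File Deletes)", "severity": "High",
            "risk_score": 0.5, "category_id": "DELETE"}],
  "activities_count": 6, "user_name": "dev\\gary", "user_risk_score": 0.5}]}
'''

def extract_alerts(raw, max_bytes=65536):
    """Return (alerts, errors) for a DTEX webhook body given as a str.

    alerts: dicts with user_name, domain, account and category.
    errors: one message per entry that was skipped.
    """
    # Hypothetical size limit so an oversized body is rejected before parsing.
    if len(raw.encode("utf-8")) > max_bytes:
        return [], ["payload too large"]
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [], [f"invalid JSON: {exc.msg}"]
    dataset = doc.get("dataset") if isinstance(doc, dict) else None
    if not isinstance(dataset, list):
        return [], ["missing 'dataset' array"]
    alerts, errors = [], []
    for i, entry in enumerate(dataset):
        user = entry.get("user_name") if isinstance(entry, dict) else None
        if not isinstance(user, str) or not user.strip():
            errors.append(f"dataset[{i}]: missing user_name")
            continue
        # Assumption: DOMAIN\account form, as in the sample value "dev\gary".
        domain, _, account = user.rpartition("\\")
        hits = entry.get("hits")
        if not isinstance(hits, list) or not hits:
            errors.append(f"dataset[{i}]: no hits")
            continue
        for j, hit in enumerate(hits):
            cat = hit.get("category") if isinstance(hit, dict) else None
            if not isinstance(cat, str) or not cat.strip():
                errors.append(f"dataset[{i}].hits[{j}]: missing category")
                continue
            alerts.append({"user_name": user, "domain": domain,
                           "account": account, "category": cat})
    return alerts, errors
```

Entries that lack either required property are reported in the error list instead of being passed on, so a malformed or partial alert never reaches the user lookup.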