Integrations
Outbound real-time delivery of security events to Slack, PagerDuty, generic webhooks, ServiceNow, Splunk, and Microsoft Sentinel.
Updated Jun 23, 2026
Integrations push security-relevant audit events out of VaultTerm to your own tooling in real time — chat, on-call, ITSM, and SIEM. Delivery is best-effort and runs out of band: an integration failure is recorded but never affects the action that produced the event. This is the push counterpart to the pull Events API. Because delivery is best-effort, treat an integration as an alerting path rather than as the audit record; if you need every event, reconcile against the Events API.
Integrations are a Team and above capability.
Channels
Each integration is one of the following kinds. You supply the endpoint and any credential; VaultTerm shapes the payload to that system’s expected format.
| Channel | Transport | Authentication |
|---|---|---|
| Slack | Incoming webhook | Webhook URL; payload is HMAC-signed |
| PagerDuty | Events API (Events v2 enqueue) | Routing (integration) key |
| Webhook | HTTP POST of the full event JSON | Optional HMAC-SHA256 signature header |
| ServiceNow | Table API (opens an incident) | Basic auth against your instance |
| Splunk | HTTP Event Collector (HEC) | HEC token |
| Microsoft Sentinel | Log Analytics Data Collector API | Workspace ID + shared key |
For the generic webhook, each request carries X-VaultTerm-Event (the event action, for example HONEYTOKEN_TRIPPED) and, when a signing secret is configured on the integration, X-VaultTerm-Signature: sha256=<hex>, an HMAC-SHA256 over the payload, so the receiver can verify that the request originated from VaultTerm and was not altered in transit. Because the secret is optional, a receiver that only checks the header when one happens to be present gains nothing: configure a secret and reject any delivery that lacks a valid signature. Compute the MAC over the raw body bytes exactly as received, not over a parsed and re-serialised copy, and compare it using a constant-time comparison. ServiceNow events map onto the ITSM urgency scale, so a critical VaultTerm event opens a high-urgency incident; PagerDuty and the SIEM channels each receive the event in their native shape.
Tenant-supplied destination URLs are fetched through an egress guard that blocks requests to internal (private and loopback) addresses and to cloud metadata endpoints, so an integration cannot be used to reach VaultTerm's own network; a blocked target simply surfaces as a delivery failure.
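A receiver-side check for the signed generic webhook, written for this page as an added example; it is not VaultTerm's own code. It assumes the signature is HMAC-SHA256 over the raw request body keyed with the integration's signing secret and presented as sha256=<hex>; the secret, the sample body and the header values are constructed for the example. It fails closed on a missing or malformed header and shows why the MAC must be computed over the bytes as received:

```python
"""Added example (not VaultTerm's code): verifying a generic-webhook delivery.

Assumptions: the signature is HMAC-SHA256 over the raw request body keyed
with the integration's signing secret, sent as X-VaultTerm-Signature:
sha256=<hex>. The secret, body and headers below are constructed.
"""
import hashlib
import hmac
import json

# Constructed for the example: the secret configured on the integration.
SIGNING_SECRET = b"example-signing-secret-change-me"

# Constructed for the example: one delivery body as the receiver reads it.
SAMPLE_BODY = (
    b'{"action":"HONEYTOKEN_TRIPPED","category":"anomaly",'
    b'"severity":"critical","actor":"svc-ci","org":"acme"}'
)


def sign(secret: bytes, body: bytes) -> str:
    """Header value the sender attaches: sha256=<hex of HMAC-SHA256(secret, body)>."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes) -> bool:
    """True only for a well-formed signature matching the exact bytes received.

    An absent or malformed header fails closed: once a secret is configured,
    unsigned requests must be rejected or the check is trivially bypassed.
    The MAC is computed over `body` as received, never over a parsed and
    re-serialised copy, and compared in constant time.
    """
    scheme, _, received = headers.get("X-VaultTerm-Signature", "").partition("=")
    if scheme != "sha256" or not received:
        return False
    try:
        received_mac = bytes.fromhex(received)   # accepts upper/lower-case hex
    except ValueError:
        return False
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, received_mac)


def handle_delivery(headers: dict, body: bytes) -> dict:
    """Receiver entry point: authenticate first, parse second, then route on the action."""
    if not verify(SIGNING_SECRET, headers, body):
        return {"status": 401, "accepted": False}
    event = json.loads(body)
    action = headers.get("X-VaultTerm-Event")
    if action != event.get("action"):
        # Header and body disagree: treat as malformed rather than trust either.
        return {"status": 400, "accepted": False}
    return {"status": 200, "accepted": True,
            "action": action, "severity": event.get("severity")}


def demo() -> dict:
    """The three cases a receiver must get right."""
    signed = {"X-VaultTerm-Event": "HONEYTOKEN_TRIPPED",
              "X-VaultTerm-Signature": sign(SIGNING_SECRET, SAMPLE_BODY)}
    tampered = SAMPLE_BODY.replace(b'"critical"', b'"low"')   # body changed, MAC not
    unsigned = {"X-VaultTerm-Event": "HONEYTOKEN_TRIPPED"}      # signature header missing
    return {
        "genuine": handle_delivery(signed, SAMPLE_BODY),
        "tampered": handle_delivery(signed, tampered),
        "unsigned": handle_delivery(unsigned, SAMPLE_BODY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

In a real web framework, read the raw body before any JSON middleware touches it; a body that is parsed and dumped again (different key order, added whitespace) is semantically identical JSON but no longer matches the MAC, which is exactly why the check above works on bytes.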
The event catalog
VaultTerm dispatches a curated catalog of roughly 60 typed events — not raw audit rows. Routine reads and CRUD are noise for an alerting channel, so only events worth a human's attention are eligible. Every event carries a severity (low, medium, high, critical) and a category (secret, access, identity, org, ai, anomaly). Examples:
| Event | Category | Severity |
|---|---|---|
| CREDENTIAL_EXPOSURE_DETECTED | secret | critical |
| CREDENTIAL_BREACH_DETECTED | secret | high |
| JIT_APPROVED | access | medium |
| SSH_CA_ROTATED | access | high |
| SSO_LOGIN_FAILED | identity | medium |
| HONEYTOKEN_TRIPPED | anomaly | critical |
Per-integration filtering
Each integration subscribes to a subset of the catalog (or all of it) and sets a minimum severity. An event is delivered only if its action is in the integration’s event list and its severity meets the threshold — so you can route only high-and-above access events to PagerDuty while sending the full secret-and-anomaly set to your SIEM. Credential-exposure events carry their own effective severity, so a critical leak still surfaces on a channel configured for high-only.
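The delivery decision above, modelled as an added example; it is not VaultTerm's dispatcher. It assumes an integration holds a set of subscribed actions (with "*" standing for the whole catalog) and a minimum severity, and that an event uses its catalog severity unless it arrives with its own effective severity, as the page describes for credential-exposure events. The catalog rows are the ones listed on this page; the integrations, the events and the low-severity exposure are constructed:

```python
"""Added example (not VaultTerm's dispatcher): the per-integration delivery rule.

Assumed model: an integration subscribes to a set of actions ({"*"} = whole
catalog) and sets a minimum severity; an event's severity is its catalog
default unless it carries an effective severity of its own. The catalog
excerpt is from the page; integrations and events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Catalog excerpt from the page: action -> (category, default severity).
CATALOG = {
    "CREDENTIAL_EXPOSURE_DETECTED": ("secret", "critical"),
    "CREDENTIAL_BREACH_DETECTED": ("secret", "high"),
    "JIT_APPROVED": ("access", "medium"),
    "SSH_CA_ROTATED": ("access", "high"),
    "SSO_LOGIN_FAILED": ("identity", "medium"),
    "HONEYTOKEN_TRIPPED": ("anomaly", "critical"),
}


@dataclass(frozen=True)
class Integration:
    name: str
    events: Set[str]          # subscribed actions; {"*"} means the entire catalog
    min_severity: str


@dataclass(frozen=True)
class Event:
    action: str
    effective_severity: Optional[str] = None   # per-event override, when the event carries one

    @property
    def category(self) -> str:
        return CATALOG[self.action][0]

    @property
    def severity(self) -> str:
        return self.effective_severity or CATALOG[self.action][1]


def actions_in(*categories: str) -> Set[str]:
    """Every catalog action in the given categories; a convenient way to build a subscription."""
    return {action for action, (cat, _) in CATALOG.items() if cat in categories}


def should_deliver(integration: Integration, event: Event) -> bool:
    """Both conditions must hold: the action is subscribed AND the effective severity meets the threshold."""
    subscribed = "*" in integration.events or event.action in integration.events
    return subscribed and SEVERITY_RANK[event.severity] >= SEVERITY_RANK[integration.min_severity]


def route(integrations: List[Integration], events: List[Event]) -> Dict[str, List[str]]:
    """What each integration would receive, as action:severity strings in arrival order."""
    return {i.name: [f"{e.action}:{e.severity}" for e in events if should_deliver(i, e)]
            for i in integrations}


def demo_routing() -> Dict[str, List[str]]:
    integrations = [
        Integration("pagerduty-access", actions_in("access"), "high"),
        Integration("slack-secrets", actions_in("secret"), "high"),
        Integration("siem", actions_in("secret", "anomaly"), "low"),
    ]
    events = [
        Event("JIT_APPROVED"),                              # access/medium: below the PagerDuty threshold
        Event("SSH_CA_ROTATED"),                            # access/high: pages
        Event("CREDENTIAL_EXPOSURE_DETECTED", "critical"),  # effective severity keeps it on a high-only channel
        Event("CREDENTIAL_EXPOSURE_DETECTED", "low"),       # constructed low-impact exposure: SIEM only
        Event("HONEYTOKEN_TRIPPED"),                        # anomaly/critical: only the SIEM subscribes
    ]
    return route(integrations, events)


if __name__ == "__main__":
    for name, delivered in demo_routing().items():
        print(f"{name:17s} <- {delivered}")
```

The point to take from the run is that the threshold is applied to the severity the event actually carries, not to the catalog row: the same action lands on a high-only channel or is held back depending on its effective severity, while a low-threshold SIEM subscription sees both.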
Related
- Events API — pull the full audit stream as paginated JSON for bulk export.