Custom events
Custom events let you push security telemetry from any source Jutsu doesn't support natively. You post arbitrary JSON to the Jutsu Ingest API over a webhook, and Jutsu normalizes it into events alongside the rest of your data.
Overview
For any source without a dedicated connector, you can send JSON events directly to the Ingest API webhook. Each request authenticates with an organization-scoped API key, so events land only in your organization. This is the most flexible way to integrate a custom script, an in-house tool, or a vendor that can fire webhooks.
What this enables
Once you're posting events, Jutsu:
- Ingests your custom JSON and surfaces it in the Events view.
- Feeds those events into the same normalization, triage, and response pipeline as built-in sources.
- Lets you cover gaps in coverage without waiting for a native integration.
Authentication
Generate an ingest API key in Jutsu and send it on every request in an API key header (for example, X-API-Key). Keep the key secret — anything holding it can write events to your organization.
Confirm the exact header name, Ingest API host, and webhook route against your deployment.
Send an event
Post your event as a JSON body to an Ingest API webhook. Jutsu exposes connector-specific webhook routes (for example the syslog connector) rather than a single generic endpoint — see the Ingestion API for the exact routes and the accepted body for each. The request shape looks like this:
curl -X POST "https://<your-ingest-host>/api/v1/webhooks/<connector>" \
-H "X-API-Key: <your-ingest-api-key>" \
-H "Content-Type: application/json" \
-d '{
"source": "my-custom-tool",
"timestamp": "2026-06-14T12:00:00Z",
"severity": "high",
"message": "Suspicious activity detected on host web-01",
"host": "web-01",
"details": {
"rule": "custom-rule-42",
"src_ip": "203.0.113.10"
}
}'You can send a single object or an array of events in one request. Use a stable, descriptive source so events are easy to filter later.
The host, webhook path, header name, and accepted fields depend on your deployment and the ingestion contract. Confirm them against your deployment and the API reference before going to production.
Verify
After sending an event, confirm it landed:
- Check the API response for a success status.
- In Jutsu, open the Events view and confirm your event appears with the
sourceyou set.
Troubleshooting
If posted events don't appear, work through the most common causes:
| Symptom | Likely cause | Fix |
|---|---|---|
| 401 response | Missing or invalid API key | Send a valid key in the API key header and regenerate it if revoked. |
| 400 response | Malformed JSON or wrong shape | Validate the JSON body and confirm it matches the ingestion contract. |
| 200 response but no event in Jutsu | Wrong organization or endpoint | Confirm the key belongs to the right organization and you're posting to the correct host and route. |
| Events delayed | Normalization backlog | Allow a moment for processing, then re-check the Events view. |
| Connection refused or timeout | Network path blocked | Allow egress from your source to the Ingest API host and port. |
For the full request and response contract, headers, and field reference, see the ingestion API documentation and confirm it against your deployment.
Related
- Ingestion API — the full request and response contract.
- Events — explore custom events once they're flowing.
- Integrations — see all available and roadmap sources.