
# Webhook Recipes

## Recipes

Use these patterns as starting points and inspiration for automation powered by our outbound webhooks.

Each recipe lists the core topic set. Add downstream filters in your receiver or destination where needed.

{% hint style="info" %}
You can send these events to Slack workflows, n8n workflows, Jira, queues, serverless functions, or your own HTTP endpoints. You can set these up yourself, or contact BalkanID support to have your workflows managed for you.
{% endhint %}

### Send an alert when privileged access is granted

Use this when you want instant visibility into high-risk [access approvals](/lifecycle-management/access-requests.md).

Subscribe to `request.actioned`, and add an event payload filter for `status = approved`.

In your workflow:

* check whether the target resource or connection is privileged, or is otherwise something you want to keep track of
* post a message to Slack or your alerting tool of choice

### Trigger your employee JML playbooks from BalkanID automatically

You can use BalkanID as the source of truth for triggering JML workflows/playbooks when an employee's information is added or changed.

Subscribe to:

* `employee.created`
* `employee.updated`
* `employee.deleted`

### Be notified when an admin [user is created or updated](/getting-started/user-onboarding.md)

Use this to monitor admin creation and privilege escalation.

Subscribe to:

* `employee.created`
* `employee.updated`

In your receiver, check whether the employee has an admin role after the change. Alert when a new admin appears or a standard user becomes an admin.
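The check needs state: an `employee.updated` event only counts as an escalation if the receiver knows the employee was not an admin before. The sketch below is an added example, not BalkanID code; the payload keys `topic`, `data`, `id`, `email` and `roles`, and the `admin` role label, are assumptions to replace with what your deliveries actually contain.

```python
# Added example, not BalkanID code. The keys "topic", "data", "id", "email"
# and "roles" are assumed; check them against a real delivery before use.
ADMIN_ROLES = {"admin"}   # assumed role label; adjust to your tenant


class AdminWatch:
    """Tracks each employee's last-seen admin state across webhook events."""

    def __init__(self):
        self._is_admin = {}   # employee id -> bool; persist this in production

    def handle(self, event):
        """Return an alert dict, or None when the event needs no alert."""
        topic = event.get("topic")
        if topic not in ("employee.created", "employee.updated"):
            return None
        emp = event.get("data") or {}
        emp_id = emp.get("id")
        if emp_id is None:
            return None   # malformed event: nothing to key state on
        roles = {str(r).lower() for r in emp.get("roles") or []}
        now_admin = bool(roles & ADMIN_ROLES)
        was_admin = self._is_admin.get(emp_id)   # None means never seen
        self._is_admin[emp_id] = now_admin
        if not now_admin or was_admin:
            return None   # not an admin, or already known to be one
        if topic == "employee.created":
            reason = "new_admin"
        elif was_admin is False:
            reason = "escalated_to_admin"
        else:
            reason = "admin_without_history"   # first event seen was an update
        return {"employee": emp.get("email", emp_id), "reason": reason}


# Constructed sample deliveries, in arrival order.
SAMPLE_EVENTS = [
    {"topic": "employee.created", "data": {"id": "e1", "email": "ana@example.com", "roles": ["user"]}},
    {"topic": "employee.created", "data": {"id": "e2", "email": "raj@example.com", "roles": ["Admin"]}},
    {"topic": "employee.updated", "data": {"id": "e1", "email": "ana@example.com", "roles": ["user", "admin"]}},
    {"topic": "employee.updated", "data": {"id": "e1", "email": "ana@example.com", "roles": ["admin"]}},
    {"topic": "employee.updated", "data": {"id": "e3", "email": "li@example.com", "roles": ["admin"]}},
    {"topic": "employee.deleted", "data": {"id": "e2"}},
]


def run_samples():
    watch = AdminWatch()
    return [a for a in map(watch.handle, SAMPLE_EVENTS) if a]
```

The `admin_without_history` case covers receivers deployed after employees already exist: the first event seen for an admin is an update, so it is surfaced for review instead of being silently accepted as the baseline.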

### Track access decisions made automatically by policy

Use this to audit [policy-driven approvals and denials of access requests](/lifecycle-management/policies.md).

Subscribe to `request.actioned`.

If you wish to use payload filters, narrow the stream to events where `actionedByPolicy` is set. Otherwise, filter on that field in your receiver.

This gives you a clean feed of actions BalkanID handled automatically via your configured access policies.
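Receiver-side filtering for this recipe and for the privileged-access alert recipe above can share one handler, since both consume `request.actioned`. The following is an added example, not BalkanID code: `status` and `actionedByPolicy` are the fields named in the recipes, while the `topic`/`data` envelope, the `resource` field and the watchlist are assumptions.

```python
# Added example, not BalkanID code. "status" and "actionedByPolicy" come from
# the recipes; the "topic"/"data" envelope and "resource" field are assumed.
PRIVILEGED = {"aws-prod-admin", "okta-super-admin"}   # constructed watchlist


def triage(event):
    """Classify one request.actioned event; return None if out of scope."""
    if event.get("topic") != "request.actioned":
        return None
    data = event.get("data") or {}
    status = str(data.get("status", "")).lower()
    by_policy = bool(data.get("actionedByPolicy"))   # "set" = present, non-empty
    privileged = data.get("resource") in PRIVILEGED

    feeds = []
    if by_policy:
        feeds.append("policy-audit")       # approvals and denials alike
    if status == "approved" and privileged:
        feeds.append("privileged-alert")
    if not feeds:
        return None
    if len(feeds) == 2:
        severity = "high"     # privileged grant that no human reviewed
    elif privileged:
        severity = "medium"   # privileged grant approved by a person
    else:
        severity = "info"     # routine policy decision, kept for audit
    return {"feeds": feeds, "severity": severity,
            "status": status, "resource": data.get("resource")}


# Constructed sample deliveries; policy ids are placeholders.
SAMPLES = [
    {"topic": "request.actioned", "data": {"status": "approved",
     "resource": "aws-prod-admin", "actionedByPolicy": "policy-placeholder-1"}},
    {"topic": "request.actioned", "data": {"status": "approved",
     "resource": "aws-prod-admin"}},
    {"topic": "request.actioned", "data": {"status": "denied",
     "resource": "wiki-read", "actionedByPolicy": "policy-placeholder-2"}},
    {"topic": "request.actioned", "data": {"status": "approved",
     "resource": "wiki-read"}},
    {"topic": "campaign.aborted", "data": {}},
]


def run_samples():
    return [triage(e) for e in SAMPLES]
```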

### Track destructive admin actions

Use this for high-signal security and audit alerts.

Subscribe to:

* `employee.deleted`
* `campaign.deleted`
* `integration.deleted`

Send these events to your SIEM, ticketing system, or admin alert channel.

### Ask for an abort reason when a campaign is aborted

Use this to capture follow-up context from campaign owners.

Subscribe to `campaign.aborted`.

Trigger a Slack Workflow, form, or ticket that asks why the campaign was aborted and who approved the change.

### Create Jira tickets for denied access at campaign close

Use this to turn denied review outcomes into remediation work.

Subscribe to `campaign.completed`.

When the campaign completes, fetch denied access items for that campaign using our Public API. Create one Jira issue per denied item, or group them by application owner.

{% hint style="info" %}
Campaign completion is the point where reviewer decisions typically become final and actionable for downstream provisioning, de-provisioning or other actions.
{% endhint %}

### Notify your offboarding team when terminated users still have access

Use this to close the gap between HR termination and real access removal.

Subscribe to:

* `finding_rule.computed`
* `integration.sync`

A common pattern is:

1. wait for an `integration.sync`
2. evaluate findings for terminated users with active access
3. notify the offboarding or security operations team

### Alert on syncs without audit evidence

Use this when you want to make sure that [audit evidence](/getting-started/setting-up-your-tenant/application-integrations/audit-evidence-and-sync-history.md) is present for integration config changes/new syncs.

Subscribe to `integration.sync`.

If you use payload filters, narrow to syncs without attached audit evidence. Log an alert, then store any attached evidence in your audit evidence S3 bucket according to your policy.

### Monitor governance changes

Use this to track changes to [policies](/lifecycle-management/policies.md), [purposes](/lifecycle-management/jitpbac/purposes.md), and [constraints](/lifecycle-management/jitpbac/constraints.md).

Subscribe to the relevant governance topics from the [Topic Catalog](/playbooks/outbound-webhooks.md#topic-catalog).

Send these events to Slack, email, or your SIEM so governance changes are visible outside BalkanID.

### Build your own pattern

The recipes on this page are not exhaustive. As we continue adding more subscribable events with rich payloads, more automation and actionable capabilities will be unlocked.

If your use case is to send event payloads directly to destinations such as an S3 bucket or a queue (such as AWS SQS or GCP Pub/Sub), you can use the corresponding pre-built destination types with minimal config.

For more complex use cases, choose the Webhook destination type and build from there.

Start narrow with one topic. Validate the payload. Then expand to more topics or destinations.

### Related pages

* [Webhooks](/playbooks/outbound-webhooks.md)
* [Events and Deliveries](/playbooks/outbound-webhooks/events-and-deliveries.md)

