Detecting difference between security vs normal dependabot PRs

I’m trying to set up notifications to chat for vulnerability alerts and generic dependabot PRs. I’m now subscribing to repository_vulnerability_alert webhooks which allow me to create notifications for vulnerability alerts all fine.

For regular dependency updates I need to subscribe to pull_request webhooks and notify on those, however, the vulnerability alerts also create PRs sometimes and I can’t see how they are different from the regular PRs.

How can I detect that a PR from dependabot is for a vulnerability alert or not so I can prevent double notifications?