Red Canary’s webhook integration allows you to trigger any HTTP listener as part of an automation playbook. Common uses of webhooks include the following:
- Creating tickets in ticket-tracking systems such as ServiceNow or JIRA.
- Posting data to security information and event management (SIEM) / log collection platforms like Splunk or SumoLogic.
- Triggering incidents in paging systems such as OpsGenie or VictorOps (PagerDuty has a distinct integration action).
- Sending data to a custom business application you have exposed to the internet as custom software, an Azure function, or an AWS endpoint.
Webhooks are highly customizable and allow you to configure which HTTP method is used and specify HTTP headers that are used for authorization, routing, and so on.
Trigger a webhook as part of an automation playbook
- Within any playbook, click Add Action.
- Click Webhook/API and then click Invoke Webhook or API.
- Click Add to Playbook.
- Select an HTTP Method that should be used.
- Enter the URL that should be invoked.
- Optionally, enter one or more HTTP headers that should be included in the HTTP request.
Note: By default, no HTTP headers are sent.
- Specify a Payload type (learn more about these below).
Note: Payloads are applicable to the POST, PUT, and PATCH HTTP methods.
- Click Save.
Note: For Splunk, an HTTP Event Collector (HEC) token is required in the HTTP Headers section, with this format: Authorization= Splunk [token]
Note: Splunk truncates syslog messages sent via Automate. For more information, please read Splunk: Line Breaking
What are payloads?
A webhook's payload is the content contained in the body of the HTTP request to the specified URL. These payloads can be customized based on your needs and the API you’re integrating with.
All attributes as JSON
This payload type sends all of the objects and attributes that triggered the action to the webhook URL as the body of a JSON post.
If the receiving application requires the Content-Type header to properly process the message, ensure you specify Content-Type=application/json in the HTTP Headers section.
This payload type allows you to specify a fully custom webhook payload. This content can be JSON, text, and so on.
If required by the receiving application, ensure you send the appropriate HTTP headers using the HTTP Headers section.
What happens if my payload fails?
If your application returns an HTTP status code other than 200, we will send an email to your technical contacts with details about the failure to assist you in troubleshooting.
To prevent flooding your inbox, we will send only one Webhook Failure email per playbook every 24 hours. In addition, we will create an Audit Log (https://my_customer_domain.co/audit_logs) with "Action: Automate Action Executed" and include details about the error in the Details section. We will create this Audit Log every time the webhook fails. At the moment, we do not allow these Audit Logs to trigger playbooks.
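The following receiver is an added example, not Red Canary code. It shows the listener side of the settings described above: it authenticates the caller with a header configured in the HTTP Headers section, requires Content-Type=application/json, and answers with exactly 200 on success. Assumptions: the `Bearer` scheme, the `WEBHOOK_SECRET` variable, the port, and the function names are this example's own choices, and the payload is treated as opaque JSON.

```python
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the playbook's HTTP Headers section is set to
#   Authorization=Bearer <secret>  and  Content-Type=application/json
# The secret and header scheme are this example's choices, not Red Canary's.
SHARED_SECRET = os.environ.get("WEBHOOK_SECRET", "constructed-example-secret")
MAX_BODY = 1 << 20  # reject bodies over 1 MiB


def check_request(headers, body):
    """Return (status, message) for one webhook delivery."""
    expected = "Bearer " + SHARED_SECRET
    supplied = headers.get("Authorization", "")
    # Constant-time comparison so the secret cannot be guessed via timing.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 401, "missing or wrong Authorization header"
    if headers.get("Content-Type", "").split(";")[0].strip().lower() != "application/json":
        return 415, "expected Content-Type application/json"
    if len(body) > MAX_BODY:
        return 413, "payload too large"
    try:
        json.loads(body)
    except ValueError:
        return 400, "body is not valid JSON"
    # Anything other than 200 is treated as a failure by the sender.
    return 200, "ok"


class Receiver(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", 0))
        except ValueError:
            length = 0
        body = self.rfile.read(min(max(length, 0), MAX_BODY + 1))
        status, message = check_request(self.headers, body)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(message.encode())


if __name__ == "__main__":
    # Bind to localhost; put TLS termination (a reverse proxy) in front.
    HTTPServer(("127.0.0.1", 8080), Receiver).serve_forever()
```

Because no HTTP headers are sent by default, a playbook that omits the Authorization header gets a 401 from this listener, which surfaces as a Webhook Failure email and an Audit Log.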