Red Canary’s webhook integration allows you to trigger any HTTP listener as part of an automation playbook. Common uses of webhooks include:
- Creating tickets in ticket-tracking systems such as ServiceNow or JIRA.
- Posting data to SIEM / log collection platforms like Splunk or SumoLogic.
- Triggering incidents in paging systems such as OpsGenie or VictorOps (PagerDuty has a distinct integration action).
- Sending data to a custom business application you have exposed to the internet, whether as custom software, an Azure function, or an AWS endpoint.
Webhooks are highly customizable and allow you to configure which HTTP method is used and specify HTTP headers that are used for authorization, routing, etc.
To trigger a webhook as part of an automation playbook:
- Within any playbook, click Add Action.
- Click Webhook/API > Invoke Webhook or API > Add to Playbook.
- Select an HTTP Method that should be used.
- Enter the URL that should be invoked.
- Optionally, enter one or more HTTP headers that should be included in the HTTP request. By default, no HTTP headers are sent.
- Specify a Payload type (learn more about these below). Payloads are applicable to the POST, PUT, and PATCH HTTP methods.
- Click Save.
Note: For Splunk, an HTTP Event Collector (HEC) token is required in the HTTP Headers section, in this format: Authorization=Splunk [token]
What are payloads?
The payload of a webhook is the content that is included in the body of the HTTP request to the specified URL. These payloads can be customized based on your needs and the API you’re integrating with.
All attributes as JSON
This payload type sends all of the objects and attributes that triggered the action to the webhook URL as the body of a JSON post.
If the receiving application requires the Content-Type header to properly process the message, ensure you specify Content-Type=application/json in the HTTP Headers section.
This payload type allows you to specify a fully custom webhook payload. This content can be JSON, text, etc.
If required by the receiving application, ensure you send the appropriate HTTP headers using the HTTP Headers section.
What happens if my payload fails?
If your application responds with an HTTP status of anything other than 200, we will send your technical contacts an email containing details of the failure to help you troubleshoot.
To prevent flooding your inbox, we will send only one Webhook Failure email per playbook every 24 hours. In addition, we will create an Audit Log (https://my_customer_domain.co/audit_logs) with "Action: Automate Action Executed" and include details about the error in the Details section. We will create this Audit Log every time the webhook fails. At the moment, we do not allow these Audit Logs to trigger playbooks.
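For a custom receiving application, the sketch below shows one way to check the authorization header configured in the playbook and to answer with exactly 200 on success, since any other status is reported as a failure. It is an added example, not Red Canary code: the `Authorization=Bearer <secret>` header value, the `WEBHOOK_SECRET` variable name, the size limit and the sample payload are assumptions.

```python
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the playbook's HTTP Headers section sends
# Authorization=Bearer <secret>. WEBHOOK_SECRET is a hypothetical variable name;
# the default is a constructed value so the example runs as-is.
SECRET = os.environ.get("WEBHOOK_SECRET", "constructed-example-secret")
MAX_BODY = 1_000_000  # refuse oversized bodies before parsing them


def check_request(headers, body):
    """Return (status, parsed_payload_or_None) for one webhook delivery."""
    sent = headers.get("Authorization", "")
    # Constant-time comparison avoids leaking the secret through timing.
    if not hmac.compare_digest(sent.encode(), ("Bearer " + SECRET).encode()):
        return 401, None
    if len(body) > MAX_BODY:
        return 413, None
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return 415, None
    try:
        payload = json.loads(body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return 400, None
    # Answer with exactly 200: the sender treats every other status,
    # including 201, 202 and 204, as a failed delivery.
    return 200, payload


class Receiver(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = max(0, int(self.headers.get("Content-Length", 0)))
        except ValueError:
            length = 0
        body = self.rfile.read(min(length, MAX_BODY + 1))
        status, _ = check_request(self.headers, body)
        if status == 200:
            print("accepted delivery of", len(body), "bytes")
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Assumption: a TLS-terminating proxy forwards to this local port.
    HTTPServer(("127.0.0.1", 8080), Receiver).serve_forever()
```

Rejected deliveries then appear in the Webhook Failure email and the Audit Log, which makes a misconfigured header visible on the sending side.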