The Webhook Configuration page allows you to integrate Source Defense event notifications with your external systems, such as SIEM or custom monitoring platforms. You can define where events are sent, how they are authenticated, and which event types you want to receive.
1. Navigate
Select Integrations under the Settings option in the left navigation menu.
2. Provider Selection
Splunk (Built-in Provider)
Select Splunk if you want to forward events directly to a Splunk HTTP Event Collector (HEC).
When Splunk is selected:
- The system automatically formats the request as required by Splunk.
- Authentication is handled via a Secret Key, sent in the Authorization header.
Fields Required:
- Target URL – The full Splunk HEC endpoint.
- Secret Key – Token used to authenticate the request.
Custom Provider
Select Custom to send events to any external system of your choice.
When Custom is selected:
- You may define any number of custom headers.
- Headers allow you to pass authentication tokens, tenant IDs, or any metadata your system requires.
Fields Available:
- Target URL
- Headers (Name / Value pairs) – Add, edit, or remove as needed.
3. Activation Settings
Active
Toggle Active to enable or disable the webhook integration.
When disabled, no events will be sent.
Send Messages of Child Account
If your parent account manages child accounts, you may enable this option to receive events from those child accounts as well.
(This option is available only for accounts with child accounts.)
4. Webhook Event Selection
Choose which event types you want to receive via the webhook. Available options include:
- New Scripts – Alerts when new third-party scripts are detected.
- New Script Policy Recommendations – Alerts when policy recommendations become available.
- New PCI Header Changes – Alerts related to PCI compliance header updates.
- New Behaviors – Alerts on newly detected behavior patterns.
- Data Missing – Alerts when data expected from a site is missing.
- Unknown Domains – Alerts when unidentified domains are detected.
Check or uncheck each box according to your needs.
Click Source Defense Webhook Events Structure [TECHNICAL SPEC] for the data format used.
5. Allowed IP Addresses
At the bottom of the page, you will find a list of Source Defense IP addresses.
Your system should whitelist these IPs to ensure successful event delivery.
6. Saving and Testing
Save
Click Save to apply your webhook configuration.
Test
Click Test to trigger a sample event and verify that your endpoint receives data correctly.
Implementation Notes
- Webhook notifications are sent via HTTP POST requests.
- The endpoint should return a 2xx HTTP status code to acknowledge receipt of the notification.
- If the endpoint does not respond or returns an error, the system may retry sending the notification.
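A receiving endpoint for the Custom provider has to check the configured header, accept only the allowlisted source addresses, and tolerate retried deliveries. The Python code below is an added example, not Source Defense code, showing those three checks as one function. The header name, token, address range and the body-hash deduplication (which assumes a retry repeats the same body) are assumptions.

```python
import hashlib
import hmac
import ipaddress

# Assumptions, not values from Source Defense: replace with the header you
# configured under Custom Provider and the IPs listed on the Integrations page.
AUTH_HEADER = "X-Webhook-Token"         # hypothetical custom header name
EXPECTED_TOKEN = "replace-with-secret"  # placeholder secret
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder range

_seen_digests = set()  # in-memory only; use a persistent store in production


def source_allowed(remote_ip):
    """True if the sender address is inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def handle_delivery(method, headers, body, remote_ip, seen=_seen_digests):
    """Return (status, reason) for one webhook delivery."""
    if method != "POST":
        return 405, "method not allowed"
    if not source_allowed(remote_ip):
        return 403, "source not allowlisted"
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    supplied = lowered.get(AUTH_HEADER.lower(), "")
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(supplied.encode(), EXPECTED_TOKEN.encode()):
        return 401, "bad token"
    digest = hashlib.sha256(body).hexdigest()
    if digest in seen:
        # Retried delivery already processed: acknowledge without reprocessing.
        return 200, "duplicate"
    seen.add(digest)
    return 200, "accepted"
```

Call `handle_delivery` from your HTTP framework's request handler and return the status it yields; a non-2xx result may cause the notification to be retried.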