Skip to content

Webhooks

Org Admins can integrate tripwire alerts with supported vendors using webhook connections. Once configured, NodeZero will send all tripwire alerts to the connected vendor.

Configuring a Webhook

To connect a new vendor to receive tripwire alerts via a webhook:

  1. Navigate to the Settings page and go to Integrations.
  2. Click Create Webhook.
  3. Fill out the configuration details in the modal and save.

Configure Webhook

Testing a Webhook Configuration

To test a webhook configuration:

  1. In the Settings page, go to Integrations.
  2. Click the carrot (dropdown arrow) next to the webhook configuration you want to test.
  3. Click Test Webhook.

Updating a Webhook Configuration

To update a webhook configuration:

  1. In the Settings page, go to Integrations.
  2. Click the carrot next to the webhook configuration you wish to update.
  3. Click the three dots and select Edit Webhook.
  4. Make your changes in the modal and save.

Deleting a Webhook Configuration

To delete a webhook configuration:

  1. In the Settings page, go to Integrations.
  2. Click the carrot next to the webhook configuration you wish to delete.
  3. Click the three dots and select Delete Webhook.
  4. Confirm the deletion from the modal.

Viewing a Sample Payload

Tripwire alerts may vary depending on the type of tripwire. A sample event payload is provided, showing all possible fields with sample values that could be sent.

To view the sample payload:

  1. In the Settings page, go to Integrations.
  2. Click the carrot next to the webhook configuration.
  3. Click the three dots and select View Sample Payload.

Viewing Webhook Events

All webhook events are logged in the Integrations page under the Event Log section. The log includes all events that NodeZero attempted to send and their status.

  • SENT indicates the event was successfully delivered.
  • FAIL indicates the event failed to send.

Supported Vendors

Currently, NodeZero supports integration with Splunk Cloud, with more vendor options coming soon.

Setting up a HTTP Event Collector (HEC) in Splunk Cloud

  1. Enable HEC:
  2. In Splunk Web, go to Settings > Data Inputs > HTTP Event Collector.

  3. Click Global Settings and toggle All Tokens to Enabled.

  4. Create a New HEC Token:

  5. Click New Token and configure your token (Name, Source Type, Index, etc.).

  6. Click Next, then Review, and Submit.

  7. Use the HEC Token:

  8. Use the token you created to configure the webhook as described above.

For more detailed information, refer to Splunk’s official documentation: Splunk HTTP Event Collector Documentation.