Webhook Guidance
This page is for guidance only. Custom configuration must be handled by Customer or Professional Services.
Webhook Formatting Requirements
When sending data to a SIEM or another external system using webhooks, the request body must follow specific formatting rules.
First, the webhook body must be valid JSON. This means it must start with { and end with }, and all fields must follow proper "key": "value" formatting. If the JSON is invalid—either before or after variables are inserted—the UI will display a “Bad string” error and prevent you from saving.
All webhook payloads must also include a required top-level wrapper:
{
"event": {
...your fields here...
}
}This event object is required by the webhook system. Even if the JSON inside is valid, removing this wrapper will cause validation to fail.
Inside the event object, you can structure the data however your destination system (such as a SIEM) expects. You can rename fields, flatten the structure, or reorganize values—as long as the JSON remains valid and you reference fields using their correct paths.
Most available data comes from the activity JSON structure, with fields such as:
-
event.user.username
-
event.event.id
Nested under event
-
event.event.observedAt
Nested under event
-
event.incident.name
You can reference these values using Handlebars syntax.
For example:
"event": {
"name": "{{event.incident.name}}",
"id": "{{event.event.id}}",
"user": "{{event.user.username}}",
"time": "{{event.event.observedAt}}"
}
}Notes
-
Handlebars variables only insert values—they do not fix invalid JSON.
-
Validation happens before any data is sent, so the payload must already be correctly formatted.
For most SIEM integrations, a simple, flat JSON structure like the example above is recommended.
Webhook Example
The following is an example of a Webhook template.
Supported Fields
The following fields are officially supported in email templates:
-
Alert Details
{{event.incident.name}}{{event.incident.severity}}
-
Event Metadata
{{event.event.createdAt}}{{event.event.occurredAt}}
-
Endpoint Information
{{event.endpoint.hostname}}
-
User Information
{{event.user.displayName}}{{event.user.email}}
-
File Metadata
{{event.resources.[0].name}}{{event.resources.[0].path}}{{event.resources.[0].container.name}}{{event.resources.[0].owner.user.name}}
-
Rule Details
{{#each event.incident.reasons}} ... {{/each}}
Requirements
JSON Format Validation
The Webhook body must be valid JSON.
-
It must:
-
Begin with { and end with }
-
Use proper key-value formatting: "key": "value"
-
-
Validation is performed both before and after Handlebars variables are resolved.
-
If the JSON is invalid at any stage, the UI will display “Bad string” and prevent saving.
Handlebars variables only substitute values; they do not correct invalid JSON structure.
Required Top-Level Structure
-
All webhook payloads must include a top-level event object.
-
The required structure is:
{
"event": {
... your fields here ...
}
}
-
This wrapper is mandatory for the webhook engine.
-
Even if the inner content is valid JSON, omitting the event object will cause validation to fail.
Custom Field Mapping
-
Within the event object, you may include any fields required by your SIEM.
-
You can:
-
Rename fields
-
Flatten or restructure the payload
-
Organize data to match your SIEM’s schema
-
-
The only requirements are:
-
The JSON remains valid
-
Field references use the correct source paths
-
Source Field Paths
The relevant data fields are located under the following paths:
event.user.username
event.event.id
event.event.observedAt
event.incident.name
Example: Flattened Payload
Below is a valid example using flattened fields and correct variable references:
{
"event": {
"incidentName": "{{event.incident.name}}",
"incidentId": "{{event.event.id}}",
"username": "{{event.user.username}}",
"timestamp": "{{event.event.observedAt}}"
}
}SIEM-Friendly Minimal Example
For most SIEM integrations, a simple flattened structure is recommended:
{
"event": {
"name": "{{event.incident.name}}",
"id": "{{event.event.id}}",
"user": "{{event.user.username}}",
"time": "{{event.event.observedAt}}"
}
}Key Validation Notes
-
JSON must be valid before and after variable substitution.
-
Validation occurs within the webhook UI, prior to sending any data to the SIEM.
-
Invalid formatting will prevent the webhook from being saved or executed.
Additional Links
Slack template
Splunk template
Generic template
Teams template
IOutlook template
Related Topic: