Webhooks and SIEM delivery

Send audit logs to your monitoring platform in near real-time.

Send audit logs to your monitoring platform in near real-time. This works with tools like Splunk, Datadog, and Sumo Logic.

Add a webhook

Open audit log webhooks

Go to Account Settings → Security → Audit logs.

Create the webhook

Click Add webhook.

Configure

Name: label for the destination
URL: HTTPS endpoint
Description: optional notes
Secret key: optional HMAC signing secret
Custom headers: optional auth headers
Timeout: 1–300 seconds
Max retries: 0–10

Filter what gets sent

Filters are per webhook:

Categories
Event types
Severities

Leave filters empty to receive everything.

Test delivery

Click Test next to the webhook.
Review the delivery result.

Payload format (example)

Webhook payload (example)

{
  "event": "user.login",
  "event_category": "authentication",
  "severity": "low",
  "timestamp": "2026-02-02T14:30:00Z",
  "audit_log": {
    "id": 12345,
    "event_type": "user.login",
    "status": "success",
    "ip_address": "192.168.1.100",
    "user_agent": "Mozilla/5.0...",
    "metadata": {}
  },
  "user": {
    "id": 42,
    "name": "Jane Smith",
    "email": "[email protected]"
  },
  "account": {
    "id": 1,
    "name": "Acme Corp"
  }
}

Verify webhook signatures (optional)

When a secret key is set, verify the X-Webhook-Signature header:

HMAC-SHA256(secret_key, request_body)

Retries

Failed deliveries retry with exponential backoff:

1 min
5 min
15 min
30 min
1 hour
2 hours

PreviousExport and retention NextIntegrity and event reference

Last updated 21 days ago

Was this helpful?

Good evening

hashtagAdd a webhook

hashtagOpen audit log webhooks

hashtagCreate the webhook

hashtagConfigure

hashtagFilter what gets sent

hashtagTest delivery

hashtagPayload format (example)

hashtagVerify webhook signatures (optional)

hashtagRetries