# Webhooks and SIEM delivery

Send audit logs to your monitoring platform in near real-time. This works with tools like Splunk, Datadog, and Sumo Logic.

### Add a webhook

<figure><img src="/files/bL8xM1etKX7OhjyJ41lp" alt=""><figcaption></figcaption></figure>

{% stepper %}
{% step %}

### Open audit log webhooks

Go to **Account Settings → Security → Audit logs**.
{% endstep %}

{% step %}

### Create the webhook

Click **Add webhook**.
{% endstep %}

{% step %}

### Configure

<figure><img src="/files/QfOXgZKxr4wRYLb8qPSu" alt=""><figcaption></figcaption></figure>

* **Name**: label for the destination
* **URL**: HTTPS endpoint
* **Description**: optional notes
* **Secret key**: optional HMAC signing secret
* **Custom headers**: optional auth headers
* **Timeout**: 1–300 seconds
* **Max retries**: 0–10
{% endstep %}
{% endstepper %}

### Filter what gets sent

Filters are per webhook:

* **Categories**
* **Event types**
* **Severities**

Leave filters empty to receive everything.

### Test delivery

1. Click **Test** next to the webhook.
2. Review the delivery result.

### Payload format (example)

{% code title="Webhook payload (example)" %}

```json
{
  "event": "user.login",
  "event_category": "authentication",
  "severity": "low",
  "timestamp": "2026-02-02T14:30:00Z",
  "audit_log": {
    "id": 12345,
    "event_type": "user.login",
    "status": "success",
    "ip_address": "192.168.1.100",
    "user_agent": "Mozilla/5.0...",
    "metadata": {}
  },
  "user": {
    "id": 42,
    "name": "Jane Smith",
    "email": "jane@company.com"
  },
  "account": {
    "id": 1,
    "name": "Acme Corp"
  }
}
```

{% endcode %}

### Verify webhook signatures (optional)

When a secret key is set, verify the `X-Webhook-Signature` header on each delivery by recomputing the HMAC over the request body:

```
HMAC-SHA256(secret_key, request_body)
```
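
A receiver-side check for the signature above, as an added example (not Screendesk's own code). It assumes the header carries the hex-encoded digest, which this page does not state, so confirm the encoding with a **Test** delivery; the function names, secret and body are constructed for illustration.

```python
import hashlib
import hmac
import json

def expected_signature(secret_key: bytes, raw_body: bytes) -> str:
    # HMAC-SHA256(secret_key, request_body). Hex encoding is an assumption.
    return hmac.new(secret_key, raw_body, hashlib.sha256).hexdigest()

def verify_and_parse(secret_key: bytes, raw_body: bytes, headers: dict):
    """Return the parsed event if the signature matches, otherwise None."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get("x-webhook-signature")
    if not received:
        return None  # secret configured: treat unsigned deliveries as invalid
    expected = expected_signature(secret_key, raw_body)
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading characters of a guessed signature were correct.
    if not hmac.compare_digest(expected.encode(), received.strip().lower().encode()):
        return None
    # Parse only after verification, and only from the bytes that were verified.
    return json.loads(raw_body)

# Constructed sample values, not real credentials or captured traffic.
SAMPLE_SECRET = b"example-secret-key"
SAMPLE_BODY = b'{"event":"user.login","event_category":"authentication","severity":"low"}'

def demo() -> dict:
    good = {"X-Webhook-Signature": expected_signature(SAMPLE_SECRET, SAMPLE_BODY)}
    # Re-serialising parsed JSON changes whitespace, so the bytes no longer match.
    reserialised = json.dumps(json.loads(SAMPLE_BODY)).encode()
    tampered = SAMPLE_BODY.replace(b'"low"', b'"high"')
    return {
        "valid": verify_and_parse(SAMPLE_SECRET, SAMPLE_BODY, good) is not None,
        "tampered": verify_and_parse(SAMPLE_SECRET, tampered, good) is not None,
        "reserialised": verify_and_parse(SAMPLE_SECRET, reserialised, good) is not None,
        "unsigned": verify_and_parse(SAMPLE_SECRET, SAMPLE_BODY, {}) is not None,
    }

if __name__ == "__main__":
    print(demo())
```

Pass the handler the raw request bytes as received; many web frameworks parse JSON before your code runs, and a signature check over the re-encoded object fails even for genuine deliveries.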

### Retries

Failed deliveries retry with exponential backoff:

* 1 min
* 5 min
* 15 min
* 30 min
* 1 hour
* 2 hours

