Configuring Webhooks
Webhooks deliver audit events as JSON HTTP POST requests to one or more external endpoints. Use them to integrate with Slack, Microsoft Teams, monitoring APIs, or custom workflows. Configuration is stored in webhook.xml.
Global Switch
The <Enabled> element is a global on/off switch. When set to false, no webhooks are sent regardless of how many endpoints are configured. The webhook sink is only active when Enabled = true and at least one endpoint is defined.
Endpoint Configuration
Each <Endpoint> element defines a delivery target:
| Setting | Description | Default |
|---|---|---|
Url |
Target URL (HTTPS recommended) | — |
Events |
Comma-separated list of event action names to forward. All forwards everything. |
All |
Headers |
Custom HTTP headers (e.g. Authorization, X-Source) |
— |
TimeoutSeconds |
HTTP request timeout per endpoint (overrides pipeline default) | 10 |
RetryCount |
Endpoint-specific retry count | 3 |
Example Configuration
<WebhookConfiguration xmlns="urn:appprofilesafe:webhook:v1" SchemaVersion="1.0.0">
<Enabled>true</Enabled>
<Endpoints>
<!-- Slack: failures only -->
<Endpoint>
<Url>https://hooks.slack.com/services/T.../B.../XXX</Url>
<Events>ExportFailed,ImportFailed,IntegrityCheckFailed</Events>
<TimeoutSeconds>10</TimeoutSeconds>
</Endpoint>
<!-- Monitoring API: all events, with Bearer token -->
<Endpoint>
<Url>https://monitoring.company.com/api/v1/events</Url>
<Events>All</Events>
<Headers>
<Header>
<n>Authorization</n>
<Value>Bearer eyJhbGci...</Value>
</Header>
</Headers>
<TimeoutSeconds>10</TimeoutSeconds>
</Endpoint>
</Endpoints>
</WebhookConfiguration>Automatic Headers
In addition to any custom headers, every webhook request includes these headers automatically:
| Header | Value |
|---|---|
Content-Type |
application/json; charset=utf-8 |
X-Event-Id |
The event's unique GUID (for deduplication) |
X-Operation-Id |
The operation GUID (for correlating related events) |
Credential Store Support
Header values that contain secrets (such as Authorization tokens) can be stored in Windows Credential Manager instead of inline plaintext. Use <ValueCredRef> on a header element to reference a stored credential:
<Header>
<n>Authorization</n>
<ValueCredRef>AppProfileSafe:Webhook:0:Header:Authorization</ValueCredRef>
</Header>When ValueCredRef is set, the value is resolved from the secret store at load time and the inline <Value> element is ignored.
Signature Verification
AppProfileSafe can sign webhook payloads with HMAC-SHA256 for integrity and replay protection. When a shared secret is configured, two additional headers are sent with each request:
| Header | Value |
|---|---|
X-Signature |
sha256=<hex-encoded HMAC> |
X-Timestamp |
Unix timestamp (seconds since epoch) |
The signature is computed as HMAC-SHA256(timestamp + "." + payload_json, shared_secret). The receiving endpoint should recompute the signature and compare using constant-time comparison to prevent timing attacks.
Event Filtering
The <Events> element on each endpoint controls which events are forwarded. Use All to receive everything, or a comma-separated list of action names. Examples:
All— Every audit eventExportFailed,ImportFailed,IntegrityCheckFailed— Failures and security events onlyExportCompleted,ImportCompleted— Successful operations only
Filtering is case-insensitive. Events that do not match any endpoint's filter are silently skipped for that endpoint.