AppProfileSafe - Support Portal

Configuring Webhooks

Webhooks deliver audit events as JSON HTTP POST requests to one or more external endpoints. Use them to integrate with Slack, Microsoft Teams, monitoring APIs, or custom workflows. Configuration is stored in webhook.xml.


Global Switch

The <Enabled> element is a global on/off switch. When set to false, no webhooks are sent regardless of how many endpoints are configured. The webhook sink is only active when Enabled = true and at least one endpoint is defined.


Endpoint Configuration

Each <Endpoint> element defines a delivery target:

Setting Description Default
Url Target URL (HTTPS recommended)
Events Comma-separated list of event action names to forward. All forwards everything. All
Headers Custom HTTP headers (e.g. Authorization, X-Source)
TimeoutSeconds HTTP request timeout per endpoint (overrides pipeline default) 10
RetryCount Endpoint-specific retry count 3


Example Configuration

<WebhookConfiguration xmlns="urn:appprofilesafe:webhook:v1" SchemaVersion="1.0.0">
  <Enabled>true</Enabled>
  <Endpoints>

    <!-- Slack: failures only -->
    <Endpoint>
      <Url>https://hooks.slack.com/services/T.../B.../XXX</Url>
      <Events>ExportFailed,ImportFailed,IntegrityCheckFailed</Events>
      <TimeoutSeconds>10</TimeoutSeconds>
    </Endpoint>

    <!-- Monitoring API: all events, with Bearer token -->
    <Endpoint>
      <Url>https://monitoring.company.com/api/v1/events</Url>
      <Events>All</Events>
      <Headers>
        <Header>
          <n>Authorization</n>
          <Value>Bearer eyJhbGci...</Value>
        </Header>
      </Headers>
      <TimeoutSeconds>10</TimeoutSeconds>
    </Endpoint>

  </Endpoints>
</WebhookConfiguration>


Automatic Headers

In addition to any custom headers, every webhook request includes these headers automatically:

Header Value
Content-Type application/json; charset=utf-8
X-Event-Id The event's unique GUID (for deduplication)
X-Operation-Id The operation GUID (for correlating related events)


Credential Store Support

Header values that contain secrets (such as Authorization tokens) can be stored in Windows Credential Manager instead of inline plaintext. Use <ValueCredRef> on a header element to reference a stored credential:

<Header>
  <n>Authorization</n>
  <ValueCredRef>AppProfileSafe:Webhook:0:Header:Authorization</ValueCredRef>
</Header>

When ValueCredRef is set, the value is resolved from the secret store at load time and the inline <Value> element is ignored.


Signature Verification

AppProfileSafe can sign webhook payloads with HMAC-SHA256 for integrity and replay protection. When a shared secret is configured, two additional headers are sent with each request:

Header Value
X-Signature sha256=<hex-encoded HMAC>
X-Timestamp Unix timestamp (seconds since epoch)

The signature is computed as HMAC-SHA256(timestamp + "." + payload_json, shared_secret). The receiving endpoint should recompute the signature and compare using constant-time comparison to prevent timing attacks.


Event Filtering

The <Events> element on each endpoint controls which events are forwarded. Use All to receive everything, or a comma-separated list of action names. Examples:

  • All — Every audit event
  • ExportFailed,ImportFailed,IntegrityCheckFailed — Failures and security events only
  • ExportCompleted,ImportCompleted — Successful operations only

Filtering is case-insensitive. Events that do not match any endpoint's filter are silently skipped for that endpoint.