Forwarding to Webhook

Webhooks are "user-defined HTTP callbacks." They are usually triggered by some event. When that event occurs, the source site makes an HTTP request to the URL configured for the webhook. Users can configure them to cause events on one site to invoke behavior on another.

Sysdig Secure leverages webhooks to support integrations that are not covered by any other particular integration/protocol present in the Event Forwarder list.

To forward secure data to a Webhook:

  1. From the Settings module of the Sysdig Secure UI, navigate to the Events Forwarding tab.

  2. Click the Add Integration button.

  3. Select Webhook from the drop-down menu.

  4. Configure the required options:

    1. Integration Name: Define an integration name.

    2. Endpoint: The webhook endpoint, following the schema protocol (i.e. https://) hostname:port.

    3. Authentication: Three different methods are supported:

      • Basic authentication: If you select this method, you must fill the Secret field with the desired user:password. No whitespaces, semicolon character as separation.

      • Bearer token: If you select this method, you must fill the Secret field with the desired user:password. No whitespaces, semicolon character as separation.

      • Signature header: If you select this method, you must fill the Secret field with the cryptographic key provided by the software on the other end.

    4. Secret: Authorization / authentication data. The content of this field depends on the method selected under Authentication (option 3 above).

    5. Custom Headers: Any number of custom headers defined by the user to accommodate additional parameters required on the receiving end.

      To avoid interfering with the regular webhook protocol and expected headers, the following headers cannot be set using this form.

    6. Data to Send: Currently, Sysdig only supports sending policy events (events from Sysdig Secure).

      Due to the heavy connection establishment overhead imposed by the HTTP protocol, the Secure policy events are grouped by time proximity into batches and sent together in a single request as a JSON array. In other words, every HTTP request will contain a JSON array containing one or more policy runtime events.

    7. Select whether or not you want to allow insecure connections (i.e. invalid or self-signed certificate on the receiving side).

    8. Toggle the enable switch as necessary. Remember that you will need to “Test Integration” with the button below before enabling the integration.

  5. Click the Save button to save the integration.
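
On the receiving end, each request has to be authenticated and then read as a batch, because every request carries a JSON array of one or more policy events. The sketch below is an added example, not Sysdig code. It assumes that the Basic and Bearer methods arrive in the standard HTTP Authorization header, that the Secret for Bearer is the token value, and that each event is a JSON object. The function names and sample event fields are hypothetical. The Signature header method is left out because this page does not give its header name or algorithm.

```python
import base64
import hmac
import json

def check_authorization(header_value, method, secret):
    """Return True if the Authorization header carries the configured Secret."""
    if not header_value:
        return False
    scheme, _, credentials = header_value.partition(" ")
    if method == "basic" and scheme.lower() == "basic":
        try:
            presented = base64.b64decode(credentials, validate=True)
        except ValueError:
            return False
    elif method == "bearer" and scheme.lower() == "bearer":
        presented = credentials.encode()
    else:
        return False
    # Constant-time comparison avoids leaking the secret through timing.
    return hmac.compare_digest(presented, secret.encode())

def handle_delivery(headers, body, method, secret):
    """Validate one webhook request; return (status_code, list_of_events)."""
    if not check_authorization(headers.get("Authorization"), method, secret):
        return 401, []
    try:
        batch = json.loads(body)
    except ValueError:
        return 400, []
    # Every request is expected to be a JSON array with one or more events.
    if not isinstance(batch, list) or not batch:
        return 400, []
    # Assumption: each policy event is a JSON object.
    if not all(isinstance(event, dict) for event in batch):
        return 400, []
    return 200, batch

# Constructed sample request; the event fields are placeholders, not Sysdig's schema.
SAMPLE_SECRET = "forwarder:example-password"
SAMPLE_HEADERS = {"Authorization": "Basic " + base64.b64encode(SAMPLE_SECRET.encode()).decode()}
SAMPLE_BODY = b'[{"id": "evt-1", "name": "constructed"}, {"id": "evt-2", "name": "constructed"}]'

if __name__ == "__main__":
    print(handle_delivery(SAMPLE_HEADERS, SAMPLE_BODY, "basic", SAMPLE_SECRET))
```

Iterate over the returned list rather than expecting a single event per request, and reject the delivery before parsing when the credential check fails.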