Skip to content


You can set up Wallarm to send instant notifications to any system that accepts incoming webhooks via HTTPS protocol. For this, specify Webhook URL to receive the notifications for the following event types:

  • Hits detected

  • System related: newly added users, deleted or disabled integration

  • Vulnerabilities detected

  • Scope changed: updates in hosts, services, and domains

Notification format

Notifications are sent in JSON format. The set of JSON objects depend on the event for which the notification is sent. For example:

  • Hit detected

        "anomality": 0.9806949806949808,
        "domain": "",
        "heur_distance": 36.28571421111111,
        "method": "GET",
        "parameter": "GET_id_value",
        "path": "/",
        "payloads": [
        "'or 1=1--"
        "point": [
        "probability": 36.11111118571429,
        "remote_country": null,
        "remote_port": 41616,
        "remote_addr4": "",
        "remote_addr6": null,
        "datacenter": "unknown",
        "tor": "none",
        "request_time": 1591261367,
        "create_time": 1591261381,
        "response_len": 345,
        "response_status": 404,
        "response_time": 257,
        "stamps": [
        "regex": [],
        "stamps_hash": -1888294073,
        "regex_hash": -2147483648,
        "type": "sqli",
        "block_status": "monitored",
        "id": [
        "object_type": "hit"
  • Vulnerability detected

        "title": "Missing \"Strict-Transport-Security\" header in server's response at ''",
        "source": "",
        "type": "Info",
        "domain": "",
        "threat": "Low",
        "link": "",
        "summary": "New vulnerability identified"

Setting up integration

  1. Open Wallarm UI → SettingsIntegrations.

  2. Click the Webhook block or click the Add integration button and choose Webhook.

  3. Enter an integration name.

  4. Enter target Webhook URL.

  5. If required, configure advanced settings:

    • Request method: POST or PUT. By default, POST requests are sent.
    • Request header and its value if the server requires a non-standard header to execute the request. The number of headers is not limited.
    • Security certificate if the server requires authorization by using the SSL certificate.
    • Request timeout, in seconds: if the server does not respond to the request within the specified time, the request fails. By default: 15 seconds.
    • Connection timeout, in seconds: if the connection to the server cannot be established during the specified time, the request fails. By default: 20 seconds.

    Advanced settings example

  6. Choose event types to trigger sending notifications to Webhook URL. If the events are not chosen, then notifications will not be sent.

  7. Test the integration and ensure the settings are correct.

  8. Click Add integration.

    Webhook integration

Examples of integrations

Webhooks can be used as system log sources. The number of log sources depends on the system complexity: the more components in the system, the greater number of log sources and logs. The most common logging scheme in complex systems consists of the following components:

  • Log collector: accepts logs from several sources and forwards logs to the SIEM system

  • SIEM system: used to analyze logs and monitor the system status

We described some examples of how to configure the integration with the popular log collectors forwarding logs to the SIEM systems:

Testing integration

Integration testing allows checking configuration correctness, availability of the Wallarm Cloud, and the notification format. To test the integration, you can use the button Test integration when creating or editing the integration.

The integration is tested as follows:

  • Test notifications with the prefix [Test Message] are sent to the selected system.

  • Test integrations are sent for all events available for the selected system. If the integration card includes 3 event types, the system will receive 3 test notifications.

    If the integration card includes the event type System related, an appropriate test notification includes details on the newly added user.

  • Test notifications include test data.

Test webhook example:

    "title": "Test",
    "source": "Wallarm",
    "type": "Info",
    "domain": "",
    "threat": "Medium",
    "link": "",
    "summary": "[Test Message] New vulnerability identified"

Updating integration

To update the settings of active integration:

  1. Go to your Wallarm account → SettingsIntegrations in the EU or US cloud.

  2. Open an active integration.

  3. Make required changes and click Save.

Disabling integration

To stop sending reports and notifications temporarily, you can disable the integration:

  1. Go to your Wallarm account → SettingsIntegrations in the EU or US cloud.

  2. Open an active integration and click Disable.

To re-enable sending reports and notifications, open the disabled integration and click Enable.

Deleting Integration

To stop sending reports and notifications permanently, you can delete the integration. Deleting an integration cannot be undone. The integration will be removed from the list permanently.

  1. Go to your Wallarm account → SettingsIntegrations in the EU or US cloud.

  2. Open integration and click Delete.

  3. Confirm the action.