Forward notifications to webhook

Cortex XSIAM 3.x Documentation

Product
Cortex XSIAM
Creation date
2025-07-15
Last date published
2026-06-16
Category
Administrator Guide
Abstract

Configure a webhook external application in Cortex XSIAM to forward cases and issues to a webhook endpoint.

You can forward issues and cases to a webhook.

Note

Cortex sends webhook notifications using its own predefined payload format. If your webhook endpoint requires the payload to be structured in a specific way — for example, the format expected by Google Chat or another third-party service — the notification will not be delivered successfully. Only endpoints that accept arbitrary JSON payloads are supported.

Configure access in your firewall

Add the IP addresses for your tenant region to your firewall. For more information, refer to the list of ingress IPs in Enable access to required PANW resources.

Configure egress in Cortex Gateway

Before forwarding cases or issues to Splunk, you need to configure egress. Only a user with Account Admin or Instance Admin permissions can configure egress.

To configure egress, enter the FQDN (fully qualified domain name) only, without the port or the path. For example, if the full URL is https://webhook.mycompany.com/target_resource, you would enter webhook.mycompany.com.

  1. In the Cortex Gateway, go to Permission Management > Egress Configurations > Path.

  2. Select the account name and tenant.

  3. In the Flow field, select Webhook.

  4. Enter the FQDN (fully qualified domain name) of the webhook endpoint. For example, webhook.mycompany.com. Note that the path does not include HTTP or HTTPS.

  5. Add the configuration.

Complete external application configuration in Cortex XSIAM

  1. Go to Settings > Configurations > Integrations > External Applications > Add Application and select Webhook.

  2. Enter the webhook URL. The URL can include a port, but the connection must be HTTPS.

  3. Click Verify. If egress has not been configured in the Cortex Gateway, verification will fail.

  4. After verification is successful, enter the instance name and optional description.

  5. Show advanced settings to add HTTPS headers if required.

  6. Enter the authentication token for secure access to your Splunk instance.

  7. Click Test to verify the connection, then click Connect.
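A pre-flight check for the two values entered in the steps above, as an added example that is not part of the Cortex documentation or product: it derives the egress FQDN from the webhook URL by dropping the scheme, port and path, and rejects URLs that are not HTTPS or whose host is malformed (for example an empty label). The function name `egress_fqdn` and the rejection of IP literals are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def egress_fqdn(webhook_url: str) -> str:
    """Return the FQDN to enter in the egress configuration for webhook_url.

    Raises ValueError when the URL is not HTTPS or its host is not a
    well-formed fully qualified domain name.
    """
    parts = urlsplit(webhook_url.strip())
    if parts.scheme.lower() != "https":
        raise ValueError("webhook URL must use HTTPS")
    _ = parts.port  # accessing .port raises ValueError on a malformed port
    host = parts.hostname  # lowercased, with port and userinfo removed
    if not host:
        raise ValueError("webhook URL has no host")
    if host.endswith("."):
        host = host[:-1]  # a single trailing root dot is valid; drop it
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2:
        raise ValueError(f"not a fully qualified domain name: {host!r}")
    for label in labels:
        if not _LABEL.fullmatch(label):
            raise ValueError(f"bad DNS label {label!r} in host {host!r}")
    if labels[-1].isdigit():
        # Assumption of this example: an IP literal is not an FQDN.
        raise ValueError(f"host is an IP address, not an FQDN: {host!r}")
    return host


if __name__ == "__main__":
    # Constructed sample URLs, not real endpoints.
    samples = [
        "https://webhook.mycompany.com/target_resource",
        "https://webhook.mycompany.com:8443/target_resource",
        "https://webhook..mycompany.com/target_resource",
        "http://webhook.mycompany.com/target_resource",
    ]
    for url in samples:
        try:
            print(f"{url} -> egress FQDN: {egress_fqdn(url)}")
        except ValueError as err:
            print(f"{url} -> rejected: {err}")
```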

Configure notification forwarding

Follow the instructions for Configure notification forwarding.