Inbound webhooks

The inbound webhook lets external systems push security events into your SIEM.

Endpoint:
https://turtini.com/api/siemWebhook?orgId=<your-org-id>

Setup:
1. Security → Integrations → Inbound Webhooks
2. Set a webhook secret → click Save
3. Copy the pre-filled endpoint URL

Send events via POST:
Content-Type: application/json
X-Turtini-Webhook-Secret: <your-secret>

{
"type": "webhook.threat",
"severity": "high",
"title": "WAF blocked SQL injection",
"description": "...",
"source": "cloudflare",
"ip": "1.2.3.4",
"metadata": { "rule": "SQLi", "country": "RU" }
}

The endpoint uses timing-safe secret comparison — requests with an invalid or missing secret return 403.

Integration quick-starts (Security → Integrations → Inbound Webhooks → Integration Quick-Starts):

Cloudflare — Use Logpush to forward firewall_events and security_events. Set the HTTP destination to your webhook URL and add X-Turtini-Webhook-Secret as a custom header.

GitHub — Add a webhook in your repo or org Settings → Webhooks. Choose individual events: Secret scanning alerts, Code scanning alerts, Security advisories.

Google Workspace — A one-click Apps Script forwards Admin SDK audit logs every 5 minutes. The pre-filled script is available in the quick-start.

Slack — Enable Event Subscriptions on a Slack App and point the Request URL at your webhook endpoint. Subscribe to message.channels and app_mention.

Microsoft 365 — Use a Power Automate flow triggered by "When a new Defender XDR alert is created". Add an HTTP action posting to your webhook URL.

Datadog — Add a Webhook integration in Datadog, set the URL to your endpoint, and attach it to any monitor using @webhook-Turtini.