Webhook Rule

A Webhook rule allows Automation to respond to incoming webhooks from other products. When a webhook is received and the rule's conditions are met, the associated workflow is executed.

To use the Webhook rule, you must have a webhook configured. The webhook configuration will provide a URL where your source can send events. Events sent to that URL will trigger the Webhook rule you create.

To ensure platform integrity, webhooks support an individual payload size of up to 1 MB.

Create New Webhook Rule

Perform the following steps to create a new Webhook rule:

  1. In the General section, enter the following information:

    • Type - Webhook Rule

    • Rule Name - A unique display name for the rule.

    • Description - Text that describes the rule, such as what it will trigger.

  2. The Automation rule on toggle is switched on by default. When left on, the rule is enabled and the workflow can be executed. If you want to create the rule but prevent it from triggering your workflow, switch the toggle to off to disable the rule. This is useful for testing and debugging purposes.

  3. In the Webhook section, click the drop-down list and choose an existing webhook or click Add New to open the New Webhook dialog box and configure a new webhook. For information on how to configure webhooks, see the Webhooks Help topic.

  4. In the Conditions section, click Add Condition to configure a condition, so that if it's met, the workflow you associate with the rule will be executed. The criteria allow you to check the incoming webhooks for a specific HTTP header or a certain value in the request body.

    1. Property - Click the variable browser icon and choose the variable.

    2. Comparison - Click the drop-down list and choose the operator.

    3. Value - Click the drop-down list or enter the desired value, depending on the data type.

    You can click the (Ellipsis) icon and either reset or delete a condition.

  5. If you add more than one condition, choose one of the following options:

    • ALL of these conditions must be met - The workflow will be triggered only if every condition is met (logical AND operator).

    • ANY of these conditions can be met - The workflow will be triggered if any of the conditions is met (inclusive OR operator).

    • Advanced - Click the operator drop-down to choose any combination of operators, in which case the conditions are processed sequentially, top to bottom.

      For example: {[(condition1 AND condition2) OR condition3] AND condition4}

  6. Configure a workflow to associate with this rule.

    • In the Apply to selected workflows section, click the Select workflow drop-down and select a valid workflow or enter its name.

      • Only a non-atomic workflow can be associated with the rule directly; custom and system atomic workflows cannot.

      • The most relevant workflows to this type of rule are shown starting at the top of the drop-down list.

      • Out-of-box XDR system workflows are prefixed with a Cisco icon.

    • Depending on the workflow, enter the parameter data as needed. If the workflow has input variables, you can click the variable browser icon and select event input/output variables, which enable you to provide trigger-related values to the input variables as a reference.

    • To delete a workflow, click the (Trash Can) icon next to it.

    • By default, the workflow is on and enabled. To disable it, click the toggle switch to off.

  7. To include additional workflows, click Add another workflow.

    • Multiple workflows will be executed in parallel, not sequentially.

    • To delete a workflow, click the (Trash Can) icon next to it.

    • If you delete a workflow from here, the workflow itself is not deleted; only its association with this rule is removed. In the workflow's properties, this rule would no longer appear as a trigger.

  8. Click Submit, and a trigger for this rule is automatically added to the associated workflow (see Workflow Properties).
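
The Advanced option in step 5 processes conditions sequentially, top to bottom. The following Python sketch is an added example, not Cisco XDR code: it reads that statement as a left-to-right fold (an assumption based on the bracketed example in step 5) and evaluates a rule against a constructed webhook request, so the effect of mixing AND and OR can be checked before the rule is enabled. The property paths, comparator names and sample request are hypothetical.

```python
# Added illustration, not Cisco XDR code. Property paths, comparator names
# and the sample request are constructed for this example.
COMPARATORS = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: isinstance(actual, str) and expected in actual,
}

def lookup(request, prop):
    """Resolve 'headers.<name>' or a dotted 'body.<path>' to a value, else None."""
    section, _, path = prop.partition(".")
    if section == "headers":
        # HTTP header names are case-insensitive.
        return {k.lower(): v for k, v in request["headers"].items()}.get(path.lower())
    node = request["body"]
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None  # a missing field never satisfies a condition
        node = node[key]
    return node

def check(request, condition):
    prop, comparison, value = condition
    return COMPARATORS[comparison](lookup(request, prop), value)

def evaluate(request, conditions, operators):
    """Fold top to bottom: ((c1 op1 c2) op2 c3) op3 c4, ignoring AND/OR precedence."""
    result = check(request, conditions[0])
    for op, condition in zip(operators, conditions[1:]):
        nxt = check(request, condition)
        result = (result and nxt) if op == "AND" else (result or nxt)
    return result

# Constructed sample of a received webhook (headers plus parsed JSON body).
SAMPLE = {
    "headers": {"X-Source": "scanner-a", "Content-Type": "application/json"},
    "body": {"alert": {"severity": "low", "type": "malware-detected"}, "env": "test"},
}
C1 = ("headers.x-source", "equals", "scanner-a")    # True for SAMPLE
C2 = ("body.alert.severity", "equals", "high")      # False
C3 = ("body.alert.type", "contains", "malware")     # True
C4 = ("body.env", "equals", "prod")                 # False

if __name__ == "__main__":
    # The page's shape: [(c1 AND c2) OR c3] AND c4
    print(evaluate(SAMPLE, [C1, C2, C3, C4], ["AND", "OR", "AND"]))
    # c1 OR c3 AND c4: sequential gives (c1 OR c3) AND c4, which is stricter
    # than precedence-based c1 OR (c3 AND c4).
    print(evaluate(SAMPLE, [C1, C3, C4], ["OR", "AND"]))
```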