Webhooks in THOR Cloud: Event-Driven Notifications and System Integration

Aug 7, 2025

We’re introducing Webhooks in THOR Cloud — a new feature that delivers event-driven notifications and facilitates integration with your existing systems. Webhooks allow you to subscribe to specific events and automatically receive event data as soon as those events occur. This approach eliminates the need for polling or manual status checks and supports automation-driven workflows.

Event-Driven Alerts and Integration

Webhooks improve operational awareness by pushing notifications when a relevant event occurs. Examples include scan completion, scan failure, campaign creation, or configuration changes. Each event triggers an HTTP POST request to a user-defined endpoint, containing a structured JSON payload with event details.

These notifications can be consumed by various systems, including:

  • SIEM platforms
  • SOAR systems
  • Ticketing and alerting solutions
  • Communication tools (e.g., Slack, Microsoft Teams)

Advantages:

  • No Polling Required: Reduces unnecessary API requests by sending data only when relevant events occur.
  • Automation-Ready: Allows incident response playbooks, notifications, or other actions to be triggered automatically.
  • Scoped Subscriptions: Supports fine-grained control over which events are forwarded to each endpoint.

Global vs. Campaign-Specific Webhooks

THOR Cloud supports two levels of webhook configurations:

  • Global Webhooks: Applied at the account level. They monitor events across all campaigns and actions within the organization. Suitable for central logging and enterprise-wide monitoring setups.
  • Campaign-Specific Webhooks: Tied to a specific scan campaign. These webhooks are ideal for use cases where campaigns represent different business units, projects, or customers. They are also useful for testing integrations in isolated environments.

Both webhook types can operate in parallel, enabling layered notification strategies. For instance, a global webhook can log all events to a central SIEM, while campaign-specific webhooks alert distinct teams about events in high-priority scans.

Key Technical Features

HTTP POST Delivery

THOR Cloud sends event payloads via HTTP POST to the configured webhook URL. Payloads are in JSON format and include metadata such as campaign ID, event type, timestamp, and outcome.

Customizable Event Types

Users can subscribe to specific events including:

  • Campaign Created / Modified / Expired
  • Scan Finished / Failed
  • Output Profile Changes

Filters can further restrict notifications to cases where scans return alerts or warnings.

Security via HMAC Signatures

Optionally, a secret token can be configured per webhook. If set, THOR Cloud includes an HMAC-SHA256 signature of the payload in the Event-Signature header. Receiving systems can verify the signature to ensure authenticity.

Standardized Headers

  • Event-UUID: Unique identifier for the event instance.
  • Event-Timestamp: Time when the event was generated.
  • Event-Signature: HMAC signature (if secret is set).

Webhook Testing

A built-in test function allows you to simulate events and validate endpoint readiness before activating the webhook in production.

Delivery Considerations

Retry Logic

THOR Cloud retries failed webhook deliveries using exponential backoff for up to approximately 70 hours. However, it is the user’s responsibility to ensure the receiving endpoint is highly available and robust.
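
A receiver-side check for the Event-Signature header described under Security via HMAC Signatures, which also uses Event-UUID to ignore repeats from retried deliveries. This is an added example, not Nextron's code. It assumes the signature is the hex-encoded HMAC-SHA256 of the raw request body; the class and function names, the secret, and the sample payload fields are constructed for illustration.

```python
import hashlib
import hmac


def sign(secret: bytes, raw_body: bytes) -> str:
    # Assumption: hex-encoded HMAC-SHA256 over the exact bytes of the POST body.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = set()  # use a shared store with expiry in production

    def check(self, headers: dict, raw_body: bytes) -> str:
        h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        sig, event_id = h.get("event-signature", ""), h.get("event-uuid", "")
        if not sig or not event_id:
            return "reject: missing header"
        # Verify before parsing the JSON; compare in constant time.
        if not hmac.compare_digest(sign(self._secret, raw_body).encode(),
                                   sig.strip().lower().encode()):
            return "reject: bad signature"
        # The page describes the signature as covering the payload, so
        # Event-UUID serves idempotency here, not as an authenticated value.
        if event_id in self._seen:
            return "duplicate"
        self._seen.add(event_id)
        return "accept"


def demo() -> list:
    secret = b"constructed-secret"  # constructed sample value
    body = b'{"event_type": "scan_finished", "outcome": "alerts"}'  # constructed payload
    headers = {"Event-UUID": "00000000-0000-4000-8000-000000000001",
               "Event-Signature": sign(secret, body)}
    rx = WebhookReceiver(secret)
    return [
        rx.check(headers, body),                               # first delivery
        rx.check(headers, body),                               # retried delivery
        rx.check(headers, body.replace(b"alerts", b"clean")),  # tampered body
        rx.check({"Event-UUID": "x"}, body),                   # unsigned request
    ]


if __name__ == "__main__":
    print(demo())
```

Compute the HMAC over the bytes exactly as received; re-serializing the parsed JSON can change whitespace or key order and break verification.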

Summary

Webhooks in THOR Cloud provide a flexible mechanism to integrate external systems with THOR Cloud event data. By enabling instant event-driven notifications and automating downstream responses, this feature improves situational awareness and supports efficient incident handling workflows.

To get started, log into THOR Cloud, navigate to the Webhook section, and create a global or campaign-specific webhook. Configure the desired event types, optionally set a secret for HMAC verification, and test the webhook using the built-in function.

For assistance, contact your Nextron representative or support team.

About the author:

Tobias Michalski