Tines Webhook Destination Setup

Send detection alerts to Tines Story webhooks for automation workflows.

Prerequisites

  • Tines account with story creation permissions
  • Target Tines story with a Webhook action

Setup Steps

1. Create Webhook Action in Tines Story

  1. Open or create a Tines story
  2. Drag a Webhook Action onto the canvas
  3. Configure the webhook:
    • Path: Copy the path portion (e.g., eb7f40dbc217bfd8c4a5a843611a3b2d)
    • Secret: Copy the secret key (e.g., c9e648cdf08204c3aa9784fe2efa2e61)
    • Verbs: Set to post

Full webhook URL structure: https://your-tenant.tines.com/webhook/<path>/<secret>

2. Configure in Query.ai

Contact your Query.ai administrator to configure the Tines Webhook destination with:

Required Configuration:

  • Webhook URL (without secret) - e.g., https://your-tenant.tines.com/webhook/<path>
  • Webhook secret (stored securely)

Optional Configuration:

  • Timeout in seconds (default: 30)

Webhook Payload

The webhook receives a JSON payload with all detection fields:

{
  "detection_id": 123,
  "detection_name": "Suspicious Login Attempts",
  "description": "Multiple failed login attempts detected",
  "severity": "HIGH",
  "outcome": "MATCHED",
  "match_count": 5,
  "replay_link": "https://app.query.ai/replay/123",
  "ran_at": "2025-01-15T10:00:00Z",
  "range_start": "2025-01-15T09:00:00Z",
  "range_end": "2025-01-15T10:00:00Z",
  "run_id": "run-456",
  "run_type": "SCHEDULED",
  "errors": [],
  "match_operator": "GREATER_THAN",
  "match_threshold": 0,
  "match_eagerness": "EXHAUSTIVE",
  "match_exhaustiveness": "COMPLETED",
  "search_id": "search-abc-123",
  "trace_id": "1-abc-def"
}

Testing

Test the webhook with curl. The request URL includes the secret, so the command is recorded in your shell history:

curl -X POST \
  "https://your-tenant.tines.com/webhook/eb7f40dbc217bfd8c4a5a843611a3b2d/c9e648cdf08204c3aa9784fe2efa2e61" \
  -H "Content-Type: application/json" \
  -d '{
    "detection_id": 123,
    "detection_name": "Test Detection",
    "severity": "HIGH",
    "outcome": "MATCHED",
    "match_count": 5,
    "replay_link": "https://app.query.ai/replay/123"
  }'

Expected Response: 200 OK (or custom response configured in Tines)

Using Webhook Data in Tines

Access webhook data in your Tines story using:

<<webhook_action.body.detection_name>>
<<webhook_action.body.severity>>
<<webhook_action.body.match_count>>
<<webhook_action.body.replay_link>>

Example: Send to Slack

{
  "url": "https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK",
  "content_type": "application/json",
  "method": "post",
  "payload": {
    "text": "🚨 Detection Alert: <<webhook_action.body.detection_name>>",
    "blocks": [
      {
        "type": "section",
        "text": {
          "type": "mrkdwn",
          "text": "*Severity:* <<webhook_action.body.severity>>\n*Matches:* <<webhook_action.body.match_count>>"
        }
      },
      {
        "type": "actions",
        "elements": [
          {
            "type": "button",
            "text": {
              "type": "plain_text",
              "text": "View in Query.ai"
            },
            "url": "<<webhook_action.body.replay_link>>"
          }
        ]
      }
    ]
  }
}

Example: Create Jira Ticket

{
  "url": "https://your-domain.atlassian.net/rest/api/3/issue",
  "method": "post",
  "basic_auth": ["[email protected]", "<<CREDENTIAL.jira_api_token>>"],
  "content_type": "application/json",
  "payload": {
    "fields": {
      "project": {"key": "SEC"},
      "summary": "[<<webhook_action.body.severity>>] <<webhook_action.body.detection_name>>",
      "description": "<<webhook_action.body.description>>\n\nReplay: <<webhook_action.body.replay_link>>",
      "issuetype": {"name": "Task"}
    }
  }
}

Troubleshooting

Error                 Solution
404 Not Found         Verify webhook path is correct
401 Unauthorized      Check secret key is correct
Connection refused    Verify Tines tenant domain is correct
No events appearing   Check webhook action is connected in story, verify logs

Configuration Options

Required

url

  • Tines webhook URL without the secret
  • Format: https://your-tenant.tines.com/webhook/<path>

secret (secret)

  • Webhook secret key
  • Stored securely in AWS Secrets Manager

Optional

timeout

  • Request timeout in seconds
  • Default: 30
  • Maximum: 300 (5 minutes)
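
Added example (not Query.ai's or Tines's own code): one way a sender could combine the three options above, joining url and secret into the full webhook URL, rejecting a url value that already contains the secret, and masking the secret in error text. The function names, the allowed secret characters, the 1-second lower bound, and rejecting (rather than clamping) out-of-range timeouts are assumptions.

```python
import json
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

DEFAULT_TIMEOUT, MAX_TIMEOUT = 30, 300  # seconds, from the options above


def build_delivery_url(url, secret):
    """Join the stored URL (no secret) and the secret: <url>/<secret>."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError("url must be a plain https:// URL")
    segments = [s for s in parts.path.split("/") if s]
    # Three segments means the secret was pasted into the url field.
    if len(segments) != 2 or segments[0] != "webhook":
        raise ValueError("url must be /webhook/<path> without the secret")
    # Assumed character set: keeps the secret to exactly one path segment.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", secret or ""):
        raise ValueError("secret must be a single URL-safe path segment")
    return f"https://{parts.netloc}/webhook/{segments[1]}/{secret}"


def redact(text, secret):
    """Mask the secret before a URL or error string reaches a log."""
    return text.replace(secret, "[REDACTED]") if secret else text


def resolve_timeout(value=None):
    """Default 30 s; values outside 1..300 are rejected (assumed behaviour)."""
    if value is None:
        return DEFAULT_TIMEOUT
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= MAX_TIMEOUT:
        raise ValueError(f"timeout must be an integer from 1 to {MAX_TIMEOUT}")
    return value


def send_detection(url, secret, detection, timeout=None):
    """POST the detection JSON and return the HTTP status code."""
    request = urllib.request.Request(
        build_delivery_url(url, secret),
        data=json.dumps(detection).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(request, timeout=resolve_timeout(timeout)) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # e.g. 404 wrong path, 401 wrong secret
    except urllib.error.URLError as exc:
        # Redact defensively so the secret cannot reach logs via error text.
        raise ConnectionError(redact(str(exc.reason), secret)) from None
```

Log `redact(build_delivery_url(url, secret), secret)` rather than the delivery URL itself when recording where an alert was sent.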

Security Best Practices

  1. Never Commit Secrets: Always store webhook secrets in Secrets Manager
  2. Use Unique Secrets: Use different secrets for each webhook
  3. Rotate Secrets: Rotate secrets every 90 days
  4. Limit Access: Only grant webhook access to necessary stories
