Overview
The Activity Log Webhook enables Lucidya to automatically push user activity logs to your configured endpoint in near real-time. Instead of manually pulling logs, you can integrate them directly into your SIEM system (such as Splunk) for security monitoring and compliance.
Key Features
Near real-time log delivery
Secure webhook authentication
JSON-structured log payloads
Full coverage of user activity and audit data
Prerequisites
Before configuring the webhook, make sure you have:
A valid endpoint URL from your SIEM system
An authentication method ready (header, body, or both)
Manager role access under General Settings in Lucidya
How to Configure the Webhook
Step 1 — Navigate to Activity Logs
Go to Settings → Users → Activity Log, then click the Webhook Configuration icon.
Step 2 — Fill in the Webhook Details
1. Method: Select the HTTP method for your endpoint:
HTTP POST (recommended)
HTTP GET
2. URL: Enter your SIEM endpoint URL. It must be a valid and reachable URL.
3. Authentication Variable Name: Enter a name for the authentication variable. It must:
Start with a letter
Contain only letters and numbers
Contain no spaces
Example: authorization
4. Authentication Location: Choose where the authentication token is sent:
Header
Body
Both
5. Authentication Token: Enter your secure token. Note that Arabic characters and special characters are not supported.
6. Enable the Webhook: Toggle the webhook to Enable to activate log delivery.
Log Data Structure
All logs are delivered in JSON format. Below is a sample payload and a description of each field.
Sample Payload
{
  "timestamp": "2026-03-16T11:10:54Z",
  "activity_log": "User A updated permissions for User B",
  "user_action": "Update",
  "feature": "User Management",
  "user_email": "[email protected]",
  "user_ip_address": "192.168.1.1",
  "user_agent": "Mozilla/5.0"
}
Field Reference
Field | Description |
timestamp | UTC time the action occurred |
activity_log | Description of the activity |
user_action | Action type: Read, Create, Update, or Delete |
feature | The platform module where the action took place |
user_email | Email of the user who performed the action |
user_ip_address | IP address of the user |
user_agent | Browser or device information |
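On the receiving side, the endpoint should check the token and the payload fields before an event is indexed. The Python below is an added example, not Lucidya's code: it assumes the token arrives verbatim under the configured variable name (as an HTTP header, a top-level JSON key, or both), and AUTH_VAR, AUTH_LOCATION, EXPECTED_TOKEN and validate_delivery are hypothetical names.

```python
import hmac
import ipaddress
import json
from datetime import datetime

# Assumptions (not from Lucidya's documentation): the token arrives verbatim
# under the configured variable name, either as an HTTP header or as a
# top-level key in the JSON body. All values below are constructed samples.
AUTH_VAR = "authorization"          # "Authentication Variable Name" from Step 2
AUTH_LOCATION = "both"              # "header", "body" or "both"
EXPECTED_TOKEN = "ExampleToken123"  # placeholder; load from a secret store

REQUIRED = ("timestamp", "activity_log", "user_action", "feature",
            "user_email", "user_ip_address", "user_agent")
ACTIONS = {"Read", "Create", "Update", "Delete"}


def token_ok(candidate):
    # Constant-time comparison avoids leaking the token through timing.
    return isinstance(candidate, str) and hmac.compare_digest(
        candidate.encode(), EXPECTED_TOKEN.encode())


def validate_delivery(headers, raw_body):
    """Return (accepted, reason) for one webhook delivery."""
    try:
        event = json.loads(raw_body)
    except ValueError:
        return False, "body is not valid JSON"
    if not isinstance(event, dict):
        return False, "body is not a JSON object"
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if AUTH_LOCATION in ("header", "both") and not token_ok(lowered.get(AUTH_VAR.lower())):
        return False, "bad or missing token in header"
    if AUTH_LOCATION in ("body", "both") and not token_ok(event.get(AUTH_VAR)):
        return False, "bad or missing token in body"
    missing = [f for f in REQUIRED if f not in event]
    if missing:
        return False, "missing fields: " + ", ".join(missing)
    if event["user_action"] not in ACTIONS:
        return False, "unexpected user_action"
    try:
        datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        ipaddress.ip_address(str(event["user_ip_address"]))
    except (TypeError, ValueError):
        return False, "malformed timestamp or IP address"
    return True, "ok"
```

Rejected deliveries are worth logging on the SIEM side with their reason, since repeated token failures against the endpoint are themselves a signal.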
Supported Events
The webhook captures all platform activity, including:
General Actions
Viewing data (Read)
Creating resources (Create)
Updating configurations (Update)
Deleting resources (Delete)
User Management Actions
User invitations (including the inviter)
Permission changes
User profile updates
User deletions
Managing the Webhook
Users with the Manager role under General Settings can:
Create a webhook
Edit webhook settings
Enable or disable the webhook
Delete the webhook
Note: Disabling the webhook stops log delivery immediately. Re-enabling it resumes delivery.
Security
The authentication token is stored encrypted
The token is masked after saving
You can update or replace the token at any time
Activity Logging
All webhook-related actions are recorded in the Activity Log page, including:
Webhook created
Webhook edited
Webhook enabled
Webhook disabled
Webhook deleted
Troubleshooting
Logs not being received?
Confirm the webhook is enabled
Verify the endpoint URL is correct and reachable
Check your authentication configuration
Configuration errors?
Review field validations for the token, variable name, and URL
Ensure no unsupported characters are used in any field
Best Practices
Use HTTP POST for better payload handling
Store and manage your authentication token securely
Monitor delivery logs on your SIEM side regularly
Test with a staging endpoint before going to production
Support
For help configuring the webhook or testing your integration, contact the Lucidya support team at [email protected].
