Learn how to integrate DataDome with your other services.

To be notified as soon as possible when your endpoints are under attack, you can use a DataDome Webhook to receive Attack Notifications in your existing third-party services.

List of defined integrationsList of defined integrations

List of defined integrations

Configure a Webhook

  1. To define a new Webhook, click on the "Add +" button
Define and test your webhook settingsDefine and test your webhook settings

Define and test your webhook settings

  1. Input a name for your Webhook

  2. Enter the URL where you want to receive the HTTP POST requests from the Webhook

  3. Three different payload formats are available for you to choose from:

    • Default payload: lists all the available variables in a flat JSON object
    • Slack payload: sends the same variables, but they are predefined as a ready-to-be-displayed Slack message
    • Microsoft Teams payload: a customized JSON ready-to-be-displayed in a Teams message
Example of a Slack messageExample of a Slack message

Example of a Slack message

  1. Choose which threats you want to be notified about, or select "All threats" to include them all

  2. Click on the "Test your webhook" button to send a test message and immediately validate your settings

For the chosen threats, a POST request will be sent using the selected payload template


Request timeout

Please note that a timeout of 5 seconds is applied to the sent requests

  1. Click on the "Save" button when you're done

Webhook Variables

The notification message contains various details about the attack event that occurred on your endpoint:

Variable placeholder


Example value


The name of the concerned tenant


Will either be 'A bot attack has been blocked' or 'You are under bot attack' depending on the protection status

A bot attack has been blocked


Whether or not the attack has been blocked by DataDome



The name of the detected threat


The name of the targeted endpoint


The duration of the attack


The date and time the attack started

19 January, 13:53 UTC +00:00


The date and time the attack ended

19 January, 14:00 UTC +00:00


The number of requests detected in this attack


The peak speed reached by this attack, in terms of requests per minute


The count of distinct IPs from where the attack requests originated


The count of distinct user agents used in the attack


The count of distinct countries from where the attack requests originated


The count of distinct targeted URLs