Configure a Universal Email Templated Connection
You can configure a universal email templated connection in the Alert Logic console to send incident notifications to any public-facing web server configured to accept email requests. Email templated connections allow you to send notifications about threats or changes in your environment directly to a third-party application in near real time so you can respond quickly.
When you set up a notification and subscribe an email templated connection, Alert Logic sends the event to the target email you configured and can generate a message or IT service management (ITSM) ticket for the incident automatically.
For example, you can configure an email templated connection for an ITSM such as ServiceNow or Jira Service Desk and subscribe it to receive notifications. When an incident occurs that meets the notification criteria, Alert Logic sends the incident notification to the configured email address, and the third-party application generates a service ticket. The email subject configured in the Alert Logic templated connection becomes the ticket summary. The body of the Alert Logic email notification becomes the ticket description. The description includes a link to the incident in the Alert Logic console.
Complete the following steps to successfully receive Alert Logic notifications or generate service tickets in your application:
- Set up the third-party application
- Create the email templated connection from the Alert Logic console
- Subscribe your email templated connection to receive notifications
Set up the third-party application
Before you create the email templated connection in the Alert Logic console, you must find or configure the target email address in the third-party application that can accept Alert Logic notifications or ticket creation requests. The target email address must belong to a registered user or account in the application to which you want to connect. Note the email address because you need it to configure your templated connection. This table lists common examples:
Application | Email Address | Notes |
---|---|---|
Jira Service Desk | myjiraproject@myjira.atlassian.net | Replace myjiraproject with the name of the specific Jira Service Desk project you want to connect to and myjira.atlassian.net with your cloud instance URL. |
Jira Software | myjiraproject@myjira.atlassian.net | Replace myjiraproject with the name of the specific Jira project you want to connect to and myjira.atlassian.net with your cloud instance URL. |
ServiceNow | myinstance@service-now.com | Replace myinstance with the name specified in your cloud instance URL. |
You may also want to set up how you want Alert Logic incident notifications to be processed in the external application. In Jira Service Desk, for example, you can create a specific request type for Alert Logic security incidents. You can also configure the Jira Service Desk fields that you want to include in that request type and assign them to fields in the Alert Logic incident payload. A good practice is to configure a custom request type instead of using a generic type such as "Report a system problem" because it allows you to restrict access for security incidents.
See the documentation for the third-party application for more information about the target email address and configuration options.
Create the email templated connection from the Alert Logic console
After you identify the target email address for the third-party application to which you want to connect, you can create and test the email templated connection from the Connections page in the Alert Logic console.
To create an email templated connection:
- In the Alert Logic console, click the Settings icon, and then click Connections.
- Click the Templated Connections tab.
- On the Templated Connections page, click the add icon, and then click Email.
- On the Create an Email Templated Connection page, type a descriptive name for the templated connection—for example, "Jira Email Templated Connection for Incidents."
- In Email Address, enter the email address for the third-party application that you noted previously.
- (Optional) Customize the Email Subject. You can change the text and insert variables enclosed with double braces ({{variable}}).
- In Payload Type, leave Incident selected.
- Click TEST to send a test email to the target email address provided. For more information, see Test results.
- If your email templated connection sent the test event to the target email successfully, click SAVE.
Email subject variables
To customize the subject line of the email that you send to the third-party application, you can add these variables to the Email Subject field.
Variable | Description | Example |
---|---|---|
{{accountId}} | Customer account identifier | 12345678 |
{{correlation_name}} | Name of correlation that triggered the incident | Admin Failed Login Correlation |
{{createtime_str}} | Incident creation date and time in UTC | 2020-08-10T11:22:27.799796+00:00 |
{{customer}} | Customer name of the Alert Logic account affected by the incident | XYZ Corporation |
{{deployment}} | Name of deployment affected by the incident | AWS Production Deployment |
{{extra.location_ip}} | One or more IP addresses, if determined, of the attacker for this incident | 192.0.2.1 192.0.2.25 |
{{extra.target_host}} | One or more IP addresses, if determined, of the target affected by the incident | 10.1.2.3 |
{{humanFriendlyId}} | Short incident ID | 8fn5sf |
{{incident_attack_class}} | Incident classification type | brute-force |
{{incident_escalated}} | Escalation status | Valid values: |
{{incident.summary}} | Brief description of the incident that is suitable as a title or message subject | Brute force attempt from 1.2.3.4 |
{{incident_threat_rating}} | Incident threat level | Critical |
Test results
The test email that Alert Logic sends confirms the configuration was successful.
If the test is unsuccessful, Alert Logic displays an error message. For server response errors, you can use the error code and message that Alert Logic passes through to troubleshoot the issue.
Information sent to your application
The email subject configured in the Alert Logic templated connection becomes the ticket title or message subject. The email body is built from the following fields of the incident payload, transformed from Markdown to HTML. If a field is empty, the corresponding line in the resulting email is left blank.
Field | Description | Example |
---|---|---|
incident.summary | Brief description of the incident that is suitable as a title or message subject | Brute force attempt from 1.2.3.4 |
incident.description | Incident explanation from the incident investigation report, if any | "<p><strong>Attack Detail</strong>:<br />\n<strong>Attacker:</strong> 172.31.37.117, local_ip<br />\n<strong>Targets:</strong> 122.99.34.111, 172.31.37.90, and 172.31.39.79 </p>\n<p>We have detected a recon attack targeting a number of common server vulnerabilities. This is a vulnerability scan however we are unable to determine the specific tool or company performing this attack.</p>" |
incident.recommendations | Recommendations from the incident investigation report, if any | "<p>A compromised host should be isolated from the network and cleaned. You will want to remove the back doors installed and check the system logs for other actions taken. Once a system is compromised, usually one of the first things done by an attacker is creating a secondary access channel. Assume that additional modifications have been made to the system beyond the initial breach.</p>" |
incident.extra.incidentUrl | Links to the incident in the Alert Logic console | https://console.incidents.product.dev.alertlogic.com/#/incidents/incidentId/investigation |
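The two tables above describe how the subject template and the body are filled from the incident payload. The following Python script, added here as an illustration and not part of the Alert Logic product or its documentation, simulates that rendering on a constructed payload: it substitutes `{{variable}}` placeholders (including dotted names such as `extra.location_ip`), joins multi-valued fields with spaces as the examples show, and leaves a blank line for any body field that is empty. The payload layout (top-level keys for the subject variables, an `incident` object for the body fields) and all sample values are assumptions made for the example.

```python
import re

# Constructed sample payload, modelled on the variables and body fields documented
# above. The nesting (top-level subject variables, body fields under "incident")
# and every value here are assumptions for the example, not a real Alert Logic event.
SAMPLE_INCIDENT = {
    "accountId": 12345678,
    "correlation_name": "Admin Failed Login Correlation",
    "createtime_str": "2020-08-10T11:22:27.799796+00:00",
    "customer": "XYZ Corporation",
    "deployment": "AWS Production Deployment",
    "extra": {
        # Multi-valued fields are rendered space-separated, as in the variable table.
        "location_ip": ["192.0.2.1", "192.0.2.25"],
        "target_host": ["10.1.2.3"],
    },
    "humanFriendlyId": "8fn5sf",
    "incident_attack_class": "brute-force",
    "incident_escalated": "",
    "incident_threat_rating": "Critical",
    "incident": {
        "summary": "Brute force attempt from 1.2.3.4",
        "description": "<p><strong>Attack Detail</strong>: constructed example text</p>",
        "recommendations": "",  # empty on purpose: produces a blank line in the body
        "extra": {
            "incidentUrl": "https://console.example.invalid/#/incidents/8fn5sf/investigation",
        },
    },
}

# Matches {{name}} with optional whitespace; names may contain dots for nested lookups.
VARIABLE = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")

# Body fields in the order listed in the "Information sent to your application" table.
BODY_FIELDS = [
    "incident.summary",
    "incident.description",
    "incident.recommendations",
    "incident.extra.incidentUrl",
]


def lookup(payload: dict, dotted: str) -> str:
    """Resolve a dotted path against the payload.

    Missing keys and None resolve to "" so an unknown or empty variable
    renders as nothing rather than raising. Lists are joined with spaces.
    """
    cur = payload
    for part in dotted.split("."):
        if isinstance(cur, dict) and part in cur:
            cur = cur[part]
        else:
            return ""
    if isinstance(cur, (list, tuple)):
        return " ".join(str(item) for item in cur)
    return "" if cur is None else str(cur)


def render_subject(template: str, payload: dict) -> str:
    """Replace every {{variable}} in the Email Subject template with its value."""
    return VARIABLE.sub(lambda m: lookup(payload, m.group(1)), template)


def render_body(payload: dict) -> str:
    """Build the email body: one line per body field, blank where the field is empty."""
    return "\n".join(lookup(payload, field) for field in BODY_FIELDS)


if __name__ == "__main__":
    subject = render_subject(
        "[{{incident_threat_rating}}] {{incident.summary}} ({{humanFriendlyId}})",
        SAMPLE_INCIDENT,
    )
    print("Subject:", subject)
    print("Body:")
    print(render_body(SAMPLE_INCIDENT))
```

Running the script prints the rendered subject and a four-line body in which the third line (recommendations) is blank, which is the behaviour to expect in the ticket description when an investigation report carries no recommendations.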
Subscribe your email templated connection to receive notifications
After you create and test your email templated connection, the next step in the Alert Logic console is to set up your incident notifications to subscribe to the templated connection. For instructions, see Incident Notifications.
Manage your templated connections
You can view the list of email templated connections and edit or delete an existing one. For more information, see Manage Templated Connections.