Configure Slack Templated Connection

You can configure a templated connection in the Alert Logic console to send notifications to Slack. When you set up a notification and subscribe a templated connection, Alert Logic sends the event to the URL you configured and creates a message in Slack automatically.

Alert Logic notifications alert you to threats, changes, and scheduled events in your environment so you can respond quickly. From the Alert Logic console, you can subscribe your Slack webhook to receive:

Complete the following steps to successfully send messages to Slack:

  1. Identify the connection
  2. (Optional) Identify your Slack URL path
  3. (Optional) Customize the payload template
  4. Create the Slack templated connection from the Alert Logic console
  5. Subscribe your templated connection to receive notifications

Identify the connection

This templated connection requires a Slack connection, which stores authentication and credential information that grants Alert Logic access to Slack. If you do not have the connection already, you can create it now or when you create the templated connection.

For more information, see Configure Slack Connection.

(Optional) Identify your Slack URL path

The URL Path field in the templated connection configuration is blank by default. The connection defines the required URL (for more information, see Configure Slack Connection). Advanced API integration targeting can be done by modifying the URL path.

(Optional) Customize the payload template

Decide which type of security information that you want Alert Logic to send to Slack: Incident, Observation (of a log correlation), or a Scheduled Report Notification payload.

If you want to send more than one payload type, you must configure a templated connection for each one. Because the payload is different, each payload type requires a separate templated connection instance.

Alert Logic provides a payload template for each payload type in JSON format using Mustache template-like transformations where a field in the JSON payload can be referenced by enclosing it in braces ({{}}. For example, the threatRating field in the following JSON {'incident': {'threat.Rating': "critical"}} is specified as {{incident.threatRating}}. A payload template converts the Alert Logic security information to the format expected by Slack. You can add or remove lines in the sample template to meet your workflow requirements and security goals.

For definitions of the Alert Logic variables in the templates and the full JSON that you can use to configure your payload template in JQ or JSON format, see:

For more information about Mustache, see the Mustache Manual. For more complex transformations, you can use JQ. A helpful website for converting JSON to JQ is jq play.

Incident payload template

Copy

JSON Template

{
  "text": "{{incident.summary}}{{^incident.summary}}No Summary{{/incident.summary}}",
  "blocks": [
    {
      "type": "section",
      "text": {
        "text": "Summary: {{incident.summary}}{{^incident.summary}}No Summary{{/incident.summary}}",
        "type": "plain_text"
      }
    },
    {
      "type": "section",
      "text": {
        "text": "{{incident.description}}{{^incident.description}}No Description{{/incident.description}}",
        "type": "mrkdwn"
      }
    },
    {
      "type": "section",
      "text": {
        "text": "Recommendations: {{incident.recommendations}}{{^incident.recommendations}}{{extra.recommendations}}{{^extra.recommendations}}No recommendations{{/extra.recommendations}}{{/incident.recommendations}}",
        "type": "mrkdwn"
      }
    }
  ]
}

Observation payload template

Copy

JSON Template

{
    "text": "{{fields.summary}}",
    "blocks": [
        {
            "type": "section",
            "text": {
                "text": "*Summary:* {{fields.summary}}",
                "type": "mrkdwn"
            }
        },
        {
            "type": "divider",
            "block_id": "divider1"
        },
        {
            "type": "section",
            "text": {
                "text": "*Description:* {{fields.desc}}",
                "type": "mrkdwn"
            }
        },
        {
            "type": "divider",
            "block_id": "divider2"
        },
        {
            "type": "section",
            "text": {
                "text": "*Recommendations:* {{fields.recommendations}}",
                "type": "mrkdwn"
            }
        },
        {
            "type": "divider",
            "block_id": "divider3"
        },
        {
            "type": "section",
            "text": {
                "text": "*Details*",
                "type": "mrkdwn"
            },
            "fields": [
                {
                    "text": "*Customer ID:*",
                    "type": "mrkdwn"
                },
                {
                    "type": "plain_text",
                    "text": "{{id.account}}"
                },
                {
                    "type": "mrkdwn",
                    "text": "*Class:*"
                },
                {
                    "type": "plain_text",
                    "text": "{{fields.class}}"
                },
                {
                    "type": "mrkdwn",
                    "text": "*Subclass:*"
                },
                {
                    "type": "plain_text",
                    "text": "{{fields.subclass}}"
                },
                {
                    "type": "mrkdwn",
                    "text": "*Severity*"
                },
                {
                    "type": "plain_text",
                    "text": "{{fields.severity}}"
                }
            ]
        }
    ]
}

Scheduled Report Notification payload template

Copy

JSON Template

{
  "text": "'Scheduled report completed.",
  "blocks": [
    {
      "type": "section",
      "text": {
        "text": "*'{{name}}'* Scheduled Report Completed",
        "type": "mrkdwn"
      }
    },
    {
      "type": "divider",
      "block_id": "divider1"
    },
    {
      "type": "section",
      "text": {
        "text": "*Description:* {{artifact_data.metadata.report_description}}",
        "type": "mrkdwn"
      }
    },
    {
      "type": "divider",
      "block_id": "divider2"
    },
    {
      "type": "section",
      "text": {
        "text": "*Details*",
        "type": "mrkdwn"
      },
      "fields": [
        {
          "text": "*Customer Name:*",
          "type": "mrkdwn"
        },
        {
          "type": "plain_text",
          "text": "{{artifact_data.metadata.customer_name}}"
        },
        {
          "type": "mrkdwn",
          "text": "*Customer ID:*"
        },
        {
          "type": "plain_text",
          "text": "{{account_id}}"
        },
        {
          "type": "mrkdwn",
          "text": "*Report Type:*"
        },
        {
          "type": "plain_text",
          "text": "{{artifact_data.metadata.report_type}}"
        },
        {
          "type": "mrkdwn",
          "text": "*Cadence:*"
        },
        {
          "type": "plain_text",
          "text": "{{artifact_data.metadata.cadence}}"
        },
        {
          "type": "mrkdwn",
          "text": "*Created on:*"
        },
        {
          "type": "plain_text",
          "text": "{{artifact_data.metadata.artifact_create_date}}"
        }
      ]
    },
    {
      "type": "actions",
      "block_id": "actionblock789",
      "elements": [
        {
          "type": "button",
          "text": {
            "type": "plain_text",
            "text": "View Report"
          },
          "url": "{{extra.ui_url}}"
        },
        {
          "type": "button",
          "text": {
            "type": "plain_text",
            "text": "Download Report"
          },
          "url": "{{extra.download_url}}"
        }
      ]
    }
  ]
}

Create the Slack templated connection from the Alert Logic console

The next step is to create the templated connection in the Alert Logic console and test the payload.

To create a Slack templated connection:

  1. In the Alert Logic console, click the Settings icon (), and then click Connections.
  2. Click the Templated Connections tab.
  3. On the Templated Connections page, click the add icon (), and then click Slack.
  4. On the Create a Slack Templated Connection page, type a descriptive name for the templated connectionfor example, "Slack Templated Connection for Incidents."
  5. In Connection, select or create a Slack connection.
  6. Leave URL Path blank, or enter the path identified earlier.
  7. Select the Payload Type, which is the type of Alert Logic security information that you want to send: Incident, Observation (of a log correlation), or Scheduled Report Notification.
  8. Select the format of the payload template you customized earlier: JSON or JQ.
  9. Select an HTTP verb for the templated connection payload. If you are unsure, leave it as the default verb: POST.
  10. In the Payload Template area, enter the payload template that you customized.
  11. A red bar next to a line indicates a syntax error. Code with errors is underlined with a jagged red line. You can hover the pointer over the underlined code to view a tip about the error.
  12. Click TEST to send a test event to the URL provided. For more information about test results, see the next section.
  13. If your templated connection sent the test event to the target URL successfully, click SAVE.

Test results

If you receive a message that the templated connection was successfully tested, Alert Logic sent the payload template you configured and populated a message in Slack with sample data. Check Slack to ensure the results are expected, and adjust the payload template if necessary.

If the test is unsuccessful, Alert Logic displays an error message. For server response errors, you can use the error code and message that Alert Logic passes through to troubleshoot the issue. Alert Logic also informs you if your JSON or JQ payload template contains syntax errors.

Subscribe your templated connection to receive notifications

After you test and save the templated connection configuration, the last step is to set up your notification criteria and subscribe the templated connection.

You can set up and manage a notification of any type directly from the Notifications page. For more information, see Manage Notifications. You can create notifications from other pages according to notification type:

  • For incidents, you can also create a notification from the Incidents page. For more information, see Incident Notifications.
  • For observations, you can also create a notification from the Search page (Log Search tab or Correlations tab) during the process of creating the correlation or by editing an existing correlation listed on the Correlations tab. For more information, see Correlations and Notifications and Observation Notifications.
  • For scheduled reports, you can also schedule the report and subscribe notification recipients from the Reports page. For more information, see Scheduled Reports and Notifications.

Manage your templated connections

You can view the list of templated connections and edit or delete an existing one. For more information, see Manage Templated Connections.