Configure a Universal Webhook Templated Connection
You can configure a universal webhook templated connection in the Alert Logic console to send notifications to any public-facing HTTP endpoint. Templated connections allow you to send data directly to a third-party application. When you set up a notification and subscribe a templated connection, Alert Logic sends the event to the URL you configured and can generate a message or service ticket automatically.
Alert Logic notifications alert you to threats, changes, and scheduled events in your environment so you can respond quickly. From the Alert Logic console, you can subscribe a webhook to receive:
- Incident notifications—Send an alert or generate a service ticket when incidents occur that meet specific criteria, such as escalated incidents.
- Log correlation notifications—Send an alert or generate a service ticket when your log correlation rules trigger an incident or observation.
- Scheduled report notifications—Send a notification or generate a service ticket when Alert Logic generates a scheduled report that is available for download.
Complete the following steps to successfully receive Alert Logic notifications or generate service tickets in your application:
- Identify the connection
- (Optional) Identify the webhook URL path
- Customize the sample payload template
- Create the universal webhook templated connection from the Alert Logic console
- Subscribe your templated connection to receive notifications
Identify the connection
This templated connection requires a universal webhook connection, which stores authentication and credential information that grants Alert Logic access to your external system. If you do not have the connection already, you can create it now or when you create the templated connection.
For more information, see Configure Universal Webhook Connection.
(Optional) Identify the webhook URL path
Depending on how you chose to set up your base URL in Configure Universal Webhook Connection, you may need to customize information in the URL Path field.
- If you set up a simple Webhook connection that includes the entire third-party URL, leave the URL Path field blank.
- If you set up a generic Webhook connection for multiple integrations, paste the specific URL path information for the integration.
Customize the sample payload template
Decide which type of security information that you want Alert Logic to send to the third-party application: Incident, Observation (of a log correlation), or Scheduled Report Notification payload.
Alert Logic provides sample templates for each payload type to help you get started. The templates are in JSON format and use Mustache-style transformations: a field in the JSON payload is referenced by enclosing its path in double braces ({{ }}). For example, the threatRating field in the JSON {"incident": {"threatRating": "critical"}} is referenced as {{incident.threatRating}}. You must replace the attributes with the appropriate ones for your system. You can add or remove lines in the sample template to meet your workflow requirements and security goals.
For definitions of the Alert Logic variables in the samples and the full JSON that you can use to configure your payload template, see:
Sample Incident payload template
JSON Template
{
  "account_id": "{{accountId}}",
  "customer_name": "{{customer}}",
  "deployment_name": "{{assets.al__deployment}}",
  "short_incident_id": "{{humanFriendlyId}}",
  "long_incident_id": "{{incidentId}}",
  "summary": "{{incident.summary}}",
  "description": "{{incident.description}}",
  "recommendations": "{{incident.recommendations}}",
  "attacker": "{{attacker.value}}",
  "victim": "{{victim.value}}",
  "timestamp": "{{createtime_str}}",
  "threat_rating": "{{incident_threat_rating}}",
  "incident_class": "{{incident_class}}",
  "status": "{{customer_status.status}}"
}
Sample Observation payload template
JSON Template
{
  "account_id": "{{id.account}}",
  "summary": "{{fields.summary}}",
  "description": "{{fields.desc}}",
  "severity": "{{fields.severity}}",
  "class": "{{fields.class}}",
  "subclass": "{{fields.subclass}}",
  "recommendations": "{{fields.recommendations}}",
  "message": "{{fields.keys.message}}"
}
Sample Scheduled Report Notification payload template
JSON Template
{
  "account_id": "{{account_id}}",
  "summary": "Alert Logic Scheduled Report Complete",
  "subtitle": "Type: {{artifact_data.metadata.report_type}} | Customer: {{artifact_data.metadata.customer_name}} | Customer ID: {{account_id}}",
  "cadence": "{{artifact_data.metadata.cadence}}",
  "report_description": "{{artifact_data.metadata.report_description}}",
  "view_report": "{{extra.ui_url}}",
  "download_report": "{{extra.download_url}}",
  "created_on": "{{artifact_data.metadata.artifact_create_date}}",
  "filters": "{{definition.filter_values}}"
}
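The following Python script is an added example, not Alert Logic code: it renders the sample Incident template above against a constructed incident payload the way the Mustache-style substitution described earlier works, then parses the result to confirm it is valid JSON. The escaping it applies to substituted values, and the sample field values, are assumptions for the illustration; the point is that a summary or description containing quotes or newlines breaks the JSON your third-party application receives unless something escapes it, so always parse the rendered output (or inspect the TEST result) before saving the connection.

```python
import json
import re

# Matches a Mustache-style placeholder such as {{incident.summary}} or {{assets.al__deployment}}.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")

# The sample Incident payload template from the page.
INCIDENT_TEMPLATE = """{
  "account_id": "{{accountId}}",
  "customer_name": "{{customer}}",
  "deployment_name": "{{assets.al__deployment}}",
  "short_incident_id": "{{humanFriendlyId}}",
  "long_incident_id": "{{incidentId}}",
  "summary": "{{incident.summary}}",
  "description": "{{incident.description}}",
  "recommendations": "{{incident.recommendations}}",
  "attacker": "{{attacker.value}}",
  "victim": "{{victim.value}}",
  "timestamp": "{{createtime_str}}",
  "threat_rating": "{{incident_threat_rating}}",
  "incident_class": "{{incident_class}}",
  "status": "{{customer_status.status}}"
}"""

# Constructed sample incident (hypothetical values, not real Alert Logic data).
# The summary and description deliberately contain a double quote and a newline.
SAMPLE_INCIDENT = {
    "accountId": "12345678",
    "customer": "Example Corp",
    "assets": {"al__deployment": "prod-aws"},
    "humanFriendlyId": "abc123",
    "incidentId": "e1c5e8f0-0000-4000-8000-000000000000",
    "incident": {
        "summary": 'Brute force "ssh" login attempts',
        "description": "Multiple failed logins\nfollowed by a success",
        "recommendations": "Rotate the affected credentials and review auth logs",
    },
    "attacker": {"value": "203.0.113.10"},
    "victim": {"value": "10.0.0.5"},
    "createtime_str": "2024-01-01T00:00:00Z",
    "incident_threat_rating": "High",
    "incident_class": "brute-force",
    "customer_status": {"status": "open"},
}


def lookup(payload, dotted_path):
    """Walk a dotted path through nested dicts; return "" if any segment is missing."""
    node = payload
    for part in dotted_path.split("."):
        if isinstance(node, dict) and part in node:
            node = node[part]
        else:
            return ""
    return node


def render(template, payload):
    """Substitute each {{path}} with its value, JSON-escaped so it cannot break the document.

    This escaping is an assumption of the example, not a statement about Alert Logic's engine.
    """
    def repl(match):
        value = lookup(payload, match.group(1))
        text = value if isinstance(value, str) else json.dumps(value)
        return json.dumps(text)[1:-1]  # escape quotes/newlines, drop the surrounding quotes
    return PLACEHOLDER.sub(repl, template)


def naive_render(template, payload):
    """Raw substitution with no escaping, kept only to show the failure mode."""
    return PLACEHOLDER.sub(lambda m: str(lookup(payload, m.group(1))), template)


def is_valid_json(text):
    """True if the rendered template parses as JSON."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def render_incident(template=INCIDENT_TEMPLATE, incident=SAMPLE_INCIDENT):
    """Render and parse, so a template that yields invalid JSON fails here, not at the receiver."""
    return json.loads(render(template, incident))


if __name__ == "__main__":
    print(json.dumps(render_incident(), indent=2))
    print("naive rendering valid JSON:", is_valid_json(naive_render(INCIDENT_TEMPLATE, SAMPLE_INCIDENT)))
```

Run it to see the rendered ticket body; the naive rendering of the same incident does not parse, because the embedded quote in the summary terminates the JSON string early.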
Create the universal webhook templated connection from the Alert Logic console
The next step is to create the templated connection in the Alert Logic console and test the payload.
If your application does not require information such as additional headers, leave the field blank.
To add a universal webhook templated connection:
- In the Alert Logic console, click the Settings icon, and then click Connections.
- Click the Templated Connections tab.
- On the Templated Connections page, click the add icon, and then click Webhook.
- On the Create a Webhook Templated Connection page, type a descriptive name for the templated connection—for example, "My Third-Party Application Templated Connection for Incidents."
- In Connection, select or create a Webhook connection.
- Leave URL Path blank or paste the path that you copied previously.
- (Optional) In Additional Header(s), enter any custom HTTP request headers your integration requires, in addition to the ones defined in the Webhook connection, as HTTP header name-value pairs. Each header must be on a separate line.
- Select a Payload Type, which is the type of Alert Logic security information that you want to send: Incident, Observation (of a log correlation), or Scheduled Report Notification.
- Select the format of the payload template you customized: JSON or JQ.
- Select an HTTP verb for the templated connection payload. If you are unsure, leave it as the default verb: POST.
- In the Payload Template area, enter the payload template that you customized.
- Click TEST to send a test webhook request to the target URL provided. For more information, see Test results.
- If your templated connection sent the test event to the target URL successfully, click SAVE.
Test results
If you receive a message that the templated connection was successfully tested, Alert Logic sent the payload template you configured and populated the notification or ticket with sample data. Check your third-party application to ensure the results are expected, and adjust the payload template if necessary.
If the test is unsuccessful, Alert Logic displays an error message. For server response errors, you can use the error code and message that Alert Logic passes through to troubleshoot the issue. Alert Logic also informs you if your JSON or JQ payload template contains syntax errors.
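The receiving side of the procedure above, as an added example that is not Alert Logic code and not a documented Alert Logic integration: a minimal endpoint that requires a shared-secret header (the header name X-Webhook-Token and its value are assumptions; you would enter the same name-value pair in the Additional Header(s) field or in the Webhook connection), rejects bodies that are not JSON, and turns any of the three sample payload types into a ticket record. Because check_request is a pure function, the same validation you want when Alert Logic's TEST request arrives can be exercised offline.

```python
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed header name for the shared secret; configure the same header and value
# in the templated connection's Additional Header(s). Not an Alert Logic-defined header.
TOKEN_HEADER = "X-Webhook-Token"


def summarize(body):
    """Reduce an Incident, Observation or Scheduled Report payload to a ticket title and priority.

    Field names follow the sample templates on the page: incidents carry threat_rating,
    observations carry severity, scheduled report notifications carry neither.
    """
    summary = body.get("summary", "(no summary)")
    priority = body.get("threat_rating") or body.get("severity") or "informational"
    return {"title": f"[{body['account_id']}] {summary}", "priority": str(priority)}


def check_request(headers, raw_body, expected_token):
    """Validate one inbound webhook request; returns (http_status, response_dict).

    Order matters: the token is checked before the body is parsed, so unauthenticated
    senders never reach the JSON parser. The comparison is constant-time.
    """
    presented = headers.get(TOKEN_HEADER, "")
    if not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return 401, {"error": "missing or wrong token"}
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(body, dict) or "account_id" not in body:
        return 400, {"error": "payload lacks account_id"}
    return 200, {"ticket": summarize(body)}


class WebhookHandler(BaseHTTPRequestHandler):
    """HTTP glue around check_request; the secret comes from the environment."""
    expected_token = os.environ.get("WEBHOOK_TOKEN", "change-me")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        raw = self.rfile.read(length)
        status, result = check_request(self.headers, raw, self.expected_token)
        payload = json.dumps(result).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Binds to loopback for local testing; terminate TLS in front of it before exposing it.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

With the server running, a request carrying the wrong token gets 401 without its body being parsed, and a correct token with a malformed template rendering gets 400, which is the same class of server response error Alert Logic passes through when TEST fails.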
Subscribe your templated connection to receive notifications
After you test and save the templated connection configuration, the last step is to set up your notification criteria and subscribe the templated connection.
You can set up and manage a notification of any type directly from the Notifications page. For more information, see Manage Notifications. You can create notifications from other pages according to notification type:
- For incidents, you can also create a notification from the Incidents page. For more information, see Incident Notifications.
- For observations, you can also create a notification from the Search page (Log Search tab or Correlations tab) during the process of creating the correlation or by editing an existing correlation listed on the Correlations tab. For more information, see Correlations and Notifications and Observation Notifications.
- For scheduled reports, you can also schedule the report and subscribe notification recipients from the Reports page. For more information, see Scheduled Reports and Notifications.
Manage your templated connections
You can view the list of templated connections and edit or delete an existing one. For more information, see Manage Templated Connections.