Configure a Universal Email Templated Connection

You can configure a universal email templated connection in the Alert Logic console to send incident notifications to any public-facing web server configured to accept email requests. Email templated connections allow you to send notifications about threats or changes in your environment directly to a third-party application so you can respond quickly.

When you set up a notification and subscribe an email templated connection, Alert Logic sends the event to the target email you configured and can generate a message or IT service management (ITSM) ticket for the incident automatically.

For example, you can configure an email templated connection for an ITSM such as ServiceNow or Jira Service Desk and subscribe it to receive notifications. When an incident occurs that meets the notification criteria, Alert Logic sends the incident notification to the configured email address, and the third-party application generates a service ticket. The email subject configured in the Alert Logic templated connection becomes the ticket summary. The body of the Alert Logic email notification becomes the ticket description. The description includes a link to the incident in the Alert Logic console.

Complete the following steps to successfully receive Alert Logic notifications or generate service tickets in your application:

  1. Set up the third-party application
  2. Create the email templated connection from the Alert Logic console
  3. Subscribe your email templated connection to receive notifications

Set up the third-party application

Before you create the email templated connection in the Alert Logic console, you must find or configure the target email address in the third-party application that can accept Alert Logic notifications or ticket creation requests. The target email address must belong to a registered user or account in the application to which you want to connect. Note the email address because you need it to configure your templated connection. This table lists common examples:

Application: Jira Service Desk
  Email address: myjiraproject@myjira.atlassian.net
  Notes: Replace myjiraproject with the name of the specific Jira Service Desk project you want to connect to, and myjira.atlassian.net with your cloud instance URL.

Application: Jira Software
  Email address: myjiraproject@myjira.atlassian.net
  Notes: Replace myjiraproject with the name of the specific Jira project you want to connect to, and myjira.atlassian.net with your cloud instance URL.

Application: ServiceNow
  Email address: myinstance@service-now.com
  Notes: Replace myinstance with the name specified in your cloud instance URL.

You may also want to set up how you want Alert Logic incident notifications to be processed in the external application. In Jira Service Desk, for example, you can create a specific request type for Alert Logic security incidents. You can also configure the Jira Service Desk fields that you want to include in that request type and assign them to fields in the Alert Logic incident payload. A good practice is to configure a custom request type instead of using a generic type such as "Report a system problem" because it allows you to restrict access for security incidents.

See the documentation for the third-party application for more information about the target email address and configuration options.

Create the email templated connection from the Alert Logic console

After you identify the target email address for the third-party application to which you want to connect, you can create and test the email templated connection from the Connections page in the Alert Logic console.

To create an email templated connection:

  1. Click the navigation menu icon, click Configure, and then click Connections.
  2. Click the Templated Connections tab.
  3. On the Templated Connections page, click the add icon, and then click Email.
  4. On the Create an Email Templated Connection page, type a descriptive name for the templated connection, for example, "Jira Email Templated Connection for Incidents."
  5. In Email Address, enter the email address for the third-party application that you noted previously.
  6. (Optional) Customize the Email Subject. You can change the text and insert variables enclosed with double braces ({{variable}}).
  7. In Payload Type, leave Incident selected.
  8. Click TEST to send a test email to the target email address provided. For more information, see Templated connection test results.
  9. If your email templated connection sent the test event to the target email successfully, click SAVE.

Email subject variables

To customize the subject line of the email that you send to the third-party application, you can add these variables to the Email Subject field.

For an example of the full incident JSON payload that Alert Logic sends for email templated connections, see Incident Schema. You can add any of the fields listed to the email subject, but some values are long and are not recommended for a subject line.

{{accountId}}
  Description: Customer account identifier
  Example: 12345678

{{correlation_name}}
  Description: Name of the correlation that triggered the incident
  Example: Admin Failed Login Correlation

{{createtime_str}}
  Description: Incident creation date and time in UTC
  Example: 2020-08-10T11:22:27.799796+00:00

{{customer}}
  Description: Customer name of the Alert Logic account affected by the incident
  Example: XYZ Corporation

{{deployment}}
  Description: Name of the deployment affected by the incident
  Example: AWS Production Deployment

{{extra.location_ip}}
  Description: One or more IP addresses, if determined, of the attacker for this incident
  Example: 192.0.2.1 192.0.2.25

{{extra.target_host}}
  Description: One or more IP addresses, if determined, of the target affected by the incident
  Example: 10.1.2.3

{{humanFriendlyId}}
  Description: Short incident ID
  Example: 8fn5sf

{{incident_attack_class}}
  Description: Incident classification type
  Example: brute-force

{{incident_escalated}}
  Description: Escalation status
  Valid values: true, false

{{incident.summary}}
  Description: Brief description of the incident that is suitable as a title or message subject
  Example: Brute force attempt from 1.2.3.4

{{incident_threat_rating}}
  Description: Incident threat level
  Example: Critical

Templated connection test results

The test email that Alert Logic sends confirms the configuration was successful.

After you subscribe your templated connection to receive incident notifications, the notification emails use the email subject you configured.

If the test is unsuccessful, Alert Logic displays an error message. For server response errors, you can use the error code and message that Alert Logic passes through to troubleshoot the issue.

Information sent to your application

The email subject configured in the Alert Logic templated connection becomes the ticket title or message subject. The email body uses the following fields from the incident payload, transformed from Markdown to HTML. If a field is empty, its line in the resulting email is empty.

incident.summary
  Description: Brief description of the incident that is suitable as a title or message subject
  Example: Brute force attempt from 1.2.3.4

incident.description
  Description: Incident explanation from the incident investigation report, if any
  Example: "<p><strong>Attack Detail</strong>:<br />\n<strong>Attacker:</strong> 172.31.37.117, local_ip<br />\n<strong>Targets:</strong> 122.99.34.111, 172.31.37.90, and 172.31.39.79 </p>\n<p>We have detected a recon attack targeting a number of common server vulnerabilities. This is a vulnerability scan however we are unable to determine the specific tool or company performing this attack.</p>"

incident.recommendations
  Description: Recommendations from the incident investigation report, if any
  Example: "<p>A compromised host should be isolated from the network and cleaned. You will want to remove the back doors installed and check the system logs for other actions taken. Once a system is compromised, usually one of the first things done by an attacker is creating a secondary access channel. Assume that additional modifications have been made to the system beyond the initial breach.</p>"

incident.extra.incidentUrl
  Description: Link to the incident in the Alert Logic console
  Example: https://console.incidents.product.dev.alertlogic.com/#/incidents/incidentId/investigation
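As an added example that is not part of the Alert Logic documentation or product code, the following Python renderer fills the {{variable}} placeholders described under Email subject variables and assembles the body fields listed above from an incident payload, leaving a line empty when its field is empty. The payload shape (dotted variable names resolved as nested objects, lists for the multi-IP fields) and the sample values are assumptions made for this illustration.

```python
import re
from typing import Any, Dict

# Constructed sample payload. Its shape (dotted variable names as nested
# objects, lists for multi-value IP fields) is an assumption for this example.
SAMPLE_INCIDENT = {
    "accountId": "12345678",
    "humanFriendlyId": "8fn5sf",
    "customer": "XYZ Corporation",
    "deployment": "AWS Production Deployment",
    "incident_threat_rating": "Critical",
    "incident_escalated": False,
    "extra": {"location_ip": ["192.0.2.1", "192.0.2.25"], "target_host": ["10.1.2.3"]},
    "incident": {
        "summary": "Brute force attempt from 192.0.2.1",
        "description": "**Attack Detail**: repeated failed SSH logins.",
        "recommendations": "",  # deliberately empty: its body line stays blank
        "extra": {"incidentUrl": "https://console.example.invalid/#/incidents/8fn5sf"},
    },
}

VARIABLE = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")
SUBJECT_TEMPLATE = "[{{incident_threat_rating}}] {{humanFriendlyId}}: {{incident.summary}}"

def lookup(payload: Dict[str, Any], path: str) -> str:
    """Resolve one variable name: dotted names walk nested objects, lists are
    space-joined like the multi-IP examples, booleans become true/false,
    and a missing or null field renders as empty text."""
    node: Any = payload
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return ""
        node = node[part]
    if isinstance(node, bool):
        return "true" if node else "false"
    if isinstance(node, list):
        return " ".join(str(item) for item in node)
    return "" if node is None else str(node)

def render_subject(template: str, payload: Dict[str, Any]) -> str:
    """Replace every {{variable}} in an Email Subject template."""
    return VARIABLE.sub(lambda m: lookup(payload, m.group(1)), template)

def render_body(payload: Dict[str, Any]) -> str:
    """Build the body from the four listed fields, one per line; an empty
    field keeps its (empty) line rather than being dropped."""
    fields = ("incident.summary", "incident.description",
              "incident.recommendations", "incident.extra.incidentUrl")
    return "\n".join(lookup(payload, field) for field in fields)
```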

Subscribe your email templated connection to receive notifications

After you create and test your email templated connection, the next step in the Alert Logic console is to set up your incident notifications to subscribe to the templated connection. For instructions, see Incident Notifications.

Manage your templated connections

You can view the list of email templated connections and edit or delete an existing one. For more information, see Manage Templated Connections.