Webhooks

You can configure webhooks in the Alert Logic console to send alert notifications to any public-facing web server configured to handle HTTP callbacks. Webhooks are a convenient feature that allows the Alert Logic Incident Console to send real-time data directly to a third-party application. When Alert Logic sends you an incident notification, the webhook delivers the event as an HTTP request to the target URL you configured.

Alert Logic allows you to configure and manage incident email notifications when incidents escalate, or when incidents of specified threat levels occur for your account and the accounts you manage. To learn more about incident notifications, see Manage Incident Console notifications.

Webhooks are only available for incident notifications.

Add a new webhook

You must first add a webhook on the Webhooks page in the Alert Logic console, enter a webhook target URL, and then test the JSON. For more information on the webhook JSON, see Incident notification JSON examples.

To add a webhook:

  1. To access the Webhooks page in the Alert Logic console, click the Settings icon, and then select Webhooks.
  2. Click the add icon to add a new webhook.
  3. In the slideout panel, enter a name for the webhook, and the target URL.
  4. You can test the default JSON provided, or you can enter a different JSON to test your webhook.
  5. Click TEST to send a test to the webhook target URL provided.
  6. If your webhook sent the test event to the target URL successfully, click SAVE.

Alert Logic does not save a test JSON you changed as part of the webhook configuration. The default test JSON is only for webhook testing purposes. Examples of the incident notification JSON Alert Logic sends are below.

Incident notification JSON examples

This is an example of the escalated incident JSON Alert Logic sends via webhooks. Note that the incident fields are nested under "data", and that "cid" is sent as a string here. Configure your parsing using the JSON output below:

{
  "feature": "incidents",
  "subkey": "escalations/primary",
  "data": {
    "attack_summary": "Windows Account Locked out for User abcde",
    "create_date": "13th Aug 2019 14:28:04 GMT",
    "class": "brute-force",
    "cid": "0123456",
    "customer_name": "Test",
    "incident_id": "TestIncidentID",
    "long_incident_id": "TestLongIncidentID",
    "status": "closed",
    "threat": "Medium",
    "tld": "us",
    "whispir": true,
    "start_date": "13th Aug 2019 14:28:04 GMT",
    "end_date": "13th Aug 2019 14:28:17 GMT",
    "recommendations": "Test Recommendation",
    "investigation_report": "Test Investigation Report.",
    "deployment_name": "Manual deployment",
    "analyst_notes": "Test Analyst Notes",
    "location_ip": "4.4.4.4",
    "target_host": "5.5.5.5"
  }
}

Log Review incident notification JSON example

This example is the Log Review incident JSON that Alert Logic sends via webhooks. Note that this payload is not wrapped in "data", "cid" is sent as a number, and "analyst_notes" is a JSON array encoded as a string. Configure your parsing using the JSON output below:

{
  "threat": "Info",
  "status": "closed",
  "start_date": "02nd Oct 2019 10:33:54 GMT",
  "long_incident_id": "abcdefghijk",
  "investigation_report": "<p>Alert Logic detected suspicious activity in logs from 10-01-2019 for the customer ABCDE. This activity was reviewed and no action is needed.</p>",
  "incident_id": "abcde",
  "deployment_name": "Manual deployment",
  "customer_name": "ABCDE",
  "create_date": "02nd Oct 2019 10:33:22 GMT",
  "class": "log-review",
  "cid": 123456,
  "attack_summary": "Log Review Windows Account Changes",
  "analyst_notes": "[{\"date\": \"02nd Oct 2019 10:33:22 GMT\", \"note\": \"An Alert Logic analyst reviewed this activity and determined that it is normal. No action is needed.\"}]"
}
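The two payload shapes above differ in nesting, in the type of "cid", and in how "analyst_notes" is encoded, so a receiver has to normalize them before routing incidents. The following is an added example, not Alert Logic code: it parses constructed payloads modelled on both examples into one record, with the date format and threat-level ranking taken from the page; the field subset and the THREAT_RANK ordering are assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample payloads modelled on the two shapes documented above.
# The escalation payload nests the incident under "data"; Log Review is flat.
ESCALATION = json.dumps({
    "feature": "incidents", "subkey": "escalations/primary",
    "data": {"incident_id": "TestIncidentID", "cid": "0123456",
             "threat": "Medium", "class": "brute-force",
             "create_date": "13th Aug 2019 14:28:04 GMT",
             "analyst_notes": "Test Analyst Notes"}})
LOG_REVIEW = json.dumps({
    "incident_id": "abcde", "cid": 123456, "threat": "Info",
    "class": "log-review", "create_date": "02nd Oct 2019 10:33:22 GMT",
    "analyst_notes": "[{\"date\": \"02nd Oct 2019 10:33:22 GMT\", "
                     "\"note\": \"Reviewed; no action needed.\"}]"})

# Assumed ordering of the threat ratings listed on the page, for routing.
THREAT_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def parse_date(value):
    """Turn '13th Aug 2019 14:28:04 GMT' into an aware UTC datetime."""
    cleaned = re.sub(r"^(\d+)(st|nd|rd|th)\b", r"\1", value)   # drop ordinal suffix
    return datetime.strptime(cleaned, "%d %b %Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)

def parse_notes(value):
    """analyst_notes is either free text or a JSON-encoded list of note objects."""
    if not value:
        return []
    try:
        notes = json.loads(value)
    except ValueError:                 # plain text, as in the escalation example
        return [value]
    if isinstance(notes, list):
        return [n.get("note", "") for n in notes if isinstance(n, dict)]
    return [value]

def normalize(body):
    """Flatten either payload shape into one record for a SIEM or ticketing tool."""
    obj = json.loads(body)
    inc = obj["data"] if isinstance(obj.get("data"), dict) else obj
    return {
        "incident_id": str(inc["incident_id"]),
        "cid": str(inc["cid"]),        # string in one example, number in the other
        "class": inc.get("class"),
        "threat": inc.get("threat"),
        "threat_rank": THREAT_RANK.get(inc.get("threat"), -1),
        "created": parse_date(inc["create_date"]),
        "notes": parse_notes(inc.get("analyst_notes")),
    }
```

Because the target URL is a public-facing endpoint, treat every received body as untrusted input and validate its shape (as normalize does with explicit key access) before acting on it.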

Configure your webhook incident notifications

After you have added a webhook and the test JSON was successfully sent to your webhook target URL, you must configure which incident notifications the webhook receives on the Notifications page. To learn more about the Notifications page, including managing the subscriptions of other users and how the page is grouped, see Manage Incident Console notifications.

To configure your webhook incident notification:

  1. Click the Settings icon, and then click Notifications.
  2. Click Manage Subscriptions of Others, and then click Incidents.
  3. After the list of users, under Webhooks, click on the webhook for which you want to configure notifications.
  4. In the slideout panel, make any combination of the following choices for the webhook you are configuring:
    • Escalations—Click to specify the accounts for which you want notification of incident escalations.
    • Critical—Click to specify the accounts for which you want notification when an incident with a threat rating of Critical occurs for assets within the specified accounts.
    • High—Click to specify the accounts for which you want notification when an incident with a threat rating of High occurs for assets within the specified accounts.
    • Medium—Click to specify the accounts for which you want notification when an incident with a threat rating of Medium occurs for assets within the specified accounts.
    • Low—Click to specify the accounts for which you want notification when an incident with a threat rating of Low occurs for assets within the specified accounts.
    • Info—Click to specify the accounts for which you want notification when an incident with a threat rating of Info occurs for assets within the specified accounts.
  5. Click SAVE.

Manage your webhooks

You can edit or delete an existing webhook.

Edit a webhook

To edit the details of a webhook:

  1. In the Alert Logic console, click the Settings icon and select Webhooks.
  2. From the list of webhooks, click the webhook you want to edit.
  3. In the webhooks slideout panel, you can make changes to:
    • Webhook name
    • The URL target where you want to send notifications
  4. Click TEST to verify the webhook is valid, or click SAVE.

Delete a webhook

To delete a webhook:

  1. In the Alert Logic console, click the Settings icon and select Webhooks.
  2. From the list of webhooks, click the webhook you want to delete.
  3. Click DELETE.