Webhooks

The documentation below describes the new version of the Alert Logic console, which was recently updated. This version will become the default in early 2020. For more information about the new navigation, see Managed Detection and Response Navigation Menu Updates.

You can configure webhooks in the Alert Logic console to send notifications to any public-facing web server configured to handle HTTP callbacks. A webhook is a convenient way to send data directly to a third-party application in near real time: when you set up a notification and subscribe a webhook to it, the webhook sends the event to the target URL you configured. Because the target URL must be reachable from the public internet, and this page describes no authentication or signing of the callback, treat each payload as untrusted input and validate it before acting on it.

Alert Logic notifications alert you to threats, changes, and scheduled events in your environment so you can respond quickly. From the Alert Logic console, you can subscribe a webhook to receive:

To learn more about notifications, see Notifications and Manage Notifications.

Add a new webhook

You must first add a webhook in the Webhooks page in the Alert Logic console, enter a webhook target URL, and then test the JSON. For more information on webhooks JSON, see Escalated incident notification JSON example.

The Webhooks page is under Configure in the Alert Logic console.

To add a webhook:

  1. Access the Webhooks page in the Alert Logic console.
  2. Click the add icon to add a new webhook.
  3. In the slideout panel, enter a name for the webhook, and the target URL.
  4. You can test the default JSON provided, or you can enter a different JSON to test your webhook.
  5. Click TEST to send a test to the webhook target URL provided.
  6. If your webhook sent the test event to the target URL successfully, click SAVE.

Alert Logic does not save a test JSON you changed as part of the webhook configuration; the default test JSON is only for testing the webhook. Examples of the incident, scheduled report, and correlation observation notification JSON that Alert Logic sends are below.
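A receiver for the target URL, added here as an example and not code from Alert Logic or this page. It assumes the console delivers each notification as an HTTP POST whose body is the JSON shown in the examples below (the page shows the body but does not state the method, so POST is an assumption) and that no request signing is available, so the body is treated as untrusted input: the receiver caps the body size, rejects anything that is not a JSON object, and answers before any slow downstream work. The bind address, port, MAX_BODY value and the logging hook are illustrative.

```python
"""Minimal receiver for Alert Logic webhook callbacks.

Added example, not Alert Logic's code. Assumes each notification arrives as
an HTTP POST carrying the JSON body shown on this page; the page names neither
the method nor any request signing, so the body is treated as untrusted input
and only syntactic checks are made before it is accepted.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 1 << 20  # illustrative 1 MiB cap; reports arrive as attachment URLs, not inline


def handle_callback(method, body):
    """Validate one callback; return (http_status, reply_object, payload_or_None).

    Kept free of socket code so it can be exercised directly; WebhookHandler wraps it.
    """
    if method != "POST":
        return 405, {"error": "POST only"}, None
    if len(body) > MAX_BODY:
        return 413, {"error": "body exceeds %d bytes" % MAX_BODY}, None
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, {"error": "body is not valid JSON"}, None
    if not isinstance(payload, dict):
        # Every payload shape on this page is a JSON object, never an array or scalar.
        return 400, {"error": "expected a JSON object"}, None
    return 200, {"ok": True}, payload


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = -1
        if length < 0:
            return self._reply(411, {"error": "Content-Length required"})
        body = self.rfile.read(min(length, MAX_BODY + 1))  # read at most one byte over the cap
        status, reply, payload = handle_callback("POST", body)
        self._reply(status, reply)  # answer first so the sender does not time out on slow work
        if payload is not None:
            # Hypothetical downstream hook: hand the payload to a queue or ticketing call here.
            self.log_message("accepted %s/%s", payload.get("feature", "-"), payload.get("subkey", "-"))

    def do_GET(self):
        self._reply(405, {"error": "POST only"})

    def _reply(self, status, obj):
        data = json.dumps(obj).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Binds to localhost only; put TLS termination and access control in front of it
    # before exposing the URL you enter in the console.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Run it, expose it through your TLS front end, and use the console's TEST button to confirm a 200 reply; a 400 or 413 in the server log tells you the request never contained a usable JSON object.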

Escalated incident notification JSON example

This example is an escalated incident JSON that Alert Logic sends via webhooks. Configure your parsing using the JSON output below:

{
  "feature": "incidents",
  "subkey": "escalations/primary",
  "data": {
    "attack_summary": "Windows Account Locked out for User abcde",
    "create_date": "13th Aug 2019 14:28:04 GMT",
    "class": "brute-force",
    "cid": "0123456",
    "customer_name": "Test",
    "incident_id": "TestIncidentID",
    "long_incident_id": "TestLongIncidentID",
    "status": "closed",
    "threat": "Medium",
    "tld": "us",
    "whispir": true,
    "start_date": "13th Aug 2019 14:28:04 GMT",
    "end_date": "13th Aug 2019 14:28:17 GMT",
    "recommendations": "Test Recommendation",
    "investigation_report": "Test Investigation Report.",
    "deployment_name": "Manual deployment",
    "analyst_notes": "Test Analyst Notes",
    "location_ip": "4.4.4.4",
    "target_host": "5.5.5.5"
  }
}

Log Review incident notification JSON example

This example is the Log Review incident JSON that Alert Logic sends via webhooks. Configure your parsing using the JSON output below:

{
  "threat": "Info",
  "status": "closed",
  "start_date": "02nd Oct 2019 10:33:54 GMT",
  "long_incident_id": "abcdefghijk",
  "investigation_report": "Alert Logic detected suspicious activity in logs from 10-01-2019 for the customer ABCDE. This activity was reviewed and no action is needed.",
  "incident_id": "abcde",
  "deployment_name": "Manual deployment",
  "customer_name": "ABCDE",
  "create_date": "02nd Oct 2019 10:33:22 GMT",
  "class": "log-review",
  "cid": 123456,
  "attack_summary": "Log Review Windows Account Changes",
  "analyst_notes": "An Alert Logic analyst reviewed this activity and determined that it is normal. No action is needed."
}

Incident threat level notification JSON example

This example is the incident threat level JSON that Alert Logic sends via webhooks. Configure your parsing using the JSON output below:

{
  "data": {
    "threat": "Critical",
    "status": "closed",
    "location_ip": "1.2.3.4",
    "investigation_report": "Sample report",
    "deployment_name": "A Deployment Name",
    "customer_name": "My Customer Name",
    "create_date": "18th Feb 2020 20:28:47 GMT",
    "class": "postcomp",
    "cid": 12345678,
    "attack_summary": "A short description",
    "analyst_notes": "[]",
    "target_host": "10.9.8.7",
    "start_date": "18th Feb 2020 20:29:43 GMT",
    "recommendations": "Sample recommendation",
    "long_incident_id": "1234567890123456",
    "incident_id": "abc123"
  },
  "attachments": []
}

Scheduled report notification JSON example

This example is the scheduled report JSON that Alert Logic sends via webhooks. Configure your parsing using the JSON output below:

{
  "data": {
    "artifact_create_date": "2020-04-21 08:00",
    "cadence": "Every 15 Minutes",
    "cid": "Customer_ID",
    "customer_name": "Name of Customer",
    "report_description": "This report provides a summary of the most vulnerable hosts in your environment, including total host and vulnerability counts, hosts by CVSS severity ratings, and top 10 lists.",
    "report_id": "Report_ID",
    "report_type": "Monthly Vulnerable Hosts Explorer",
    "result_count": 1,
    "schedule_id": "schedule_ID",
    "scheduled_report_name": "Test Report"
  },
  "attachments": [
    {
      "name": "Test Report.pdf",
      "url": "https://api.product.dev.alertlogic.com/cargo/v2/CID/execution_record/schedule_ID/result"
    }
  ]
}

Correlation observation notification JSON example

This example is the correlation observation JSON that Alert Logic sends via webhooks. Configure your parsing using the JSON output below:

{
  "data": {
    "cid": "2",
    "correlation_rule_id": "3290ED2E-B7AA-4AAD-BC6B-D52671A5B18C",
    "correlation_rule_name": "Correlation Name",
    "create_date": "16th May 2020 14:50:37 GMT",
    "customer_name": "Alert Logic",
    "deployment_name": "Deployment_Name",
    "location_ip": "1234567890",
    "observation_description": "<p>Windows Event ID 42</p>",
    "observation_id": "5EBFFCCC-0009-3E21-0002-8C0600000000",
    "observation_summary": "Windows Event ID 42",
    "target_host": "Long Log Message",
    "tld": "us"
  },
  "attachments": [
    {
      "name": "Test Report.pdf",
      "url": "https://api.product.dev.alertlogic.com/cargo/v2/CID/execution_record/schedule_ID/result"
    }
  ]
}
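The five examples above do not share one shape: the escalated incident is wrapped in a feature/subkey/data envelope, the Log Review incident arrives with its fields at the top level, and the threat level, scheduled report and correlation observation payloads use a data/attachments envelope. Types also vary (cid is "0123456" in one example and 123456 in another) and dates use either an ordinal form such as "13th Aug 2019 14:28:04 GMT" or "2020-04-21 08:00". The parser below, an added example and not Alert Logic's own code, flattens all five shapes into one record with consistent types so the rest of an integration can ignore the differences. The field names come from the examples; the kind labels, function names, the assumption that all dates are UTC, and the embedded sample are this example's own.

```python
"""Normalise the Alert Logic webhook payload shapes shown on this page.

Added example, not Alert Logic's code. Field names are taken from the page's
JSON examples; the "kind" labels and the UTC assumption are this example's.
"""
import json
import re
from datetime import datetime, timezone

# Incident and observation dates carry an ordinal suffix ("13th Aug 2019 14:28:04 GMT");
# scheduled reports use "2020-04-21 08:00". Both are assumed to be UTC.
_ORDINAL = re.compile(r"\b(\d{1,2})(st|nd|rd|th)\b")
_FORMATS = ("%d %b %Y %H:%M:%S %Z", "%Y-%m-%d %H:%M")


def parse_date(value):
    """Return an aware UTC datetime for either date format on the page, or None."""
    if not isinstance(value, str) or not value.strip():
        return None
    text = _ORDINAL.sub(r"\1", value.strip())
    for fmt in _FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None


def classify(payload):
    """Return (kind, data, attachments) for a decoded payload, or raise ValueError."""
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    data = payload.get("data", payload)  # Log Review incidents arrive without a "data" wrapper
    if not isinstance(data, dict):
        raise ValueError("'data' must be a JSON object")
    attachments = payload.get("attachments") or []
    if "observation_id" in data or "correlation_rule_id" in data:
        kind = "observation"
    elif "report_id" in data or "schedule_id" in data:
        kind = "scheduled_report"
    elif "incident_id" in data:
        kind = "incident"
    else:
        raise ValueError("unrecognised notification: no incident_id, observation_id or report_id")
    return kind, data, attachments


def normalize(raw):
    """Flatten any of the page's payload shapes into one record with consistent types."""
    payload = json.loads(raw) if isinstance(raw, (str, bytes, bytearray)) else raw
    kind, data, attachments = classify(payload)
    cid = data.get("cid")
    record = {
        "kind": kind,
        "cid": None if cid is None else str(cid),  # "0123456" in one example, 123456 in another
        "customer_name": data.get("customer_name"),
        "deployment_name": data.get("deployment_name"),
        "created": parse_date(data.get("create_date") or data.get("artifact_create_date")),
        # Attachment URLs point at the Alert Logic API; fetching them needs credentials that are
        # outside this page, so only the references are kept.
        "attachment_urls": [a["url"] for a in attachments if isinstance(a, dict) and "url" in a],
    }
    if kind == "incident":
        record.update(
            incident_id=data.get("incident_id"),
            long_incident_id=data.get("long_incident_id"),
            threat=str(data.get("threat", "")).lower(),
            incident_class=data.get("class"),
            status=data.get("status"),
            summary=data.get("attack_summary"),
            source_ip=data.get("location_ip"),
            target_host=data.get("target_host"),
            started=parse_date(data.get("start_date")),
            ended=parse_date(data.get("end_date")),
            escalated=str(payload.get("subkey", "")).startswith("escalations/"),  # escalation envelope only
        )
    elif kind == "observation":
        record.update(
            observation_id=data.get("observation_id"),
            rule_id=data.get("correlation_rule_id"),
            rule_name=data.get("correlation_rule_name"),
            summary=data.get("observation_summary"),
            description=re.sub(r"<[^>]+>", "", data.get("observation_description") or ""),  # drop HTML
            source_ip=data.get("location_ip"),
            target_host=data.get("target_host"),
        )
    else:
        record.update(
            report_id=data.get("report_id"),
            schedule_id=data.get("schedule_id"),
            report_name=data.get("scheduled_report_name"),
            report_type=data.get("report_type"),
            cadence=data.get("cadence"),
            result_count=data.get("result_count"),
        )
    return record


# Constructed sample input: the page's Log Review example, shortened.
LOG_REVIEW_SAMPLE = json.dumps({
    "threat": "Info", "status": "closed", "start_date": "02nd Oct 2019 10:33:54 GMT",
    "long_incident_id": "abcdefghijk", "incident_id": "abcde", "customer_name": "ABCDE",
    "create_date": "02nd Oct 2019 10:33:22 GMT", "class": "log-review", "cid": 123456,
    "attack_summary": "Log Review Windows Account Changes",
})

if __name__ == "__main__":
    print(normalize(LOG_REVIEW_SAMPLE))
```

Keying the classification on which identifier is present, rather than on the presence of the envelope, is what lets the flat Log Review payload and the wrapped incident payloads land in the same code path; a payload with none of the three identifiers raises rather than producing a half-empty record.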

Subscribe your webhook to receive notifications

After you add a webhook and your JSON is successfully sent to your webhook target URL, you must set up your notifications to subscribe to the webhook.

You can set up and manage a notification of any type directly from the Notifications page. For more information, see Manage Notifications. You can create notifications from other pages according to notification type:

  • For incidents, you can also create a notification from the Incidents page. For more information, see Incident Notifications.
  • For observations, you can also create a notification from the Search page (Log Search tab or Correlations tab) during the process of creating the correlation or by editing an existing correlation listed on the Correlations tab. For more information, see Correlations and Notifications and Observation Notifications.
  • For scheduled reports, you can also schedule the report and subscribe notification recipients from the Reports page. For more information, see Scheduled Reports and Notifications.

Manage your webhooks

You can edit or delete an existing webhook.

Edit a webhook

To edit the details of a webhook:

  1. From the list of webhooks, click the webhook you want to edit.
  2. In the webhooks slideout panel, you can make changes to:
    • Webhook name
    • The URL target where you want to send notifications
  3. Click TEST to verify that the target URL still accepts the test event, and then click SAVE.

Delete a webhook

To delete a webhook:

  1. From the list of webhooks, click the webhook you want to delete.
  2. Click DELETE.