Threat Stack Webhooks Integration


What are Webhooks?

Threat Stack provides a Webhook API to enable customers to build custom workflows based on alerts.

Examples of such workflows could be:

  • Generating a custom AWS SNS notification from a severity 1 Threat Stack alert
  • Creating a Jira ticket from a severity 2 Threat Stack alert
  • Archiving severity 3 Threat Stack alerts into an S3 bucket for long-term storage


Introduction to Threat Stack Webhook Functionality

What do we send?


Currently, the webhook sends a summary of alert information in JSON format. Every alert results in a separate call to the Webhook API; we do not batch alerts together.


The alert JSON contains the following attribute-value pairs:

  1. created_at: Time at which the alert was created, in milliseconds UTC
  2. id: A unique alert ID; this can be used with our REST API to retrieve additional alert information
  3. organization_id: Unique ID of the organization on which the alert was generated (useful if a user belongs to multiple organizations)
  4. severity: Severity of the alert as an integer (1, 2 or 3)
  5. source: Hostname of the server on which the alert was generated
  6. title: Title of the alert as displayed in the Threat Stack UI


Below is an example of the JSON object:


{
  "created_at": "1459447024000",
  "id": "56fd65138c1e0c173af5a3de",
  "organization_id": "545d0293b620cd090d000023",
  "server_or_region": "Threat_Stack_Demo_Ubuntu1",
  "severity": "3",
  "source": "Host",
  "title": "Threat Intelligence Activity: Communication to openbl by 185.110.132.54"
}
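As a worked example added to this article (not Threat Stack's own code), the small Python receiver below validates the documented attributes, normalises the string-typed severity and created_at fields, and routes the alert to one of the three workflows listed at the top; the SNS, Jira and S3 targets are placeholder labels so it runs offline against the sample payload above.

```python
"""Receiver-side handling for a Threat Stack alert webhook payload.
Added example, not Threat Stack's own code; SNS/Jira/S3 targets are labels only."""
import json
from datetime import datetime, timezone

# Attributes the article documents; anything else in the payload is kept but not
# relied upon (the sample also carries an undocumented server_or_region key).
REQUIRED = ("created_at", "id", "organization_id", "severity", "source", "title")


def parse_alert(raw):
    """Validate one webhook body and normalise the string-typed fields.

    Returns the alert dict with severity as an int and created_at as an aware
    UTC datetime, or raises ValueError if the payload is not a usable alert.
    """
    alert = json.loads(raw)
    missing = [k for k in REQUIRED if k not in alert]
    if missing:
        raise ValueError("alert payload missing fields: %s" % ", ".join(missing))
    severity = int(alert["severity"])          # arrives as the string "3"
    if severity not in (1, 2, 3):
        raise ValueError("severity out of range: %r" % alert["severity"])
    # created_at is epoch milliseconds (UTC), also sent as a string
    created = datetime.fromtimestamp(int(alert["created_at"]) / 1000, tz=timezone.utc)
    return dict(alert, severity=severity, created_at=created)


def route_alert(alert):
    """Map severity to the workflow the article lists; returns the chosen action."""
    actions = {1: "sns_notify", 2: "jira_ticket", 3: "s3_archive"}
    return actions[alert["severity"]]


# Constructed input: the article's sample payload, as the receiver would see it.
SAMPLE = json.dumps({
    "created_at": "1459447024000",
    "id": "56fd65138c1e0c173af5a3de",
    "organization_id": "545d0293b620cd090d000023",
    "server_or_region": "Threat_Stack_Demo_Ubuntu1",
    "severity": "3",
    "source": "Host",
    "title": "Threat Intelligence Activity: Communication to openbl by 185.110.132.54",
})

if __name__ == "__main__":
    a = parse_alert(SAMPLE)
    print(a["created_at"].isoformat(), route_alert(a), a["id"])
```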


Use Case: Using a third-party service to integrate alerts into your apps.

Products like Zapier, webhooks.io, and IFTTT can listen for our webhook and then push the alert into the products you already use every day.

For example, pushing a SEV1 alert to create a blocking JIRA ticket and having it assigned to your ops team to remediate. Another option I didn't document would be to push an alert into a HipChat ops channel.


For this use case, we use Zapier (http://www.zapier.com), a webhook and application integration service.

For questions, see Zapier's help section.

Step 1: Set up a webhook trigger in Zapier:



Step 2: Pass the URL into Threat Stack webhook integration:


Step 3: Set up Jira as the trigger:



Additionally, if you choose to add "alerts" on the child key page, you can define specific data from the JSON to include in your integrations.

Conclusion

Leveraging webhook integrations generally requires some additional work to interpret the alert JSON and then take actions based on your needs.
