What are Webhooks?
Threat Stack provides a Webhook API to enable customers to build custom workflows based on alerts.
Examples of such workflows could be:
- Generating a custom AWS SNS notification based on a severity 1 Threat Stack alert
- Creating a Jira ticket from a severity 2 Threat Stack alert
- Archiving severity 3 Threat Stack alerts into an S3 bucket for long-term storage
Introduction to Threat Stack Webhook Functionality
What do we send?
Currently, the webhook sends a summary of alert information in JSON format. Every alert will result in a separate call to the Webhook API -- we do not batch alerts together.
The alert JSON contains the following attribute-value pairs:
- created_at : Time at which the alert was created, in milliseconds UTC
- id : A unique alert ID -- this can be used with our REST API to retrieve additional alert information
- organization_id : Unique ID of the organization on which the alert is generated (would be useful if a user belongs to multiple organizations)
- severity : Severity of the alert as an integer (1, 2 or 3)
- server_or_region : The server name for host alerts, or the region name for CloudTrail alerts
- source : Either "Host" or "CloudTrail" to indicate the type of alert being generated
- title : Title of the alert as displayed in the Threat Stack UI
Below is an example of the JSON object:
"title": "Threat Intelligence Activity: Communication to openbl by 184.108.40.206"
Use Case - Use a third-party service to integrate into your apps.
For example, you can push a SEV1 alert to create a blocking Jira ticket and have it assigned to your ops team to remediate. Another option I didn't document would be to push an alert into a HipChat ops channel.
For this use case, we use Zapier (http://www.zapier.com), a webhook and application integration service.
For questions, see Zapier's help section.
Step 1: Set up a trigger to webhook in Zapier:
Step 2: Pass the URL into Threat Stack webhook integration:
Step 3: Set up Jira as the trigger:
Additionally, if you choose to add "alerts" in the child key page you can define specific data from the JSON to include in your integrations.
Leveraging webhook integrations generally requires some additional work to interpret the alert JSON and then take actions based on your needs.
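As an added example (not Threat Stack's or Zapier's own code), the sketch below shows the "interpret the alert JSON, then act" step for a self-hosted receiver: it validates the fields listed above and picks a workflow by severity, following the three example workflows at the top of this page. The field types, the handler names in `ROUTES` and the sample values are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Fields listed in the article. The Python types are assumptions inferred from
# the field descriptions, not a published schema.
FIELDS = {"created_at": int, "id": str, "organization_id": str, "severity": int,
          "server_or_region": str, "source": str, "title": str}
# Severity -> workflow, per the article's examples; handler names are hypothetical.
ROUTES = {1: "sns_notify", 2: "jira_ticket", 3: "s3_archive"}


def parse_alert(body: bytes) -> dict:
    """Validate one webhook body (one alert per call) and normalize it."""
    try:
        alert = json.loads(body)
    except ValueError:  # covers JSONDecodeError and bad UTF-8
        raise ValueError("body is not valid JSON") from None
    if not isinstance(alert, dict):
        raise ValueError("expected a JSON object")
    for name, typ in FIELDS.items():
        value = alert.get(name)
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, typ):
            raise ValueError(f"missing or mistyped field: {name}")
    if alert["severity"] not in ROUTES:
        raise ValueError("severity must be 1, 2 or 3")
    if alert["source"] not in ("Host", "CloudTrail"):
        raise ValueError("source must be Host or CloudTrail")
    try:  # created_at is milliseconds since the epoch, UTC
        created = datetime.fromtimestamp(alert["created_at"] / 1000, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        raise ValueError("created_at out of range") from None
    # Keep only the known fields so nothing unexpected reaches downstream tools.
    return {**{k: alert[k] for k in FIELDS}, "created_at": created}


def route(alert: dict) -> str:
    """Pick the workflow for a validated alert by its severity."""
    return ROUTES[alert["severity"]]


# Constructed sample body: every value here is made up for illustration.
SAMPLE = json.dumps({"created_at": 1500000000000, "id": "example-alert-id",
                     "organization_id": "example-org-id", "severity": 1,
                     "server_or_region": "web-01", "source": "Host",
                     "title": "Example alert title"}).encode()

if __name__ == "__main__":
    print(route(parse_alert(SAMPLE)))
```

Treat the request body as untrusted input: call `parse_alert` before any field is copied into a ticket, notification or storage key, and reject the request when it raises.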