Webhooks Integration



What are Webhooks ?

Threat Stack provides a Webhook API to enable customers to build custom workflows based on alerts.

Examples of such workflows could be:

  • Generating a custom AWS SNS notification based on severity 1 Threat Stack alert
  • Creating a Jira ticket from a severity 2 Threat Stack alert
  • Archive severity 3 Threat Stack alerts into a S3 bucket for long-term storage

Introduction to Threat Stack Webhook Functionality

What do we send?

Currently, the webhook sends a summary of alert information in JSON format. Every alert will result in a separate call to the Webhook API – we do not batch alerts together.

The alert JSON contains the following attribute-value pairs:

  1. title : Title of the alert as displayed in the Threat Stack UI
  2. created_at : Time at which the alert was created, in milliseconds UTC
  3. severity : Severity of the alert as an integer (1, 2 or 3)
  4. organization_id : Unique ID of the organization on which the alert is generated (would be useful if a user belongs to multiple organizations)
  5. server_or_region: The server name for host alerts, or the region name for CloudTrail alerts
  6. source: either "Host" or "CloudTrail" to indicate the type of alert being generated.
  7. id : A unique alert ID – this can be used with our REST API to retrieve additional alert information
  8. organization_Name : The name of the user's organization

This is an example of the JSON object:


”title”: ”Threat Intelligence Activity: Communication to openbl by”,

“created_at”: “1459447024000”,

”severity”: ”3”,

”organization_id”: ”545d0293b620cd090d000023”,

”server_or_region”: ”Threat_Stack_Demo_Ubuntu1”,

”source”: ”Host”,

”id”: ”56fd65138c1e0c173af5a3de”,

"organization_Name": "My Organization"


Use Case - Use a third party service to integrate into your apps.

Products like Zapier, webhooks.io, and IFTTT can wait to catch our webhook, and then push it into the product's you already use every day. 

Things like, Pushing a SEV1 alert to create a blocking JIRA ticket and have it assigned to your ops team to remediate. Another option I didn't document would be to push an alert into a Hipchat ops channel. 

For this use case, we utilize Zapier (http://www.zapier.com),a webhook and applications integration service.

For questions view Zapiers help section.

Step 1: Set up a trigger to webhook in Zapier:

Step 2: Pass the URL into Threat Stack webhook integration:

Step 3: Setup Jira as the trigger :

Additionally, if you choose to add "alerts" in the child key page you can define specific data from the JSON to include in your integrations.


Leveraging webhook integrations generally requires some additional work to interpret the alert JSON and then take actions based on your needs.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request



Article is closed for comments.