Exporting Alerts via a webhook
Overview
Webhooks are one of the ways that Sophos Linux Sensor (SLS) can send alerts to other applications. The webhook output type sends each alert to a webhook endpoint as an HTTP request. This output type is especially powerful when combined with alert templates, because it lets you create ad hoc integrations with a number of third-party services. Common use cases include shipping alert summaries to Slack, automatically creating Jira tickets when high-priority alerts are seen, or sending alerts directly to a Splunk Cloud instance.
This article walks you through how to export SLS alerts automatically using webhooks.
Note
Before performing any of these steps, make sure SLS is running in your environment. See Installing Sophos Linux Sensor for instructions on installing SLS in your environment.
Configuring SLS to log alerts using a webhook
To configure SLS to export alert data to a web server using a webhook, add the following lines to /etc/sophos/runtimedetections-rules.yaml using your preferred text editor.
Here's an example:
```yaml
alert_output:
  outputs:
    # Send Alerts to a local web server
    - type: webhook
      enabled: true
      url: http://localhost:8080/sophos_alerts
    # Send Alerts to an arbitrary service with all settings
    - type: webhook
      enabled: true
      url: https://api.example-company.com/sophos-alerts
      template: "New Sophos Alert {{.UUID}}"
      timeout: 5
      method: PUT
      headers:
        "Content-Type": "application/json"
        "Authorization": "BEARER your-generated-token"
    # Send Alerts to Slack using their webhook JSON format
    - type: webhook
      enabled: true
      url: https://hooks.slack.com/services/123ABC/ab914B12eeigVh2xZ
      template: '{"text": "New Sophos Alert {{.PolicyType}} {{.Description}}"}'
```
Key | Required | Description
---|---|---
type | yes | The output type.
enabled | yes | Enables/disables the output.
url | yes | The URL to send the request to.
headers | no | The headers to pass along with the request. Defaults to "Content-Type: application/json".
method | no | The HTTP method to use. Defaults to POST.
timeout | no | The timeout in seconds. Defaults to 30.
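As an added example (not part of this article or of SLS), here is a minimal receiver for the first configuration entry above: it listens on http://localhost:8080/sophos_alerts, accepts only POST/PUT requests that carry a bearer token (the assumed token value reuses the placeholder from the Authorization header in the second entry) and a JSON body, and rejects everything else with a distinct status code. It assumes that the untemplated alert body is a JSON object carrying fields such as UUID, PolicyType and Description, the names the page's templates reference.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values: the path the first config entry posts to, and the bearer
# token a hardened deployment would require (matches the placeholder above).
ALERT_PATH = "/sophos_alerts"
EXPECTED_TOKEN = "your-generated-token"
RECEIVED = []  # alerts accepted so far (in-memory store for the example)

def handle_alert(method, path, headers, body):
    """Validate one webhook request; return (http_status, reply_text).
    Assumed: SLS's default (untemplated) body is a JSON object with fields
    such as UUID, PolicyType and Description (the names the templates use)."""
    hdr = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if path != ALERT_PATH:
        return 404, "not found"
    if method not in ("POST", "PUT"):
        return 405, "method not allowed"
    scheme, _, token = hdr.get("authorization", "").partition(" ")
    # constant-time compare so token guessing gets no timing signal
    if scheme.upper() != "BEARER" or not hmac.compare_digest(token.encode(), EXPECTED_TOKEN.encode()):
        return 401, "unauthorized"
    if hdr.get("content-type", "").split(";")[0].strip() != "application/json":
        return 415, "expected application/json"
    try:
        alert = json.loads(body)
    except ValueError:
        return 400, "malformed JSON"
    if not isinstance(alert, dict):
        return 400, "expected a JSON object"
    RECEIVED.append({k: alert.get(k) for k in ("UUID", "PolicyType", "Description")})
    return 200, "accepted"

class AlertHandler(BaseHTTPRequestHandler):
    """Thin HTTP adapter around handle_alert for the local endpoint."""
    def _dispatch(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", "replace")
        status, reply = handle_alert(self.command, self.path, dict(self.headers), body)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(reply.encode())
    do_POST = do_PUT = do_GET = _dispatch

if __name__ == "__main__":
    # Listen where the first config entry points: http://localhost:8080/sophos_alerts
    HTTPServer(("127.0.0.1", 8080), AlertHandler).serve_forever()
```

Run it locally, point the first webhook entry at it, and watch RECEIVED fill with the UUID, PolicyType and Description of each accepted alert.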
For step-by-step guides on how to export alerts using webhooks to S3 and SQS, Splunk, Google Cloud Storage, ELK, Azure Storage, and so on, see Exporting Alerts.