Exporting Alerts via a webhook

Overview

Webhooks are one of the ways that Sophos Linux Sensor (SLS) can send alerts to other applications. The webhook output type sends each alert to a webhook endpoint as an HTTP request. This output type is especially powerful when combined with alert templates, because it lets you build ad hoc integrations with a number of third-party services. Some common use cases are shipping alert summaries to Slack, automatically creating Jira tickets when high-priority alerts are seen, or even sending alerts directly to a Splunk Cloud instance.

This article walks you through automatically exporting SLS alerts using webhooks.

Note

Before performing any of these steps, make sure SLS is running in your environment. See Installing Sophos Linux Sensor for instructions on installing SLS in your environment.

Configuring SLS to log alerts using a webhook

To configure SLS to export alert data to a web server using a webhook, add the following lines to /etc/sophos/runtimedetections-rules.yaml using your preferred text editor.

Here's an example:

alert_output:
  outputs:
    # Send Alerts to a local web server
    - type: webhook
      enabled: true
      url: http://localhost:8080/sophos_alerts

    # Send Alerts to an arbitrary service with all settings
    - type: webhook
      enabled: true
      url: https://api.example-company.com/sophos-alerts
      template: "New Sophos Alert {{.UUID}}"
      timeout: 5
      method: PUT
      headers:
        "Content-Type": "application/json"
        "Authorization": "BEARER your-generated-token"

    # Send Alerts to Slack using their webhook JSON format
    - type: webhook
      enabled: true
      url: https://hooks.slack.com/services/123ABC/ab914B12eeigVh2xZ
      template: '{"text": "New Sophos Alert {{.PolicyType}} {{.Description}}"}'

Key      Required  Description
type     yes       The output type.
enabled  yes       Enables/disables the output.
url      yes       The URL to send the request to.
headers  no        The headers to pass along with the request. Defaults to "Content-Type: application/json".
method   no        The HTTP method to use. Defaults to POST.
timeout  no        The timeout in seconds. Defaults to 30.
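As an added illustration (not part of the SLS documentation or product), the Python below takes the parsed form of the alert_output section above, checks the required keys, applies the defaults from the table, and renders the template to show the request each output would produce. The {{.Field}} substitution, the alert-as-JSON default body and the check that an Authorization header only goes to an https URL are assumptions made for this example.

```python
import json
import re

# Constructed sample: the parsed form of the alert_output section above, as
# yaml.safe_load would return it; the bearer token is a placeholder.
CONFIG = {"alert_output": {"outputs": [
    {"type": "webhook", "enabled": True,
     "url": "http://localhost:8080/sophos_alerts"},
    {"type": "webhook", "enabled": True,
     "url": "https://api.example-company.com/sophos-alerts",
     "template": "New Sophos Alert {{.UUID}}", "timeout": 5, "method": "PUT",
     "headers": {"Content-Type": "application/json",
                 "Authorization": "BEARER your-generated-token"}},
]}}

# Constructed sample alert carrying the fields the templates reference.
ALERT = {"UUID": "00000000-0000-4000-8000-000000000001",
         "PolicyType": "example", "Description": "constructed test alert"}

REQUIRED = ("type", "enabled", "url")
PLACEHOLDER = re.compile(r"\{\{\s*\.(\w+)\s*\}\}")


def render(template, alert):
    """Substitute {{.Field}} placeholders with alert fields.
    Assumption: SLS templates are Go text/template; only the bare
    field form is handled here, and unknown fields render as empty."""
    return PLACEHOLDER.sub(lambda m: str(alert.get(m.group(1), "")), template)


def build_requests(config, alert):
    """Validate each webhook output, apply the documented defaults and
    return the request SLS would issue for `alert` (method, url,
    headers, timeout, body)."""
    requests = []
    for out in config["alert_output"]["outputs"]:
        missing = [k for k in REQUIRED if k not in out]
        if missing:
            raise ValueError(f"webhook output missing required key(s): {missing}")
        if out["type"] != "webhook" or not out["enabled"]:
            continue
        headers = dict(out.get("headers") or {"Content-Type": "application/json"})
        # Added check: a bearer token over plain http is readable on the wire.
        if "Authorization" in headers and not out["url"].startswith("https://"):
            raise ValueError(f"credential would be sent over plaintext: {out['url']}")
        body = (render(out["template"], alert) if "template" in out
                else json.dumps(alert))  # assumption: no template -> alert as JSON
        requests.append({"method": out.get("method", "POST"), "url": out["url"],
                         "headers": headers, "timeout": out.get("timeout", 30),
                         "body": body})
    return requests
```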

For step-by-step guides on how to export alerts using webhooks to S3 & SQS, Splunk, Google Cloud Storage, ELK, Azure Storage, and so on, see Exporting Alerts.