Last update: 2022-07-04

Exporting Alerts via a webhook


Webhooks are one of the ways that Sophos Linux Sensor (SLS) can send alerts to other applications. The webhook output type sends each alert to a webhook endpoint in an HTTP request. This output type is incredibly powerful when combined with alert templates, because it allows users to create ad hoc integrations with a number of third-party services. Some common use cases are shipping alert summaries to Slack, automatically creating Jira tickets when high-priority alerts are seen, or even sending alerts directly to a Splunk Cloud instance.

This article walks you through how to automatically export SLS alerts using webhooks.


Before performing any of these steps, make sure SLS is running in your environment. See Installing Sophos Linux Sensor for instructions on installing SLS in your environment.

Configuring SLS to log Alerts using webhook

To configure SLS to export alert data to a web server using webhook, add the following lines to /etc/sophos/runtimedetections-rules.yaml using your preferred text editor.

Here's an example:

    # Send Alerts to a local web server
    - type: webhook
      enabled: true
      url: http://localhost:8080/sophos_alerts

    # Send Alerts to an arbitrary service with all settings
    - type: webhook
      enabled: true
      url: https://example.invalid/alerts   # placeholder: your service endpoint (use https so the token is not sent in clear)
      template: "New Sophos Alert {{.UUID}}"
      timeout: 5
      method: PUT
      headers:
        "Content-Type": "application/json"
        "Authorization": "BEARER your-generated-token"

    # Send Alerts to Slack using their webhook JSON format
    - type: webhook
      enabled: true
      url: https://hooks.slack.com/services/<your-webhook-path>   # placeholder: your Slack incoming webhook URL
      template: '{"text": "New Sophos Alert {{.PolicyType}} {{.Description}}"}'
| Setting | Required | Description |
|---|---|---|
| type | yes | The output type. |
| enabled | yes | Enables/disables the output. |
| url | yes | The URL to send the request to. |
| headers | no | The headers to pass along with the request. Defaults to "Content-Type: application/json". |
| method | no | The HTTP method to use. Defaults to POST. |
| timeout | no | The timeout in seconds. Defaults to 30. |
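As an added example (not part of Sophos's documentation or of SLS itself), here is a minimal receiver for the first configuration above, listening on localhost:8080/sophos_alerts, that checks the bearer token and content type before parsing the alert. It assumes the alert body is JSON containing the fields the page's templates reference (UUID, PolicyType, Description) and uses the page's placeholder token as the expected value.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_TOKEN = "your-generated-token"  # placeholder from the config above; use a real secret
MAX_BODY = 1 << 20  # refuse bodies over 1 MiB

def check_request(method, headers, body, expected_token=EXPECTED_TOKEN):
    """Validate one delivery; return (HTTP status, parsed alert or None).
    Scheme word matched case-insensitively (the SLS example writes 'BEARER');
    the token itself is compared in constant time."""
    if method not in ("POST", "PUT"):
        return 405, None
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(
        token.strip().encode(), expected_token.encode()
    ):
        return 401, None
    if not headers.get("Content-Type", "").lower().startswith("application/json"):
        return 415, None
    if len(body) > MAX_BODY:
        return 413, None
    try:
        alert = json.loads(body)
    except ValueError:
        return 400, None
    if not isinstance(alert, dict):
        return 400, None
    return 200, alert

class AlertHandler(BaseHTTPRequestHandler):
    def _handle(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(min(length, MAX_BODY + 1))
        status, alert = check_request(self.command, self.headers, body)
        if status == 200:
            # Assumed alert fields: the ones the page's templates reference.
            print("alert:", alert.get("UUID"), alert.get("PolicyType"), alert.get("Description"))
        self.send_response(status)
        self.end_headers()

    do_POST = _handle
    do_PUT = _handle

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AlertHandler).serve_forever()
```

Run it, then point the first configuration at it; rejected deliveries get a 4xx status and are never logged as alerts.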

For step-by-step guides on how to export alerts using webhook to S3 & SQS, Splunk, Google Cloud Storage, ELK, Azure Storage, and so on, see Exporting Alerts.
