Skip to content
Last update: 2022-06-08

Exporting Alerts via a webhook

Overview

Webhooks are one of the ways that Sophos Linux Sensor (SLS) can send alerts to other applications. Webhook output type sends alerts to a webhook endpoint with an HTTP request. This output type is incredibly powerful when combined with alert templates because it allows users to create ad hoc integrations with a number of third-party services. Some common use cases are shipping alert summaries to Slack, automatically creating Jira tickets when high priority alerts are seen, or even sending alerts directly to a Splunk cloud instance.

This article shows you through how you can automatically export SLS alerts using webhooks.

Note

It's very important that before performing any of these steps that you have SLS running in your environment.  See Installing Sophos Linux Sensor for instructions on installing the SLS in your environment.

Configuring SLS to log Alerts using webhook

To configure SLS to export alert data to a web server using webhook, add the following lines to /etc/sophos/runtimedetections-rules.yaml using your preferred text editor.

Here's an example:

alert_output:
  outputs:
    # Send Alerts to a local web server
    - type: webhook
      enabled: true
      url: http://localhost:8080/sophos_alerts

    # Send Alerts to an arbitrary service with all settings
    - type: webhook
      enabled: true
      url: https://api.example-company.com/sophos-alerts
      template: "New Sophos Alert {{.UUID}}"
      timeout: 5
      method: PUT
      headers:
        "Content-Type": "application/json"
        "Authorization": "BEARER your-generated-token"

    # Send Alerts to Slack using their webhook JSON format
    - type: webhook
      enabled: true
      url: https://hooks.slack.com/services/123ABC/ab914B12eeigVh2xZ
      template:'{"text": "New Sophos Alert {{.PolicyType}} {{.Description}}"}'
KeyRequiredDescription
typeyesThe output type.
enabledyesEnables/disables the output.
urlyesThe URL to send the request to.
headersnoThe headers to pass along with the request. Defaults to "Content-Type: application/json".
methodnoThe HTTP method to use. Defaults to POST.
timeoutnoThe timeout in seconds. Defaults to 30.

For step-by-step guides on how to export alerts using webhook to S3 & SQS, Splunk, Google Cloud Storage, ELK, Azure Storage, and so on, see Exporting Alerts.

Back to top