
Custom Webhook Alert Channel

Create a custom webhook that receives Lacework alert notifications from a Lacework alert channel and forwards those alerts to another application.

After you configure a Lacework webhook alert channel, when Lacework generates an alert, it automatically sends that alert to the URL endpoint you configure in the webhook channel.

Create a Custom Webhook

Info: The webhook URL endpoint must use HTTPS. Lacework does not support webhooks over HTTP.

When Lacework generates a new alert, it sends an HTTP POST request with a Lacework payload, as shown in the following example.

    {
        "event_title": "Compliance Changed",
        "event_link": "https://myLacework.lacework.net/ui/investigate/Event/120884?startTime=1565370000000&endTime=1565373600000",
        "lacework_account": "myLacework",
        "event_source": "AzureCompliance",
        "event_description": "Azure Account myLacework Pay-As-You-Go: Azure_CIS_2_1 Ensure that standard pricing tier is selected changed from compliant to non-compliant",
        "event_timestamp": "27 May 2021 17:00 GMT",
        "event_type": "Compliance",
        "event_id": "120884",
        "event_severity": "4",
        "rec_id": "Azure_CIS_2_1"
    }

The following table describes Lacework payload elements.

| Field Name | Description |
| --- | --- |
| event_title | The title of the Lacework event. |
| event_link | The link to the event in the Lacework Console. |
| lacework_account | The Lacework application where the event occurred. The myLacework part of the Lacework application URL: myLacework.lacework.net. |
| event_source | The source of the event or where the event occurred. |
| event_description | A description of the event including a description of why the event occurred. |
| event_timestamp | The timestamp of when the event occurred. |
| event_type | The type (or category) of the event. |
| event_id | The Lacework ID for the event. |
| event_severity | The severity of the event between numbers 1 and 5. The number 1 is the highest severity and 5 is the lowest severity. |
| rec_id | The recommendation ID. Only compliance events have the recommendation ID field. |

Create a webhook to receive the HTTP POST request from Lacework and then perform some action. For example, your webhook could read the payload from the Lacework HTTP POST request, parse the properties from the incoming payload, generate another alert with the properties in a different format, and send that alert to another application such as Opsgenie.
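A sketch of the receiving side described above, as an added example rather than Lacework's own code: it checks the api-token from the webhook URL, treats the POST body as untrusted input, and maps the payload fields to a downstream alert. The token value, the size cap, the function and class names, and the Opsgenie-style output field names are assumptions.

```python
import hmac
import json
from urllib.parse import parse_qs

EXPECTED_TOKEN = "constructed-example-token"  # assumption: secret carried in the webhook URL
EXPECTED_ACCOUNT = "myLacework"               # account name used in the page's sample payload
MAX_BODY = 64 * 1024                          # assumption: size cap for one alert body
REQUIRED = ("event_title", "event_link", "lacework_account", "event_source", "event_description",
            "event_timestamp", "event_type", "event_id", "event_severity")

class Rejected(ValueError):
    """The request failed a check and must not be forwarded."""

def to_downstream_alert(request_path: str, body: bytes) -> dict:
    """Validate one Lacework webhook POST and map it to the downstream alert format."""
    supplied = parse_qs(request_path.partition("?")[2]).get("api-token", [""])[0]
    # Constant-time comparison so the check does not leak the token through timing.
    if not hmac.compare_digest(supplied.encode(), EXPECTED_TOKEN.encode()):
        raise Rejected("bad or missing api-token")
    if len(body) > MAX_BODY:
        raise Rejected("body too large")
    try:
        event = json.loads(body)
    except ValueError as exc:  # covers invalid JSON and invalid UTF-8
        raise Rejected("body is not valid JSON") from exc
    if not isinstance(event, dict) or any(not isinstance(event.get(k), str) for k in REQUIRED):
        raise Rejected("missing or non-string field")
    if event["event_severity"] not in {"1", "2", "3", "4", "5"}:
        raise Rejected("event_severity must be 1 to 5")
    # The account and the console link must both point at the expected Lacework tenant.
    if (event["lacework_account"] != EXPECTED_ACCOUNT
            or not event["event_link"].startswith(f"https://{EXPECTED_ACCOUNT}.lacework.net/")):
        raise Rejected("event is not from the expected account")
    return {
        "message": event["event_title"][:130],      # assumption: downstream title length limit
        "alias": "lacework-" + event["event_id"],   # stable key for de-duplication
        "description": event["event_description"],
        "priority": "P" + event["event_severity"],  # 1 is the highest severity on both sides
        "source": "Lacework/" + event["event_source"],
        "details": {"link": event["event_link"], "type": event["event_type"],
                    "rec_id": str(event.get("rec_id", ""))},  # only compliance events carry rec_id
    }

# Constructed sample: a shortened copy of the payload shown on this page.
SAMPLE = json.dumps({
    "event_title": "Compliance Changed", "event_id": "120884", "event_severity": "4",
    "event_link": "https://myLacework.lacework.net/ui/investigate/Event/120884",
    "lacework_account": "myLacework", "event_source": "AzureCompliance", "rec_id": "Azure_CIS_2_1",
    "event_description": "Azure_CIS_2_1 changed from compliant to non-compliant",
    "event_timestamp": "27 May 2021 17:00 GMT", "event_type": "Compliance"}).encode()
```

Because the token travels in the query string, keep the request path out of the receiver's access logs or redact the parameter there.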

Create a Webhook Alert Channel from the Lacework Console

Do the following:

  1. Log in to the Lacework Console as a Lacework user with administrative privileges.
  2. Go to Settings > Notifications > Alert channels.
  3. Click + Add new.
  4. Select Webhook.
  5. Click Next.
  6. Verify that you have created a webhook to receive the HTTP POST request from Lacework as described in Create a Custom Webhook.
  7. Specify a name for the channel.
  8. In the Webhook URL, enter the URL of your webhook that will receive the HTTP POST request from Lacework. If the third party that is receiving the HTTP POST request requires an API token, enter the API token as part of the URL. For example:
    https://mySampleEnv.live.dynatrace.com/apiZvl/time?api-token=abcdefjhij1234567890
  9. Select Save.
  10. Select Alert rules and configure the alert routing options you need, using the alert channel you created.

Create a Lacework Webhook Alert Channel Using Terraform

You can use the lacework_alert_channel_webhook resource to create a custom webhook that receives Lacework alert notifications from a Lacework alert channel and forwards those alerts to a third-party application.

Note: If the third-party application receiving the HTTP POST request requires an API token, enter the API token as part of the URL (for example, https://webhook.com?api-token=123).

    resource "lacework_alert_channel_webhook" "ops_critical" {
      name        = "OPS Critical Alerts"
      webhook_url = "https://webhook.com?api-token=123"
    }

Additional information on the lacework_alert_channel_webhook resource can be found on the Terraform Registry.