PingIntelligence

Alert notification on Slack and Email

You can configure Splunk to send alert notification to a Slack channel or through and email.

Slack

Prerequisites:

  • The Slack app should already be installed in your Splunk setup.

  • Connect Slack and Splunk using webhooks. For more information on Slack webhooks, see Incoming Webhooks

Complete the following steps to create an alert for Slack:

  1. Navigate to Settings ̶> Searches, reports and alerts

    Alert should be created for App: Search & Reporting(search)
  2. Create new alerts.

    Enter the values as described in the table below:

    Value Description

    Description

    PingIntelligence for APIs Alert

    Search

    Search: index="pi_events"

    sourcetype="pi_events_source_type"

    access_type="attack"

    Alert Type

    Scheduled → Run on Cron Schedule

    Cron Expression

    */10 * * * *

    Time Range

    600

    Expires

    24-hours

    Trigger alert when

    The alert should be triggered for results when greater than 0

    Trigger

    For each result. This would trigger a new alert for each event.

    Throttle

    Do not throttle the events

  3. Configure alert.

    Value Description

    Add Actions

    Choose the slack app to add actions

    Channel

    Use the channel which has been configured with webhook URL which starts with either # or @

    In this example, we are using channel name as:

    #PingIntelligence_alerts

    Message

    This is the message that will be posted along with the alert in Slack. We recommend using the below message:

    -------------------------------------------------------
    $result.attack_type$ has been detected on API: $result.api_name$
    -----------------------------------------------------------------
    More details :
    $result._raw$

    Attachments

    NA

    Fields

    NA

    Webhook URL

    NA

  4. Post a message in Splunk to verify that it is notified in Slack