Notification Channels

Notification Channels are destinations for Last9 to send alert notifications. We currently support Slack, PagerDuty, Opsgenie, and Email integrations.

Adding a Notification Channel

To add a notification Channel:

Navigate to Notification Channels and click Add
Provide the following details:
- Channel Name: Descriptive name to easily identify channel destination
- Channel: Choose a channel from the supported integrations list
- Webhook/API Key/Email: Provide the relevant details for the selected channel
  - Slack: See how to send messages using Incoming Webhooks
  - PagerDuty: See how to use the PagerDuty Events V2 API
- Send Resolved: Enable if you want to be notified when an alert has been resolved, useful for automation of incident management
If you’ve selected Slack as the channel, you can also send a test message to the configured channel by clicking on Test Config.
Click on Save to enable this channel. This channel can now be used in Alert Groups or Scheduled Search to start receiving notification

Usage of a NotificationChannel

Usage of a Notification Channel

In Notification Channels, you can quickly understand which configured channels are being used and by how many alert groups or scheduled searches.

To view which alert groups or scheduled searches are using a particular channel, click on the relevant channel’s Usage link to view the list. From here, you can also jump to any of the alert groups or scheduled searches.

Notification Payloads

In case you want to further use the generated JSON paylods for custom incident details, automation and workflows, alert enrichment, or integrating with other tools, refer to the following mapping for PagerDuty and Opsgenie.

PagerDuty

PagerDuty field	Type	Description
payload	object
payload.summary	string	Title for the incident
payload.timestamp	timestamp	The ending time of this alert, in ISO 8601 format
payload.severity	string	critical / warning for alerts marked as breach/threat in alert rule
payload.source	string	Dedup key for the incident
payload.component	string	Empty
payload.group	string	Dedup key for the incident
payload.class	string	Alert Rule Type
payload.custom_details	object	Described below
routing_key	string	PagerDuty integration key
event_action	string	’trigger’ for active notifications, ‘resolve’ for resolved notifications
dedup_key	string	Dedup key for the incident
client	string	”Last9 Dashboard”
client_url	string	Link to health dashboard for the alert in Last9
links	array of objects	Empty array
images	array of objects	Empty array

Custom Details

alert_condition - Condition set on alert. Static alerts, it is of the format.expr > 10 based on the threshold configured. For pattern-based alerts, it is of the format algo_type(tunable, expr). For example, for a high spike alert set with tunable 3, this would be high_spike(3, expr)
algo_type - Type of alert (static_threshold, increasing_changepoint etc)
client_url - Link to the health dashboard for this alert on Last9
description - Description of the alert. If a description is provided while configuring the rule, it appears here. Otherwise, a default description based on the algorithm, indicator, and entity is shown
start - Starting time of this alert, in ISO 8601 format
end- Ending time of this alert, in ISO 8601 format
expression - Name of the indicator
entity_name - Entity name
entity_type - Entity type
entity_team - Entity team. Is None if not assigned
entity_tier - Entity tier. Is None if not assigned
entity_workspace - Entity workspace. Is None if not assigned
entity_namespace - Entity namespace. Is None if not assigned
severity - Severity of the alert (breach/ threat)
notification_call - Whether this alert is sent for the first time or repeated (first/ repeat)
runbook - Link to the runbook for this alert (has to be configured while setting up alert). This key is omitted if the runbook isn’t configured
If the entity under alert has tags associated with it, they are included in custom details as tag_<tag_name> = true
time_in_alert - Duration for which this alert was observed. E.g., 8 in 10 minutes.

Opsgenie

Opsgenie field	Description	Type
message	Title for the incident	string
alias	Dedup key for the incident	string
description	Description of the alert. If a description is provided while configuring the rule, it appears here. Otherwise, this field is omitted.	string
tags	Tags associated with the entity	array of strings
actions	[“Debug”]	array of strings
details	Described below	object
entity	null	string
source	Last9 Dashboard	string
note	A string description of the alert, along with the health dashboard link for the alert	string
responders	Not used	array of objects
visibleTo	Not used	array of objects
priority	Not used	string
user	Not used	string

Details

alert_condition: Condition set on alert. Static alerts, it is of the format.expr > 10 based on the threshold configured. For anomaly alerts, it is of the format algo_name(tunable, expr). For example, for a high spike alert set with tunable 3, this would be high_spike(3, expr)
algorithm: Type of alert (static_threshold, increasing_changepoint etc)
component: null
last9_dashboard: Link to the health dashboard for this alert
expression: Name of the indicator
service: Name and type of the entity
source: Dedup key for this incident
entity_name: Entity name
entity_type: Entity type
entity_team: Entity team. Is None if not assigned
entity_tier: Entity tier. Is None if not assigned
entity_workspace: Entity workspace. Is None if not assigned
entity_namespace: Entity namespace. Is None if not assigned
severity: Severity of the alert (breach/ threat)
notification_call: Whether this alert is sent for the first time or repeated (first/ repeat)
runbook: Link to the runbook for this alert (has to be configured while setting up alert). This key is omitted if the runbook isn’t configured

Troubleshooting

Please get in touch with us on Discord or Email if you have any questions.