Notification Channels
How to use Slack, PagerDuty, Opsgenie, webhooks, and email for getting alert notifications.
Notification Channels are destinations for Last9 to send alert notifications. We currently support Slack, PagerDuty, Opsgenie, Webhook, and Email integrations.
Adding a Notification Channel
- Navigate to Notification Channels and click Add
- Provide the following details:
  - Channel Name: Descriptive name to easily identify the channel destination
  - Channel: Choose a channel from the supported integrations list
  - Webhook/API Key/Email: Provide the relevant details for the selected channel
    - Slack: See how to send messages using Incoming Webhooks
    - PagerDuty: See how to use the PagerDuty Events V2 API
    - Email: Enter the email IDs to be notified
    - Opsgenie: Enter the API key
    - Webhook: Enter the webhook to be triggered, and headers (like auth), if any
  - Send Resolved: Enable if you want to be notified when an alert has been resolved, useful for automation of incident management
- If you’ve selected Slack as the channel, you can also send a test message to the configured channel by clicking on Test Config
- Click on Save to enable this channel. This channel can now be used in Alert Groups or Scheduled Search to start receiving notifications
Usage of a Notification Channel
In Notification Channels, you can quickly understand which configured channels are being used and by how many alert groups or scheduled searches.
To view which alert groups or scheduled searches are using a particular channel, click on the relevant channel’s Usage link to view the list. From here, you can also jump to any of the alert groups or scheduled searches.
Notification Payloads
In case you want to further use the generated JSON payloads for custom incident details, automation and workflows, alert enrichment, or integrating with other tools, refer to the following mapping for PagerDuty and Opsgenie.
PagerDuty
PagerDuty field | Type | Description |
---|---|---|
payload | object | |
payload.summary | string | Title for the incident |
payload.timestamp | timestamp | The ending time of this alert, in ISO 8601 format |
payload.severity | string | critical / warning for alerts marked as breach/threat in alert rule |
payload.source | string | Dedup key for the incident |
payload.component | string | Empty |
payload.group | string | Dedup key for the incident |
payload.class | string | Alert Rule Type |
payload.custom_details | object | Described below |
routing_key | string | PagerDuty integration key |
event_action | string | 'trigger' for active notifications, 'resolve' for resolved notifications |
dedup_key | string | Dedup key for the incident |
client | string | "Last9 Dashboard" |
client_url | string | Link to health dashboard for the alert in Last9 |
links | array of objects | Empty array |
images | array of objects | Empty array |
Custom Details
- alert_condition: Condition set on the alert. For static alerts, it is of the format expr > 10 based on the threshold configured. For pattern-based alerts, it is of the format algo_type(tunable, expr). For example, for a high spike alert set with tunable 3, this would be high_spike(3, expr)
- algo_type: Type of alert (static_threshold, increasing_changepoint etc)
- client_url: Link to the health dashboard for this alert on Last9
- description: Description of the alert. If a description is provided while configuring the rule, it appears here. Otherwise, a default description based on the algorithm, indicator, and entity is shown
- start: Starting time of this alert, in ISO 8601 format
- end: Ending time of this alert, in ISO 8601 format
- expression: Name of the indicator
- entity_name: Entity name
- entity_type: Entity type
- entity_team: Entity team. Is None if not assigned
- entity_tier: Entity tier. Is None if not assigned
- entity_workspace: Entity workspace. Is None if not assigned
- entity_namespace: Entity namespace. Is None if not assigned
- severity: Severity of the alert (breach/threat)
- notification_call: Whether this alert is sent for the first time or repeated (first/repeat)
- runbook: Link to the runbook for this alert (has to be configured while setting up the alert). This key is omitted if the runbook isn’t configured
- If the entity under alert has tags associated with it, they are included in custom details as tag_<tag_name>=true
- time_in_alert: Duration for which this alert was observed. E.g., 8 in 10 minutes.
Opsgenie
Opsgenie field | Type | Description |
---|---|---|
message | string | Title for the incident |
alias | string | Dedup key for the incident |
description | string | Description of the alert. If a description is provided while configuring the rule, it appears here. Otherwise, this field is omitted |
tags | array of strings | Tags associated with the entity |
actions | array of strings | ["Debug"] |
details | object | Described below |
entity | string | null |
source | string | Last9 Dashboard |
note | string | A string description of the alert, along with the health dashboard link for the alert |
responders | array of objects | Not used |
visibleTo | array of objects | Not used |
priority | string | Not used |
user | string | Not used |
Details
- alert_condition: Condition set on the alert. For static alerts, it is of the format expr > 10 based on the threshold configured. For anomaly alerts, it is of the format algo_name(tunable, expr). For example, for a high spike alert set with tunable 3, this would be high_spike(3, expr)
- algorithm: Type of alert (static_threshold, increasing_changepoint etc)
- component: null
- last9_dashboard: Link to the health dashboard for this alert
- expression: Name of the indicator
- service: Name and type of the entity
- source: Dedup key for this incident
- entity_name: Entity name
- entity_type: Entity type
- entity_team: Entity team. Is None if not assigned
- entity_tier: Entity tier. Is None if not assigned
- entity_workspace: Entity workspace. Is None if not assigned
- entity_namespace: Entity namespace. Is None if not assigned
- severity: Severity of the alert (breach/threat)
- notification_call: Whether this alert is sent for the first time or repeated (first/repeat)
- runbook: Link to the runbook for this alert (has to be configured while setting up the alert). This key is omitted if the runbook isn’t configured
Webhook
Field | Type | Description |
---|---|---|
routing_key | string | The full generic webhook URL generated in Last9. This is used to send alerts to your configured endpoint |
event_action | string | The type of event. Can be trigger, acknowledge or resolve |
dedup_key | string | Deduplication key for correlating triggers and resolves. The maximum permitted length of this property is 255 characters |
payload.summary | string | A brief text summary of the event, used to generate the summaries/titles of any associated alerts |
payload.source | string | The unique location of the affected system, preferably a hostname or FQDN |
payload.severity | string | The perceived severity of the status the event is describing with respect to the affected system. This can be critical, error, warning or info |
payload.timestamp | timestamp | The time at which the emitting tool detected or generated the event |
payload.component | string | Component of the source machine that is responsible for the event, for example mysql or eth0 |
payload.group | string | Logical grouping of components of a service, for example app-stack |
payload.class | string | The class/type of the event, for example ping failure or cpu load |
payload.custom_details | object | Additional details about the event and affected system |
images | array of objects | List of images to include |
links | array of objects | List of links to include |
Sample Payloads
```json
{
  "payload": {
    "summary": "Scheduled Search Triggered - Dashboard logs",
    "timestamp": "2025-04-07T04:32:00.000+0000",
    "severity": "critical",
    "component": null,
    "source": "3eee4fb7:241fb9df-8d31-4f69-8122-38d16bbe16df:breach-static_threshold",
    "group": "3eee4fb7:241fb9df-8d31-4f69-8122-38d16bbe16df:breach-static_threshold",
    "class": "Static Threshold",
    "custom_details": {
      "description": "Scheduled Search Alert is Triggered. Please check the Last9 Dashboard for more details.",
      "severity": "Breach",
      "client_url": "https://app.last9.io/logs?logql=%7Bservice%3D%22dashboard%22%7D&from=1743999960&to=1744000320",
      "rule_name": "Dashboard logs",
      "telemetry": "logs",
      "query": "{service=\"dashboard\"}",
      "evaluation_frequency": "Every 5 Minutes",
      "alert_condition": "expr > 7",
      "metric_name": "last9_change_events"
    }
  },
  "routing_key": "https://app.last9.io/api/v4/generic_webhook?email=apps@last9.io",
  "dedup_key": "3eee4fb7:241fb9df-8d31-4f69-8122-38d16bbe16df:breach-static_threshold",
  "images": [],
  "links": [],
  "event_action": "trigger",
  "client": "Last9 Dashboard",
  "client_url": "https://app.last9.io/logs?logql=%7Bservice%3D%22dashboard%22%7D&from=1743999960&to=1744000320"
}
```

```json
{
  "routing_key": "https://alpha.last9.io/api/v4/generic_webhook?email=apps@last9.io",
  "dedup_key": "3eee4fb7:241fb9df-8d31-4f69-8122-38d16bbe16df:breach-static_threshold",
  "event_action": "resolve"
}
```
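A receiver-side check for the generic webhook payload described above, as an added example (not Last9's code): it authenticates each delivery with a custom header, validates event_action, dedup_key and payload.severity against the Webhook field table, and correlates trigger and resolve by dedup_key. The header name X-Webhook-Token, the token value and the handle_notification function are assumptions for illustration.

```python
import hmac
import json

# Assumptions (not from the Last9 docs): the header name and token are whatever
# you entered as a custom header when creating the Webhook channel.
AUTH_HEADER = "X-Webhook-Token"               # hypothetical header name
EXPECTED_TOKEN = "constructed-example-token"  # constructed; load from a secret store

ACTIONS = {"trigger", "acknowledge", "resolve"}
SEVERITIES = {"critical", "error", "warning", "info"}
MAX_DEDUP_LEN = 255
open_incidents = {}  # dedup_key -> summary of the active alert


def handle_notification(headers, body):
    """Validate one webhook delivery; return (http_status, message)."""
    supplied = {k.lower(): v for k, v in headers.items()}.get(AUTH_HEADER.lower(), "")
    # Constant-time comparison so the token cannot be recovered by timing.
    if not hmac.compare_digest(supplied.encode(), EXPECTED_TOKEN.encode()):
        return 401, "bad or missing auth header"
    try:
        event = json.loads(body)
    except ValueError:  # covers JSONDecodeError and invalid UTF-8
        return 400, "body is not valid JSON"
    if not isinstance(event, dict):
        return 400, "body is not a JSON object"
    action = event.get("event_action")
    key = event.get("dedup_key")
    if action not in ACTIONS:
        return 400, "unknown event_action"
    if not isinstance(key, str) or not 0 < len(key) <= MAX_DEDUP_LEN:
        return 400, "dedup_key missing or longer than 255 characters"
    if action == "resolve":
        # The resolve sample carries no payload; dedup_key alone correlates it.
        was_open = open_incidents.pop(key, None) is not None
        return 200, "resolved" if was_open else "resolve for unknown incident"
    if action == "acknowledge":
        return 200, "acknowledged" if key in open_incidents else "ack for unknown incident"
    payload = event.get("payload")
    if not isinstance(payload, dict) or payload.get("severity") not in SEVERITIES:
        return 400, "trigger needs payload.severity of a known value"
    summary = payload.get("summary")
    if not isinstance(summary, str):
        return 400, "trigger needs payload.summary"
    repeat = key in open_incidents
    open_incidents[key] = summary
    return 200, "repeat trigger" if repeat else "incident opened"
```

Call handle_notification from your HTTP framework's request handler with the request headers and raw body, and return the status it produces.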
Troubleshooting
Please get in touch with us on Discord or Email if you have any questions.