Notification Channels

Notification Channels are destinations for Last9 to send alert notifications. We currently support Slack, PagerDuty, Opsgenie, Webhook, and Email integrations.

Adding a Notification Channel#Copy link

Navigate to Notification Channels and click Add
Provide the following details:
- Channel Name: Descriptive name to easily identify channel destination
- Channel: Choose a channel from the supported integrations list
- Webhook/API Key/Email: Provide the relevant details for the selected channel
  - Slack: See how to send messages using Incoming Webhooks
  - PagerDuty: See how to use the PagerDuty Events V2 API
  - Email: Enter the email IDs to be notified
  - Opsgenie: Enter the API key
  - Webhook: Enter the webhook to be triggered, and headers (like auth), if any
- Send Resolved: Enable if you want to be notified when an alert has been resolved, useful for automation of incident management
If you’ve selected Slack as the channel, you can also send a test message to the configured channel by clicking on Test Config
Click on Save to enable this channel. This channel can now be used in Alert Groups or Scheduled Search to start receiving notification

Usage of a Notification Channel#Copy link

Usage of a Notification Channel

In Notification Channels, you can quickly understand which configured channels are being used and by how many alert groups or scheduled searches.

To view which alert groups or scheduled searches are using a particular channel, click on the relevant channel’s Usage link to view the list. From here, you can also jump to any of the alert groups or scheduled searches.

Notification Payloads#Copy link

In case you want to further use the generated JSON payloads for custom incident details, automation and workflows, alert enrichment, or integrating with other tools, refer to the following mapping for PagerDuty and Opsgenie.

PagerDuty#Copy link

PagerDuty field	Type	Description
payload	object
payload.summary	string	Title for the incident
payload.timestamp	timestamp	The ending time of this alert, in ISO 8601 format
payload.severity	string	critical / warning for alerts marked as breach/threat in alert rule
payload.source	string	Dedup key for the incident
payload.component	string	Empty
payload.group	string	Dedup key for the incident
payload.class	string	Alert Rule Type
payload.custom_details	object	Described below
routing_key	string	PagerDuty integration key
event_action	string	’trigger’ for active notifications, ‘resolve’ for resolved notifications
dedup_key	string	Dedup key for the incident
client	string	”Last9 Dashboard”
client_url	string	Link to health dashboard for the alert in Last9
links	array of objects	Empty array
images	array of objects	Empty array

Custom Details

alert_condition - Condition set on alert. Static alerts, it is of the format.expr > 10 based on the threshold configured. For pattern-based alerts, it is of the format algo_type(tunable, expr). For example, for a high spike alert set with tunable 3, this would be high_spike(3, expr)
algo_type - Type of alert (static_threshold, increasing_changepoint etc)
client_url - Link to the health dashboard for this alert on Last9
description - Description of the alert. If a description is provided while configuring the rule, it appears here. Otherwise, a default description based on the algorithm, indicator, and entity is shown
start - Starting time of this alert, in ISO 8601 format
end- Ending time of this alert, in ISO 8601 format
expression - Name of the indicator
entity_name - Entity name
entity_type - Entity type
entity_team - Entity team. Is None if not assigned
entity_tier - Entity tier. Is None if not assigned
entity_workspace - Entity workspace. Is None if not assigned
entity_namespace - Entity namespace. Is None if not assigned
severity - Severity of the alert (breach/ threat)
notification_call - Whether this alert is sent for the first time or repeated (first/ repeat)
runbook - Link to the runbook for this alert (has to be configured while setting up alert). This key is omitted if the runbook isn’t configured
If the entity under alert has tags associated with it, they are included in custom details as tag_<tag_name> = true
time_in_alert - Duration for which this alert was observed. E.g., 8 in 10 minutes.

Opsgenie#Copy link

Opsgenie field	Type	Description
message	string	Title for the incident
alias	string	Dedup key for the incident
description	string	Description of the alert. If a description is provided while configuring the rule, it appears here. Otherwise, this field is omitted
tags	array of strings	Tags associated with the entity
actions	array of strings	[“Debug”]
details	object	Described below
entity	string	null
source	string	Last9 Dashboard
note	string	A string description of the alert, along with the health dashboard link for the alert
responders	array of objects	Not used
visibleTo	array of objects	Not used
priority	string	Not used
user	string	Not used

Details

alert_condition: Condition set on alert. Static alerts, it is of the format.expr > 10 based on the threshold configured. For anomaly alerts, it is of the format algo_name(tunable, expr). For example, for a high spike alert set with tunable 3, this would be high_spike(3, expr)
algorithm: Type of alert (static_threshold, increasing_changepoint etc)
component: null
last9_dashboard: Link to the health dashboard for this alert
expression: Name of the indicator
service: Name and type of the entity
source: Dedup key for this incident
entity_name: Entity name
entity_type: Entity type
entity_team: Entity team. Is None if not assigned
entity_tier: Entity tier. Is None if not assigned
entity_workspace: Entity workspace. Is None if not assigned
entity_namespace: Entity namespace. Is None if not assigned
severity: Severity of the alert (breach/ threat)
notification_call: Whether this alert is sent for the first time or repeated (first/ repeat)
runbook: Link to the runbook for this alert (has to be configured while setting up alert). This key is omitted if the runbook isn’t configured

Webhook#Copy link

Field	Type	Description
routing_key	string	The full generic webhook URL generated in Last9. This is used to send alerts to your configured endpoint
event_action	string	The type of event. Can be `trigger`, `acknowledge` or `resolve`
dedup_key	string	Deduplication key for correlating triggers and resolves. The maximum permitted length of this property is 255 characters
payload.summary	string	A brief text summary of the event, used to generate the summaries/titles of any associated alerts
payload.source	string	The unique location of the affected system, preferably a hostname or FQDN
payload.severity	string	The perceived severity of the status the event is describing with respect to the affected system. This can be `critical`, `error`, `warning` or `info`
payload.timestamp	timestamp	The time at which the emitting tool detected or generated the event
payload.component	string	Component of the source machine that is responsible for the event, for example `mysql` or `eth0`
payload.group	string	Logical grouping of components of a service, for example `app-stack`
payload.class	string	The class/type of the event, for example `ping failure` or `cpu load`
payload.custom_details	object	Additional details about the event and affected system
images	array of objects	List of images to include
links	array of objects	List of links to include

{
  "payload": {
    "summary": "Scheduled Search Triggered - Dashboard logs",
    "timestamp": "2025-04-07T04:32:00.000+0000",
    "severity": "critical",
    "component": null,
    "source": "3eee4fb7:241fb9df-8d31-4f69-8122-38d16bbe16df:breach-static_threshold",
    "group": "3eee4fb7:241fb9df-8d31-4f69-8122-38d16bbe16df:breach-static_threshold",
    "class": "Static Threshold",
    "custom_details": {
      "description": "Scheduled Search Alert is Triggered. Please check the Last9 Dashboard for more details.",
      "severity": "Breach",
      "client_url": "https://app.last9.io/logs?logql=%7Bservice%3D%22dashboard%22%7D&from=1743999960&to=1744000320",
      "rule_name": "Dashboard logs",
      "telemetry": "logs",
      "query": "{service=\"dashboard\"}",
      "evaluation_frequency": "Every 5 Minutes",
      "alert_condition": "expr > 7",
      "metric_name": "last9_change_events"
    }
  },
  "routing_key": "https://app.last9.io/api/v4/generic_webhook?email=apps@last9.io",
  "dedup_key": "3eee4fb7:241fb9df-8d31-4f69-8122-38d16bbe16df:breach-static_threshold",
  "images": [],
  "links": [],
  "event_action": "trigger",
  "client": "Last9 Dashboard",
  "client_url": "https://app.last9.io/logs?logql=%7Bservice%3D%22dashboard%22%7D&from=1743999960&to=1744000320"
}

{
  "routing_key": "https://alpha.last9.io/api/v4/generic_webhook?email=apps@last9.io",
  "dedup_key": "3eee4fb7:241fb9df-8d31-4f69-8122-38d16bbe16df:breach-static_threshold",
  "event_action": "resolve"
}

Troubleshooting#Copy link

Please get in touch with us on Discord or Email if you have any questions.