Alert Integration
Slack Alert Integration
Slack alerting in Javelin requires a webhook for sending messages to a Slack channel.
Steps to Create a Slack Webhook
- Go to Slack API Portal: Visit Slack API and sign in.
- Create a New App: Click on "Create New App" and choose "From scratch."
- Select Features: Under "Add features and functionality," click on "Incoming Webhooks."
- Activate Incoming Webhooks: Toggle the switch to "On."
- Create a Webhook URL: Scroll down to "Webhook URLs for Your Workspace" and click "Add New Webhook to Workspace."
- Choose a Channel: Select the Slack channel where alerts should be sent.
- Copy the Webhook URL: After authorization, copy the generated webhook URL.
- Use in Javelin: Provide this webhook URL as a parameter in Javelin's Slack alert configuration.
Splunk Alert Integration
Splunk alerting in Javelin requires the HTTP Event Collector (HEC) with a base URL, a token, and a payload containing event and sourcetype (which can have a manual value).
Steps to Create an HTTP Event Collector (HEC) in Splunk
- Log in to Splunk: Sign in to your Splunk instance.
- Navigate to HEC Settings:
- Go to "Settings" > "Data Inputs."
- Click on "HTTP Event Collector."
- Create a New Token:
- Click on "New Token."
- Provide a name for the token.
- Select Input Settings:
- Choose the allowed index where the events should be stored.
- Set "Sourcetype" (can be set to "manual").
- Review and Submit: Complete the setup and copy the generated token.
- Find Base URL: The base URL follows the format:
https://<splunk-instance>:8088. - Use in Javelin:
- Provide the base URL and token in Javelin’s Splunk alert configuration.
- Ensure the
payloadcontainseventandsourcetypefields.
This setup enables Javelin to send alerts to both Slack and Splunk effectively.
Configuring Alerts in Javelin
Steps to Configure an Alert
To configure an alert in the Javelin application, follow these steps:
1. Create a New Alert
Perform a POST request to:
https://your-api-domain.com/v1/admin/alerts/config
with the following JSON body:
Important Configuration Fields
- name: The name of the alert configuration.
- receiver_type: Can be
slackorsplunk. - enabled: Boolean value (
trueorfalse) indicating if the alert is active. - configuration: Contains specific parameters based on the receiver type.
- For Slack, Javelin requires:
webhook_url: The Slack webhook URL.
- For Splunk, Javelin requires:
endpoint: The Splunk HEC endpoint.token: The authentication token.payload: Containseventandsourcetype.
- For Slack, Javelin requires:
- trigger_condition: Specifies when the alert should be triggered (e.g., matching threat types).
- The alert is triggered when any of the specified conditions match.
- Supported fields:
- account_ids: Can contain a list of account IDs to trigger alerts based on specific accounts.
- gateway_names: Can contain a list of gateway names to trigger alerts based on specific gateway.
- application_ids: Can contain a list of application IDs to trigger alerts based on specific applications.
- route_names: Can contain a list of route names to trigger alerts when specific routes are accessed.
- threats: Can contain a list of threats; the alert is triggered when any of these threats are detected.
- severity: Defines the severity level of the alert (
low,medium,high).
Example Alert Configuration (Splunk)
{
"name": "Splunk alert",
"receiver_type": "splunk",
"enabled": true,
"configuration": {
"token": "<token>",
"payload": {
"event": "Javelin trigger",
"sourcetype": "<sourcetype>"
},
"endpoint": "https://<splunk_url>:<port>/services/collector/raw"
},
"trigger_condition": {
"threats": [
"prompt_injection_detected",
"sensitive_data_replaced"
]
},
"severity": "high"
}
2. Update an Existing Alert
To update an alert configuration, perform a PUT request to:
https://your-api-domain.com/v1/admin/alerts/config/<alert_id>
with the full alert configuration including any updated fields.
Ensure you send the complete payload, not just the modified fields.
This allows Javelin to properly store and apply the updated alert settings.