Email integration with Incident Response
Integrate Incident Response with any service capable of sending email alerts. Incident Response opens and triggers an alert when it receives an email to this integration email address. Events and alerts from monitoring tools can also be sent as emails after making sure that the payload is mapped correctly.
Before you begin
Role required: Responder, Manager, or Administrator
About this task
Watch this video to see the Email integration with Incident Response.
- Log in to Lightstep Incident Response.
- On the navigation pane, select Integrations.
- Click the Email integration card.
- Enter the name of the integration in the Name field.
The Status field shows the status of the integration, such as enabled or disabled.
Note: You can modify this field only after the webhook is generated.
- Select the service that you want to associate with the integration.
A service represents a functional outcome like networking, payments, or HR services, that is owned by one team. You might need multiple tool integrations to monitor each technical service and receive events from those tools.
- Use the Create Unique Alert toggle switch to choose whether to create unique alerts for the same email content.
- When Create Unique Alert toggle switch is OFF:
Consider the following sample payload to discuss the alert creation and grouping logic:
```
severity: 2
description: Issue in SDN Site 4
source: vm-siteA-APAC-1
source_id: DWER2JL12
event_time: 1643083449000
resource_name: Delta
type: SDN Site
metric_name: CPU Usage
state: New
other_info: Extra Info From Demo
```
Scenario 1: Metric name is empty

| Condition | Result |
| --- | --- |
| When the email is sent for the first time. | New alert is created. |
| When the email is sent consecutively with the same payload. | New alert is created. |
| When the email is sent consecutively with modified parameter values. | New alert is created. |

Scenario 2: Metric name is not empty

| Condition | Result |
| --- | --- |
| When the email is sent for the first time. | New alert is created. |
| When the email is sent consecutively with the same payload. | New alert is not created. |
| When the email is sent consecutively with modified parameter values for | New alert is created. |
| When the email is sent consecutively with modified parameter values for other_info for an existing alert with the same metric name. (Issue is the same, but parameters related to the issue have changed.) | Values are updated in the existing alert. |

Scenario 3: Empty payload

| Condition | Result |
| --- | --- |
| All the values of the parameters in the payload are empty. | New alert is created with priority P4-Low, and state Open. |

- When Create Unique Alert toggle switch is ON, new alerts are always created, for all scenarios. This includes:
  - When the email is sent consecutively with the same payload, a new alert is created.
  - When the email is sent consecutively with modified parameter other_info for an existing alert with the same metric name, a new alert is created.
- Add a description for your integration in the Description field.
- Add the URL of the home page of the monitoring tool that sends alerts in the Integration URL field.
- Add tags that can help users search for the integration using the Tags field.
- Click Generate email.
An email address is generated. Incident Response creates an alert for each email that is sent to the generated email address.
- Copy the following items. You need them when configuring email alerts:
  - Email address by clicking the copy icon.
  - Payload by clicking Copy payload to clipboard.
The sample payload format is as follows:
```
severity: $SEVERITY
description: $DESCRIPTION
source: $SOURCE
source_id: $SOURCE_ID
event_time: $EVENT_TIME
resource_name: $RESOURCE_NAME
type: $EVENT_TYPE
metric_name: $METRIC_NAME
state:$STATE
other_info: $OTHER_INFO
```
Note:
- You must populate the
- If an incorrect value is provided for severity, then an alert is created with a severity of 4.
- For event_time, any UNIX epoch value is acceptable.
- Click Save.
What to do next
- Copy the generated email address and paste it in the destination email address field of your application.
- Copy the payload and paste it in the email notification section of your application.
- Modify the values of the payload so that they are reflected in the alerts.
.zip, .xml, .xls, .txt, .png, .pdf, .p7s, .msg, .log, .jpe, .jpg, .jpeg, .html, .gz, .gif, .eml, .docx, .xlsx, .pptx, .csv, .bmp, .css, .doc, .ppt, .sql, .tgz, .mov, .svg, .wav, .mp3, .mp4, .tar, .gzip, and .rtf. You can send up to 13 MB in attachments in an email.
If a duplicate attachment for the same alert is sent from different emails, the latest attachment is considered.
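A pre-send check for the payload described on this page, written as an added example and not Lightstep code. It reports how the rules above will treat an email before the monitoring tool sends it. It assumes one `key: value` field per line and, because the page does not list valid severities, an adjustable set of 1 to 5; `parse_payload` and `lint_payload` are hypothetical names.

```python
# Pre-send lint for the email payload (added example, not Lightstep code).
FIELDS = ["severity", "description", "source", "source_id", "event_time",
          "resource_name", "type", "metric_name", "state", "other_info"]
# Assumption: the page does not list valid severities; adjust for your instance.
ASSUMED_SEVERITIES = {"1", "2", "3", "4", "5"}

def parse_payload(body):
    """Parse 'key: value' lines, splitting on the first colon only."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in FIELDS:
            fields[key.strip()] = value.strip()
    return fields

def lint_payload(body, severities=ASSUMED_SEVERITIES):
    """Return warnings describing how the documented rules treat this payload."""
    f = parse_payload(body)
    warnings = [f"missing field: {k}" for k in FIELDS if k not in f]
    if not any(f.values()):
        warnings.append("empty payload: alert is created as P4-Low, state Open")
        return warnings
    if f.get("severity", "") not in severities:
        warnings.append("severity not recognised: alert is created with severity 4")
    event_time = f.get("event_time", "")
    if not (event_time.isascii() and event_time.isdigit()):
        warnings.append("event_time is not a UNIX epoch value")
    if not f.get("metric_name"):
        warnings.append("metric_name empty: every email creates a new alert")
    # A literal $PLACEHOLDER means the sending tool did not substitute the value.
    warnings += [f"unsubstituted placeholder in {k}" for k, v in f.items()
                 if v.startswith("$")]
    return warnings

# Constructed sample, using the field values shown in the sample payload above.
SAMPLE = """severity: 2
description: Issue in SDN Site 4
source: vm-siteA-APAC-1
source_id: DWER2JL12
event_time: 1643083449000
resource_name: Delta
type: SDN Site
metric_name: CPU Usage
state: New
other_info: Extra Info From Demo
"""
```

An empty result from `lint_payload(SAMPLE)` means none of the documented fallbacks (severity 4, P4-Low, ungrouped alerts) will apply to that email.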