Email integration with Incident Response
Integrate Incident Response with any service capable of sending email alerts. Incident Response opens and triggers an alert when it receives an email to this integration email address. Events and alerts from monitoring tools can also be sent as emails after making sure that the payload is mapped correctly.
Before you begin
Role required: Responder, Manager, or Administrator
About this task
- Log in to Lightstep Incident Response.
- On the navigation pane, select Integrations.
- Click the Email integration card.
- Enter the name of the integration in the Name field.
The Status field shows the status of the integration, such as enabled or disabled.
Note: You can modify this field only after the webhook is generated.
- Select the service that you want to associate with the integration.
A service represents a functional outcome like networking, payments, or HR services, that is owned by one team. You might need multiple tool integrations to monitor each technical service and receive events from those tools.
- Use the Create Unique Alert toggle switch to choose whether you want to create unique alerts for the same email content or not.
- When Create Unique Alert toggle switch is ON, new alerts are created for each email sent.
- When Create Unique Alert toggle switch is
The following 5 fields are considered for grouping of alerts:
- source
- source_id
- resource_name
- type
- metric_name
| Condition | Result |
| --- | --- |
| When an email is sent for the first time containing values for one or more of the 5 fields mentioned above | A new alert is created. |
| When subsequent emails are sent without changes to the values of the fields present in the first email | The existing alert is updated. |
| When the values for any of the 5 fields changes | A new alert is created. |
| If all the 5 fields are empty | The email subject is considered for the grouping of alerts. For the first email containing a particular subject line, a new alert is created. For subsequent emails with the same subject line, the existing alert is updated. |
| If the email body and subject are both empty | A new alert is created with priority P4-Low and state Open. |
- Add a description for your integration in the Description field.
- Add the URL of the home page of the monitoring tool that sends alerts in the Integration URL field.
- Add tags that can help users search for the integration using the Tags field.
- Click Generate email.
An email address is generated. Incident Response creates alerts for emails sent to the generated email address.
Copy the following items. You need them when configuring email alerts:
- Email address by clicking the copy icon.
- Payload by clicking Copy payload to clipboard.
To map custom fields to email integration, perform the following steps:
- Click the Field mapping tab.
- In the Custom field name field, enter the field name.
- In the JSON path field, enter the variable path starting with $.
- In the Default value field, enter a default value for the mapping when the payload value for the field is empty.
- Click Save.
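The grouping rules for the Create Unique Alert toggle described above, modelled as an added Python example (not Lightstep code). `AlertStore`, `parse_payload` and `ingest` are hypothetical names, and the example assumes the payload is a JSON object carried in the email body.

```python
import json
from itertools import count

GROUP_FIELDS = ("source", "source_id", "resource_name", "type", "metric_name")

def parse_payload(body):
    # Assumption: the payload is a JSON object carried in the email body.
    try:
        data = json.loads(body)
    except ValueError:
        return {}
    return data if isinstance(data, dict) else {}

class AlertStore:
    """Hypothetical in-memory model of the grouping rules; not product code."""
    def __init__(self, create_unique_alert=False):
        self.create_unique_alert = create_unique_alert
        self.alerts = {}      # alert id -> alert
        self._by_key = {}     # grouping key -> alert id
        self._ids = count(1)

    def _create(self, key, subject, **extra):
        alert = {"id": next(self._ids), "subject": subject, "emails": 1, **extra}
        self.alerts[alert["id"]] = alert
        if key is not None:
            self._by_key[key] = alert["id"]
        return "created", alert

    def ingest(self, subject="", body=""):
        """Return ("created" | "updated", alert) for one received email."""
        if self.create_unique_alert:          # toggle ON: one alert per email
            return self._create(None, subject)
        payload = parse_payload(body)
        values = tuple(str(payload.get(f) or "").strip() for f in GROUP_FIELDS)
        if any(values):
            key = ("fields", values)          # a change in any value is a new key
        elif subject.strip():
            key = ("subject", subject)        # all 5 fields empty: group on subject
        elif not body.strip():                # body and subject both empty
            return self._create(None, subject, priority="P4-Low", state="Open")
        else:
            # Assumption: a body with no grouping fields and no subject is not
            # covered by the page; this sketch creates a new alert for it.
            return self._create(None, subject)
        if key in self._by_key:
            alert = self.alerts[self._by_key[key]]
            alert["emails"] += 1
            return "updated", alert
        return self._create(key, subject)
```

Running a monitoring tool's sample emails through `ingest` before pointing it at the generated address shows which of them will collapse into one alert and which will open new ones.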
What to do next
- Copy the generated email address and paste it in the destination email address field of your application.
- Copy the payload and paste it in the email notification section of your application.
- Modify the values in the payload as needed so that they are reflected in the alerts.
Note:
- If an incorrect value is provided for severity, then an alert is created with a severity of 4.
- For event_time, any UNIX epoch value is acceptable.
.zip, .xml, .xls, .txt, .png, .pdf, .p7s, .msg, .log, .jpe, .jpg, .jpeg, .html, .gz, .gif, .eml, .docx, .xlsx, .pptx, .csv, .bmp, .css, .doc, .ppt, .sql, .tgz, .mov, .svg, .wav, .mp3, .mp4, .tar, .gzip, and .rtf. You can send up to 13 MB in attachments in an email.
If a duplicate attachment for the same alert is sent from different emails, the latest attachment is considered.