Email integration with Incident Response

Integrate Incident Response with any service capable of sending email alerts. Incident Response creates and triggers an alert when it receives an email at the integration's generated email address. Events and alerts from monitoring tools can also be sent as emails, provided the email body is mapped to the expected payload fields.

Before you begin

Role required: Responder, Manager, or Administrator

Procedure

  1. Log in to Lightstep Incident Response.
  2. On the navigation pane, select Integrations.
    Figure 1. Integrations landing page
  3. Click the Email integration card.
  4. Enter the name of the integration in the Name field.
  5. The Status field shows the status of the integration such as enabled or disabled.
    Note: You can modify this field only after the webhook is generated.
  6. Select the service that you want to associate with the integration.
    A service represents a functional outcome like networking, payments, or HR services, that is owned by one team. You might need multiple tool integrations to monitor each technical service and receive events from those tools.
  7. Use the Create Unique Alert toggle switch to choose whether a new alert is created for every email, even when the email content is the same as a previous one.
    • When Create Unique Alert toggle switch is OFF:

      Consider the following sample payload to discuss the alert creation and grouping logic:

      severity: 2
      description: Issue in SDN Site 4
      source: vm-siteA-APAC-1
      source_id: DWER2JL12
      event_time: 1643083449000
      resource_name: Delta
      type: SDN Site
      metric_name: CPU Usage
      state: New
      other_info: Extra Info From Demo

      Scenario 1: Metric name is empty

      • Condition: The email is sent for the first time.
        Result: New alert is created.
      • Condition: The email is sent consecutively with the same payload.
        Result: New alert is created.
      • Condition: The email is sent consecutively with modified parameter values.
        Result: New alert is created.

      Scenario 2: Metric name is not empty

      • Condition: The email is sent for the first time.
        Result: New alert is created.
      • Condition: The email is sent consecutively with the same payload.
        Result: New alert is not created.
      • Condition: The email is sent consecutively with modified parameter values for source, source_id, resource_name, or type.
        Result: New alert is created.
      • Condition: The email is sent consecutively with modified parameter values for severity, description, event_time, state, or other_info for an existing alert with the same metric name (the issue is the same, but parameters related to the issue have changed).
        Result: Values are updated in the existing alert.

      Scenario 3: Empty payload

      • Condition: All the values of the parameters in the payload are empty.
        Result: New alert is created with priority P4-Low and state Open.
    • When the Create Unique Alert toggle switch is ON, new alerts are always created, in all scenarios. This includes:
      • When the email is sent consecutively with the same payload, a new alert is created.
      • When the email is sent consecutively with modified parameter values for severity, description, event_time, state, and other_info for an existing alert with the same metric name, a new alert is created.
  8. Add a description for your integration in the Description field.
  9. Add the URL of the home page of the monitoring tool that sends alerts in the Integration URL field.
  10. Add tags that can help users search for the integration using the Tags field.
  11. Click Generate email.

    An email address and a sample payload are generated. Incident Response creates an alert for each email that is sent to the generated email address.

    Copy the following items. You need them when configuring email alerts:
    • The email address, by clicking the copy icon.
    • The payload, by clicking Copy payload to clipboard.
    The sample payload format is as follows:
    severity: $SEVERITY
    description: $DESCRIPTION
    source: $SOURCE
    source_id: $SOURCE_ID
    event_time: $EVENT_TIME
    resource_name: $RESOURCE_NAME
    type: $EVENT_TYPE
    metric_name: $METRIC_NAME
    state: $STATE
    other_info: $OTHER_INFO
    Note:
    • You must populate the severity and event_time fields.
    • If an incorrect value is provided for severity, then an alert is created with a severity of 4.
    • For event_time, any UNIX epoch value is acceptable.
  12. Click Save.
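
The following Python model replays the alert creation and grouping rules from step 7 and the severity note in step 11, so that an on-call team can predict how a burst of alert emails will collapse into alerts. It is an added example, not Lightstep Incident Response code: the valid severity set 1 to 4 and the priority of non-empty payloads are assumptions (the page states only that a bad severity becomes 4 and an empty payload becomes P4-Low/Open), and the sample body is adapted from the payload shown in step 7.

```python
from dataclasses import dataclass

KEYS = ("severity", "description", "source", "source_id", "event_time",
        "resource_name", "type", "metric_name", "state", "other_info")
IDENTITY = ("source", "source_id", "resource_name", "type", "metric_name")
VALID_SEVERITIES = {"1", "2", "3", "4"}  # assumed valid set; anything else -> 4
SAMPLE = ("severity: 2\ndescription: Issue in SDN Site 4\nsource: vm-siteA-APAC-1\n"
          "source_id: DWER2JL12\nevent_time: 1643083449000\nresource_name: Delta\n"
          "type: SDN Site\nmetric_name: CPU Usage\nstate: New")  # adapted from step 7

def parse_payload(text):
    """Parse 'key: value' lines from the email body; unknown keys are ignored."""
    fields = {k: "" for k in KEYS}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in fields:
            fields[key.strip()] = value.strip()
    return fields

@dataclass
class Alert:
    fields: dict
    state: str
    priority: str = ""

class AlertStore:
    def __init__(self, create_unique_alert=False):
        self.unique = create_unique_alert   # the Create Unique Alert toggle
        self.alerts = []

    def _create(self, f, state, priority=""):
        self.alerts.append(Alert(f, state, priority))
        return "created", self.alerts[-1]

    def receive(self, payload_text):
        """Process one email; return ('created'|'updated'|'ignored', alert)."""
        f = parse_payload(payload_text)
        if not any(f.values()):                   # Scenario 3: empty payload
            return self._create(f, "Open", "P4-Low")
        if f["severity"] not in VALID_SEVERITIES: # invalid severity -> 4
            f["severity"] = "4"
        if not self.unique and f["metric_name"]:  # Scenario 2: group by issue
            for alert in self.alerts:
                if all(alert.fields[k] == f[k] for k in IDENTITY):
                    if alert.fields == f:         # same payload: no new alert
                        return "ignored", alert
                    alert.fields.update(f)        # same issue: refresh values
                    alert.state = f["state"] or alert.state
                    return "updated", alert
        return self._create(f, f["state"] or "Open")  # Scenario 1, toggle ON, or new issue
```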

What to do next

Configure your application to send alerts as emails to Lightstep Incident Response:
  1. Copy the generated email address and paste it in the destination email address field of your application.
  2. Copy the payload and paste it in the email notification section of your application.
  3. Replace the placeholder values in the payload with the values from your application so that they appear in the alerts.
Note: You can attach files in an email integration. File extensions supported in an email attachment are: .zip, .xml, .xls, .txt, .png, .pdf, .p7s, .msg, .log, .jpe, .jpg, .jpeg, .html, .gz, .gif, .eml, .docx, .xlsx, .pptx, .csv, .bmp, .css, .doc, .ppt, .sql, .tgz, .mov, .svg, .wav, .mp3, .mp4, .tar, .gzip, and .rtf. You can send up to 13 MB in attachments in an email.

If duplicate attachments for the same alert are sent in different emails, the latest attachment is used.