Email integration with Incident Response

Integrate Incident Response with any service capable of sending email alerts. Incident Response opens and triggers an alert when it receives an email to this integration email address. Events and alerts from monitoring tools can also be sent as emails after making sure that the payload is mapped correctly.

Before you begin

Role required: Responder, Manager, or Administrator

About this task

Watch this video to see the Email integration with Incident Response.


  1. Log in to Lightstep Incident Response.
  2. From the navigation pane, select Integrations
  3. Click the Email integration card.
    Email integration card.
  4. Enter the name of the integration in the Name field.
  5. The Status field shows the status of the integration such as enabled or disabled.
    Note: You can modify this field only after the webhook is generated.
  6. Select the service that you want to associate with the integration.
    A service represents a functional outcome like networking, payments, or HR services, that is owned by one team. You might need multiple tool integrations to monitor each technical service and receive events from those tools.
  7. Use the Create Unique Alert toggle switch to choose whether you want to create unique alerts for the same email content or not.
    • When Create Unique Alert toggle switch is ON, new alerts are created for each email sent.
    • When Create Unique Alert toggle switch is OFF:

      The following 5 fields are considered for grouping of alerts:

      Condition Result
      When an email is sent for the first time containing values for one or more of the 5 fields mentioned above A new alert is created.
      When subsequent emails are sent without changes to the values of the fields present in the first email The existing alert is updated.
      When the values for any of the 5 fields changes A new alert is created.
      If all the 5 fields are empty The email subject is considered for the grouping of alerts.
      • For the first email containing a particular subject line, a new alert is created.
      • For subsequent emails with the same subject line, the existing alert is updated.
      If the email body and subject are both empty A new alert is created with priority P4-Low and state Open.
    • Alerts are created only for new emails. Alerts will not be created for reply emails or forwards.
    • While acknowledging escalation emails, clicking Accept or Reject opens up an email reply thread. For the reply to get processed, you must send the email without making any changes to the subject line. For such emails, only reply type is supported.
  8. Add a description for your integration in the Description field.
  9. Add the URL of the home page of the monitoring tool that sends alerts in the Integration URL field.
  10. Add tags that can help users search for the integration using the Tags field.
  11. Click Generate email.

    An email address is generated. Incident Response creates alerts for emails sent to the generated email address.

    An email address and payload is generated.
    Copy the following items. You need it when configuring email alerts:
    • Email address by clicking the copy icon (Copy the webhook URL.).
    • Payload by clicking Copy payload to clipboard.
  12. Optional: To map custom fields to email integration, perform the following steps:
    1. Click the Field mapping tab.
    2. In the Custom field name field, enter the field name.
    3. In the JSON path field, enter the variable path starting with $.
    4. In the Default value field, enter a default value for the mapping when the payload value for the field is empty.
    Field mapping.
  13. Click Save.

What to do next

Configure your application to send alerts as emails to Lightstep Incident Response:
  1. Copy the generated email address and paste it in the destination email address field of your application.
  2. Copy the payload and paste it in the email notification section of your application.
  3. Modify the values of the payload accordingly to reflect in the alerts.
    • If an incorrect value is provided for severity, then an alert is created with a severity of 4.
    • For event_time, any UNIX epoch value is acceptable.


You can attach files in an email integration. File extensions supported in an email attachment are: .zip, .xml, .xls, .txt, .png, .pdf, .p7s, .msg, .log, .jpe, .jpg, .jpeg, .html, .gz, .gif, .eml, .docx, .xlsx, .pptx, .csv, .bmp, .css, .doc, .ppt, .sql, .tgz, .mov, .svg, .wav, .mp3, .mp4, .tar, .gzip, and .rtf. You can send up to 13 MB in attachments in an email.

In case duplicate attachment for the same alert is sent from different emails, the latest attachment is considered.