Email integration with Incident Response

Integrate Incident Response with any service capable of sending email alerts. Events and alerts from monitoring tools are sent as emails to your desired email address. Incident Response opens and triggers an alert when it receives an email to this integration email address.

Before you begin

Role required: Responder, Manager, or Administrator


  1. Log in to Incident Response.
  2. On the navigation pane, click Integrations.
    Figure 1. Integrations landing page
  3. Click the Email integration card.
  4. On the form, fill in the fields.
    Field: Description
    • Name: Name of the integration.
    • Status: Status of the integration such as enabled or disabled. Note: You can modify this field only after the webhook is generated.
    • Description: Brief summary about the services of the integration.
    • Integration URL: The URL of the home page of the monitoring tool that sends alerts.
    • Tags: Tags that can help users search for the integration.
    • Service: Name of the service that you want to associate with the integration.
  5. Click Generate Email.

    An email address is generated. Incident Response creates an alert for each email that is sent to the generated email address.

    An email address and payload are generated.
    Copy the following items and paste them into a safe place, because you will need them when configuring email:
    • The webhook, by clicking the copy icon.
    • The payload, by clicking Copy payload to clipboard.
    The sample payload format is as follows:
    severity: $SEVERITY
    description: $DESCRIPTION
    source: $SOURCE
    source_id: $SOURCE_ID
    event_time: $EVENT_TIME
    resource_name: $RESOURCE_NAME
    type: $EVENT_TYPE
    metric_name: $METRIC_NAME
    other_info: $OTHER_INFO
    The value for the severity field is copied from the event unless the event closes the alert, in which case the previous severity is retained for reporting.
    Table 1. Allowed values for severity
    Severity: Description
    • Critical: Immediate action is required. The resource is either not functional or critical problems are imminent.
    • Major: Major functionality is severely impaired or performance has degraded.
    • Minor: Partial, non-critical loss of functionality or performance degradation occurred.
    • Warning: Attention is required, even though the resource is still functional.
    • OK: An alert is created. The resource is still functional.
    • Clear: No action is required. An alert is not created from this event. Existing alerts are closed.
    The state of an alert can be one of the following:
    State: Description
    • Open: The alert requires user action.
    • Close: The alert is closed and no further user action is required.
    Note: The event_time is the Unix epoch time. For more information on the Epoch time, see
  6. Send events to the newly generated email address as per the sample payload.
    By default, email integration uses the email subject as the alert description. If an email integration is disabled, emails sent to that email address are ignored by Incident Response.
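
One way a monitoring script could compose such an email, as an added example that is not part of the product documentation. It assumes the payload is sent as `key: value` lines in the plain-text body, that severity must match the Table 1 spelling exactly, and it uses placeholder addresses; the function names are hypothetical. Values are validated first so that a line break inside a field cannot forge an extra `severity:` line.

```python
from email.message import EmailMessage

# Severity values from Table 1 on this page (exact-match spelling is an assumption).
ALLOWED_SEVERITIES = {"Critical", "Major", "Minor", "Warning", "OK", "Clear"}
# Field order from the sample payload on this page.
PAYLOAD_FIELDS = ("severity", "description", "source", "source_id", "event_time",
                  "resource_name", "type", "metric_name", "other_info")


def build_payload(event: dict) -> str:
    """Render an event as 'key: value' lines, rejecting values that could alter the payload."""
    unknown = set(event) - set(PAYLOAD_FIELDS)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    if event.get("severity") not in ALLOWED_SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(ALLOWED_SEVERITIES)}")
    event_time = event.get("event_time")
    if isinstance(event_time, bool) or not isinstance(event_time, int) or event_time < 0:
        raise ValueError("event_time must be Unix epoch time as a non-negative integer")
    lines = []
    for field in PAYLOAD_FIELDS:
        value = str(event.get(field, ""))
        # A CR or LF inside a value would start a new line and could forge another field.
        if "\r" in value or "\n" in value:
            raise ValueError(f"line break in field {field!r}")
        lines.append(f"{field}: {value}")
    return "\n".join(lines)


def build_alert_email(event: dict, sender: str, integration_address: str) -> EmailMessage:
    """Build the email; the subject doubles as the default alert description."""
    body = build_payload(event)  # validate before any header is set
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = integration_address
    msg["Subject"] = event.get("description", "")
    msg.set_content(body)
    return msg


# Constructed sample event; every value here is a placeholder, not product data.
SAMPLE_EVENT = {"severity": "Major", "description": "Disk usage above 90%",
                "source": "example-monitor", "source_id": "evt-0001",
                "event_time": 1700000000, "resource_name": "db01",
                "type": "disk", "metric_name": "disk_used_pct", "other_info": "/var"}

if __name__ == "__main__":
    print(build_alert_email(SAMPLE_EVENT, "monitor@example.invalid", "alerts@example.invalid"))
```

To deliver the message, pass the returned object to `smtplib.SMTP(...).send_message()` with the generated integration address as the recipient.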