Event Sinks

Event sinks are event alert destinations. You can create, read, update, and delete event sinks with the Scanner API.

Types of event sinks

The following event sink types are supported:

  • Slack - send event alerts to a Slack channel.

  • Webhook - send event alerts to a URL webhook.

  • PagerDuty - send event alerts to PagerDuty using an Events API V2 integration key (see the event sink arguments below).

Create a new event sink

POST /v1/event_sink

Create a new event sink with the specified data.

Body

Name                         Type     Description
tenant_id (required)         string   Unique identifier for the tenant
name (required)              string   Name of the event sink
description (required)       string   Description of the event sink
event_sink_args (required)   object   Event sink details; see "Create event sink arguments" below

Create event sink arguments

To create a Slack event sink, the request needs the channel ID and the Slack OAuth code, e.g.

{
    "Slack": {
        "channel_id": "C12345678",
        "slack_oauth_code": "<slack-oauth-code>"
    }
}

Note: the API still accepts the channel parameter (a channel name), but channel is deprecated in favor of channel_id.

To create a webhook event sink, we need the url, e.g.

{
    "Webhook": {
        "url": "https://webhook.com/bar/baz"
    }
}

To create a PagerDuty event sink, we need the Events API V2 integration key, e.g.

{
    "PagerDuty": {
        "integration_key": "e93facc04764012d7bfb002500d5d1a6"
    }
}

Example

curl $API_BASE/v1/event_sink \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json" \
-X POST \
-d '{
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "name": "Webhook",
    "description": "Detection alerts webhook",
    "event_sink_args": { "Webhook": { "url": "https://test.com/webhook/abc" } }
}' 

Response

Returns the newly created event sink.

{
  "event_sink": {
    "id": "b7e33d65-c7a1-4e54-90c3-231c97398a0c",
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "name": "Webhook",
    "description": "Detection alerts webhook",
    "event_sink_type": "Webhook",
    "configuration": {
      "Webhook": {
        "url": "https://test.com/webhook/abc"
      }
    },
    "created_at": "2024-05-09T20:01:32Z",
    "updated_at": "2024-05-09T20:01:32Z"
  }
}

List event sinks

GET /v1/event_sink

List all event sinks for a tenant.

Query parameters

Name                   Type     Description
tenant_id (required)   string   Unique identifier for the tenant

Example

curl -G $API_BASE/v1/event_sink \
--data-urlencode "tenant_id=00000000-0000-0000-0000-000000000000" \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json"

Response

Returns a list of event sink objects.

{
  "data": {
    "event_sinks": [
      {
        "id": "b7e33d65-c7a1-4e54-90c3-231c97398a0c",
        "tenant_id": "00000000-0000-0000-0000-000000000000",
        "name": "Webhook",
        "description": "Detection alerts webhook",
        "event_sink_type": "Webhook",
        "configuration": {
          "Webhook": {
            "url": "https://test.com/webhook/abc"
          }
        },
        "created_at": "2024-05-09T20:01:32Z",
        "updated_at": "2024-05-09T20:01:32Z"
      },
      ...
    ]
  },
  "pagination": null
}

Get an event sink

GET /v1/event_sink/{id}

Get the event sink with the given id.

Example

curl $API_BASE/v1/event_sink/b7e33d65-c7a1-4e54-90c3-231c97398a0c \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json" \
-X GET

Response

Returns the event sink object.

{
  "event_sink": {
    "id": "b7e33d65-c7a1-4e54-90c3-231c97398a0c",
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "name": "Webhook",
    "description": "Detection alerts webhook",
    "event_sink_type": "Webhook",
    "configuration": {
      "Webhook": {
        "url": "https://test.com/webhook/abc"
      }
    },
    "created_at": "2024-05-09T20:01:32Z",
    "updated_at": "2024-05-09T20:01:32Z"
  }
}

Update an event sink

PUT /v1/event_sink/{id}

Update the event sink with the given id.

Body

Name              Type     Description
id (required)     string   Unique identifier for the event sink
name              string   Update the name of the event sink
description       string   Update the description of the event sink
event_sink_args   object   Update the event sink details; see "Update event sink arguments" below

Update event sink arguments

To update a Slack event sink, the request needs the new channel ID, e.g.

{
    "Slack": {
        "channel_id": "C87654321"
    }
}

Note: the API still accepts the channel parameter (a channel name), but channel is deprecated in favor of channel_id.

To update a webhook event sink, we need the new url, e.g.

{
    "Webhook": {
        "url": "https://webhook.com/bar/baz"
    }
}

To update a PagerDuty event sink, we need the new Events API V2 integration key, e.g.

{
    "PagerDuty": {
        "integration_key": "e93facc04764012d7bfb002500d5d1a6"
    }
}
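The argument shapes for creating and updating Slack, Webhook and PagerDuty sinks (the two "event sink arguments" sections above) are easy to get subtly wrong, and a webhook destination is where detection details will be delivered. The helper below is an added example, not Scanner's own code or SDK: it builds the event_sink_args objects exactly as this page shows them and refuses inputs that are malformed or unsafe to submit. The channel ID and integration key patterns are assumptions inferred from the page's sample values, and a non-HTTPS or credential-bearing webhook URL is rejected by design.

```python
import re
import uuid
from typing import Optional
from urllib.parse import urlparse

# Added example, not part of the Scanner docs or any official client.
# Assumption: Slack channel IDs look like the page's sample "C12345678"
# (an uppercase letter followed by at least seven uppercase alphanumerics).
SLACK_CHANNEL_ID = re.compile(r"^[A-Z][A-Z0-9]{7,}$")
# Assumption: PagerDuty Events API V2 integration keys are 32 lowercase hex
# characters, as in the page's sample key.
PD_INTEGRATION_KEY = re.compile(r"^[0-9a-f]{32}$")


def slack_args(channel_id: str, slack_oauth_code: Optional[str] = None) -> dict:
    """Slack sink arguments. The OAuth code is only needed on create; an
    update carries just the new channel_id."""
    if channel_id.startswith("#"):
        # The deprecated 'channel' parameter took a channel name; the
        # current API wants the channel ID instead.
        raise ValueError("pass a Slack channel ID (e.g. C12345678), not a channel name")
    if not SLACK_CHANNEL_ID.match(channel_id):
        raise ValueError(f"malformed Slack channel ID: {channel_id!r}")
    args = {"channel_id": channel_id}
    if slack_oauth_code is not None:
        if not slack_oauth_code.strip():
            raise ValueError("slack_oauth_code must not be empty")
        args["slack_oauth_code"] = slack_oauth_code
    return {"Slack": args}


def webhook_args(url: str) -> dict:
    """Webhook sink arguments. Alerts carry detection details, so the
    destination must be HTTPS, must name a host, and must not embed
    credentials in the URL (they would be echoed back in every response)."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError("webhook url must use https")
    if not parsed.hostname:
        raise ValueError("webhook url must include a host")
    if parsed.username or parsed.password:
        raise ValueError("webhook url must not embed credentials")
    return {"Webhook": {"url": url}}


def pagerduty_args(integration_key: str) -> dict:
    """PagerDuty sink arguments (Events API V2 integration key)."""
    if not PD_INTEGRATION_KEY.match(integration_key):
        raise ValueError("integration_key must be 32 lowercase hex characters")
    return {"PagerDuty": {"integration_key": integration_key}}


def _check_args(event_sink_args: dict) -> None:
    # Exactly one of the documented sink types must be present.
    kinds = set(event_sink_args) & {"Slack", "Webhook", "PagerDuty"}
    if len(event_sink_args) != 1 or len(kinds) != 1:
        raise ValueError("event_sink_args must contain exactly one of Slack, Webhook, PagerDuty")


def create_body(tenant_id: str, name: str, description: str, event_sink_args: dict) -> dict:
    """Body for POST /v1/event_sink with all required fields checked."""
    uuid.UUID(tenant_id)  # raises ValueError if tenant_id is not a UUID
    if not name or not description:
        raise ValueError("name and description are required")
    _check_args(event_sink_args)
    return {"tenant_id": tenant_id, "name": name,
            "description": description, "event_sink_args": event_sink_args}


def update_body(sink_id: str, event_sink_args: Optional[dict] = None,
                name: Optional[str] = None, description: Optional[str] = None) -> dict:
    """Body for PUT /v1/event_sink/{id}; only the fields being changed are sent."""
    uuid.UUID(sink_id)
    body = {"id": sink_id}
    if name is not None:
        body["name"] = name
    if description is not None:
        body["description"] = description
    if event_sink_args is not None:
        _check_args(event_sink_args)
        body["event_sink_args"] = event_sink_args
    if len(body) == 1:
        raise ValueError("nothing to update")
    return body
```

create_body produces the same JSON as the curl example under "Create a new event sink", and update_body the same as the one under "Update an event sink"; pass the result through json.dumps as the request body.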

Example

curl $API_BASE/v1/event_sink/b7e33d65-c7a1-4e54-90c3-231c97398a0c \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json" \
-X PUT \
-d '{
    "id": "b7e33d65-c7a1-4e54-90c3-231c97398a0c",
    "event_sink_args": { "Webhook": { "url": "https://foo.com/webhook/abc" } }
}'

Response

Returns the updated event sink object.

{
  "event_sink": {
    "id": "b7e33d65-c7a1-4e54-90c3-231c97398a0c",
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "name": "Webhook",
    "description": "Detection alerts webhook",
    "event_sink_type": "Webhook",
    "configuration": {
      "Webhook": {
        "url": "https://foo.com/webhook/abc"
      }
    },
    "created_at": "2024-05-09T20:01:32Z",
    "updated_at": "2024-05-09T20:10:06Z"
  }
}

Delete an event sink

DELETE /v1/event_sink/{id}

Delete the event sink with the given id.

Example

curl $API_BASE/v1/event_sink/b7e33d65-c7a1-4e54-90c3-231c97398a0c \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json" \
-X DELETE

Response

Returns the id and tenant_id for the deleted event sink.

{
  "id": "b7e33d65-c7a1-4e54-90c3-231c97398a0c",
  "tenant_id": "00000000-0000-0000-0000-000000000000"
}
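The five endpoints above share one request shape (bearer token, JSON body, id in the path or tenant_id as a query parameter), and the sink objects they return contain delivery secrets that should not land in application logs. The client below is an added example, not Scanner's own code or SDK. It prepares each request with the standard library so the shape can be checked without sending anything, validates that a sink id is a UUID before it is placed in a URL path, and redacts the webhook path, PagerDuty key and Slack OAuth code before a returned sink object is logged. API_BASE, API_KEY and the sample response are assumed or constructed from the page's examples.

```python
import json
import uuid
from typing import Optional
from urllib.parse import urlencode, urlparse
from urllib.request import Request, urlopen

# Added example, not part of the Scanner docs or any official client.
# Assumption: API_BASE and API_KEY are supplied by the caller exactly as
# in the curl examples on this page.


class EventSinkClient:
    def __init__(self, api_base: str, api_key: str):
        self.api_base = api_base.rstrip("/")
        self.api_key = api_key

    def _request(self, method: str, path: str, body: Optional[dict] = None,
                 params: Optional[dict] = None) -> Request:
        url = f"{self.api_base}{path}"
        if params:
            url += "?" + urlencode(params)  # mirrors curl --data-urlencode
        data = json.dumps(body).encode() if body is not None else None
        req = Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {self.api_key}")
        req.add_header("Content-Type", "application/json")
        return req

    @staticmethod
    def _sink_path(sink_id: str) -> str:
        # An id that is not a UUID could carry '/' or '?' and change the
        # route; reject it before it reaches the URL.
        uuid.UUID(sink_id)
        return f"/v1/event_sink/{sink_id}"

    def create(self, tenant_id: str, name: str, description: str, event_sink_args: dict) -> Request:
        return self._request("POST", "/v1/event_sink", {
            "tenant_id": tenant_id, "name": name,
            "description": description, "event_sink_args": event_sink_args})

    def list(self, tenant_id: str) -> Request:
        return self._request("GET", "/v1/event_sink", params={"tenant_id": tenant_id})

    def get(self, sink_id: str) -> Request:
        return self._request("GET", self._sink_path(sink_id))

    def update(self, sink_id: str, **changes) -> Request:
        return self._request("PUT", self._sink_path(sink_id), {"id": sink_id, **changes})

    def delete(self, sink_id: str) -> Request:
        return self._request("DELETE", self._sink_path(sink_id))

    @staticmethod
    def send(req: Request) -> dict:
        """Send a prepared request and decode the JSON response."""
        with urlopen(req, timeout=30) as resp:
            return json.loads(resp.read())


def request_body(req: Request) -> dict:
    """Decode the JSON body of a prepared request (for inspection)."""
    return json.loads(req.data)


def redact_sink(sink: dict) -> dict:
    """Copy of an event sink object that is safe to log. Webhook URLs
    usually carry their secret in the path, and PagerDuty keys and Slack
    OAuth codes are credentials outright."""
    out = json.loads(json.dumps(sink))  # deep copy; the original is untouched
    cfg = out.get("configuration", {})
    if "Webhook" in cfg:
        p = urlparse(cfg["Webhook"]["url"])
        cfg["Webhook"]["url"] = f"{p.scheme}://{p.netloc}/[REDACTED]"
    if "PagerDuty" in cfg:
        key = cfg["PagerDuty"]["integration_key"]
        cfg["PagerDuty"]["integration_key"] = "*" * max(len(key) - 4, 0) + key[-4:]
    if "Slack" in cfg:
        cfg["Slack"].pop("slack_oauth_code", None)
    return out


# Constructed sample, shaped like the create/get responses on this page.
SAMPLE_SINK = {
    "id": "b7e33d65-c7a1-4e54-90c3-231c97398a0c",
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "name": "Webhook",
    "description": "Detection alerts webhook",
    "event_sink_type": "Webhook",
    "configuration": {"Webhook": {"url": "https://test.com/webhook/abc"}},
    "created_at": "2024-05-09T20:01:32Z",
    "updated_at": "2024-05-09T20:01:32Z",
}
```

Typical use is client.send(client.create(...)) followed by logging redact_sink(response["event_sink"]) rather than the raw object; the list response nests sinks under data.event_sinks, so apply redact_sink to each element there.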
Last updated 7 days ago