Event Sinks

Event sinks are event alert destinations. You can create, read, update, and delete event sinks with the Scanner API.

Create a new event sink

POST /v1/event_sink

Create a new event sink with the specified data.

Body

Name
Type
Description

tenant_id required

string

Unique identifier for the tenant

name required

string

Name of the event sink

description required

string

Description of the event sink

event_sink_args required

See Create event sink arguments

Event sink details

Create event sink arguments

To create a Slack event sink, we need the channel ID and the Scanner Slack integration ID, e.g.

{ 
    "Slack": {
        "channel_id": "C12345678",
        "slack_integration_id": "00000000-0000-0000-0000-000000000001",
    }
}

Note: the API still supports the channel parameter (with a channel name), but channel is deprecated in favor of channel_id.

To create a webhook event sink, we need the url, e.g.

{
    "Webhook": {
        "url": "https://webhook.com/bar/baz"
    }
}

To create a PagerDuty event sink, we need the Events API V2 integration key, e.g.

{
    "PagerDuty": {
        "integration_key": "e93facc04764012d7bfb002500d5d1a6"
    }
}

Example

curl $API_BASE/v1/event_sink \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json" \
-X POST \
-d '{
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "name": "Webhook",
    "description": "Detection alerts webhook",
    "event_sink_args": { "Webhook": { "url": "https://test.com/webhook/abc" } }
}'

Response

Returns the newly created event sink.

{
  "event_sink": {
    "id": "b7e33d65-c7a1-4e54-90c3-231c97398a0c",
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "name": "Webhook",
    "description": "Detection alerts webhook",
    "event_sink_type": "Webhook",
    "configuration": {
      "Webhook": {
        "url": "https://test.com/webhook/abc"
      }
    },
    "created_at": "2024-05-09T20:01:32Z",
    "updated_at": "2024-05-09T20:01:32Z"
  }
}

List event sinks

GET /v1/event_sink

List all event sinks for a tenant.

Query parameters

Name
Type
Description

tenant_id required

string

Unique identifier for the tenant

Example

curl -G $API_BASE/v1/event_sink \
--data-urlencode "tenant_id=00000000-0000-0000-0000-000000000000" \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json"

Response

Returns a list of event sink objects.

{
  "data": {
    "event_sinks": [
      {
        "id": "b7e33d65-c7a1-4e54-90c3-231c97398a0c",
        "tenant_id": "00000000-0000-0000-0000-000000000000",
        "name": "Webhook",
        "description": "Detection alerts webhook",
        "event_sink_type": "Webhook",
        "configuration": {
          "Webhook": {
            "url": "https://test.com/webhook/abc"
          }
        },
        "created_at": "2024-05-09T20:01:32Z",
        "updated_at": "2024-05-09T20:01:32Z"
      },
      ...
    ]
  },
  "pagination": null
}

Get an event sink

GET /v1/event_sink/{id}

Get the event sink with the given id.

Example

curl $API_BASE/v1/event_sink/b7e33d65-c7a1-4e54-90c3-231c97398a0c \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json" \
-X GET

Response

Returns the event sink object.

{
  "event_sink": {
    "id": "b7e33d65-c7a1-4e54-90c3-231c97398a0c",
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "name": "Webhook",
    "description": "Detection alerts webhook",
    "event_sink_type": "Webhook",
    "configuration": {
      "Webhook": {
        "url": "https://test.com/webhook/abc"
      }
    },
    "created_at": "2024-05-09T20:01:32Z",
    "updated_at": "2024-05-09T20:01:32Z"
  }
}

Update an event sink

PUT /v1/event_sink/{id}

Update the event sink with the given id.

Body

Name
Type
Description

id required

string

Unique identifier for the event sink

name

string

Update the name of the event sink

description

string

Update the description of the event sink

event_sink_args

See Update event sink arguments

Update the event sink details

Update event sink arguments

To update a Slack event sink, we need the new channel ID, e.g.

{ 
    "Slack": {
        "channel_id": "C87654321",
    }
}

Note: the API still supports the channel parameter (with a channel name), but channel is deprecated in favor of channel_id.

To update a webhook event sink, we need the new url, e.g.

{
    "Webhook": {
        "url": "https://webhook.com/bar/baz"
    }
}

To update a PagerDuty event sink, we need the new Events API V2 integration key, e.g.

{
    "PagerDuty": {
        "integration_key": "e93facc04764012d7bfb002500d5d1a6"
    }
}

Example

curl $API_BASE/v1/event_sink/b7e33d65-c7a1-4e54-90c3-231c97398a0c \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json" \
-X PUT \
-d '{
    "id": "b7e33d65-c7a1-4e54-90c3-231c97398a0c",
    "event_sink_args": { "Webhook": { "url": "https://foo.com/webhook/abc" } }
}'

Response

Returns the updated event sink object.

{
  "event_sink": {
    "id": "b7e33d65-c7a1-4e54-90c3-231c97398a0c",
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "name": "Webhook",
    "description": "Detection alerts webhook",
    "event_sink_type": "Webhook",
    "configuration": {
      "Webhook": {
        "url": "https://foo.com/webhook/abc"
      }
    },
    "created_at": "2024-05-09T20:01:32Z",
    "updated_at": "2024-05-09T20:10:06Z"
  }
}

Delete an event sink

DELETE /v1/event_sink/{id}

Delete the event sink with the given id.

Example

curl $API_BASE/v1/event_sink/b7e33d65-c7a1-4e54-90c3-231c97398a0c \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json" \
-X DELETE

Response

Returns the id and tenant_id for the deleted event sink.

{
  "id": "b7e33d65-c7a1-4e54-90c3-231c97398a0c",
  "tenant_id": "00000000-0000-0000-0000-000000000000"
}
PreviousDetection RulesNextGitHub Sync

Last updated

Was this helpful?