ExtraHop Slack Integration

How can I integrate ExtraHop with Slack?

1 Like

The setup for Slack is super easy.

You simply generate an Incoming Webhook for a specific channel in the Slack admin UI (Slack documentation here). There are a few different options to tickle your fancy, but in its simplest form, the example below just works and includes an easy link back into the ExtraHop UI.

The slackHook variable holds the generated Webhook URL which is tied to a specific channel in Slack. So one could inspect which type of Alert fired, and choose which Slack channel to post the alert to. For example, if it’s a DNS alert, then post to the #DNS-Rules-All channel, if it’s a security alert, post to the #Security-Knows-All channel, etc.

The first conditional statement just decides whether or not this alert is worth posting to Slack at all: here, only if the alert name starts with “CRITICAL”. This can easily be changed, adding additional business logic as needed.

// Only send a notification to Slack for alerts whose name starts with "CRITICAL"
if (/^CRITICAL/.test(AlertRecord.name) === false) {return;}

// Slack Webhook path (this determines which channel the alert will be posted to).
// The host portion of the webhook URL is configured on the 'Slack' ODS target.
var slackHook = '/services/abcd/1234webhookToken4321';

// Send the notification to Slack. The body is plain, uncompressed JSON, so no
// Content-Encoding header is set (advertising gzip here would be wrong).
Remote.HTTP('Slack').post({
    path: slackHook,

    headers: {
        'Content-Type': 'application/json'
    },
    payload: JSON.stringify({
        text: AlertRecord.description + ' (<https://extrahop.ip.here/extrahop/#/AlertHistory|Click here for details>)'
    })
});

Example ODS Configuration:

1 Like
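The channel-routing idea from the answer above (DNS alerts to one channel, security alerts to another), written out as an added example. This is not code from the original post or from ExtraHop; the webhook paths, the ExtraHop base URL and the alert-name patterns are placeholders and assumptions. The routing and payload logic is kept in plain functions, with the Remote.HTTP handle passed in as a parameter, so the same file runs under Node for testing; inside a trigger you would call sendToSlack(AlertRecord, Remote.HTTP('Slack')). It also escapes &, < and > in the alert text, which Slack's message format requires and which stops an alert description from smuggling its own <url|label> link into the channel.

```javascript
// Added example: routed Slack notification for ExtraHop alert triggers.
// Uses var/function syntax for trigger-engine compatibility (assumption).

// Hypothetical webhook paths, one per Slack channel. In a real trigger these
// are the path portion of the Incoming Webhook URLs generated in Slack.
var SLACK_HOOKS = {
    dns:      '/services/T000/B001/dnsWebhookTokenPlaceholder',
    security: '/services/T000/B002/securityWebhookTokenPlaceholder',
    other:    '/services/T000/B003/defaultWebhookTokenPlaceholder'
};

// Hypothetical ExtraHop UI base URL used for the link back (assumption).
var EXTRAHOP_URL = 'https://extrahop.example.internal';

// Only alerts whose name starts with CRITICAL are forwarded.
function shouldNotify(alertName) {
    return /^CRITICAL/.test(alertName);
}

// Pick the webhook (and therefore the channel) from the alert name.
function selectHook(alertName) {
    if (/\bDNS\b/i.test(alertName)) { return SLACK_HOOKS.dns; }
    if (/\bsecurity\b/i.test(alertName)) { return SLACK_HOOKS.security; }
    return SLACK_HOOKS.other;
}

// Slack text is mrkdwn: &, < and > must be escaped so an untrusted alert
// description cannot inject a link, a channel reference or a mention.
function escapeSlackText(s) {
    return String(s)
        .replace(/&/g, '&amp;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;');
}

// Build the JSON object Slack expects; the link back is added unescaped.
function buildPayload(alert) {
    var text = escapeSlackText(alert.name) + ': ' + escapeSlackText(alert.description) +
        ' (<' + EXTRAHOP_URL + '/extrahop/#/AlertHistory|Click here for details>)';
    return { text: text };
}

// Trigger body. `remote` is Remote.HTTP('Slack') in ExtraHop; it is a
// parameter here so the function can be exercised with a fake.
// Returns the request that was posted, or null when the alert was filtered.
function sendToSlack(alert, remote) {
    if (!shouldNotify(alert.name)) { return null; }
    var request = {
        path: selectHook(alert.name),
        headers: { 'Content-Type': 'application/json' },
        payload: JSON.stringify(buildPayload(alert))
    };
    remote.post(request);
    return request;
}

// Constructed sample alert shaped like the AlertRecord fields the trigger
// reads (name, description); not captured from a real appliance.
var sampleAlert = {
    name: 'CRITICAL DNS Failure Spike',
    description: 'NXDOMAIN rate exceeded 500/min on 10.0.0.53 <see runbook>'
};

// Stand-in for Remote.HTTP('Slack') when running outside ExtraHop.
var fakeRemote = {
    post: function (req) {
        console.log('POST ' + req.path + ' ' + req.payload);
    }
};

var lastRequest = sendToSlack(sampleAlert, fakeRemote);
```

With the sample alert the request goes to the DNS webhook and the text reads `CRITICAL DNS Failure Spike: NXDOMAIN rate exceeded 500/min on 10.0.0.53 &lt;see runbook&gt; (<https://extrahop.example.internal/extrahop/#/AlertHistory|Click here for details>)`; an alert named `INFO ...` posts nothing. Keep the webhook paths out of shared trigger exports, since each one is a bearer credential for posting into that channel.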

This is great. Thanks for the response.

1 Like

Hi,
Is there a newer version of this integration? When I try to run this, the EDA gives a “Problem parsing test options: Unexpected token E in JSON at position 1” error.

I found a typo in the JSON payload portion of the trigger. Can you copy the code above and try again?

Hi,

I have tried again with no luck. I did compare the two versions but I do not find the difference.

Hi,

I was able to successfully post a simple test:

{
"path": "/services/abcd/abcd",
"payload": "{'text': 'test'}",
"headers": {}
}

But the critical event combination is failing. I have opened a ticket with support.

Hello,

Would you be able to share your complete trigger code please? This will help me ensure it’s not something in the code itself.

NOTE: be sure to obfuscate the value of your slackHook variable, along with any other sensitive information.