Alert webhook events contain the following headers:
- X-Tcell-Event-Id: Unique ID for the webhook message.
- X-Tcell-Event-Type: Type of the webhook message (always equal to "alert").
Their bodies are JSON objects containing the following keys:
- alert_type: The type of alert (login-attack, new-package, etc.).
- alert_title: A human-readable title for the alert.
- alert_text: A human-readable summary for the alert.
- details_url: URL for the newsfeed item associated with the alert (meant for human consumption).
- app_id: The app ID associated with the alert.
- event_id: Unique ID for the webhook message (identical to the X-Tcell-Event-Id header).
- event_type: Type of the webhook message (identical to the X-Tcell-Event-Type header).
- timestamp: ISO 8601 timestamp for the underlying event (e.g. when an IP was flagged as suspicious, or when an app was created).
- data: Alert-type-specific data; described below.
The following data keys are planned, per alert type (keys marked TBD are not yet delivered):

Login attack alerts (alert_type login-attack):
- ips: IPs involved in the attack
- user_ids: users associated with the attack
- events_url: link to login events associated with the attack (for a time interval around the alert time) (TBD)

Suspicious IP alerts:
- ip: the IP that was flagged as suspicious
- cause: 'scanning-attack' or 'login-attack'
- events_url: link to appsensor or login events (depending on the cause) for the IP (TBD)

Configuration change alerts:
- user_id: the user that changed the config (TBD)
- old_config_url: link to the old config data (TBD)
- new_config_url: link to the new config data (TBD)

New package alerts (alert_type new-package):
- name: package name
- version: package version
- details_url: link to the package details (TBD)

New route alerts:
- route_pattern: path pattern for the route
- route_method: HTTP method name for the route
- routes_url: link to the route details (TBD)

CSP violation alerts:
- blocked_domain: domain for the violation
- directive: CSP directive for the violation
- events_url: link to CSP events matching the domain and directive (TBD)

Inline script alerts:
- script_id: ID for the script
- details_url: link to script details (TBD)
- events_url: link to inline script events for the given ID (TBD)
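The receiver below is an added example, not tCell's own code, showing how a webhook endpoint would validate a delivery against the header and body format described above and pull out the per-type data keys (it handles the login-attack and new-package keys listed on this page; other alert types are passed through unchanged). The sample headers, body and URL are constructed for the example. The page lists no signature or authentication header, so the example can only check structure, confirm that the body's event_id and event_type mirror the X-Tcell-Event-* headers, and drop repeated deliveries by event_id; transport-level protection (TLS, source restrictions) is outside what this format provides.

```python
import json
from datetime import datetime

# Constructed sample delivery (not from the original page): one login-attack alert.
SAMPLE_HEADERS = {
    "X-Tcell-Event-Id": "evt-0001",
    "X-Tcell-Event-Type": "alert",
}
SAMPLE_BODY = json.dumps({
    "alert_type": "login-attack",
    "alert_title": "Login attack detected",
    "alert_text": "Repeated failed logins against one user from two IPs",
    "details_url": "https://example.invalid/newsfeed/1",
    "app_id": "app-123",
    "event_id": "evt-0001",
    "event_type": "alert",
    "timestamp": "2024-01-01T12:00:00Z",
    "data": {"ips": ["203.0.113.5", "198.51.100.7"], "user_ids": ["alice"]},
})

# Body keys the page lists for every alert webhook.
REQUIRED_KEYS = frozenset({
    "alert_type", "alert_title", "alert_text", "details_url", "app_id",
    "event_id", "event_type", "timestamp", "data",
})

# Documented data keys for the two alert types whose alert_type value the page names.
DATA_KEYS = {
    "login-attack": ("ips", "user_ids", "events_url"),
    "new-package": ("name", "version", "details_url"),
}


class WebhookError(ValueError):
    """Raised for a delivery that does not match the documented format."""


def parse_alert(headers, raw_body, seen_ids):
    """Validate one webhook delivery and return a normalised alert dict.

    Returns None for a duplicate delivery (event_id already in seen_ids) and
    raises WebhookError for malformed input. seen_ids is a set shared across
    deliveries; a real receiver would back it with persistent storage.
    """
    hdr = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    event_id = hdr.get("x-tcell-event-id")
    event_type = hdr.get("x-tcell-event-type")
    if not event_id or event_type != "alert":
        raise WebhookError("missing or unexpected X-Tcell-Event-* headers")

    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise WebhookError(f"body is not valid JSON: {exc}") from exc
    if not isinstance(body, dict):
        raise WebhookError("body must be a JSON object")

    missing = REQUIRED_KEYS - body.keys()
    if missing:
        raise WebhookError(f"body is missing keys: {sorted(missing)}")

    # The body mirrors the headers; a mismatch means the delivery was altered
    # in transit or assembled incorrectly, so reject it rather than guess.
    if body["event_id"] != event_id or body["event_type"] != event_type:
        raise WebhookError("event_id/event_type in body do not match headers")

    # ISO 8601 timestamp. datetime.fromisoformat() accepts a trailing 'Z' only
    # from Python 3.11, so normalise it to an explicit offset first.
    try:
        ts = datetime.fromisoformat(body["timestamp"].replace("Z", "+00:00"))
    except (ValueError, AttributeError) as exc:
        raise WebhookError("timestamp is not ISO 8601") from exc

    if not isinstance(body["data"], dict):
        raise WebhookError("data must be a JSON object")

    # Idempotency: webhook senders retry, so one event_id may arrive more than
    # once. Treat a repeat as already handled instead of raising a second alert.
    if event_id in seen_ids:
        return None
    seen_ids.add(event_id)

    known = DATA_KEYS.get(body["alert_type"])
    if known is None:
        data = dict(body["data"])  # unknown type: keep everything, drop nothing silently
    else:
        data = {k: body["data"][k] for k in known if k in body["data"]}
    return {
        "event_id": event_id,
        "app_id": body["app_id"],
        "alert_type": body["alert_type"],
        "title": body["alert_title"],
        "timestamp": ts,
        "data": data,
    }


if __name__ == "__main__":
    seen = set()
    print(parse_alert(SAMPLE_HEADERS, SAMPLE_BODY, seen))
    print(parse_alert(SAMPLE_HEADERS, SAMPLE_BODY, seen))  # duplicate delivery -> None
```

Wire parse_alert into whatever HTTP framework receives the POST, passing the request headers and the raw body bytes decoded as UTF-8; keep the seen_ids set in durable storage so duplicates are still caught after a restart.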