Slack Example Webhook

This page describes the elements necessary to create a Centrify webhook for Slack.

Create a webhook as described in Webhooks, configuring the elements of the endpoint as follows:

  • Visit https://api.slack.com/incoming-webhooks for information on the URL to use.
  • Use the HTTP method: POST.
  • Set the content type to application/json.
  • Set the enabled state to true.
  • Set the Trigger Event Type to SecurityAlert or Analytics.Server.AdaptiveSessionRecording.
  • Select the Triggering Risk Level (required if SecurityAlert is selected).
  • Enter the payload that will be sent as the POST body. For example:
{
  "attachments": [
    {
      "author_name" : "Centrify Analytics",
      "author_link": "https://${tenant_id}-${system.podscape}.${system.domain}/analytics",
      "author_icon": "https://${tenant_id}-${system.podscape}.${system.domain}/analytics/ui/favicons/favicon.png",
      "title": "Security Alert from Centrify Analytics",
      "color": "<#if intel_risk_level=='high'>danger<#else>warning</#if>",
      "fields": [
        {
          "value": "<#if event_name=='Cloud.Core.MfaSummary'>Service Login<#elseif event_name?starts_with('Cloud.Saas.Application')>Launched ${app_name}<#elseif event_name?ends_with('PasswordExport')>Requested Infrastructure credential checkout<#elseif event_name?ends_with('SessionStart')>Requested Infrastructure login<#elseif event_name?ends_with('CpsTileLaunch')>Infrastructure resource access to ${app_name}<#else>${event_name}<#if action?has_content> for command ${action}</#if> on ${target_address}</#if>",
          "short": false
        },
        {
          "title": "Who",
          "value": "${user_name}",
          "short": true
        },
        {
          "title": "When",
          "value": "${utils.number_to_datetime_timezone(event_time, 'US/Pacific')}",
          "short": true
        },
        {
          "title": "Where",
          "value": "<#if event_name?starts_with('Cloud')>${city}<#else>${target_address}</#if>",
          "short": true
        },
        {
          "title": "Operating System",
          "value": "${os_type}",
          "short": true
        },
        {
          "title": "Risk Level",
          "value": "${intel_risk_level?cap_first}",
          "short": true
        }
        <#if reason?eval.text?has_content>
        ,
        {
          "title": "Reason",
          "value": "${reason?eval.text}",
          "short": true
        }
        </#if>
      ]
    },
    {
      "title": "Investigate",
      "color": "#3AA3E3",
      "fallback": "Investigate at https://${tenant_id}-${system.podscape}.centrify.io/analytics",
      "actions": [
        {
          "type": "button",
          "text": "Analytics Portal",
          "url": "<#if event_name?starts_with('Cloud')>https://${tenant_id}-${system.podscape}.${system.domain}/analytics/ui/#/explore?sql=(%22user_name%22%20IN%20('${user_name}'))&start=%24now-90days&end=%24now-0days&categoryval=behavior&drillview=Category%20Alert&ignoresession=true<#else>https://${tenant_id}-${system.podscape}.${system.domain}/analytics/ui/#/explore?sql=(%22user_name%22%20IN%20('${user_name}'))&start=%24now-90days&end=%24now-0days&categoryval=behavior&drillview=Infrastructure%20Server%20Risk&ignoresession=true</#if>"
        }
      ]
    }
  ]
}
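The payload above places event values such as ${user_name} and ${action} inside JSON string literals, so the POST body is only valid JSON if those values are escaped. The following is an added example, not part of the Centrify documentation: it fills a cut-down stand-in for the template with constructed sample values, raw and escaped, and checks whether each result still parses. TEMPLATE, SAMPLE_EVENT and all function names are assumptions made for illustration.

```python
import json

# Constructed sample values (not real Centrify output); the keys mirror the
# template variables user_name, action and target_address used above.
SAMPLE_EVENT = {
    "user_name": "alice@example.com",
    "action": 'grep "root" C:\\temp\\passwd.bak',
    "target_address": "10.0.0.5",
}

# Cut-down stand-in for the payload template: two fields, with %s where the
# template has ${...}.
TEMPLATE = ('{"attachments": [{"fields": ['
            '{"title": "Who", "value": "%s", "short": true},'
            '{"value": "for command %s on %s", "short": false}]}]}')

def slack_escape(text):
    """Escape the characters Slack message text treats as control characters."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def json_escape(text):
    """Escape text for use inside a JSON string literal (no outer quotes)."""
    return json.dumps(slack_escape(text))[1:-1]

def render(event, escape):
    """Fill TEMPLATE raw (escape=False) or with escaped values (escape=True)."""
    values = (event["user_name"], event["action"], event["target_address"])
    if escape:
        values = tuple(json_escape(v) for v in values)
    return TEMPLATE % values

def is_valid_payload(body):
    """True if body parses as JSON and has the top-level attachments list."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return False
    return isinstance(doc, dict) and isinstance(doc.get("attachments"), list)

if __name__ == "__main__":
    for escape in (False, True):
        body = render(SAMPLE_EVENT, escape)
        print("escaped" if escape else "raw", "->", is_valid_payload(body))
```

The template syntax above matches Apache FreeMarker, whose `?json_string` built-in performs the JSON escaping step; whether the webhook engine accepts it is an assumption to confirm on a test webhook.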