This technical deep dive highlights key capabilities released as part of Twistlock 18.11. To learn more about what’s included with Twistlock 18.11, check out our full release blog post.

Previously, I mentioned Twistlock support for Prometheus alerting. Twistlock also integrates with webhooks, also called web callbacks or HTTP push APIs. Webhooks deliver data to other applications as it happens, meaning you get data immediately.

How does the Webhook alerting with Twistlock work?

A webhook is an HTTP callback. When an event occurs, Twistlock notifies your web service of the event with an HTTP POST request. The request contains a JSON body that you configure when you set up the webhook.

A webhook configuration consists of the following:

  • URL
  • Custom JSON body
  • Username
  • Password
  • CA Certificate

When Twistlock detects anomalies, it generates alerts. Alerts are raised when the rules that make up your policy are violated. You can integrate Twistlock alert machinery with third-party services by routing Twistlock alerts to webhooks.

Key steps in the process

The webhook POST request has a preconfigured POST body that you can customize. Specify the JSON object using predefined macros. For example:

{
  "type":"#type",
  "host":"#host",
  "details":"#message"
}

When an event occurs, Twistlock replaces the macros in your custom JSON with real values, and then submits the request.

{
  "type":"ContainerRuntime",
  "host":"host1",
  "details":"/bin/cp changed binary /bin/busybox MD5:XXXXXXX"
}

Macros can cover data around containers, images, hosts, serverless functions, and other core Twistlock data fields.

How to configure Twistlock to route alerts to webhooks

The following steps will show you how to configure Twistlock to route alerts to webhooks.

Procedure

  1. Log into Twistlock Console.
  2. Go to Manage > Alerts > Manage.
  3. Select the Webhook tab.
  4. Set Enabled to On.
  5. Click Save.

Next, let’s trigger Twistlock to send a test alert to your webhook.

Prerequisites

  • You have a service to accept Twistlock’s callback. For purely testing purposes, consider PostBin or RequestBin.

Procedure

  1. In Twistlock Console, go to Manage > Alerts > Manage.
  2. Under Alert profiles, click Add profile.
  3. Enter a profile name, such as Webhook test.
  4. Select the Webhook tab.
    • Enabled: On.
    • Webhook incoming URL: Enter the endpoint where Twistlock should submit the alert. I set up a RequestBin service in my environment.
    • Custom JSON: Enter the structure of the JSON payload that your web application is expecting. For more details about the type of data in each field, click Show macros.
    • Credential: If your endpoint requires authentication, create a new Basic auth credential.
    • CA Certificate: Enter CA cert in PEM format.
  5. Under Alert types, select the necessary alert profiles, for example Container Runtime.

  6. Click Send Test Alert.

  7. Validate that your web service has received an alert. Alerts are sent immediately.
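
A minimal receiver for the callback configured above, as an added example that is not Twistlock code: it checks the Basic auth credential in constant time and accepts only a JSON body with the `type`, `host` and `details` keys from the custom JSON shown earlier. The username, password, port and size limit are assumed values for illustration.

```python
import base64, hmac, json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values: the Basic auth credential entered in the alert profile.
EXPECTED_USER = "twistlock-alerts"   # hypothetical
EXPECTED_PASSWORD = "change-me"      # hypothetical; load from a secret store
REQUIRED_FIELDS = ("type", "host", "details")  # keys of the page's custom JSON
MAX_BODY = 64 * 1024                 # assumed cap on alert size

def check_basic_auth(header):
    """True only if the Authorization header carries the expected credential."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        supplied = base64.b64decode(header[6:], validate=True)
    except ValueError:               # malformed base64
        return False
    expected = f"{EXPECTED_USER}:{EXPECTED_PASSWORD}".encode()
    return hmac.compare_digest(supplied, expected)  # constant-time compare

def handle_alert(auth_header, body):
    """Return (HTTP status, alert dict); alert is None unless status is 200."""
    if not check_basic_auth(auth_header):
        return 401, None
    if len(body) > MAX_BODY:
        return 413, None
    try:
        alert = json.loads(body)
    except ValueError:               # invalid JSON or invalid UTF-8
        return 400, None
    if not isinstance(alert, dict) or any(
            not isinstance(alert.get(k), str) for k in REQUIRED_FIELDS):
        return 400, None
    return 200, {k: alert[k] for k in REQUIRED_FIELDS}  # drop unexpected keys

class Hook(BaseHTTPRequestHandler):
    def do_POST(self):
        raw = self.headers.get("Content-Length", "0")
        length = int(raw) if raw.isdigit() else 0
        body = self.rfile.read(min(length, MAX_BODY + 1))
        status, alert = handle_alert(self.headers.get("Authorization"), body)
        if alert:
            print("alert:", json.dumps(alert))  # hand off to your pipeline here
        self.send_response(status)
        self.end_headers()

if __name__ == "__main__":
    # Loopback HTTP for local testing only; put TLS in front of it for real use.
    HTTPServer(("127.0.0.1", 8080), Hook).serve_forever()
```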

Summary

With native webhook support, Twistlock gives you flexible ways to set up alerting for your environment and makes it easy to integrate with any monitoring and alerting systems you already have in place. The webhook integration lets you customize the JSON body and how alert messages are forwarded to suit your own needs. If you’d like more information on this topic or want a demo, get in touch!
