Notifications

Energy SOAR Base can send audit-driven notifications through four channels: webhook, Mattermost, email, and file append. Notifications are configured in /etc/energysoar/application.conf.d/webhook.conf.

The notification block holds one sub-block per channel:

notification {
  webhook    { ... }
  mattermost { ... }
  emailer    { ... }
  appendToFile { ... }
}

Restart Energy SOAR Base after changes:

systemctl restart energysoar

Webhook

Posts a JSON payload to one or more HTTP endpoints when an audit event occurs.

notification {
  webhook {
    endpoints: [
      {
        name: "my-siem"
        url: "https://siem.example.com/api/events"
        version: 0
        auth: {}
        wsConfig: {}
        includedTheHiveOrganisations: []
        excludedTheHiveOrganisations: []
      }
    ]
  }
}

Field                           Description
name                            Friendly label for the endpoint.
url                             Target URL. Must accept HTTP POST.
version                         Payload schema version. Use 0.
auth                            Optional authentication object (bearer token or basic auth).
wsConfig                        Optional HTTP client settings (TLS, proxy).
includedTheHiveOrganisations    If non-empty, send notifications only for events from these organisations.
excludedTheHiveOrganisations    Organisations to exclude from notifications.
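The following is an added example, not code from the Energy SOAR project: it shows the organisation dispatch rule from the field table as a function, and a minimal receiver for the endpoint `url` that checks the credential the `auth` block sends (bearer token or basic auth) before parsing the posted JSON. The credential values, the server address and the payload field names (taken from the template variables this page lists) are assumptions.

```python
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical credentials; assumed to match what the endpoint's `auth`
# block is configured to send. Not Energy SOAR's own values.
EXPECTED_BEARER = "replace-with-a-long-random-token"
EXPECTED_BASIC_USER = "energysoar"
EXPECTED_BASIC_PASSWORD = "replace-with-a-strong-password"


def organisation_allowed(org, included, excluded):
    """Dispatch rule from the field table, as the sender applies it:
    the exclude list always wins, and a non-empty include list is an
    allow-list; an empty include list means every organisation."""
    if org in excluded:
        return False
    if included and org not in included:
        return False
    return True


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value."""
    raw = f"{user}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def authorized(header):
    """Validate the Authorization header the sender's `auth` block adds,
    accepting either a bearer token or HTTP basic credentials and using a
    constant-time comparison so the check does not leak via timing."""
    if not header:
        return False
    scheme, _, value = header.partition(" ")
    scheme = scheme.lower()
    if scheme == "bearer":
        return hmac.compare_digest(value.encode(), EXPECTED_BEARER.encode())
    if scheme == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return False
        expected = f"{EXPECTED_BASIC_USER}:{EXPECTED_BASIC_PASSWORD}"
        return hmac.compare_digest(decoded.encode(), expected.encode())
    return False


def parse_event(body):
    """Decode the JSON body; return None for anything that is not a JSON
    object so the handler can reject it with 400."""
    try:
        event = json.loads(body)
    except ValueError:
        return None
    return event if isinstance(event, dict) else None


class AuditReceiver(BaseHTTPRequestHandler):
    """Minimal receiver: authenticate, parse, acknowledge with 204."""

    def do_POST(self):
        if not authorized(self.headers.get("Authorization")):
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        event = parse_event(self.rfile.read(length))
        if event is None:
            self.send_response(400)
            self.end_headers()
            return
        # Field names are an assumption based on the template variables
        # this page lists; a real payload may differ.
        audit = event.get("audit", {})
        print(f"audit {audit.get('action')} {audit.get('objectType')} "
              f"{audit.get('objectId')} by {audit.get('_createdBy')}")
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    # Constructed local demo address; terminate TLS in front of it before
    # pointing a real endpoint `url` at it.
    HTTPServer(("127.0.0.1", 8080), AuditReceiver).serve_forever()
```

Reject unauthenticated posts before reading the body, and keep the comparison constant-time; an endpoint that accepts any POST will happily ingest events from anyone who learns its URL.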

Mattermost

Posts a formatted message to a Mattermost incoming webhook.

notification {
  mattermost {
    webhook: "http://mattermost.example.com/hooks/xxxyoursecretkeyxxx"
    username: "energysoar"
    ws: {}
    template: """
{{audit.action}} {{audit.objectType}} {{audit.objectId}}
  by {{audit._createdBy}}
Organisation: {{user.organisation}}"""
  }
}

Email

Sends a plain-text email through an SMTP relay.

notification {
  emailer {
    subject: "Notification from Energy SOAR"
    from: "notification@energysoar.local"
    template: """
{{audit.action}} {{audit.objectType}} {{audit.objectId}}
  by {{audit._createdBy}} at {{audit._createdAt}}
Organisation: {{user.organisation}}
User: {{user.login}}"""
  }
}

Configure the SMTP relay under the play.mailer key in the same file:

play.mailer {
  host: "smtp.example.com"
  port: 587
  ssl: false
  tls: true
  user: "alerts@example.com"
  password: "***"
}

Notification template variables

All channel templates support the following Mustache variables:

Variable                  Value
{{audit.requestId}}       Unique ID of the audit request.
{{audit.action}}          Action performed (create, update, delete).
{{audit.objectType}}      Type of the affected object (case, alert, task, observable).
{{audit.objectId}}        ID of the affected object.
{{audit._createdBy}}      Login of the user who performed the action.
{{audit._createdAt}}      Timestamp of the action.
{{context._type}}         Type of the context object (e.g. case).
{{context._id}}           ID of the context object.
{{user.organisation}}     Organisation of the acting user.
{{user.login}}            Login of the acting user.
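As an added illustration of how these variables resolve, not code from the Energy SOAR project, the block below is a minimal renderer for the `{{a.b}}` variable syntax the email and Mattermost templates use, run against a constructed audit event. It implements only dotted-name substitution, with a missing variable rendering as an empty string as Mustache does; the sample field values and the renderer itself are assumptions, not Energy SOAR's own implementation.

```python
import re

# Matches {{ audit.action }} style variable tags, with optional spaces.
VARIABLE = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")

# Constructed sample context (not a real Energy SOAR payload); the keys
# follow the variable table on this page.
SAMPLE_CONTEXT = {
    "audit": {
        "requestId": "req-0001",
        "action": "update",
        "objectType": "case",
        "objectId": "~4152",
        "_createdBy": "alice@energysoar.local",
        "_createdAt": "2024-01-01T10:00:00Z",
    },
    "context": {"_type": "case", "_id": "~4152"},
    "user": {"login": "alice@energysoar.local", "organisation": "soc"},
}

# The email template body from this page (without the leading newline
# that HOCON's triple quotes would keep).
EMAIL_TEMPLATE = """{{audit.action}} {{audit.objectType}} {{audit.objectId}}
  by {{audit._createdBy}} at {{audit._createdAt}}
Organisation: {{user.organisation}}
User: {{user.login}}"""

MATTERMOST_TEMPLATE = """{{audit.action}} {{audit.objectType}} {{audit.objectId}}
  by {{audit._createdBy}}
Organisation: {{user.organisation}}"""


def lookup(context, dotted):
    """Walk a dotted name through nested dicts; unknown names resolve to
    an empty string so a typo in a template never raises at send time."""
    current = context
    for part in dotted.split("."):
        if isinstance(current, dict) and part in current:
            current = current[part]
        else:
            return ""
    return str(current)


def render(template, context):
    """Replace every variable tag with its value from the context."""
    return VARIABLE.sub(lambda m: lookup(context, m.group(1)), template)


def render_channels(context):
    """Render both plain-text channel templates for one event."""
    return {
        "emailer": render(EMAIL_TEMPLATE, context),
        "mattermost": render(MATTERMOST_TEMPLATE, context),
    }


if __name__ == "__main__":
    for channel, text in render_channels(SAMPLE_CONTEXT).items():
        print(f"--- {channel} ---\n{text}\n")
```

A variable that is absent from the event disappears silently from the message, so check rendered output against a known event when changing a template; an empty `Organisation:` line in production is the usual sign of a misspelled variable name.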