PDPYRAS Create an AWS Integration and pass in Correlate Events By and Derive Name From

rest-api

#1

When creating an AWS integration, is it possible to set the “Correlate Events by” and “Derive Name from” fields during the create? I’ve tried a few different combos and they all seem to fail, but passing these values to create the integration returns a 200 with no errors:

# Attempt 1: with ui_order. Both options go in ONE "config" dict; a second
# "config" key in the same dict literal would silently overwrite the first.
new_aws_integration = session.rpost(
    '/services/' + new_service['id'] + '/integrations',
    json={
        "type": "generic_events_api_inbound_integration",
        "name": "aws",
        "summary": "integration service for aws",
        "vendor": {"type": "vendor_reference", "id": "PZQ6AUS"},
        "config": {"fields": {
            "description": {"value": "alarm_description", "ui_order": 3},
            "incident_key": {"value": "always_create_new", "ui_order": 4}
        }}
    }
)

# Attempt 2: value only, no ui_order.
new_aws_integration = session.rpost(
    '/services/' + new_service['id'] + '/integrations',
    json={
        "type": "generic_events_api_inbound_integration",
        "name": "aws",
        "summary": "integration service for aws",
        "vendor": {"type": "vendor_reference", "id": "PZQ6AUS"},
        "config": {"fields": {
            "description": {"value": "alarm_description"},
            "incident_key": {"value": "always_create_new"}
        }}
    }
)

Does this need to be passed in a different way? When I look at the integration, this is what it returns:

"integration_key": "*******",
"config": {
  "fields": {
    "incident_key": {
      "type": "select",
      "required": false,
      "label": "Correlate events by",
      "valid_values": {
        "alarm_name": {
          "label": "Alarm Name",
          "ui_order": 1
        },
        "always_create_new": {
          "label": "Make a new incident/alert each time",
          "ui_order": 4
        },
        "finding_id": {
          "label": "Finding id (only for GuardDuty Findings)",
          "ui_order": 7
        },
        "event_name": {
          "label": "Event Name (only for AWS CloudWatch Events)",
          "ui_order": 6
        },
        "open_attach": {
          "label": "If there's an open incident/alert, attach all results to it",
          "ui_order": 5
        },
        "source_origin": {
          "label": "Source",
          "ui_order": 3
        },
        "region": {
          "label": "AWS Region",
          "ui_order": 2
        }
      },
      "value": "alarm_name",
      "ui_order": 0
    },
    "description": {
      "type": "select",
      "required": false,
      "label": "Derive name from",
      "valid_values": {
        "auto_generated": {
          "label": "Default",
          "ui_order": 1
        },
        "alarm_name": {
          "label": "Alarm Name",
          "ui_order": 2
        },
        "alarm_description": {
          "label": "Alarm Description",
          "ui_order": 3
        }
      },
      "value": "auto_generated",
      "ui_order": 1
    }
  }
}


(Demitri Morgan) #2

Hi @dm,

Special settings intrinsic to individual inbound integrations are in the config property. Note:

  • This property is not yet documented. As with all such features, we do not recommend using it for long-term supported API-based solutions because we cannot guarantee that the schema will be kept the same way indefinitely.
  • The property is a very diverse polymorph. Options can change radically between one integration vendor and another, and the way that the API expects you to format it if setting options will thus depend on the vendor type (which cannot be changed once the integration has been created).
  • The config property cannot be set when creating an integration, only when updating it.

So in short, your mileage may vary.

For what it’s worth, I created a testing CloudWatch integration and made a GET request to it, and the schema of the property is as follows:

{
  "fields": {
    "incident_key": {
      "type": "select",
      "required": false,
      "label": "Correlate events by",
      "valid_values": {
        "alarm_name": {
          "label": "Alarm Name",
          "ui_order": 1
        },
        "always_create_new": {
          "label": "Make a new incident/alert each time",
          "ui_order": 4
        },
        "finding_id": {
          "label": "Finding id (only for GuardDuty Findings)",
          "ui_order": 7
        },
        "event_name": {
          "label": "Event Name (only for AWS CloudWatch Events)",
          "ui_order": 6
        },
        "open_attach": {
          "label": "If there's an open incident/alert, attach all results to it",
          "ui_order": 5
        },
        "source_origin": {
          "label": "Source",
          "ui_order": 3
        },
        "region": {
          "label": "AWS Region",
          "ui_order": 2
        }
      },
      "value": "alarm_name",
      "ui_order": 0
    },
    "description": {
      "type": "select",
      "required": false,
      "label": "Derive name from",
      "valid_values": {
        "auto_generated": {
          "label": "Default",
          "ui_order": 1
        },
        "alarm_name": {
          "label": "Alarm Name",
          "ui_order": 2
        },
        "alarm_description": {
          "label": "Alarm Description",
          "ui_order": 3
        }
      },
      "value": "auto_generated",
      "ui_order": 1
    }
  }
}
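
Putting the answer above into practice, as an added example (not code from the thread or from pdpyras): create the integration without `config`, GET it back to read the advertised `valid_values`, then set both options with one PUT. The vendor id and the config schema are taken from the thread; the `FakeSession`, the placeholder ids and the `PD_API_TOKEN`/`PD_SERVICE_ID` variable names are constructed for this example, and the shape of the update body (`type` plus a `config` whose fields carry only `value`) is an assumption, since the property is undocumented. Note that pdpyras's `rpost`/`rput`/`rget` wrap and unwrap the `integration` envelope, which is why the bodies below are sent without a root key.

```python
import os

# Vendor id and the config schema below are taken from the thread above; everything
# else in this example is an assumption about a PagerDuty account you control.
AWS_VENDOR_ID = "PZQ6AUS"

# Trimmed copy of the `config` the thread shows a GET returning for a CloudWatch
# integration (constructed from the post); lets validation run without an API call.
SAMPLE_CONFIG = {
    "fields": {
        "incident_key": {
            "label": "Correlate events by",
            "valid_values": {
                "alarm_name": {}, "region": {}, "source_origin": {},
                "always_create_new": {}, "open_attach": {},
                "event_name": {}, "finding_id": {},
            },
            "value": "alarm_name",
        },
        "description": {
            "label": "Derive name from",
            "valid_values": {"auto_generated": {}, "alarm_name": {}, "alarm_description": {}},
            "value": "auto_generated",
        },
    }
}


def create_payload(name="aws", summary="integration service for aws"):
    """Body for POST /services/{id}/integrations. No `config`: it is ignored on create."""
    return {
        "type": "generic_events_api_inbound_integration",
        "name": name,
        "summary": summary,
        "vendor": {"type": "vendor_reference", "id": AWS_VENDOR_ID},
    }


def build_config_update(current_config, incident_key=None, description=None):
    """Return ONE `config` dict carrying both options (never two "config" keys).

    Each value is checked against the `valid_values` the API advertised in the
    GET response, so a typo fails here instead of being silently dropped.
    """
    fields = current_config.get("fields", {})
    chosen = {"incident_key": incident_key, "description": description}
    out = {}
    for name, value in chosen.items():
        if value is None:
            continue  # leave that option at its current value
        if name not in fields:
            raise KeyError(f"no config field {name!r}; have {sorted(fields)}")
        allowed = fields[name].get("valid_values", {})
        if value not in allowed:
            raise ValueError(f"{value!r} is not valid for {fields[name].get('label', name)!r}; "
                             f"valid: {sorted(allowed)}")
        out[name] = {"value": value}
    return {"fields": out}


def configure_aws_integration(session, service_id, incident_key, description):
    """Create the integration, then set its options with a second PUT.

    `session` is anything with rget/rpost/rput like pdpyras.APISession.
    """
    base = f"/services/{service_id}/integrations"
    created = session.rpost(base, json=create_payload())
    path = f"{base}/{created['id']}"
    current = session.rget(path)  # read the advertised schema, not the POST echo
    body = {  # assumed minimal update body: type plus the config we want to change
        "type": created["type"],
        "config": build_config_update(current.get("config", {}), incident_key, description),
    }
    return session.rput(path, json=body)


class FakeSession:
    """Constructed stand-in that records calls and serves SAMPLE_CONFIG on GET."""
    FAKE_ID = "PFAKE01"  # made-up integration id

    def __init__(self):
        self.calls = []

    def rpost(self, path, json=None):
        self.calls.append(("POST", path, json))
        return {"id": self.FAKE_ID, "type": json["type"], "name": json["name"]}

    def rget(self, path):
        self.calls.append(("GET", path, None))
        return {"id": self.FAKE_ID, "type": "generic_events_api_inbound_integration",
                "config": SAMPLE_CONFIG}

    def rput(self, path, json=None):
        self.calls.append(("PUT", path, json))
        return dict(json, id=self.FAKE_ID)


if __name__ == "__main__":
    # A real run needs PD_API_TOKEN and PD_SERVICE_ID (hypothetical variable names);
    # otherwise the recorded fake shows the exact POST / GET / PUT sequence.
    token, service_id = os.environ.get("PD_API_TOKEN"), os.environ.get("PD_SERVICE_ID")
    if token and service_id:
        import pdpyras
        session = pdpyras.APISession(token)
    else:
        session, service_id = FakeSession(), "PSERVICE"
    result = configure_aws_integration(session, service_id, "always_create_new", "alarm_description")
    print(result["config"]["fields"])
```

Re-fetching the integration before the PUT is deliberate: the `valid_values` differ per vendor, so validating against what this particular integration advertises is the only check that survives a schema change in the undocumented property.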

#3

Thank you I’ll give it a try with the update and see how it goes.


(system) #4

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.