Notification Templates

What are Notification Templates?

Notification Templates define the format and content of notifications sent to different destinations. They allow customization of messages based on the notification type.

You create Notification Templates for email, Slack, PagerDuty, and webhook notifications. These templates can be used when configuring notifications alongside Notification Targets.

Note: Notification Templates are Optional when configuring Notifications.

Using Notification Templates

Notification Templates can be referenced when configuring notifications for Notifiable Objects using Spyctl. You can either specify a Notification Target on its own, or a target-to-template mapping that pairs a specific Target with a Template, as shown below.

Example usage with Spyctl:

Syntax:

spyctl notifications configure saved-query QUERY_UID \
  --target-map TARGET_NAME_OR_UID=TEMPLATE_NAME_OR_UID

Usage:

spyctl notifications configure saved-query query:abc \
  --target-map OperationsTeam=email-template \
  --cooldown 300

The spyctl notifications configure command allows notifications to be sent either through custom Templates mapped to Targets, or directly through Targets (using the default Template).

Types:

Note: The examples below show YAML templates, but they can also be written in JSON format.

Email

Email Notification Templates define the subject and body format for email notifications.

apiVersion: spyderbat/v1
kind: NotificationTemplate
metadata:
  name: email-template
  type: email
spec:
  subject: ''
  body_html: ''
  body_text: ''

Note: Users must populate subject, body_html, and body_text, using placeholders wherever dynamic content is needed, to customize the email content. After populating the template:

spec:
  subject: "Spyderbat Alert: {{ severity }} Severity Detected"
  body_html: "<p>Alert triggered at {{ __hr_time__ }}</p><p>Details: {{ description }}</p>"
  body_text: "Alert triggered at {{ __hr_time__ }}. Details: {{ description }}"

Slack

Slack Notification Templates define the message structure for Slack notifications. Notification templates can be generated in YAML or JSON format as desired.

apiVersion: spyderbat/v1
kind: NotificationTemplate
metadata:
  name: slack
  type: slack
spec:
  text: ''
  blocks: []

After populating the template:

apiVersion: spyderbat/v1
kind: NotificationTemplate
metadata:
  name: slack
  type: slack
spec:
  text: "Alert: {{ severity }} - {{ description }}"
  blocks:
    - type: section
      text:
        type: mrkdwn
        text: "*Alert Triggered at:* {{ __hr_time__ }}\n*Details:* {{ description }}"

Webhook

Webhook Notification Templates define the payload structure for webhook notifications.

apiVersion: spyderbat/v1
kind: NotificationTemplate
metadata:
  name: webhook-template
  type: webhook
spec:
  payload: {}
  entire_object: false

After populating the template:

spec:
  payload:
    severity: "{{ severity }}"
    details: "{{ description }}"
    timestamp: "{{ __hr_time__ }}"

PagerDuty

PagerDuty Notification Templates define the format for alerts sent to PagerDuty.

apiVersion: spyderbat/v1
kind: NotificationTemplate
metadata:
  name: pg
  type: pagerduty
spec:
  class: null
  component: null
  source: ''
  summary: ''
  severity: ''
  dedup_key: null
  custom_details: {}
  group: null

After populating the template:

spec:
  summary: "Spyderbat Saved Query '{{ __query_name__ }}' Matched"
  source: "{{ __source__ }}"
  severity: "{{ __pd_severity__ }}"
  custom_details:
    "description": "{{ description }}"
    "cluster": "{{ __cluster__ }}"
    "time": "{{ __hr_time__ }}"
    "linkback": "{{ __linkback__ }}"

Use these templates to ensure consistent and structured notifications across different channels.

Placeholder Fields and Dynamic Variables

Some fields in Notification Templates are dynamically calculated and replaced at runtime using placeholders. These placeholders allow real-time data insertion into notification messages.

Understanding Placeholder Fields

Placeholder fields allow dynamic values to be inserted into notification templates. These fields are replaced with actual data when a notification is sent.

They are written with the syntax __field__ (a field name wrapped in double underscores), for example {{ __hr_time__ }}.

Some common Spyderbat internal placeholder fields are:

  • {{ __source__ }} - Source of the event
  • {{ __cluster__ }} - Cluster where the event occurred
  • {{ __hr_time__ }} - Human-readable timestamp
  • {{ __linkback__ }} - Link to view the event in Spyderbat
  • {{ __time_int__ }} - Timestamp in integer format
  • {{ __origin__ }} - Origin of the event
  • {{ __hostname__ }} - Hostname where the event occurred
  • {{ __percent__ }} - Percentage value related to the event
  • {{ __pd_severity__ }} - Severity level formatted for PagerDuty
  • {{ __query_name__ }} - Name of the saved query that triggered the event

Example Usage in Email Body:

<p>Spyderbat Custom Flag "{{ custom_flag_name }}" Emitted</p>
<ul>
    <li>Cluster: {{ __cluster__ }}</li>
    <li>Source: {{ __source__ }}</li>
    <li>Time: {{ __hr_time__ }}</li>
</ul>
<p>{{ description }}</p>
<p><a href="{{ __linkback__ }}">View in Spyderbat</a></p>

Dereferencing Values from the Object:

Regular placeholders ({{ severity }}, {{ description }}) refer to fields passed directly from the model object, with no runtime computation. Static text in a template is left unchanged and needs no placeholders.

  • {{ severity }} - Severity level of the event

  • {{ description }} - Description of the event

By customizing Notification Templates with placeholders, users can ensure notifications provide meaningful and actionable information tailored to their needs.
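The two kinds of substitution described above, worked through as an added example (this is illustrative code, not Spyderbat's own renderer): regular placeholders such as {{ severity }} are copied from the matched object, while __field__ placeholders are computed at send time. The sample event, how each internal field is derived, the empty-string handling of unknown placeholders and the HTML escaping inside body_html are assumptions of this example.

```python
import html
import re
from datetime import datetime, timezone

# Constructed sample event standing in for the matched object; field names
# other than severity and description are assumptions for this example.
EVENT = {"severity": "high", "description": "Shell spawned by <nginx> worker",
         "time_int": 1700000000, "cluster": "prod-east"}

# The page's populated email and webhook specs as dicts (what a YAML loader yields).
EMAIL_SPEC = {
    "subject": "Spyderbat Alert: {{ severity }} Severity Detected",
    "body_html": "<p>Alert triggered at {{ __hr_time__ }}</p><p>Details: {{ description }}</p>",
    "body_text": "Alert triggered at {{ __hr_time__ }}. Details: {{ description }}",
}
WEBHOOK_SPEC = {"payload": {"severity": "{{ severity }}", "details": "{{ description }}",
                            "timestamp": "{{ __hr_time__ }}"}, "entire_object": False}

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")

def internal_fields(event):
    """Runtime-computed __field__ values; how each is derived here is an assumption."""
    t = datetime.fromtimestamp(event["time_int"], tz=timezone.utc)
    return {
        "__hr_time__": t.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "__time_int__": str(event["time_int"]),
        "__cluster__": event.get("cluster", ""),
        "__pd_severity__": {"critical": "critical", "high": "error"}.get(event["severity"], "warning"),
    }

def render(value, ctx, escape_html=False):
    """Substitute {{ name }} in strings; recurse into dicts/lists (webhook payload, Slack blocks)."""
    if isinstance(value, str):
        def sub(m):
            v = str(ctx.get(m.group(1), ""))  # unknown placeholder -> empty (assumption)
            return html.escape(v) if escape_html else v
        return PLACEHOLDER.sub(sub, value)
    if isinstance(value, dict):
        return {k: render(v, ctx, escape_html) for k, v in value.items()}
    if isinstance(value, list):
        return [render(v, ctx, escape_html) for v in value]
    return value

def render_template(spec, event):
    """Render a spec against object fields plus __field__ values. Values are
    HTML-escaped only inside body_html, so a description like "<nginx>" cannot
    inject markup into the email (this renderer's choice, not a product claim)."""
    ctx = {**event, **internal_fields(event)}
    return {k: render(v, ctx, escape_html=(k == "body_html")) for k, v in spec.items()}
```

Running render_template(EMAIL_SPEC, EVENT) yields the subject "Spyderbat Alert: high Severity Detected" and an escaped body_html, while render_template(WEBHOOK_SPEC, EVENT) fills the nested payload and leaves entire_object untouched.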

Conclusion

By following this guide, you can create well-structured, dynamic Notification Templates for different destinations. Using placeholders correctly ensures your notifications contain relevant, real-time data.

Manage Notification Templates Using Spyctl

Quick Start Tutorial

To quickly get started with Spyderbat Notifications, follow our tutorial using spyctl.

Last updated 3 months ago


To learn more about placeholder fields and constructing templates, read: Manage Notification Templates Using Spyctl

To start creating templates, follow our tutorial using Spyctl: How to Set Up Spyderbat Notifications (Spyctl CLI)