Alerts Configuration

Webhook Alerts

Webhook Alerts are alerts that are pushed into CIPP by external resources, such as the Microsoft Audit log, or Microsoft Graph Subscriptions. CIPP receives these alerts and processes them by adding information or executing remediation tasks.

Webhook Alerts can be shipped to a PSA, sent by email, or forwarded to another webhook system to allow processing.

Webhook Alerts cannot be shipped to Slack, Discord, or Teams via CIPP, as these products do not support receiving raw JSON information webhooks.

Alert Rules

CIPP allows you to create rules based on the received alerts from these audit logs. You can either select our preset alert types, or you can add a custom alert. Our custom alert engine uses the same logic as our complex filters, with the difference that you cannot chain filters and must add them individually.

Example 1:

To alert on all audit logs where the PathName contains "RSS":

PathName like RSS

Example 2:

To alert on a specific operation:

operation eq CustomLogEntry

You can find all possible keys in the Microsoft documentation. However, as this documentation can get quite complex, we recommend setting up an alert on the "Any" log that ships to a webhook or email, so you can easily find the fields you want to filter on without needing to read all of the Microsoft documentation.
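An added example, not part of CIPP or its documentation: a local helper that lists the fields of a record captured from an "Any" alert and checks single `key operator value` rules against it before you create them. The sample record is constructed, and the matching semantics (case-insensitive keys and values, `like` as a substring match, `eq` as an exact match) are assumptions made for illustration.

```python
# Constructed sample of one audit log record as received from an "Any" alert.
SAMPLE_RECORD = {
    "Operation": "CustomLogEntry",
    "Workload": "Exchange",
    "UserId": "user@example.com",
    "PathName": "/RSS Feeds/News",
    "Parameters": [{"Name": "Identity", "Value": "example"}],
}


def flatten(value, prefix=""):
    """Yield (dotted_key, scalar) pairs so nested fields are visible."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from flatten(item, f"{prefix}{key}.")
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from flatten(item, f"{prefix}{index}.")
    else:
        yield prefix.rstrip("."), value


def parse_rule(rule):
    """Split one 'key operator value' rule; only eq and like are handled."""
    key, operator, value = rule.split(None, 2)
    if operator not in ("eq", "like"):
        raise ValueError(f"unsupported operator: {operator}")
    return key, operator, value


def matches(record, rule):
    """Assumed semantics: case-insensitive; like = substring, eq = exact."""
    key, operator, value = parse_rule(rule)
    fields = {k.lower(): str(v).lower() for k, v in flatten(record)}
    actual = fields.get(key.lower())
    if actual is None:
        return False  # a rule on a field the record lacks never fires
    return actual == value.lower() if operator == "eq" else value.lower() in actual


def evaluate(record, rules):
    """Check each rule on its own, since rules are added individually."""
    return {rule: matches(record, rule) for rule in rules}


if __name__ == "__main__":
    for key, value in flatten(SAMPLE_RECORD):
        print(f"{key} = {value}")
    print(evaluate(SAMPLE_RECORD, ["PathName like RSS", "operation eq CustomLogEntry"]))
```

A rule that names a field missing from the captured record returns no match, which is a quick way to spot a misspelled key before relying on the alert.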

Feature Requests / Ideas

Please raise any feature requests on GitHub.
