Capture JSON for Alerts that are sent to SQS

APaul — Wed, 02 Sep 2020 17:16:56 GMT

I have configured Redlock to send alert to SQS queue. I am getting the below fields in JSON body when I fetch it from SQS:

However, When I try to fetch the alert details using Alert API I get the complete different schema.

SQS_JSON_Fields

Alert_API_JSON

As soon as an alert is generated, then the JSON data for that alert is sent to SQS queue. (I have lambda that captures and process the data from queue and queue is empty)

Is there any way I can get the data in JSON format which are sent to SQS for the existing alert?

My aim is to capture the JSON data from the existing alert instead of creating a new alert and use it to manipulate and process the data from SQS as per requirement

Re: Capture JSON for Alerts that are sent to SQS

kchen — Fri, 21 Jun 2019 14:52:30 GMT

The alert metadata should be under the "resource" field of the Alert API response JSON. Is the information not there? If you're looking to get the EXACT same overall schema, then I don't believe that's possible. You probably have to modify your Lambda to accommodate the Alert API format. Or alternatively, (if you don't mind doing this), you can always delete the Cloud Account to get rid of all the alerts, then recreate it to send all the alert into SQS.

topic Capture JSON for Alerts that are sent to SQS in Prisma Cloud Discussions

Capture JSON for Alerts that are sent to SQS

Re: Capture JSON for Alerts that are sent to SQS