In order to configure an outgoing Webhook integration, click Settings (Cog icon), then Integrations, then choose WebHook:

Enter the target address, test and save to activate:

Next, head to the Notifications section to configure different types of notification subscriptions.
Click Subscribe and fill out the form (if subscribing to multiple subscription types, you will need to repeat this process for each subscription):

  • choose WEBHOOK as the channel
  • for subscription type, choose either:

o  New Incident
o  Incident Updated (e.g. Active incident became Inactive, new alerts was added to      Incident, or one alert in Incident was archived)
o  Incident Resolved (e.g. the whole incident was archived or deleted)

  • select all the applications for which this subscription will apply
  • select the minimal severity of incidents for which to send a notification
  • optional: if you'd like to override the default Webhook URL, toggle Advanced mode and specify the address

For example:

Webhook payload structure:
(updated 5/2019)

    "type": "incident", /* will always be "incident" */
    "occurrenceTime": 1523909407000, /* incident occurrence, epoch millis */
    "detectionTime": 1523909407000, /* detection time, epoch millis */
    "url": "", /* incident resource API endpoint */
    "homeUrl": "", /* a link to the Web Application to view this incident */
    "incidentKey": 123, /* the ID of the incident */
    "title": "Loom - New Incident | Application: app | Service: service", /* a short summary of the incident */
    "active:" "false" /* will either be true or false */
    "state": "Created"
    "alerts": [...] /* an array of selected anomalies */

The alerts array will contain objects with the following format (note that many properties will only appear for specific anomaly types):

    "id": 123,
    "application": "app",
    "service": "service",
    "hosts": { /* a dictionary of hosts and their popularity */
        "": 100,
        "": 50
    "properties": { /* dictionary of properties in common to all of the events partaking in this anomaly */
        "datacenter": "dc1",
        "env": "prod"
    "occurrenceTime": 1543909407000,
    "severity": "HIGH", /* one of: LOW, MEDIUM, HIGH, CRITICAL */
    "trend": "NONE", /* one of: UP, DOWN, NONE */
    "detectionType": "NEW_SIGNAL", /* sub-category of the anomaly */
    "stats": {...}, /* an object listing statistical attributes of the metric in the time of the anomaly */
    "yesterdayStats": {...}, /* statistics describing the same hour, the day before */
    "lastWeekStats": {...}, /* statistics describing the same hour, a week before */
    "derivativeDetection": {...}, /* statistics of the derivative of the metric in the time of the anomaly */
    "title": "The volume of ... is above normal", /* a short human-language description of the anomaly */
    "active" : "false" /* will either be true or false */
    "hasInsights" : "true" /* will either be true or false */
    "insights": [...] /* an array of insights and recommendations */

    /* raw-metrics specific */
    "tag": "affiliateId", /* the raw metric property */
    "value": "aff123", /* the property which is anomalous */

    "signalAliveValue": 1.5, /* for signal-alive anomalies, this is the minutely-event-rate at the point of the anomaly */
    "customAlertValue": 1.5, /* for custom-alerts, this is the minutely-event-rate at the point of the anomaly */

    /* pattern anomalies */
    "patternText": "[USER] was denied access to [SERVER]",

    /* keyword anomalies */
    "keyword": "timeout" /* the keyword which is anomalous */

That's it! notifications should start being sent to your Webhook.

Did this answer your question?