Log Management
Alerting
Destinations
DingTalk

DingTalk

Reach teams on DingTalk when log patterns breach thresholds. Configure dingtalk with webhook URLs, signatures, or phone lists depending on your integration style. Add dingtalk under alert: on your rule (you can combine destinations).

Skim Options for required vs optional keys, then open Full working example for runnable YAML including index and filter.

Options

Keys below match the ElastAlert 2 alerter. Shared rule fields such as alert_subject apply as described in Subject & body. Example fragments from the ElastAlert 2 reference appear indented under the option they illustrate (add your own name, type, index, and filter to make a full rule).

Required

  • dingtalk_access_token — Dingtalk access token.

Example msgtype : text

 alert:
   - "dingtalk"
 dingtalk_access_token: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 dingtalk_msgtype: "text"

Example msgtype : markdown

 alert:
   - "dingtalk"
 dingtalk_access_token: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 dingtalk_msgtype: "markdown"

Example msgtype : single_action_card

 alert:
   - "dingtalk"
 dingtalk_access_token: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 dingtalk_msgtype: "single_action_card"
 dingtalk_single_title: "test3"
 dingtalk_single_url: "https://xxxx.xxx"

Example msgtype : action_card

 alert:
   - "dingtalk"
 dingtalk_access_token: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 dingtalk_msgtype: "action_card"
 dingtalk_btn_orientation: "0"
 dingtalk_btns: [{"title": "a", "actionURL": "https://xxxx1.xxx"}, {"title": "b", "actionURL": "https://xxxx2.xxx"}]

  • dingtalk_msgtype — Dingtalk msgtype, default to text. markdown, single_action_card, action_card. dingtalk_msgtype single_action_card Required:

  • dingtalk_single_title — The title of a single button..

  • dingtalk_single_url — Jump link for a single button. dingtalk_msgtype action_card Required:

  • dingtalk_btns — Button. dingtalk_msgtype action_card Optional:

  • dingtalk_btn_orientation — "0": Buttons are arranged vertically "1": Buttons are arranged horizontally.

Optional

  • dingtalk_proxy — By default ElastAlert 2 will not use a network proxy to send notifications to Dingtalk. Set this option using hostname:port if you need to use a proxy. only supports https.

  • dingtalk_proxy_login — The DingTalk proxy auth username.

  • dingtalk_proxy_pass — The DingTalk proxy auth username.

  • dingtalk_sign — DingTalk HMAC secret, used for message authentication. See DingTalk custom robot security settings (opens in a new tab) for more information. Note that the algorithm provides authentication that some message was recently sent (within an hour) but does not authenticate the integrity of the current message itself.

Full working example

name: Example alert for DingTalk
type: any
index: "*-*"
filter:
  - query:
      query_string:
        query: "level:error OR log.level:error"
alert:
  - "dingtalk"
dingtalk_access_token: "REPLACE_TOKEN"
dingtalk_msgtype: "text"
DFIR-IRISDiscord