Skip to main content

Automation Payload Variables

Automated playbooks can be invoked by a monitor, as described in Automated Playbooks in Monitors. A payload is passed from the alert to the playbook. The variables in the payload can be assigned to parameters and used as inputs for different actions in the playbook.

Payload variables

The below variables are passed in the payload from an alert to a playbook. The fields specific to the query that triggered the alert can be referenced by using customPlaceholderMap. For example, if the result of the query includes a field named user_name, this can be referenced by called customPlaceholderMap[].user_name.

​​IdThe unique identifier for alert that triggered the playbook.
NameThe name of the monitor.
QueryThe query used in the monitor.
QueryURLThe URL to the logs or metrics query within Sumo Logic.
AlertNameThe name of the alert.
SourceURLThe URL to the configuration or status page of the monitor in Sumo Logic.
AlertGroupThe alert grouping that triggered the alert, including associated values for that field.
DescriptionThe description of the monitor.
MonitorTypeThe type of alert, either Logs or Metrics.
ResultsJsonJSON object containing the query results that triggered the alert.
TriggerTimeThe date and time the query triggered the alert.
TriggerTypeThe status of the alert or recovery. Alert will have either Normal, Critical, Warning, or Missing Data. Recovery will have either ResolvedCritical, ResolvedWarning, or ResolvedMissingData.
TriggerValueThe value that triggered the alert.
NotificationsThe details for the notifications configured in the monitor.
NumRawResultsNumber of results returned by the search.
DetectionMethodThe type of detection method used to detect alerts. Values are based on static or outlier triggers and data type, either logs or metrics. The value will be either LogsStaticCondition, MetricsStaticCondition, LogsOutlierCondition, MetricsOutlierCondition, LogsMissingDataCondition, or MetricsMissingDataCondition.
NumQueryResultsThe number of results the query returned.
SloDashboardURLThe URL to the SLO dashboard.
TriggerQueryURLThe URL to the log search for the query that triggered the alert.
AlertResponseURLThe URL to the alert page for the corresponding alert ID.
TriggerConditionThe condition that triggered the alert.
TriggerTimeRangeThe time range of the query that triggered the alert.
ResultsJsonParsedThe parsed fields from ResultsJson.
AggregateResultsJsonJSON object containing the query results that triggered the alert, along with aggregate values such as message count.
customPlaceholderMapThe parsed fields from ResultsJson and the aggregate values returned from the query.
AggregateResultsJsonParsedThe parsed fields from AggregateResultsJson.

Example payload

"Id": "00000000016CCCDD",
"Name": "Amazon Guard Duty Brute Force",
"Query": "_sourceCategory=Labs/AWS/GuardDuty_V3 | parse \"{\\\"key\\\":\\\"Owner\\\",\\\"value\\\":\\\"*\\\"}\" as owner_key | json field=_raw \"service.action.networkConnectionAction.remotePortDetails.portName\"as port_name | json field=_raw \"service.action.networkConnectionAction.remotePortDetails.port\" as port | json field=_raw \"service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\" as ip_address | json field=_raw \"accountId\", \"region\", \"partition\", \"id\", \"arn\", \"type\",\"service.serviceName\",\"service.detectorId\",\"service.action\",\"severity\",\"title\",\"description\", \"vpcId\", \"subnetId\", \"groupId\" , \"tags\", \"groupName\", \"resource.instanceDetails.instanceId\" as account_id, region, partition, id, arn, type, service_name, detector_id, action, severity, title, description, vpcId, subnetId , securityGroupId, tags, securityGroupName, instanceid nodrop | where type matches \"*BruteForce*\" | count by instanceid, ip_address, port, port_name, owner_key",
"QueryURL": "",
"AlertName": "Amazon GuardDuty Brute Force Finding",
"SourceURL": "",
"AlertGroup": "instanceid=i-F56tg45tty5gfgd45",
"Description": "",
"MonitorType": "Logs",
"ResultsJson": "[{\"Count\":1,\"instanceid\":\"i-F56tg45tty5gfgd45\",\"ip_address\":\"\",\"owner_key\":\"\",\"port\":\"22\",\"port_name\":\"SSH\"}]",
"TriggerTime": "05/01/2024 02:08:46 PM CDT",
"TriggerType": "Critical",
"TriggerValue": 1,
"Notifications": [
"notification": {
"images": [],
"subject": "Monitor Alert: {{TriggerType}} on {{AlertName}}",
"actionId": -4194941809035894000,
"jsonClass": "EmailAction",
"ccRecipients": [],
"templateName": "Default Unified Monitor Email With Alert Response Variables",
"toRecipients": [
"bccRecipients": [],
"relatedContent": [],
"emailBodyMessage": ""
"runForTriggerTypes": [
"NumRawResults": "45",
"DetectionMethod": "LogsStaticCondition",
"NumQueryResults": "1",
"SloDashboardURL": "",
"TriggerQueryURL": "",
"AlertResponseURL": "",
"TriggerCondition": "ResultCount is Greater than 0.0 in the last 1440 minutes",
"TriggerTimeRange": "04/30/2024 02:06:46 PM CDT to 05/01/2024 02:06:46 PM CDT",
"ResultsJsonParsed": [
"port": "22",
"Count": 1,
"owner_key": "",
"port_name": "SSH",
"instanceid": "i-F56tg45tty5gfgd45",
"ip_address": ""
"AggregateResultsJson": "[{\"Count\":1,\"instanceid\":\"i-F56tg45tty5gfgd45\",\"ip_address\":\"\",\"owner_key\":\"\",\"port\":\"22\",\"port_name\":\"SSH\"}]",
"customPlaceholderMap": [
"port": "22",
"Count": "1",
"_count": "1",
"owner_key": "",
"port_name": "SSH",
"instanceid": "i-F56tg45tty5gfgd45",
"ip_address": ""
"AggregateResultsJsonParsed": [
"port": "22",
"Count": 1,
"owner_key": "",
"port_name": "SSH",
"instanceid": "i-F56tg45tty5gfgd45",
"ip_address": ""

View playbook payload

To view the variables available from an alert that triggered a playbook:

  1. View the automated playbooks for an alert.
  2. Expand the playbook name to view the payload.
    <View playbook payload>
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.