Set up an alert with a new Slack integration

Created:
March 15, 2024
Updated:
July 22, 2024

When you create an alert, you can choose how you want to receive the alert notification. The FireTail platform offers several notification integrations, and the information included in the alert notification is fully customizable in the form of a payload.

Below are instructions on how to create an alert with a new Slack integration and customize a payload. Customizing the payload follows the same process for other notification integrations.

Note: To set up a Slack Webhook integration, you first need to create a channel in Slack. This is where the triggered alerts will be sent. For information on creating a Slack channel, visit the Slack help center.

Create an alert in the FireTail platform

For detailed instructions on creating different types of alerts, refer to the following:

1. Navigate to Posture Management in the FireTail platform, click the Alerting tab, and select Static or Anomaly alert.

2. Name the alert.

3. Add any necessary Filters, Conditions and other required settings.

4. Under Notification Integration, click Create to set up a new integration. This determines how you will receive your alert notifications.

5. Select Slack Webhook.

6. Select the Slack channel that alert notifications will be sent to.

7. Click Allow.

A test message is immediately sent to the Slack channel.

Once the connection with Slack has been set up, you can make any required edits to the integration:

  • Change the integration name.
  • Click Change Connection to change the Slack channel the notifications are sent to.
  • Edit the Slack payload if required. The payload is the content that is populated into the Slack notification when an alert is triggered. For a list of all tokens, go to Dynamic variables. Learn how to Customize notifications.
  • Click Submit.

The integration is created and listed under the existing integrations tab. You can now select this integration as a notification method when you create an alert or create an incident.

Customize the Slack Payload

The payload contains tokens, which are dynamic variables: the content of each token is generated from the information in the triggered alert. For instance, if the token {alert_timestamp} is in the payload, the notification sent to your Slack channel displays the time (in UTC) at which the alert was generated, for example 21/04/2023T12:35:36.

Example payload:



{
    "blocks": [
        {
            "type": "header",
            "text": {
                "type": "plain_text",
                "text": "Firetail Alert",
                "emoji": true
            }
        },
        {
            "type": "section",
            "fields": [
                {
                    "type": "mrkdwn",
                    "text": "*Name:*\n{alert_name}"
                },
                {
                    "type": "mrkdwn",
                    "text": "*Trigger Time:*\n{alert_timestamp}"
                }
            ]
        },
        {
            "type": "section",
            "fields": [
                {
                    "type": "mrkdwn",
                    "text": "*Condition:*\n{alert_static_triggered_value} {alert_operand} {alert_static_threshold_value}"
                }
            ]
        },
        {
            "type": "section",
            "text": {
                "type": "mrkdwn",
                "text": "<{alert_link}|View Alert>"
            }
        }
    ]
}

Results in an alert being sent to Slack that will look similar to this:
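The following is an added example, not part of the FireTail documentation and not FireTail's own token-substitution code. It shows how to check a customized payload before you submit it: sample values are substituted for the tokens, the result is parsed to confirm the template is still valid JSON (a raw line break inside a JSON string, for example, is rejected), the characters Slack treats specially in mrkdwn are escaped so that data carried in a token such as an alert name cannot inject a link or a channel mention, and the Block Kit size limits are checked. The token names are the ones used on this page; the sample alert values, the function names and the assumption that FireTail inserts token values as plain text (this page does not say whether the platform escapes them) are mine.

```python
import json
import re
from typing import Dict, List

# Block Kit limits as documented by Slack (assumed current; confirm against the Slack docs).
HEADER_TEXT_MAX = 150
FIELD_TEXT_MAX = 2000
SECTION_FIELDS_MAX = 10

TOKEN_RE = re.compile(r"\{([a-z_]+)\}")
LINK_TOKENS = {"alert_link"}                   # tokens placed in the URL half of <url|label>
SAFE_URL_RE = re.compile(r"^https://[^\s<>|]+$")


def escape_mrkdwn(value: str) -> str:
    """Escape the characters Slack treats specially in mrkdwn so a token value
    cannot inject a link, a user mention (<@U...>) or a broadcast (<!channel>)."""
    return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def render_payload(template: str, alert: Dict[str, str]) -> dict:
    """Substitute {token} placeholders and return the parsed Block Kit payload.

    Text tokens are mrkdwn-escaped; every token is then JSON-string-encoded so that
    quotes, backslashes and newlines in a value cannot break out of its string.
    Raises KeyError for an unknown token and ValueError for an unsafe link or for a
    template that is not valid JSON after substitution.
    """
    def substitute(match):
        name = match.group(1)
        if name not in alert:
            raise KeyError(f"unknown token {{{name}}}")
        value = str(alert[name])
        if name in LINK_TOKENS:
            if not SAFE_URL_RE.match(value):
                raise ValueError(f"{name} is not a safe https URL: {value!r}")
        else:
            value = escape_mrkdwn(value)
        return json.dumps(value)[1:-1]         # JSON-escape, drop the surrounding quotes

    return json.loads(TOKEN_RE.sub(substitute, template))


def check_limits(payload: dict) -> List[str]:
    """Return Block Kit limit violations found in a rendered payload (empty means OK)."""
    problems = []
    for i, block in enumerate(payload.get("blocks", [])):
        if block.get("type") == "header" and len(block["text"]["text"]) > HEADER_TEXT_MAX:
            problems.append(f"block {i}: header longer than {HEADER_TEXT_MAX} chars")
        fields = block.get("fields", [])
        if len(fields) > SECTION_FIELDS_MAX:
            problems.append(f"block {i}: {len(fields)} fields, maximum is {SECTION_FIELDS_MAX}")
        for j, field in enumerate(fields):
            if len(field.get("text", "")) > FIELD_TEXT_MAX:
                problems.append(f"block {i} field {j}: text longer than {FIELD_TEXT_MAX} chars")
    return problems


def validate(template: str, alert: Dict[str, str]) -> List[str]:
    """Render a template against sample alert data and collect every problem found."""
    try:
        payload = render_payload(template, alert)
    except (KeyError, ValueError) as exc:
        return [f"render failed: {exc}"]
    return check_limits(payload)


# The page's example payload. The Condition string is kept on one line: a raw line
# break inside a JSON string is not valid JSON and Slack would reject it.
TEMPLATE = """{
  "blocks": [
    {"type": "header", "text": {"type": "plain_text", "text": "Firetail Alert", "emoji": true}},
    {"type": "section", "fields": [
      {"type": "mrkdwn", "text": "*Name:*\\n{alert_name}"},
      {"type": "mrkdwn", "text": "*Trigger Time:*\\n{alert_timestamp}"}
    ]},
    {"type": "section", "fields": [
      {"type": "mrkdwn", "text": "*Condition:*\\n{alert_static_triggered_value} {alert_operand} {alert_static_threshold_value}"}
    ]},
    {"type": "section", "text": {"type": "mrkdwn", "text": "<{alert_link}|View Alert>"}}
  ]
}"""

# Constructed sample alert data (not real FireTail output). The name deliberately
# contains double quotes, which would break the JSON if inserted verbatim.
SAMPLE_ALERT = {
    "alert_name": 'Spike in 401s on /api/v1/users "prod"',
    "alert_timestamp": "21/04/2023T12:35:36",
    "alert_static_triggered_value": "142",
    "alert_operand": ">",
    "alert_static_threshold_value": "100",
    "alert_link": "https://example.invalid/alerts/1234",
}

if __name__ == "__main__":
    print(json.dumps(render_payload(TEMPLATE, SAMPLE_ALERT), indent=2))
    print("problems:", validate(TEMPLATE, SAMPLE_ALERT) or "none")
```

Run the script against any payload you have edited in the integration form; an empty problem list means the JSON is well formed and within Slack's limits for the sample values. The escaping step matters because token values such as {alert_name} can carry text that originated outside your control (for example an API path seen in traffic), and Slack interprets an unescaped `<...>` in an mrkdwn field as a link or mention.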

You can add, remove and change tokens and text in the payload. For example:



{
    "blocks": [
        {
            "type": "header",
            "text": {
                "type": "plain_text",
                "text": "My Demo Alert",
                "emoji": true
            }
        },
        {
            "type": "section",
            "fields": [
                {
                    "type": "mrkdwn",
                    "text": "*Name:*\n{alert_name}"
                },
                {
                    "type": "mrkdwn",
                    "text": "*Trigger Time:*\n{alert_timestamp}"
                },
                {
                    "type": "mrkdwn",
                    "text": "*Alert Type:*\n{alert_type}"
                }
            ]
        },
        {
            "type": "section",
            "fields": [
                {
                    "type": "mrkdwn",
                    "text": "*Condition:*\n{alert_static_triggered_value} {alert_operand} {alert_static_threshold_value}"
                },
                {
                    "type": "mrkdwn",
                    "text": "*Alert UUID:*\n{alert_uuid}"
                }
            ]
        },
        {
            "type": "section",
            "text": {
                "type": "mrkdwn",
                "text": "<{alert_link}|View Alert>"
            }
        }
    ]
}

The alert that is triggered will now look similar to this:

Note: For a list of all tokens, go to Dynamic variables.