Set up and customize alerts with a Slack integration

Created: March 15, 2024
Updated: March 26, 2025

When you create an alert, you can choose how you want to receive the alert notification. FireTail offers multiple notification integrations, and the alert payload is fully customizable.

This guide walks you through setting up a new Slack integration and customizing the payload. The same process applies to other notification integrations.

Note: To set up a Slack Webhook integration, you first need to create a channel in Slack. This is where the triggered alerts will be sent. For instructions, visit the Slack help center.

Create an alert in the FireTail platform

For detailed instructions on creating different types of alerts, refer to the following:

1. Navigate to Posture Management in the FireTail platform. Click the Alerting tab, then select Static or Anomaly alert.

2. Name the alert.

3. Add any necessary Filters, Conditions and other required settings.

4. Under Notification Integration, click Create to set up a new integration. This selects how you will get your alert notifications.

5. Select Slack Webhook.

6. Choose the Slack channel that alert notifications will be sent to.

7. Click Allow.

A test message is sent to the selected Slack channel to verify the connection.

When the connection with Slack has been set up, you can make any required edits to the notification. You can:

  • Change the integration name.
  • Click Change Connection to change the Slack channel the notifications are sent to.
  • Edit the Slack payload if required. This is the information that is populated in the Slack notification when an alert is triggered. Tokens, which are placeholders embedded in the payload, dynamically insert relevant data such as alert details, timestamps, or severity levels. You can edit these tokens to customize the information displayed in the notification. For a list of all tokens, go to Dynamic variables. Learn how to Customize notifications.
  • Click Submit.

The integration is created and listed under the existing integrations tab. You can now select this integration as a notification method when you create an alert or create an incident.

Customize the Slack Payload

The payload contains tokens, which are dynamic variables. The content of each token is generated from the information contained in the triggered alert. For instance, if the token {alert_timestamp} is in the payload, the time that the alert was generated is displayed, in UTC format, when the alert is sent to your Slack channel. For example, 21/04/2023T12:35:36

Example payload:



{
    "blocks": [
        {
            "type": "header",
            "text": {
                "type": "plain_text",
                "text": "Firetail Alert",
                "emoji": true
            }
        },
        {
            "type": "section",
            "fields": [
                {
                    "type": "mrkdwn",
                    "text": "*Name:*\n{alert_name}"
                },
                {
                    "type": "mrkdwn",
                    "text": "*Trigger Time:*\n{alert_timestamp}"
                }
            ]
        },
        {
            "type": "section",
            "fields": [
                {
                    "type": "mrkdwn",
                    "text": "*Condition:*\n{alert_static_triggered_value} {alert_operand} {alert_static_threshold_value}"
                }
            ]
        },
        {
            "type": "section",
            "text": {
                "type": "mrkdwn",
                "text": "<{alert_link}|View Alert>"
            }
        }
    ]
}

This results in an alert being sent to Slack that will look similar to this:

You can add, remove and change tokens and text in the payload. For example:



{
    "blocks": [
        {
            "type": "header",
            "text": {
                "type": "plain_text",
                "text": "My Demo Alert",
                "emoji": true
            }
        },
        {
            "type": "section",
            "fields": [
                {
                    "type": "mrkdwn",
                    "text": "*Name:*\n{alert_name}"
                },
                {
                    "type": "mrkdwn",
                    "text": "*Trigger Time:*\n{alert_timestamp}"
                },
                {
                    "type": "mrkdwn",
                    "text": "*Alert Type:*\n{alert_type}"
                }
            ]
        },
        {
            "type": "section",
            "fields": [
                {
                    "type": "mrkdwn",
                    "text": "*Condition:*\n{alert_static_triggered_value} {alert_operand} {alert_static_threshold_value}"
                },
                {
                    "type": "mrkdwn",
                    "text": "*Alert UUID:*\n{alert_uuid}"
                }
            ]
        },
        {
            "type": "section",
            "text": {
                "type": "mrkdwn",
                "text": "<{alert_link}|View Alert>"
            }
        }
    ]
}

The alert that is triggered will now look similar to this:

Note: For a list of all tokens, go to Dynamic variables.
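
An added example, not part of the FireTail documentation: a local check to run on an edited payload before you click Submit, so that a string broken across lines or a misspelled token does not silently degrade the alert. KNOWN_TOKENS holds only the tokens shown on this page, and render_preview is a local preview that assumes nothing about how FireTail itself fills tokens.

```python
import json
import re

# Tokens shown on this page; the full list lives under "Dynamic variables".
KNOWN_TOKENS = {"alert_name", "alert_timestamp", "alert_type", "alert_uuid", "alert_link",
                "alert_operand", "alert_static_triggered_value", "alert_static_threshold_value"}
TOKEN_RE = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed template with a misspelled token, used to exercise the checks.
SAMPLE = r'{"blocks": [{"type": "section", "text": {"type": "mrkdwn", "text": "*Name:*\n{alert_nme}"}}]}'

def _strings(node, path="$"):
    """Yield (path, text) for every string value in the decoded payload."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def lint_payload(raw, known=KNOWN_TOKENS):
    """Return a list of problems found in a payload template (empty = clean)."""
    try:
        payload = json.loads(raw)  # strict: rejects raw newlines inside strings
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(payload, dict) or not isinstance(payload.get("blocks"), list):
        return ["top-level object must contain a 'blocks' list"]
    problems = []
    for path, text in _strings(payload):
        for name in TOKEN_RE.findall(text):
            if name not in known:
                problems.append(f"unknown token {{{name}}} at {path}")
    return problems

def render_preview(raw, sample):
    """Fill tokens with sample values inside decoded strings, then re-encode."""
    def fill(node):
        if isinstance(node, dict):
            return {k: fill(v) for k, v in node.items()}
        if isinstance(node, list):
            return [fill(v) for v in node]
        if isinstance(node, str):
            return TOKEN_RE.sub(lambda m: str(sample.get(m.group(1), m.group(0))), node)
        return node
    return json.dumps(fill(json.loads(raw)), indent=2)
```

Because render_preview substitutes into decoded strings and re-encodes, a sample value containing quotes or backslashes cannot break the JSON structure of the preview.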