Documentation
Alerting

How to set up and customize alerts with a Slack integration

Created:
March 15, 2024
Updated:
September 6, 2024

When you create an alert, you can choose how you want to receive the alert notification. The FireTail platform offers several notification integrations, and the information included in the alert notification is fully customizable in the form of a payload.

Below are instructions on how to create an alert with a new Slack integration and customize the payload. Customizing the payload follows the same process for other notification integrations.

Note: To set up a Slack Webhook integration, you first need to create a channel in Slack. This is where the triggered alerts will be sent. For information on creating a Slack channel, visit the Slack help center.

Create an alert in the FireTail platform

For detailed instructions on creating different types of alerts, refer to the following:

1. Navigate to Posture Management in the FireTail platform. Click the Alerting tab, select Static or Anomaly alert.

2. Name the alert.

3. Add any necessary Filters, Conditions and other required settings.

5. Under Notification Integration, click Create to set up a new integration. This selects how you will get your alert notifications.

6. Select Slack Webhook.

7. Select the channel in Slack that alert notifications will be sent to.

8. Click Allow.

A test message is immediately sent to the Slack channel.

When the connection with Slack has been set up you can make any required edits to the notification, you can:

  • Change the integration name.
  • Click Change Connection to change the Slack channel the notifications are sent to.
  • Edit the Slack payload if required. This is the information that is populated in the Slack notification when an alert is triggered. Tokens, which are placeholders embedded in the payload, dynamically insert relevant data such as alert details, timestamps, or severity levels. You can edit these tokens to customize the information displayed in the notification. For a list of all tokens, go to Dynamic variables. Learn how to Customize notifications.
  • Click Submit.

The integration is created and listed under the existing integrations tab You can now select this integration as a notification method when you create an alert or create an incident.

Customize the Slack Payload

The payload contains tokens that are dynamic variables, the content in these tokens is generated from the information contained in the triggered alert. For instance, if the token {alert_timestamp} is in the payload, when the alert is sent to your Slack channel, the time in UTC format, that the alert was generated is displayed. For example, 21/04/2023T12:35:36

Example payload:



{
    "blocks": [
        {
            "type": "header",
            "text": {
                "type": "plain_text",
                "text": "Firetail Alert",
                "emoji": true
            }
        },
        {
            "type": "section",
            "fields": [
                {
                    "type": "mrkdwn",
                    "text": "*Name:*\n{alert_name}"
                },
                {
                    "type": "mrkdwn",
                    "text": "*Trigger Time:*\n{alert_timestamp}"
                }
            ]
        },
        {
            "type": "section",
            "fields": [
                {
                    "type": "mrkdwn",
                    "text": "*Condition:*\n{alert_static_triggered_value} 
                    {alert_operand} {alert_static_threshold_value}"
                }
            ]
        },
        {
            "type": "section",
            "text": {
                "type": "mrkdwn",
                "text": "<{alert_link}|View Alert>"
            }
        }
    ]
}

Results in an alert being sent to Slack that will look similar to this:

You can add, remove and change tokens and text in the payload. For example:



{
    "blocks": [
        {
            "type": "header",
            "text": {
                "type": "plain_text",
                "text": "My Demo Alert",
                "emoji": true
            }
        },
        {
            "type": "section",
            "fields": [
                {
                    "type": "mrkdwn",
                    "text": "*Name:*\n{alert_name}"
                },
                {
                    "type": "mrkdwn",
                    "text": "*Trigger Time:*\n{alert_timestamp}"
                },
                {
                   "type": "mrkdwn",
                   "text": "*Alert Type:*\n{alert_type}"
               }

            ]
        },
        {
            "type": "section",
            "fields": [
                {
                    "type": "mrkdwn",
                    "text": "*Condition:*\n{alert_static_triggered_value} 
                    {alert_operand} {alert_static_threshold_value}"
                },
               {
                   "type": "mrkdwn",
                   "text": "*Alert UUID:*\n{alert_uuid}"
               }

            ]
        },
        {
            "type": "section",
            "text": {
                "type": "mrkdwn",
                "text": "<{alert_link}|View Alert>"
            }
        }
    ]
}

The alert that is triggered will now look similar to this:

Note: For a list of all tokens, go to Dynamic variables.

Getting Started
Organizations
Dashboard
APIs
Applications
AI
Integrations
Actions
Specifications
Posture Management
Alerting
Code Libraries
Reporting
Python Documentation
FAQs
Related Docs
Alerting overview
View doc
Managed alerts
View doc
Update an anomaly alert
View doc
Create an anomaly alert
View doc
Recently Updated
Dashboard filters
View doc
API risk dashboard
View doc
Actions history
View doc
AI
View doc
How do I view and analyze AI logs?
View doc