Slack Integration
Receive instant security alerts in your Slack workspace.
Real-Time Alerts
Connect CastellanAI to Slack to get security alerts where your team communicates, with rich formatting and interactive buttons.
Why Slack Integration?
| Feature | Description |
|---|---|
| Real-Time | Alerts delivered instantly to channels |
| Threaded | Keep conversations organized |
| Rich Format | Color-coded blocks with actionable buttons |
Setup Steps
- 1️⃣ Create Webhook
- 2️⃣ Add to Portal
- 3️⃣ Configure Alerts
- 4️⃣ Test
Step 1: Create a Slack Incoming Webhook
Set up an incoming webhook in your Slack workspace:
- Go to api.slack.com/apps
- Click "Create New App" → "From scratch"
- Name it "CastellanAI Alerts" and select your workspace
- Navigate to "Incoming Webhooks" and activate it
- Click "Add New Webhook to Workspace"
- Select your #security-alerts channel (or create one)
- Copy the generated Webhook URL
Security
Keep your webhook URL private—anyone with this URL can post messages to your Slack channel.
Step 2: Add Webhook to Portal
Configure the webhook in CastellanAI:
- Log in to your CastellanAI portal
- Navigate to Dashboard → Profile
- Scroll to Notification Settings
- Click "Add Slack Webhook"
- Paste your webhook URL and give it a name
- Click Save
Step 3: Configure Alert Preferences
Recommended Settings:
| Setting | Value | Reason |
|---|---|---|
| Minimum Severity | High | Prevent alert fatigue |
| Use Threads | Enabled | Keep conversations organized |
| Quiet Hours | Optional | Suppress Low/Medium outside hours |
Step 4: Test the Integration
- Click the "Send Test Alert" button in the portal
- Check your Slack channel for the test message
- Verify buttons and links work
All Set!
You'll now receive security alerts in Slack based on your configured filters.
Alert Format
Alert Components
| Component | Description |
|---|---|
| Color-coded sidebar | Red (Critical), Orange (High), Yellow (Medium), Blue (Low) |
| Event title | AI-generated summary of the threat |
| Details block | Hostname, timestamp, event type, user/process |
| MITRE ATT&CK | Mapped tactics (e.g., "Initial Access, Execution") |
| Action buttons | "View in Portal", "Mark as Reviewed", "Take Action" |
Severity Colors
| Severity | Color | Sidebar |
|---|---|---|
| Critical | 🔴 Red | #ff0000 |
| High | 🟠 Orange | #ff9900 |
| Medium | 🟡 Yellow | #ffcc00 |
| Low | 🔵 Blue | #0066ff |
Interactive Buttons
| Button | Action |
|---|---|
| View in Portal | Opens event in dashboard |
| Mark as Reviewed | Acknowledges the alert |
| Take Action | Opens response actions |
Authentication Required
Button links require users to be logged into the portal.
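To make the Alert Components and Severity Colors tables concrete, here is an added example that builds a Slack message in that shape (colored sidebar, title, details fields, MITRE ATT&CK tactics, a "View in Portal" link button) and posts it to an incoming webhook. It is illustrative code written for this page, not CastellanAI's own implementation; the event field names, the `/events/<id>` portal path and the `SLACK_WEBHOOK_URL` environment variable are assumptions. The sender also works as the "test directly" check from the troubleshooting section.

```python
import json
import os
import urllib.request

# Sidebar colors taken from the Severity Colors table on this page.
SEVERITY_COLORS = {"Critical": "#ff0000", "High": "#ff9900",
                   "Medium": "#ffcc00", "Low": "#0066ff"}


def build_alert_payload(event, portal_url):
    """Return the JSON body for one alert. `event` keys (assumed schema):
    id, severity, title, hostname, timestamp, event_type, user_process, tactics."""
    if event["severity"] not in SEVERITY_COLORS:
        raise ValueError(f"unknown severity: {event['severity']!r}")
    details = [("Hostname", event["hostname"]),
               ("Timestamp", event["timestamp"]),
               ("Event type", event["event_type"]),
               ("User / process", event["user_process"]),
               ("MITRE ATT&CK", ", ".join(event["tactics"]))]
    blocks = [
        {"type": "header", "text": {"type": "plain_text", "text": event["title"]}},
        {"type": "section",
         "fields": [{"type": "mrkdwn", "text": f"*{k}:*\n{v}"} for k, v in details]},
        # A url button opens the portal; the reader must already be logged in there.
        {"type": "actions", "elements": [
            {"type": "button", "text": {"type": "plain_text", "text": "View in Portal"},
             "url": f"{portal_url}/events/{event['id']}"}]},
    ]
    # Slack renders the attachment's `color` as the colored sidebar.
    return {"attachments": [{"color": SEVERITY_COLORS[event["severity"]],
                             "blocks": blocks}]}


def post_to_slack(payload, webhook_url):
    """POST the payload; Slack replies with status 200 and body 'ok' on success."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Constructed sample event, not real telemetry.
    sample = {"id": "evt-1042", "severity": "High",
              "title": "Scheduled task created by an unexpected account",
              "hostname": "fs-01", "timestamp": "2024-05-01T10:12:00Z",
              "event_type": "Persistence", "user_process": "svc_backup / schtasks.exe",
              "tactics": ["Persistence", "Execution"]}
    payload = build_alert_payload(sample, "https://portal.example.invalid")
    # Webhook URL is read from the environment so it never lands in source control.
    url = os.environ.get("SLACK_WEBHOOK_URL")
    print(post_to_slack(payload, url) if url else json.dumps(payload, indent=2))
```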
Advanced Configuration
Multiple Channel Setup
Configure different channels for different alert types:
| Channel | Purpose | Configuration |
|---|---|---|
| #security-critical | Emergencies | Critical only |
| #security-all | SOC team | High and above |
| #security-digest | Daily summary | Low + Medium batched |
Thread Configuration
| Option | Behavior |
|---|---|
| Enabled | Related events posted as replies |
| Disabled | Each event as separate message |
Busy Channels
Enable threads for high-volume channels to reduce noise.
Troubleshooting
No Test Message Received
| Check | Solution |
|---|---|
| Webhook URL | Verify that the URL saved in the portal settings is correct |
| Test directly | Use curl or Postman to post a message to the URL |
| App installation | Check that the Slack app is still installed in the workspace |
Alerts Are Too Noisy
| Solution | Implementation |
|---|---|
| Increase severity | Set to High or Critical only |
| Use multiple webhooks | Different channels by priority |
| Enable digest mode | Batch similar events |
Buttons Don't Work
| Cause | Solution |
|---|---|
| Interactive components | Enable in Slack app settings |
| Authentication | Users must be logged into portal |
| URL accessibility | Portal must be reachable from the user's browser |
Best Practices
| Practice | Description |
|---|---|
| Use Dedicated Channels | Create #security-critical and #security-all |
| Enable Notifications | Set "All messages" for critical channels |
| Pin Important Alerts | Use Slack's pin for ongoing incidents |
| Create Workflows | Use Slack workflow builder for automation |
📝 Slack Integration Checklist
- Create Slack app and webhook
- Select appropriate channel
- Add webhook to CastellanAI portal
- Configure severity filters
- Enable thread mode if needed
- Test webhook delivery
- Set channel notification preferences
- Train team on alert response
What's Next?
| Guide | Description |
|---|---|
| Microsoft Teams Integration | Also using Teams? Set up parallel alerting |
| Taking Action | Respond to alerts from the portal |
| Advanced Webhooks | Custom webhook configurations |