Slack Integration
Receive instant security alerts in your Slack workspace.
Why Slack Integration?
Connect CastellanAI to Slack to get security alerts where your team communicates. Configure custom filters, use threads for discussions, and respond faster to threats.
| Feature | Description |
|---|---|
| Real-Time | Alerts delivered instantly to your channels |
| Threaded | Keep conversations organized with threads |
| Rich Format | Color-coded blocks with actionable buttons |
Setup Steps
Step 1: Create a Slack Incoming Webhook
Set up an incoming webhook in your Slack workspace:
- Go to api.slack.com/apps
- Click "Create New App" → "From scratch"
- Name it "CastellanAI Alerts" and select your workspace
- Navigate to "Incoming Webhooks" and switch "Activate Incoming Webhooks" on
- Click "Add New Webhook to Workspace"
- Select your #security-alerts channel (or create one) and allow the app to post there
- Copy the generated Webhook URL (it begins with https://hooks.slack.com/services/)
Security: The webhook URL is a bearer secret. Slack does no further authentication on it, so anyone who obtains it can post arbitrary messages to that channel, including convincing fake "alerts". Store it only in the portal's notification settings or a secrets manager, never in source control, tickets or chat, and if it leaks, add a new webhook on the app's Incoming Webhooks page, update the portal, and remove the old one.
Step 2: Add Webhook to Portal
Configure the webhook in CastellanAI:
- Login to your CastellanAI portal
- Navigate to Dashboard → Profile
- Scroll to Notification Settings
- Click "Add Slack Webhook"
- Paste your webhook URL and give it a name (e.g., "Security Team Channel")
- Click Save
Step 3: Configure Alert Preferences
Customize which alerts get sent to Slack:
Recommended Settings:
| Setting | Value | Reason |
|---|---|---|
| Minimum Severity | High | Prevent alert fatigue by posting only High and Critical events |
| Use Threads | Enabled | Keep follow-up discussion attached to the alert (recommended for busy channels) |
| Quiet Hours | Optional | Suppress Low/Medium alerts outside business hours; High and Critical are still delivered |
Step 4: Test the Integration
Send a test message to confirm everything works:
- Click "Send Test Alert" button in the portal
- Check your Slack channel for the test message
- Verify buttons and links work
All Set! You'll now receive security alerts in Slack based on your configured filters.
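The script below is an added example, not CastellanAI's own code or its real alert payload. It reproduces the Step 3 filters (Minimum Severity, Quiet Hours) locally, builds a Slack message in the colour-coded format described under Alert Format, and posts it through an Incoming Webhook the way the Step 4 test and the "test it directly with curl" troubleshooting advice do. The Slack webhook request and payload structure are real; the alert fields, the hex colours, the portal URL, the `SLACK_WEBHOOK_URL` variable name and the sample event are assumptions made for illustration. With no webhook URL in the environment it runs as a dry run, so it can be tried offline.

```python
"""Added example (not CastellanAI code): filter a security alert the way the
portal settings describe, render it as a colour-coded Slack message, and post
it to an Incoming Webhook read from the environment rather than hard-coded."""
import json
import os
import urllib.error
import urllib.request
from datetime import datetime

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
# Sidebar colours as documented (Red/Orange/Yellow/Blue); the hex values are assumed.
SEVERITY_COLOR = {"Critical": "#d00000", "High": "#e8710a",
                  "Medium": "#e5b800", "Low": "#1f6feb"}
WEBHOOK_PREFIX = "https://hooks.slack.com/services/"   # real prefix of Slack webhook URLs

# Constructed sample alert; field names mirror the documented details block.
SAMPLE_ALERT = {
    "severity": "High",
    "title": "PowerShell download cradle executed by interactive user",
    "hostname": "ws-finance-07",
    "timestamp": "2024-05-14T09:42:10Z",
    "event_type": "process_create",
    "user": "CORP\\jdoe",
    "process": "powershell.exe",
    "mitre": ["Execution", "Command and Control"],
    "portal_url": "https://portal.example.com/events/12345",   # assumed portal URL
}


def _hhmm(s):
    """'18:30' -> (18, 30); tuples compare correctly as clock times."""
    h, m = s.split(":")
    return int(h), int(m)


def in_window(now, start, end):
    """True if clock time `now` is in [start, end); the window may span midnight."""
    now, start, end = _hhmm(now), _hhmm(start), _hhmm(end)
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def should_send(severity, min_severity="High", quiet_hours=None, now=None):
    """Mirror the portal filters: drop anything below Minimum Severity, and
    during Quiet Hours drop Low/Medium while High/Critical still go out."""
    rank = SEVERITY_RANK[severity]
    if rank < SEVERITY_RANK[min_severity]:
        return False
    if quiet_hours:
        now = now or datetime.now().strftime("%H:%M")
        if in_window(now, *quiet_hours):
            return rank >= SEVERITY_RANK["High"]
    return True


def build_payload(alert):
    """Colour-coded attachment holding a title, details, ATT&CK tactics and a link button."""
    fields = [
        f"*Hostname:*\n{alert['hostname']}",
        f"*Timestamp:*\n{alert['timestamp']}",
        f"*Event type:*\n{alert['event_type']}",
        f"*User / process:*\n{alert['user']} / {alert['process']}",
    ]
    blocks = [
        {"type": "header", "text": {"type": "plain_text",
                                    "text": f"[{alert['severity']}] {alert['title']}"}},
        {"type": "section", "fields": [{"type": "mrkdwn", "text": f} for f in fields]},
        {"type": "context", "elements": [{"type": "mrkdwn",
                                          "text": "*MITRE ATT&CK:* " + ", ".join(alert["mitre"])}]},
        # A URL button works over a plain webhook. Buttons that post an action back
        # (e.g. "Mark as Reviewed") need Interactivity enabled on the Slack app instead.
        {"type": "actions", "elements": [{"type": "button",
                                          "text": {"type": "plain_text", "text": "View in Portal"},
                                          "url": alert["portal_url"]}]},
    ]
    return {"attachments": [{"color": SEVERITY_COLOR[alert["severity"]], "blocks": blocks}]}


def is_slack_webhook_url(url):
    """Refuse to send the payload anywhere that is not a Slack webhook endpoint."""
    return url.startswith(WEBHOOK_PREFIX)


def send_alert(payload, webhook_url=None):
    """POST the payload to the webhook from SLACK_WEBHOOK_URL (assumed variable name).
    Returns the HTTP status, or None when no URL is configured (dry run).
    Equivalent manual test: curl -sS -H 'Content-type: application/json' \
        --data @payload.json "$SLACK_WEBHOOK_URL"   (prints 'ok' on success)."""
    url = webhook_url if webhook_url is not None else os.environ.get("SLACK_WEBHOOK_URL", "")
    if not url:
        return None
    if not is_slack_webhook_url(url):
        raise ValueError("refusing to post: not a Slack incoming webhook URL")
    req = urllib.request.Request(url, data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        # Surface Slack's status and error body only; the URL is the secret, keep it out of logs.
        body = e.read().decode("utf-8", errors="replace")
        raise RuntimeError(f"Slack rejected the message: HTTP {e.code} {body}") from None


if __name__ == "__main__":
    if should_send(SAMPLE_ALERT["severity"], min_severity="High",
                   quiet_hours=("18:00", "08:00"), now="23:30"):
        print("status:", send_alert(build_payload(SAMPLE_ALERT)))
```

Run it with `SLACK_WEBHOOK_URL` exported to post the sample alert to the channel the webhook was created for; without it the script only builds the payload. The URL prefix check matters when the destination comes from configuration: a mis-set or tampered URL would otherwise ship hostnames, usernames and process names to whatever endpoint it points at.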
Alert Format
Slack alerts include rich formatting:
- Color-coded sidebar - Red (Critical), Orange (High), Yellow (Medium), Blue (Low)
- Event title - Clear, AI-generated summary of the threat
- Details block - Hostname, timestamp, event type, user/process info
- MITRE ATT&CK - Mapped tactics (e.g., "Initial Access, Execution")
- Action buttons - "View in Portal", "Mark as Reviewed", "Take Action"
Best Practices
- Use Dedicated Channels - Create #security-critical and #security-all, add one webhook per channel in the portal, and give each its own minimum severity
- Enable Notifications - Set Slack channel notifications to "All messages" for critical channels
- Pin Important Alerts - Use Slack's pin feature for ongoing incidents
- Create Workflows - Use Slack's workflow builder to automate responses (e.g., create tickets)
Troubleshooting
No test message received
Verify the webhook URL saved in the portal matches the one shown on the app's Incoming Webhooks page (it begins with https://hooks.slack.com/services/). Test it directly with curl or Postman: a working webhook answers HTTP 200 with the body `ok`; an error body such as `no_service` means the webhook was removed or the Slack app uninstalled, and `channel_is_archived` or `channel_not_found` means the target channel no longer accepts posts. Also confirm that the alert you expected clears the minimum severity and quiet-hours filters, since filtered alerts are not a delivery failure.
Alerts are too noisy
Increase minimum severity to High or Critical. Use multiple webhooks for different channels based on severity.
Buttons don't work
"View in Portal" is a link button and works with a plain incoming webhook, but it opens the portal, so the user must be logged in there. "Mark as Reviewed" and "Take Action" send a button click back to CastellanAI, which a webhook alone cannot do: Interactivity must be enabled on the Slack app (Interactivity & Shortcuts in the app settings) for those buttons to do anything.
What's Next?
- Microsoft Teams Integration - Also using Microsoft Teams? Set up parallel alerting
- Taking Action - Learn how to take action on alerts directly from the portal
- Advanced Webhooks - Configure custom webhooks and integrations