Set Up Slack Alerts
Get notified in Slack when AgenticAudit detects high-risk events or PII exposure.
Step 1: Create a Slack webhook
- Go to Slack App Management
- Create a new app (or use an existing one)
- Enable Incoming Webhooks
- Add a webhook to your target channel
- Copy the webhook URL (starts with https://hooks.slack.com/services/)
Step 2: Add an alert rule
Update your organization policy via the API:
```bash
curl -X PUT http://localhost:8000/v1/org/policy \
  -H "Authorization: Bearer aa_live_xxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "alert_rules": [
      {
        "name": "High risk events",
        "condition": {
          "risk_level_gte": "high"
        },
        "notify": {
          "slack_webhook_url": "https://hooks.slack.com/services/T.../B.../xxx"
        }
      }
    ]
  }'
```
Or configure via the dashboard at http://localhost:8000/dashboard/policy.
Step 3: Test the alert
Trigger a high-risk event. For example, log an event with a credential pattern:
```bash
curl -X POST http://localhost:8000/v1/events \
  -H "Authorization: Bearer aa_live_xxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_id": "test-agent",
    "action": "shell_command",
    "data": {"command": "echo sk_live_abc123def456"}
  }'
```
This triggers a critical risk event. Check your Slack channel — you should see a formatted alert with the event details.
Webhook URL validation
Webhook URLs must use HTTPS and point to hooks.slack.com. Webhook URLs with other hosts are silently rejected for security. If you need to integrate with other webhook providers, you can modify the ALLOWED_WEBHOOK_HOSTS set in the source code.
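Because rejection is silent, it helps to check a policy before sending it. The following is an added example, not AgenticAudit's own code: it applies the rule stated above (HTTPS, host in `ALLOWED_WEBHOOK_HOSTS`) to every rule in a policy document. The function names, the sample policy, and the extra userinfo and port checks are assumptions of this example.

```python
from urllib.parse import urlsplit

# Mirrors the rule stated above; the project's real set lives in its source code.
ALLOWED_WEBHOOK_HOSTS = {"hooks.slack.com"}


def webhook_url_problem(url):
    """Return None if the URL passes the documented rule, else a reason string."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return "malformed URL"
    if parts.scheme != "https":
        return "scheme is not https"
    # Extra strictness (assumption): a Slack webhook URL never carries userinfo.
    if parts.username is not None or parts.password is not None:
        return "userinfo before the host is not allowed"
    # Exact match on the parsed hostname; a substring or prefix check would
    # accept hosts such as hooks.slack.com.example.net.
    if parts.hostname not in ALLOWED_WEBHOOK_HOSTS:
        return f"host {parts.hostname!r} is not in ALLOWED_WEBHOOK_HOSTS"
    # Extra strictness (assumption): only the default HTTPS port.
    if port not in (None, 443):
        return f"unexpected port {port}"
    return None


def rejected_rules(policy):
    """Map rule name -> reason for every alert rule whose webhook would be dropped."""
    problems = {}
    for rule in policy.get("alert_rules", []):
        url = rule.get("notify", {}).get("slack_webhook_url", "")
        reason = webhook_url_problem(url)
        if reason:
            problems[rule.get("name", "<unnamed>")] = reason
    return problems


# Constructed sample policy; the webhook paths are placeholders.
SAMPLE_POLICY = {"alert_rules": [
    {"name": "ok", "notify": {"slack_webhook_url": "https://hooks.slack.com/services/T000/B000/placeholder"}},
    {"name": "plain http", "notify": {"slack_webhook_url": "http://hooks.slack.com/services/T000/B000/placeholder"}},
    {"name": "lookalike host", "notify": {"slack_webhook_url": "https://hooks.slack.com.example.net/services/x"}},
    {"name": "userinfo trick", "notify": {"slack_webhook_url": "https://hooks.slack.com@example.net/services/x"}},
]}

if __name__ == "__main__":
    for name, reason in rejected_rules(SAMPLE_POLICY).items():
        print(f"{name}: {reason}")
```

If you extend `ALLOWED_WEBHOOK_HOSTS` in the source, extend the set here as well so the check keeps matching the server.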
Alert message format
The Slack message includes:
- Event action and agent ID
- Risk level (color-coded)
- PII detection status
- Matched compliance frameworks
- Timestamp
Multiple alert rules
You can configure multiple rules for different channels or conditions:
```json
{
  "alert_rules": [
    {
      "name": "Critical to #security-incidents",
      "condition": {
        "risk_level_gte": "critical"
      },
      "notify": {
        "slack_webhook_url": "https://hooks.slack.com/services/.../security"
      }
    },
    {
      "name": "PII events to #compliance",
      "condition": {
        "pii_detected": true
      },
      "notify": {
        "slack_webhook_url": "https://hooks.slack.com/services/.../compliance"
      }
    },
    {
      "name": "Production shell commands to #devops",
      "condition": {
        "action_contains": "shell_command",
        "risk_level_gte": "high"
      },
      "notify": {
        "slack_webhook_url": "https://hooks.slack.com/services/.../devops"
      }
    }
  ]
}
```
Condition reference
All conditions use AND logic — every specified condition must match for the alert to fire.
| Condition | Type | Example |
|---|---|---|
| risk_level_gte | string | "high" — matches high and critical |
| action_contains | string | "shell" — matches shell_command |
| pii_detected | bool | true — only PII events |
| agent_id_eq | string | "claude-code" — only this agent |
Next steps
- Configure paranoid mode — block risky actions, not just alert
- Policy system — full policy reference