Integrations
Receive real-time alerts in:
Slack (webhook integration)
Webhooks (custom integrations)
Example Slack Alert
🚨 Critical Detection: python connected to attacker-c2.com
Cluster: k8s-prod • Policy: DropDomain
Severity: High • Auto-blocked in 0s
Real-time alerting lets your security team respond to an incident the moment it is detected, without waiting for someone to check the dashboard.
Slack Integration
Receive security alerts directly in your Slack channels.
Setup
Create Slack Webhook
Go to Slack API Apps
Create a new app or select existing
Enable Incoming Webhooks
Click Add New Webhook to Workspace
Select the channel (e.g., #security-alerts)
Copy the webhook URL
Configure in Garnet
Via Dashboard:
Navigate to Settings → Integrations
Click Add Integration → Slack
Paste your webhook URL
Select alert types to receive
Click Save
Via CLI:
garnetctl integrations add slack \
  --webhook https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXX \
  --channel "#security-alerts" \
  --severity critical,high
Via API:
curl -X POST https://api.garnet.ai/v1/integrations/slack \
  -H "Authorization: Bearer $GARNET_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "webhook_url": "https://hooks.slack.com/services/...",
    "channel": "#security-alerts",
    "alert_severities": ["critical", "high"],
    "include_metadata": true
  }'
Test the Integration
garnetctl integrations test slack
You should see a test message in your Slack channel:
✅ Garnet Integration Test
This is a test message from Garnet Security.
If you see this, your Slack integration is working correctly!
Alert Examples
Critical: Blocked Connection
🚨 Critical Security Alert
Type: Network Connection Blocked
Policy: DropDomain
Action: BLOCKED
Details:
• Destination: pool.xmrig.com
• Process: python3
• Repository: yourorg/api
• Workflow: build-and-test
• Commit: a1b2c3d
Time to Detect: 47s
Time to Respond: 0s
🔗 View Incident: https://dashboard.garnet.ai/incidents/inc_abc123
High: Supply Chain Attack
⚠️ High Severity Alert
Type: Supply Chain Attack Detected
Policy: Interpreter Shell Spawn
Action: BLOCKED
Details:
• Package: malicious-package@1.2.3
• Attempted: Spawn bash from postinstall script
• Repository: yourorg/frontend
• Branch: feature/new-dependency
🧠 AI Insight:
This package was published 2 days ago and has no download history.
Recommend removing from package.json.
🔗 View Details: https://dashboard.garnet.ai/incidents/inc_def456
Medium: Suspicious Activity
ℹ️ Medium Severity Alert
Type: Suspicious File Access
Policy: Protect Secrets
Action: OBSERVED (not blocked)
Details:
• File: /etc/passwd
• Process: cat
• Pod: api-server-7f8c9d6b5-xk2j4
• Namespace: production
📊 This is the 1st occurrence in the last 7 days.
🔗 View Event: https://dashboard.garnet.ai/events/evt_ghi789
Customizing Slack Alerts
Filter by Severity
# Only critical alerts
garnetctl integrations update slack --severity critical
# Critical and high
garnetctl integrations update slack --severity critical,high
# All severities
garnetctl integrations update slack --severity critical,high,medium,low
Filter by Policy
# Only specific policies
garnetctl integrations update slack \
--policies "DropDomain,Block Mining Pools"
Filter by Repository
# Only specific repositories
garnetctl integrations update slack \
--repositories "yourorg/api,yourorg/worker"
Filter and format options as a JSON configuration:
{
  "webhook_url": "https://hooks.slack.com/services/...",
  "format": {
    "include_metadata": true,
    "include_ai_insights": true,
    "include_remediation_steps": true,
    "color_by_severity": true
  },
  "filters": {
    "severities": ["critical", "high"],
    "scopes": ["cluster", "global"]
  }
}
Advanced Configuration
Multiple Channels
Route different alert types to different channels:
# Critical to #security-critical
garnetctl integrations add slack \
--name "critical-alerts" \
--webhook $CRITICAL_WEBHOOK \
--channel "#security-critical" \
--severity critical
# High/Medium to #security-alerts
garnetctl integrations add slack \
--name "standard-alerts" \
--webhook $STANDARD_WEBHOOK \
--channel "#security-alerts" \
--severity high,medium
# Low/Info to #security-logs
garnetctl integrations add slack \
--name "info-logs" \
--webhook $INFO_WEBHOOK \
--channel "#security-logs" \
--severity low
Alert Aggregation
Reduce noise with aggregation:
{
  "aggregation": {
    "enabled": true,
    "window": "5m",
    "group_by": ["policy", "repository"],
    "threshold": 3
  }
}
Result: Instead of 10 separate alerts, receive one aggregated alert:
🚨 10 Similar Alerts in the last 5 minutes
Policy: DropDomain
Repository: yourorg/api
Destination: pool.xmrig.com
All attempts were blocked automatically.
🔗 View All: https://dashboard.garnet.ai/incidents?policy=DropDomain&time=5m
Quiet Hours
Suppress non-critical alerts during off-hours:
{
  "quiet_hours": {
    "enabled": true,
    "schedule": "22:00-08:00",
    "timezone": "America/Los_Angeles",
    "suppress_severities": ["low", "medium"],
    "allow_critical": true
  }
}
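The schedule above crosses midnight, which is the case a naive `start <= t < end` check gets wrong. The following added example (written for this page, not Garnet's own implementation) shows the decision logic for the quiet_hours object, with the wrap-around handled and the configured IANA timezone applied before comparing wall-clock times. The `tz` override parameter, the `utc()` helper and the `FIXED_PST` constant are conveniences of this example so it can be exercised offline; nothing on this page defines them.

```python
from datetime import datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

# Same shape as the "quiet_hours" object on this page.
QUIET_HOURS = {
    "enabled": True,
    "schedule": "22:00-08:00",
    "timezone": "America/Los_Angeles",
    "suppress_severities": ["low", "medium"],
    "allow_critical": True,
}

# Fixed -08:00 offset used only for offline checks; production code should
# use ZoneInfo so daylight-saving transitions are handled.
FIXED_PST = timezone(timedelta(hours=-8))


def utc(year, month, day, hour, minute=0):
    """Build an aware UTC timestamp (webhook payloads use 'Z' stamps)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_schedule(spec):
    """'22:00-08:00' -> (time(22, 0), time(8, 0))."""
    start, end = spec.split("-")
    return time.fromisoformat(start), time.fromisoformat(end)


def in_quiet_window(local_time, schedule):
    """True if a local wall-clock time falls inside the schedule.

    When the end is earlier than the start (22:00-08:00) the window wraps
    past midnight, so the test becomes (t >= start) OR (t < end) rather than
    start <= t < end. Start is inclusive, end is exclusive.
    """
    start, end = parse_schedule(schedule)
    if start <= end:
        return start <= local_time < end
    return local_time >= start or local_time < end


def is_suppressed(alert_ts, severity, cfg, tz=None):
    """Decide whether quiet hours hold back an alert.

    alert_ts must be timezone-aware. Critical alerts always pass when
    allow_critical is set; severities not listed in suppress_severities are
    never held; everything else depends on the local time in the configured
    zone (or in `tz`, if given).
    """
    if not cfg.get("enabled"):
        return False
    sev = severity.lower()
    if sev == "critical" and cfg.get("allow_critical", True):
        return False
    if sev not in cfg["suppress_severities"]:
        return False
    if alert_ts.tzinfo is None:
        raise ValueError("alert timestamp must be timezone-aware")
    zone = tz or ZoneInfo(cfg["timezone"])
    local = alert_ts.astimezone(zone).time()
    return in_quiet_window(local, cfg["schedule"])


if __name__ == "__main__":
    # 07:30 UTC is 23:30 in Los Angeles in January: a medium alert is held.
    print(is_suppressed(utc(2024, 1, 15, 7, 30), "medium", QUIET_HOURS))
```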
Webhook Integration
For custom integrations (PagerDuty, OpsGenie, etc.):
garnetctl integrations add webhook \
--url https://your-webhook-endpoint.com/alerts \
--secret your-webhook-secret \
--severity critical,high
Payload format:
{
  "event_type": "incident.created",
  "timestamp": "2024-01-15T10:23:47Z",
  "incident": {
    "id": "inc_abc123",
    "severity": "critical",
    "policy": "DropDomain",
    "status": "blocked",
    "details": {
      "destination": "pool.xmrig.com",
      "process": "python3",
      "repository": "yourorg/api",
      "workflow": "build-and-test"
    },
    "metrics": {
      "ttd": 47,
      "ttr": 0
    },
    "dashboard_url": "https://dashboard.garnet.ai/incidents/inc_abc123"
  }
}
Verify webhook signature:
import hashlib
import hmac


def verify_signature(payload, signature, secret):
    """Check the HMAC-SHA256 signature sent with each webhook delivery.

    `payload` is the raw request body exactly as received (bytes, or the
    unmodified text). Do not re-serialise the parsed JSON: any change in key
    order or whitespace produces a different digest.
    """
    body = payload if isinstance(payload, bytes) else payload.encode()
    expected = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    # Constant-time comparison so an attacker cannot learn the digest via timing.
    return hmac.compare_digest(signature, f"sha256={expected}")
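The snippet above verifies one signature; what a receiving endpoint actually has to do is verify before parsing, reject on mismatch, and only then route the incident. The added example below (our illustration, not Garnet's or any on-call vendor's code) does that over the payload format documented above. Two things it assumes because the page does not state them: the signature is delivered in a header named X-Garnet-Signature formatted as sha256=<hex>, and the payload's own timestamp can be used as a replay bound. The severity-to-action table is also ours; the page only names PagerDuty and OpsGenie as possible targets.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# ASSUMPTIONS, not documented on this page: header name carrying the
# signature, and the tolerated age of a delivery before it is treated as a
# replay. Adjust both to what the product actually sends.
SIGNATURE_HEADER = "x-garnet-signature"
MAX_SKEW_SECONDS = 300

# Hypothetical routing table for an on-call tool (our choice, not Garnet's).
ROUTE = {"critical": "page", "high": "page", "medium": "ticket", "low": "log"}


def sign(body: bytes, secret: str) -> str:
    """Produce the 'sha256=<hex>' value the sender would attach."""
    return "sha256=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def verify(body: bytes, header_value: str, secret: str) -> bool:
    # MAC over the raw bytes; parsing and re-serialising would break it.
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(header_value, sign(body, secret))


def handle(headers: dict, body: bytes, secret: str, now=None):
    """Process one inbound delivery and return (http_status, result)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if not verify(body, hdrs.get(SIGNATURE_HEADER, ""), secret):
        return 401, {"error": "bad signature"}   # the sender sees 401 Unauthorized
    try:
        event = json.loads(body)
        sent = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
        inc = event["incident"]
        details = inc["details"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed payload"}
    now = now or datetime.now(timezone.utc)
    if abs((now - sent).total_seconds()) > MAX_SKEW_SECONDS:
        return 409, {"error": "stale delivery"}  # possible replay: log it, do not page
    return 200, {
        "event_type": event["event_type"],
        "incident_id": inc["id"],
        "action": ROUTE.get(inc["severity"], "log"),
        "summary": f'{inc["policy"]}: {details.get("process")} -> '
                   f'{details.get("destination")} ({inc["status"]})',
        "ttd": inc["metrics"]["ttd"],
        "link": inc["dashboard_url"],
    }


# Constructed delivery using the payload shape shown on this page.
SECRET = "your-webhook-secret"
SAMPLE_BODY = json.dumps({
    "event_type": "incident.created",
    "timestamp": "2024-01-15T10:23:47Z",
    "incident": {
        "id": "inc_abc123",
        "severity": "critical",
        "policy": "DropDomain",
        "status": "blocked",
        "details": {"destination": "pool.xmrig.com", "process": "python3",
                    "repository": "yourorg/api", "workflow": "build-and-test"},
        "metrics": {"ttd": 47, "ttr": 0},
        "dashboard_url": "https://dashboard.garnet.ai/incidents/inc_abc123",
    },
}).encode()
SAMPLE_HEADERS = {"X-Garnet-Signature": sign(SAMPLE_BODY, SECRET),
                  "Content-Type": "application/json"}
SAMPLE_NOW = datetime(2024, 1, 15, 10, 24, 0, tzinfo=timezone.utc)   # 13 s after send
SAMPLE_LATE = datetime(2024, 1, 15, 11, 0, 0, tzinfo=timezone.utc)   # 36 min after send

if __name__ == "__main__":
    print(handle(SAMPLE_HEADERS, SAMPLE_BODY, SECRET, now=SAMPLE_NOW))
```

Verify first and parse second: a JSON parser handed unauthenticated input is attack surface, and a 401 on mismatch is exactly the symptom the troubleshooting section below describes when the secret on the two sides has drifted.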
Testing Integrations
Send test alerts to verify configuration:
# Test Slack
garnetctl integrations test slack
# Test webhook
garnetctl integrations test webhook --url https://your-endpoint.com
Troubleshooting
Slack: Not receiving alerts
Checklist:
Debug:
garnetctl integrations list
garnetctl integrations test slack --debug
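When the test above produces nothing, the first question is whether Slack or the Garnet side is at fault. The added script below (ours, not part of the product) takes the webhook URL from the SLACK_WEBHOOK_URL environment variable, checks it for the copy-paste mistakes we see most often, and posts a message straight to Slack, bypassing Garnet entirely. The URL shape it validates is Slack's published incoming-webhook format; the environment variable name is our choice.

```python
import json
import os
import re
import sys
import urllib.error
import urllib.request

# Slack incoming-webhook URLs have a fixed shape: team id, app/bot id, token.
SLACK_WEBHOOK_RE = re.compile(
    r"^https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+$")


def check_webhook_url(url):
    """Return a list of problems found in the URL (empty means it looks valid)."""
    problems = []
    if url != url.strip():
        problems.append("leading/trailing whitespace (common when pasting from a chat)")
    u = url.strip()
    if u.startswith("http://"):
        problems.append("plain http: Slack webhooks are https only")
    if "..." in u:
        problems.append("URL still contains the '...' placeholder from the docs")
    if not SLACK_WEBHOOK_RE.match(u):
        problems.append("does not match https://hooks.slack.com/services/T.../B.../<token>")
    return problems


def redact(url):
    """Keep only the team id for logs: the full URL lets anyone post to the channel."""
    m = re.match(r"^https://hooks\.slack\.com/services/(T[A-Z0-9]+)/", url.strip())
    return f"https://hooks.slack.com/services/{m.group(1)}/B.../..." if m else "<not a slack webhook url>"


def post_test_message(url, text="Garnet integration check (sent directly, not via Garnet)"):
    """POST to Slack directly. Returns (http_status, response_body)."""
    req = urllib.request.Request(
        url.strip(), data=json.dumps({"text": text}).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


if __name__ == "__main__":
    url = os.environ.get("SLACK_WEBHOOK_URL", "")
    problems = check_webhook_url(url)
    if problems:
        print("webhook URL problems:", *problems, sep="\n  ")
        sys.exit(1)
    status, body = post_test_message(url)
    print(f"{redact(url)} -> HTTP {status}: {body}")
```

Slack answers `200 ok` when the message was delivered. A `404 no_service` means the webhook was deleted or the app uninstalled from the workspace, and `403 invalid_token` means the token segment is wrong; in both cases Garnet cannot deliver either and the fix is a new webhook URL, not a Garnet setting. Treat the URL as a credential throughout: it is the only thing needed to post into the channel, so rotate it if it has been pasted into a ticket or chat.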
Webhook: 401 Unauthorized
Issue: Webhook signature verification failing
Solution:
# Regenerate webhook secret
garnetctl integrations update webhook --regenerate-secret
# Update your endpoint with the new secret
Next Steps