
Notifications

CHAD can notify external systems when alerts fire. This guide covers webhook configuration for Slack, Discord, and custom endpoints.

Webhook Overview

Webhooks send HTTP POST requests when events occur:
  • Alert fired - New detection triggered
  • Alert status changed - Status updated
  • System events - Health alerts, rule changes

Configuring Webhooks

Create a Webhook

  1. Navigate to Settings > Notifications
  2. Click Add Webhook
  3. Configure the webhook
  4. Save and test

Webhook Settings

| Setting | Description | Required |
|---------|-------------|----------|
| Name | Friendly name | Yes |
| URL | Webhook endpoint | Yes |
| Format | Payload format (JSON, Slack, Discord) | Yes |
| Events | Which events trigger the webhook | Yes |
| Headers | Custom HTTP headers | No |
| Secret | Signing secret for verification | No |

Payload Formats

JSON (Generic)

Standard JSON payload for custom integrations:
{
  "event": "alert.created",
  "timestamp": "2024-01-15T14:32:17Z",
  "alert": {
    "id": "abc-123",
    "rule_title": "Failed Login Attempt",
    "severity": "medium",
    "status": "new",
    "matched_at": "2024-01-15T14:32:15Z"
  },
  "rule": {
    "id": "def-456",
    "title": "Failed Login Attempt",
    "severity": "medium"
  },
  "context": {
    "source_ip": "192.168.1.50",
    "user": "admin",
    "host": "SERVER01"
  }
}

Slack Format

Formatted for Slack incoming webhooks:
{
  "text": "🚨 Alert: Failed Login Attempt",
  "blocks": [
    {
      "type": "section",
      "text": {
        "type": "mrkdwn",
        "text": "*Failed Login Attempt*\nSeverity: Medium\nSource: 192.168.1.50"
      }
    },
    {
      "type": "actions",
      "elements": [
        {
          "type": "button",
          "text": {"type": "plain_text", "text": "View Alert"},
          "url": "https://chad.example.com/alerts/abc-123"
        }
      ]
    }
  ]
}

Discord Format

Formatted for Discord webhooks:
{
  "content": "🚨 Security Alert",
  "embeds": [
    {
      "title": "Failed Login Attempt",
      "color": 16744448,
      "fields": [
        {"name": "Severity", "value": "Medium", "inline": true},
        {"name": "Source IP", "value": "192.168.1.50", "inline": true}
      ],
      "timestamp": "2024-01-15T14:32:17Z"
    }
  ]
}

Setting Up Slack

Create Incoming Webhook

  1. Go to your Slack workspace settings
  2. Navigate to Apps > Manage > Custom Integrations
  3. Click Incoming Webhooks
  4. Click Add to Slack
  5. Choose a channel
  6. Copy the webhook URL

Configure in CHAD

  1. Add webhook with Slack URL
  2. Select Slack format
  3. Choose events to notify
  4. Test the webhook

Setting Up Discord

Create Webhook

  1. Open Discord server settings
  2. Go to Integrations > Webhooks
  3. Click New Webhook
  4. Name it and choose channel
  5. Copy the webhook URL

Configure in CHAD

  1. Add webhook with Discord URL
  2. Select Discord format
  3. Choose events
  4. Test

Per-Rule Notifications

Disable Webhook per Rule

Some rules may be too noisy for notifications:
  1. Open the rule
  2. Click Settings
  3. Disable Send to webhook
  4. Save
The rule still detects and creates alerts, but won’t trigger webhook notifications.

Severity Filtering

Configure webhooks to only fire for certain severities:
  1. Edit the webhook
  2. Set Minimum Severity
  3. Only alerts at or above this level trigger notifications

Custom Headers

For authenticated endpoints:
Authorization: Bearer your-api-token
X-Custom-Header: your-value
Add headers in the webhook configuration.

Webhook Signing

Verify webhook authenticity with HMAC signing:
  1. Set a Secret in webhook config
  2. CHAD includes X-CHAD-Signature header
  3. Verify signature in your endpoint
Signature calculation:
HMAC-SHA256(secret, request_body)
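
A receiver-side check for step 3, as an added example that is not CHAD's own code: it recomputes HMAC-SHA256 over the raw request body, compares it to the X-CHAD-Signature value in constant time, and only then parses the JSON. Assumptions: the header carries the hex-encoded digest (this page does not state the encoding), the 80-minute freshness window on the payload's timestamp field is chosen here to outlast the retry schedule, and the function names, sample secret and sample body are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed replay window: the retry delays on this page sum to 72.5 minutes,
# and a retried delivery may carry the original timestamp. Not a CHAD setting.
MAX_AGE = timedelta(minutes=80)

# Constructed sample data for the demo below (not real CHAD output).
SAMPLE_SECRET = b"constructed-example-secret"
SAMPLE_BODY = (b'{"event": "alert.created", "timestamp": "2024-01-15T14:32:17Z", '
               b'"alert": {"id": "abc-123", "severity": "medium"}}')


def expected_signature(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256(secret, request_body); hex encoding is an assumption."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, signature: Optional[str],
                   now: datetime) -> dict:
    """Return the parsed payload, or raise ValueError if it must be rejected."""
    if not signature:
        raise ValueError("missing X-CHAD-Signature header")
    # MAC the raw bytes as received; re-serialised JSON would not match.
    want = expected_signature(secret, body).encode()
    # compare_digest is constant-time, so timing does not leak the digest.
    if not hmac.compare_digest(want, signature.strip().lower().encode()):
        raise ValueError("signature mismatch")
    try:
        payload = json.loads(body)  # parse only after authentication
        sent = datetime.fromisoformat(payload["timestamp"].replace("Z", "+00:00"))
        age = abs(now - sent)
    except (KeyError, TypeError, AttributeError, ValueError):
        raise ValueError("missing or malformed timestamp")
    # The signature covers the body only, so bound replay of a captured request.
    if age > MAX_AGE:
        raise ValueError("stale timestamp")
    return payload


if __name__ == "__main__":
    now = datetime(2024, 1, 15, 14, 33, tzinfo=timezone.utc)
    sig = expected_signature(SAMPLE_SECRET, SAMPLE_BODY)
    print(verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, sig, now)["alert"]["id"])
```

Pass the body exactly as read from the socket; most web frameworks expose it separately from the parsed JSON object.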

Retry Logic

Failed webhooks are retried:
| Attempt | Delay |
|---------|-------|
| 1st retry | 30 seconds |
| 2nd retry | 2 minutes |
| 3rd retry | 10 minutes |
| Final retry | 1 hour |
After 4 failures, the notification is dropped and logged.

Event Types

| Event | Description |
|-------|-------------|
| alert.created | New alert fired |
| alert.status_changed | Alert status updated |
| alert.comment_added | Comment added to alert |
| rule.deployed | Rule deployed |
| rule.undeployed | Rule undeployed |
| health.alert | Health threshold exceeded |
| system.error | System error occurred |

Testing Webhooks

Before relying on webhooks:
  1. Click Test on the webhook
  2. CHAD sends a test payload
  3. Verify receipt in your system

Monitoring Webhooks

View webhook delivery status:
  1. Go to Settings > Notifications
  2. Click the webhook
  3. View Delivery Log
  4. See success/failure history

Troubleshooting

Webhook not firing

  1. Check webhook is enabled
  2. Verify event type is selected
  3. Check rule has notifications enabled
  4. Review delivery log for errors

Authentication errors

  1. Verify URL is correct
  2. Check custom headers
  3. Test endpoint with curl

Timeout errors

  1. Your endpoint may be slow
  2. Webhook timeout is 30 seconds
  3. Optimize your endpoint

Invalid payload

  1. Check format matches endpoint expectations
  2. Try generic JSON format
  3. Verify field mappings

Best Practices

Don’t send low-severity alerts to high-visibility channels.
Always test webhooks before relying on them.
Regularly check delivery logs for failures.
Enable webhook signing for security.
