Notification Channels
The central place to configure automated security alert delivery across Slack, Microsoft Teams, API Webhook, and Email, with a shared event subscription model.
Notification Channels is the central hub for automated security alerts. It lives at Alerts → Notification Channels in the portal.
Manage the channels used to send automated security alerts.
Four channel types ship by default. Each is configured independently and subscribes to the same event taxonomy, so you can route different event classes to different destinations.
The four channels
| Channel | Delivery |
|---|---|
| Slack | Incoming webhook to a Slack workspace, optional channel override. |
| Microsoft Teams | Incoming webhook to a Teams channel, optional channel override. |
| API Webhook | Signed JSON to any HTTPS endpoint, optional Authorization header. |
| Email | One or more recipient email addresses. |
Channel lifecycle
Each channel card has three actions:
| Action | What it does |
|---|---|
| Configure | Open the channel modal to set the destination and the event subscriptions. |
| Test | Send a synthetic alert to confirm delivery before relying on it. Available once configured. |
| Enable | Activate the channel. A configured-but-disabled channel keeps its settings but does not deliver. |
A channel shows Not Configured until you complete the Configure step.
Event taxonomy
Every channel subscribes to the same set of events. Check the events you want delivered to that channel. The Tag column is the category label shown in the portal.
| Event | Tag | Fires when |
|---|---|---|
| Scan Result | Scan | A scan completes (API Webhook channel). |
| New subdomain | New subdomain | Subdomain monitoring records a new subdomain. |
| New subdomain | Discovery | The discovery pipeline surfaces a new asset. |
| Sensitive Port | Security | A monitored sensitive port is detected open. |
| SSL Expiration | SSL | A monitored certificate crosses an expiry threshold. |
| Supply Chain Advisory | Supply Chain | Continuous Watch matches an advisory to a live SBOM. |
| Edge Threat Intelligence | Edge Intel | Edge Threat Radar raises a correlated event above the alert threshold. |
| Credential Exposure | Credential Exposure | Exposure Intelligence matches a leaked credential to a monitored domain. |
Route events deliberately. A common pattern:
| Channel | Subscribed events |
|---|---|
| #sec-ops Slack | Everything. |
| #sec-criticals Slack | Credential Exposure, Sensitive Port. |
| Email to the on-call DL | SSL Expiration, Supply Chain Advisory. |
| SIEM API Webhook | Scan Result, Edge Threat Intelligence, Credential Exposure, Supply Chain Advisory. |
Per-channel configuration
Slack
| Field | Notes |
|---|---|
| Webhook URL | The Slack incoming webhook URL. Masked; click Show to reveal. |
| Channel (optional) | Override the channel the webhook posts to. |
| Events to notify | Event subscription checkboxes. |
See Slack and Teams for the workspace setup.
Microsoft Teams
| Field | Notes |
|---|---|
| Webhook URL | The Teams incoming webhook URL. Masked; click Show. |
| Channel (optional) | Override the channel. |
| Events to notify | Event subscription checkboxes. |
API Webhook
| Field | Notes |
|---|---|
| Webhook Endpoint URL | Any HTTPS endpoint, e.g., https://example.com/webhook. |
| Authorization Header (optional) | A scheme dropdown (Bearer) plus a token. Sent on every delivery so your endpoint can authenticate WASViking. |
| Events to notify | Includes Scan Result, which the chat channels do not. |
Deliveries are signed. See Webhooks for the payload schema and signature verification, and SIEM for SIEM-specific receivers.
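A receiver-side check for the optional Authorization header described above, as an added example (not WASViking code): it rejects a delivery whose Bearer token does not match before the body is read. The token value, the size limit, and the names `bearer_ok`, `admission_status` and `AlertReceiver` are assumptions; signature verification follows the Webhooks page and is not shown.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed value: use the token entered in the channel's Authorization Header field.
EXPECTED_TOKEN = "example-token-constructed-for-this-demo"
MAX_BODY_BYTES = 1_000_000  # assumption: a generous upper bound for one alert


def bearer_ok(header_value, expected_token):
    """True only when the header is 'Bearer <token>' and the token matches."""
    if not header_value or not expected_token:
        return False  # missing header, or receiver configured with an empty token
    scheme, _, presented = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        return False  # e.g. Basic, or a bare token without a scheme
    # Compare as bytes in constant time so response timing does not leak the token.
    return hmac.compare_digest(presented.strip().encode(), expected_token.encode())


def admission_status(headers, expected_token=EXPECTED_TOKEN):
    """Decide the HTTP status for a delivery before its body is read or parsed."""
    if not bearer_ok(headers.get("Authorization"), expected_token):
        return 401
    try:
        length = int(headers.get("Content-Length", ""))
    except ValueError:
        return 411  # no usable Content-Length
    if not 0 <= length <= MAX_BODY_BYTES:
        return 413
    return 204


class AlertReceiver(BaseHTTPRequestHandler):
    def do_POST(self):
        status = admission_status(self.headers)
        if status == 204:
            body = self.rfile.read(int(self.headers["Content-Length"]))
            # Verify the delivery signature over `body` here, then parse the JSON.
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", "Bearer")
        self.end_headers()


if __name__ == "__main__":
    # Loopback only; terminate TLS in front of this, since the channel expects HTTPS.
    HTTPServer(("127.0.0.1", 8080), AlertReceiver).serve_forever()
```

The Test action on the channel card is a convenient way to confirm that a correctly configured delivery gets 204 and that a deliberately wrong token on the receiver gets 401.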
Email
| Field | Notes |
|---|---|
| Recipient Email(s) | One or more addresses, comma-separated. |
| Events to notify | Event subscription checkboxes. |
Email is routed through the canonical email pipeline (audited delivery), not raw SMTP.
Test before you rely on it
Every channel modal has a Test Integration button. Use it after Configure and after any subscription change. The test sends a synthetic payload shaped like a real event so your receiver logic (Slack format, webhook signature verification, email filters) actually runs against it.
Smart re-notify
Supply chain and edge correlation events re-fire only on meaningful state changes (KEV bump, severity escalation, fix availability for supply chain; threshold crossing for edge). This keeps the channel signal-only. See Supply Chain Intel and Edge Threat Radar.
Where it lives in the portal
- Alerts → Notification Channels: configure, test, enable the four channels.
- Alerts → History: delivery history per channel.
- Settings → System Settings → Notifications & Alerts: global thresholds (sensitive ports, SSL expiry advance windows, edge alert rules). See Sensitive Port Monitoring, Certificate Monitoring, and Edge Threat Radar for what each threshold controls.
