# Slack Integration

Receive real-time detection alerts in your Slack channels to keep your security team informed.

## Prerequisites

- A Slack workspace
- Permission to create apps or incoming webhooks
- A channel for alerts

## Setting Up Slack Webhook

### Option 1: Incoming Webhook (Simplest)

- Go to Slack API: Incoming Webhooks
- Click Create your Slack app
- Choose From scratch
- Name your app (e.g., “WebDecoy Alerts”)
- Select your workspace
- Go to Incoming Webhooks in the sidebar
- Toggle Activate Incoming Webhooks to On
- Click Add New Webhook to Workspace
- Select the channel for alerts
- Copy the webhook URL

### Option 2: Slack App (More Control)

- Go to Slack API
- Click Create New App
- Choose From scratch
- Name it “WebDecoy” and select workspace
- Go to OAuth & Permissions
- Add scopes:
  - `chat:write`
  - `chat:write.public` (optional, for any channel)
- Install to workspace
- Copy the Bot User OAuth Token

## Configuring in WebDecoy

- Go to Integrations → Slack
- Click Add Slack Integration
- Enter:

  | Field | Description |
  |---|---|
  | Name | Integration name (e.g., “Security Alerts”) |
  | Webhook URL | Slack webhook URL |
  | Channel | Target channel name (for display only) |

- Configure notifications:

  | Setting | Description |
  |---|---|
  | Alert on all detections | Every detection |
  | Alert on high risk only | Score >= 70 |
  | Alert on blocks | When IPs are blocked |

- Click Create

## Notification Settings

### Alert Levels

| Level | Score Range | Default Notification |
|---|---|---|
| MINIMAL | 0-20 | No alert |
| LOW | 21-40 | No alert |
| MEDIUM | 41-60 | Optional |
| HIGH | 61-80 | Yes |
| CRITICAL | 81-100 | Yes |

### Recommended Settings

For active monitoring:
- Alert on high risk only (reduces noise)
- Enable block notifications
For high-security environments:
- Alert on all detections
- Enable all notification types
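The level mapping and the three notification settings described above, worked through as routing logic so the thresholds can be checked against concrete scores. This is an added example, not WebDecoy's own code: the `SlackIntegration` class, the event dictionaries and the two sample integrations (one per recommended profile) are assumptions made for the example.

```python
"""Alert levels and notification routing as described on this page.

Added example, not WebDecoy's own code. The score ranges and the three
notification settings are the page's; the event dictionaries and the
SlackIntegration class are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Score ranges from the Alert Levels table: (inclusive upper bound, level name).
LEVELS = [(20, "MINIMAL"), (40, "LOW"), (60, "MEDIUM"), (80, "HIGH"), (100, "CRITICAL")]

# "Alert on high risk only" is defined above as score >= 70, which cuts
# through the HIGH band (61-80) rather than starting at its lower edge.
HIGH_RISK_THRESHOLD = 70


def alert_level(score: int) -> str:
    """Map a 0-100 threat score onto the level names from the table."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    for upper, name in LEVELS:
        if score <= upper:
            return name
    raise AssertionError("unreachable: LEVELS covers 0-100")


@dataclass(frozen=True)
class SlackIntegration:
    """One configured Slack integration with its three notification toggles."""
    name: str
    channel: str
    alert_all_detections: bool = False
    alert_high_risk_only: bool = False
    alert_on_blocks: bool = False


def should_notify(integration: SlackIntegration, event: dict) -> bool:
    """Decide whether one integration receives an event.

    Assumed event shapes: {"type": "detection", "score": int, ...}
    and {"type": "block", ...}.
    """
    if event["type"] == "block":
        return integration.alert_on_blocks
    if event["type"] == "detection":
        if integration.alert_all_detections:
            return True
        if integration.alert_high_risk_only:
            return event["score"] >= HIGH_RISK_THRESHOLD
        return False
    return False  # unknown event types are never forwarded


def route(event: dict, integrations: list[SlackIntegration]) -> list[str]:
    """Return the names of the integrations that should receive `event`."""
    return [i.name for i in integrations if should_notify(i, event)]


# The two profiles from "Recommended Settings", constructed for this example.
ACTIVE_MONITORING = SlackIntegration("Security Alerts", "#security-alerts",
                                     alert_high_risk_only=True, alert_on_blocks=True)
HIGH_SECURITY = SlackIntegration("All Detections", "#webdecoy-all",
                                 alert_all_detections=True, alert_high_risk_only=True,
                                 alert_on_blocks=True)

if __name__ == "__main__":
    for score in (15, 55, 65, 85):
        hit = route({"type": "detection", "score": score}, [ACTIVE_MONITORING, HIGH_SECURITY])
        print(f"score {score:3d} -> {alert_level(score):8s} -> {hit}")
```

Note the gap the example makes visible: a detection scoring 61 to 69 is labelled HIGH by the table but does not reach the "high risk only" integration, because that setting fires at 70. If you want every HIGH detection in the channel, use "Alert on all detections" on a quieter channel or accept the threshold.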

## Slack Message Format

### Detection Alert

```text
🚨 WebDecoy Alert
Threat Detected: Decoy Link Triggered
• IP: 192.168.1.100
• Score: 85 (CRITICAL)
• Source: Admin Backup Trap
• Path: /admin/backup.zip
• Location: New York, US
• MITRE: Reconnaissance (TA0043)
• Bot Score: 92%
[View Detection] [Block IP]
```

### Block Notification

```text
🛡️ IP Blocked
An IP has been blocked by Cloudflare integration.
• IP: 192.168.1.100
• Reason: High-risk detection
• Duration: 24 hours
• Detection: det_abc123
[View Details] [Unblock]
```

## Multiple Channels

You can create multiple Slack integrations for different purposes:
| Integration | Channel | Settings |
|---|---|---|
| Security Alerts | #security-alerts | High risk only |
| All Detections | #webdecoy-all | All detections |
| Blocks | #ip-blocks | Block notifications only |
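The detection alert and block notification shown under Slack Message Format, built as Slack Block Kit payloads together with the two delivery paths the setup section describes: Option 1 (incoming webhook) and Option 2 (bot token with `chat:write`). This is an added example, not WebDecoy's own code: the Block Kit layout, the emoji per level, `DASHBOARD_BASE`, the `action_id` values and the sample detection dictionary are assumptions built from the sample text above.

```python
"""Build and deliver the detection alert and block notification shown above.

Added example, not WebDecoy's own code. The bullet fields mirror the sample
messages; the Block Kit layout, the emoji per level, the dashboard URL and
the action_id values are assumptions made for this example.
"""
from __future__ import annotations

import json
import urllib.request
from urllib.parse import urlparse

DASHBOARD_BASE = "https://webdecoy.example/detections"  # placeholder, not a real host
LEVEL_EMOJI = {"HIGH": "⚠️", "CRITICAL": "🚨"}           # assumed emoji per level


def _bullets(pairs: list[tuple[str, str]]) -> str:
    """Render label/value pairs as the bullet lines used in the samples."""
    return "\n".join(f"• {label}: {value}" for label, value in pairs)


def _button(label: str, **extra) -> dict:
    return {"type": "button", "text": {"type": "plain_text", "text": label}, **extra}


def detection_alert(d: dict) -> dict:
    """Webhook payload for a detection; `d` carries the fields of the sample."""
    emoji = LEVEL_EMOJI.get(d["level"], "🔔")
    body = _bullets([
        ("IP", d["ip"]),
        ("Score", f"{d['score']} ({d['level']})"),
        ("Source", d["source"]),
        ("Path", d["path"]),
        ("Location", d["location"]),
        ("MITRE", d["mitre"]),
        ("Bot Score", f"{d['bot_score']}%"),
    ])
    return {
        # "text" is the notification fallback; "blocks" is what renders in-channel.
        "text": f"{emoji} WebDecoy Alert: {d['title']} ({d['ip']}, score {d['score']})",
        "blocks": [
            {"type": "header", "text": {"type": "plain_text", "text": f"{emoji} WebDecoy Alert"}},
            {"type": "section", "text": {"type": "mrkdwn",
                                         "text": f"*Threat Detected:* {d['title']}\n{body}"}},
            {"type": "actions", "elements": [
                _button("View Detection", url=f"{DASHBOARD_BASE}/{d['detection_id']}"),
                _button("Block IP", style="danger", action_id="block_ip", value=d["ip"]),
            ]},
        ],
    }


def block_notification(b: dict) -> dict:
    """Webhook payload for the "IP Blocked" message."""
    body = _bullets([("IP", b["ip"]), ("Reason", b["reason"]),
                     ("Duration", b["duration"]), ("Detection", b["detection_id"])])
    return {
        "text": f"🛡️ IP Blocked: {b['ip']} ({b['reason']})",
        "blocks": [
            {"type": "header", "text": {"type": "plain_text", "text": "🛡️ IP Blocked"}},
            {"type": "section", "text": {"type": "mrkdwn",
                                         "text": f"An IP has been blocked by Cloudflare integration.\n{body}"}},
            {"type": "actions", "elements": [
                _button("View Details", url=f"{DASHBOARD_BASE}/{b['detection_id']}"),
                _button("Unblock", action_id="unblock_ip", value=b["ip"]),
            ]},
        ],
    }


def is_slack_webhook_url(url: str) -> bool:
    """Only post to Slack's own webhook host over TLS; the URL is a credential."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname == "hooks.slack.com" and p.path.startswith("/services/")


def post_webhook(url: str, payload: dict, timeout: float = 5.0) -> str:
    """Option 1 delivery: POST to an incoming webhook. Slack replies with "ok"."""
    if not is_slack_webhook_url(url):
        raise ValueError("refusing to post: not a https://hooks.slack.com/services/... URL")
    req = urllib.request.Request(url, data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def post_as_bot(token: str, channel: str, payload: dict, timeout: float = 5.0) -> dict:
    """Option 2 delivery: chat.postMessage with the bot token (needs chat:write)."""
    req = urllib.request.Request(
        "https://slack.com/api/chat.postMessage",
        data=json.dumps({"channel": channel, **payload}).encode("utf-8"),
        headers={"Content-Type": "application/json; charset=utf-8",
                 "Authorization": f"Bearer {token}"},
        method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())  # {"ok": false, "error": "channel_not_found"} on a bad channel


# Sample detection constructed from the message shown above.
SAMPLE_DETECTION = {
    "detection_id": "det_abc123", "title": "Decoy Link Triggered", "ip": "192.168.1.100",
    "score": 85, "level": "CRITICAL", "source": "Admin Backup Trap", "path": "/admin/backup.zip",
    "location": "New York, US", "mitre": "Reconnaissance (TA0043)", "bot_score": 92,
}

if __name__ == "__main__":
    print(json.dumps(detection_alert(SAMPLE_DETECTION), indent=2, ensure_ascii=False))
```

Two points worth knowing before wiring this up. A plain incoming webhook can render the `url` button (View Detection opens the dashboard) but cannot receive the click on Block IP or Unblock; those need the Slack app's Interactivity setting enabled with a request URL that the backend handles, which this example assumes. And the webhook URL is a secret: anyone holding it can post into the channel, so keep it in a secrets store rather than in configuration files, and only ever send it to `hooks.slack.com` over HTTPS, which `is_slack_webhook_url` enforces before each post.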

## Interactive Messages

Slack messages include action buttons:

### View Detection

Opens the detection details in WebDecoy dashboard.

### Block IP

Quickly block an IP without leaving Slack:
- Click Block IP
- Select duration (1h, 24h, 7d, 30d)
- IP is blocked via Cloudflare integration
Note: the Block IP button requires the Cloudflare integration to be configured.

## Customizing Messages

### Message Components

| Component | Included |
|---|---|
| Threat level emoji | ✅ |
| IP address | ✅ |
| Threat score | ✅ |
| Detection source | ✅ |
| Request path | ✅ |
| GeoIP location | ✅ |
| MITRE tactic | ✅ |
| Bot score | ✅ |
| Action buttons | ✅ |

## Rate Limiting

To prevent alert fatigue, WebDecoy implements:
- Deduplication: Same IP won’t trigger multiple alerts within 5 minutes
- Batching: High-volume periods may batch alerts
- Throttling: Max 60 messages per minute per integration
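The three rate-limiting rules above, modelled as a gate you can run events through with explicit timestamps. This is an added example, not WebDecoy's own code: the 5-minute and 60-per-minute figures are the page's, but holding overflow back as a digest that is released once the window has room is an assumption, since the page does not say how batching works.

```python
"""Deduplication and throttling as described under Rate Limiting.

Added example, not WebDecoy's own code. The two windows (5 minutes per IP,
60 messages per minute per integration) are the page's figures; treating
overflow as a batch that is released later is an assumption, since the page
does not say how batching works.
"""
from __future__ import annotations

from collections import deque

DEDUP_WINDOW = 300.0    # seconds: the same IP is not alerted on twice within 5 minutes
THROTTLE_WINDOW = 60.0  # seconds
THROTTLE_MAX = 60       # messages per window, per integration


class AlertGate:
    """Per-integration gate: call admit() for every candidate alert."""

    def __init__(self) -> None:
        self._last_seen: dict[str, float] = {}   # ip -> time of last alert sent or batched
        self._sent: deque[float] = deque()       # send timestamps inside the throttle window
        self._batch: list[dict] = []             # alerts held back by the throttle

    def _prune(self, now: float) -> None:
        while self._sent and now - self._sent[0] >= THROTTLE_WINDOW:
            self._sent.popleft()

    def admit(self, event: dict, now: float) -> str:
        """Return "send", "dedup" or "batched" for an event seen at time `now`.

        `now` is a monotonic timestamp in seconds, passed in so the logic is
        testable; event["ip"] is the key used for deduplication.
        """
        ip = event["ip"]
        last = self._last_seen.get(ip)
        if last is not None and now - last < DEDUP_WINDOW:
            return "dedup"
        self._last_seen[ip] = now
        self._prune(now)
        if len(self._sent) >= THROTTLE_MAX:
            self._batch.append(event)   # over the limit: hold for a digest message
            return "batched"
        self._sent.append(now)
        return "send"

    def flush_batch(self, now: float) -> list[dict] | None:
        """Release held alerts as one digest once the window has room, else None."""
        self._prune(now)
        if not self._batch or len(self._sent) >= THROTTLE_MAX:
            return None
        digest, self._batch = self._batch, []
        self._sent.append(now)   # the digest itself counts as one message
        return digest


if __name__ == "__main__":
    gate = AlertGate()
    print(gate.admit({"ip": "192.0.2.10"}, now=0.0))    # send
    print(gate.admit({"ip": "192.0.2.10"}, now=120.0))  # dedup (within 5 minutes)
    print(gate.admit({"ip": "192.0.2.10"}, now=300.0))  # send (window expired)
```

Keying deduplication on the IP alone means a second, different decoy hit from the same address inside the window is silent; if that matters for your triage, key on `(ip, source)` instead. Whatever is suppressed should still be written to the detection log so the Slack channel is a summary, never the only record.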

## Best Practices

- ✅ Use a dedicated channel for alerts
- ✅ Start with “high risk only” and adjust
- ✅ Set up multiple integrations for different alert levels
- ✅ Include relevant team members in the channel
- ✅ Configure channel notifications appropriately

### Don’ts

- ❌ Send all detections to a busy channel
- ❌ Ignore alert fatigue (reduce noise)
- ❌ Use a personal DM (use a channel)
- ❌ Forget to test the integration

## Troubleshooting

### Messages Not Appearing

- Verify webhook URL is correct
- Check integration is enabled in WebDecoy
- Verify channel exists and app has access
- Test with WebDecoy’s test button
- Check Slack app permissions

### “channel_not_found” Error

- Ensure the app is in the channel
- For private channels, invite the app first
- Verify channel name is spelled correctly

### Rate Limited

- Check Slack API rate limits
- Reduce notification frequency
- Use “high risk only” setting
- Consider batching alerts

### Buttons Not Working

- Ensure you’re logged into WebDecoy
- Check browser allows popups
- Verify WebDecoy session is active

## Next Steps

- Cloudflare - Automatic IP blocking
- Webhooks - Custom event processing
- Overview - All integrations