Creating a Slack Webhook
- Navigate to Slack API – Your Apps (https://api.slack.com/apps)
- Select Create New App → From scratch, then provide an application name and choose the appropriate workspace.
- Once the application is created, open the Incoming Webhooks section and enable the feature by toggling the switch to On.
- Click Add New Webhook to Workspace, then select the channel where alerts should be posted.
- After the webhook is created, copy the generated URL. It will look similar to: https://hooks.slack.com/services/T00000/zzzzzzzzzz. Treat this URL as a secret: anyone who has it can post messages to the channel.

Sending a Basic Test Message
You can test the webhook using curl:

```bash
curl -X POST -H 'Content-type: application/json' \
  --data '{"text":"Hello from Sycope 👋"}' \
  https://hooks.slack.com/services/T00000/zzzzzzzzzz
```

The test message appears immediately in the chosen channel.

Formatting Alerts with Blocks and Dividers
Slack messages can be structured with Block Kit, which supports headers, sections, fields, context, and buttons. This allows us to present Sycope alerts in a clean, human-friendly format. To make alerts instantly recognizable, we recommend mapping severity levels to emoji icons:
| Sycope Threshold Level | Emoji | Example in Slack |
|---|---|---|
| Critical | :red_circle: | 🔴 Critical |
| Major | :warning: | ⚠️ Major |
| Minor | :large_blue_circle: | 🔵 Minor |
The example below demonstrates an alert message that includes the Rule Type, Alert Name, Client IP, Server IP, Timestamp, and Severity, along with a “View in Sycope” button for direct access to the alert details within Sycope.
Within Slack, users can create threads on an alert message to collaborate, acknowledge the alert, and assign responsibility to a specific team member. This approach leverages the strengths of both Sycope and Slack, enhancing team efficiency and improving incident response workflows.

Creating a New External Action for Alerts
You can configure a new external action in Sycope, which may be triggered manually (by right-clicking an active alert) or automatically (by assigning it to a specific rule).
- Navigate to Settings → Integrations → External Destination in the Sycope web interface.
- Click Add External Destination.
- Select Type: Rest Client.
- Complete the configuration form using the example provided below (including Custom Payload).
- Click Save to finalize the setup.

A complete example of a custom payload is available in the payload_example.json file in the slack folder: https://github.com/SycopeSolutions/Integrations/blob/main/webhooks/slack/payload_example.json. You can copy and paste it directly or adjust it to meet your specific requirements. In the Edit External Destination form, you can select Placeholders to view all available dynamic values. These placeholders are automatically populated with data when the action is executed.
In addition to the built-in placeholders, users also have access to custom result values from triggered alerts. For example, to reference the serverIp value from an active alert, use the following placeholder: [(${result.serverIp})]
Users can reference any available value through the result object. The corresponding field names can be identified in the Alerts dashboards by enabling the “Show raw field names” option.

To view the full details of an active alert, users can click “View in Sycope”, which redirects them to the Alerts dashboard with the corresponding AlertId automatically applied as a filter. Please note that the button can be configured to open any dashboard or view, depending on your requirements.
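The Block Kit layout from the formatting section and the placeholder substitution described above, as an added Python example (not Sycope's own code and not the repository's payload_example.json): it fills a Block Kit template containing [(${result.field})] placeholders from a constructed alert result, maps severity to the emoji in the table, and escapes alert-derived values so that a quote, `<` or `&` in a field cannot break the JSON or inject Slack formatting. Only result.serverIp and the "View in Sycope" button come from the page; the other result field names, severityEmoji, viewUrl and the escaping rule are assumptions made for this example.

```python
"""Render a Sycope alert as a Slack Block Kit message from a template with placeholders."""
import json
import re
# Severity -> emoji mapping from the table above.
SEVERITY_EMOJI = {"Critical": ":red_circle:", "Major": ":warning:", "Minor": ":large_blue_circle:"}
# Placeholder syntax as shown on this page, e.g. [(${result.serverIp})].
PLACEHOLDER = re.compile(r"\[\(\$\{([\w.]+)\}\)\]")

# Block Kit template. Only result.serverIp comes from the page; the other result field
# names, severityEmoji and viewUrl are assumptions made for this example.
TEMPLATE = """{
  "blocks": [
    {"type": "header", "text": {"type": "plain_text",
      "text": "[(${severityEmoji})] [(${result.severity})] - [(${result.alertName})]"}},
    {"type": "section", "fields": [
      {"type": "mrkdwn", "text": "*Rule Type:*\\n[(${result.ruleType})]"},
      {"type": "mrkdwn", "text": "*Client IP:*\\n[(${result.clientIp})]"},
      {"type": "mrkdwn", "text": "*Server IP:*\\n[(${result.serverIp})]"},
      {"type": "mrkdwn", "text": "*Timestamp:*\\n[(${result.timestamp})]"}]},
    {"type": "divider"},
    {"type": "actions", "elements": [{"type": "button",
      "text": {"type": "plain_text", "text": "View in Sycope"}, "url": "[(${viewUrl})]"}]}
  ]
}"""

def lookup(context, path):
    """Walk a dotted path such as result.serverIp through nested dicts."""
    value = context
    for key in path.split("."):
        value = value[key]
    return value

def escape_value(value, mrkdwn=True):
    """JSON-escape an alert value; for alert-derived text also escape &, <, > per Slack's rules."""
    text = json.dumps(str(value))[1:-1]
    if mrkdwn:
        text = text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    return text

def build_payload(alert, view_url):
    """Return the Slack payload (dict) for one alert result and its View in Sycope URL."""
    context = {"result": alert, "viewUrl": view_url,
               "severityEmoji": SEVERITY_EMOJI.get(alert["severity"], ":white_circle:")}
    def fill(m):  # values taken from the alert get the &<> escaping; trusted inputs do not
        return escape_value(lookup(context, m.group(1)), mrkdwn=m.group(1).startswith("result."))
    return json.loads(PLACEHOLDER.sub(fill, TEMPLATE))

# Constructed sample alert result, not real Sycope data.
SAMPLE_ALERT = {"severity": "Critical", "alertName": "Port scan detected", "ruleType": "Behavioral",
                "clientIp": "10.0.0.23", "serverIp": "10.0.5.7", "timestamp": "2024-01-01T12:00:00Z"}
```

POST the dict returned by build_payload as JSON to the webhook URL, exactly as the curl test above does with its text payload.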

Best Practices
We recommend the following best practices for an effective team workflow.
- Use dedicated channels (e.g. #security-alerts, #network-ops) to avoid noise.
- Choose the right fields for the specific team so that engineers can triage alerts directly inside Slack.
- Group related fields into columns using fields blocks.
- Always include a link back to Sycope for quick root-cause analysis.
- Use emojis for severity and system type to increase readability.
Conclusion
By integrating Sycope with Slack via webhooks, you bring network observability into your collaboration hub. Alerts are delivered in real time, formatted with context, and linked back to Sycope dashboards for investigation.
This setup enhances responsiveness, improves incident handling, and helps teams act on behavioral threat detections, rogue device alerts, and anomaly detection without delay.
FAQ
Navigate to Slack API – Your Apps, select Create New App → From scratch, provide an application name and choose the appropriate workspace. Once the application is created, open the Incoming Webhooks section and enable it by toggling the switch to On. Click Add New Webhook to Workspace and select the channel where alerts should be posted. Copy the generated URL.
You can test the webhook using curl with the following command: curl -X POST -H 'Content-type: application/json' --data '{"text":"Hello from Sycope 👋"}' https://hooks.slack.com/services/T00000/zzzzzzzzzz
Use dedicated channels to avoid noise, choose the right fields for specific teams, group related fields into columns, always include a link back to Sycope, and use emojis for severity and system type to increase readability.
Block Kit is a UI framework for Slack that allows structuring messages with headers, sections, fields, context, and buttons, making alerts more organized and easily understandable. It enables users to map severity levels to emoji icons for better recognition.
Navigate to Settings → Integrations → External Destination in Sycope, click Add External Destination, select Type: Rest Client, complete the configuration form using the provided example, and click Save. You can also use custom payloads and reference dynamic values using placeholders to tailor the alerts.