Getting Started with Notifications

Overview: This guide walks you through setting up notifications in RunReveal, from creating notification channels to testing them and adding them to your detection rules so that you are notified when alerts are triggered.

What You’ll Learn

In this guide, you’ll learn how to:

Create notification channels in the UI
Test your notifications
View alert history
Add notifications to detection rules:
- Managed Detections - Out-of-the-box detections with default detection rules enabled. You can now add notification channels directly by clicking edit and choosing a channel from the dropdown.
- Custom Detections - Detections that you create or cloned detections.
- Sigma Streaming Detections - Add notification channels to your sigma streaming in YAML syntax.
- Detection as Code - Notifications for detection as code rules are not managed through the UI. See Detection as Code for information on managing notifications in your detection code.

Prerequisites

Before you begin, make sure you have:

Access to the RunReveal dashboard
Admin permissions (for creating notification channels)
The necessary credentials for your chosen notification platform (Slack, PagerDuty, etc.)

Steps:

1. Create a Notification Channel

Notification Channels Overview

Navigate to Notification Channels
1. Go to the RunReveal dashboard
2. Click on Notification Channels in the left sidebar
3. Click Create Notification Channel
Choose Your Notification Type
- Email: Simple email delivery
- Slack: Send to Slack channels
- PagerDuty: Incident management integration
- Jira: Issue tracking integration
- Webhooks: Custom HTTP endpoints
- Tines: Security automation platform
Configure the Notification Type
1. Give your channel a descriptive name (e.g., “DevOps Security Alerts - Slack”)
2. Input the required information (webhook URL, email address, integration keys, etc.)
Save the Notification Channel
1. Click Create Notification to save your notification channel
2. The channel will appear in your notifications list

2. Test Your Notification Channel

Send Test Notification
1. Click Send Test to trigger a test notification
2. This will send a sample alert to your notification channel to verify your configuration
Verify Delivery
1. Check your notification platform to confirm receipt of test notification

Test Notification

3. Add Notifications to Detections

When detection rules trigger alerts in RunReveal, they automatically send notifications to all configured notification channels associated with that detection. Each detection type has a different method for adding notification channels:

Managed Detections

Managed Detections Overview

You can now add notification channels directly to managed detections without cloning them first.

Edit the Managed Detection
1. Go to Detections → Detection Queries
2. Find the managed detection you want to add notifications to
3. Click Edit to modify the detection
Add Notification Channels
1. In the detection editor, scroll to Notification Channels section
2. Click to view a dropdown of available channels
3. Select your desired notification channel(s)
Save Changes
1. Click Save Detection to store your changes
2. The managed detection will now send notifications to your selected channel(s) when alerts are triggered

Managed detections can now be edited directly to add or remove notification channels without needing to clone them first.

Sigma Streaming Detections

Sigma detections use the notificationnames field in the YAML configuration to specify which notification channels should receive alerts.

Create or Edit Sigma Detection
1. Go to Detections → Sigma Streaming
2. Create a new sigma detection or edit an existing one
3. Open your sigma detection YAML file
Add Notification Channels to YAML
1. Add the notificationnames field to your sigma detection
2. List the exact names of your notification channels as an array
3. Ensure the channel names match exactly (case-sensitive)

Example Sigma Detection with Notifications

title: Detect Okta Authentication Failures
description: Detects failed Okta sign-in attempts
level: high
 
logsource:
  product: okta
 
detection:
  filter:
    eventType: user.session.start
    outcome.result: FAILURE
  condition: filter
 
# Add notification channels here
notificationnames:
  - "Security Alerts - Slack"
  - "Critical Alerts - Email"

Upload and Deploy
1. Save your sigma detection YAML file
2. Upload the file to RunReveal via the Sigma Streaming interface
3. The detection will now send notifications to the specified channels when triggered
Verify Configuration
1. Check that your notification channel names are spelled correctly
2. Test the sigma detection to ensure notifications are sent
3. Review the alert history to confirm delivery

🚫

The notificationnames field in sigma detections must exactly match the names of your notification channels (including case sensitivity). If the channel name doesn’t match, no notifications will be sent.

4. View Alert History

Alert History Overview

Note: Alert history shows notifications from real detection alerts, not test notifications sent from the notification channel test function.

Access History
1. In the Notification Channels page in the UI, click Alert History
2. Or utilize the History API for programmatic access
Review Notifications
1. View all sent notifications with timestamps
2. See delivery status (success/failed)
3. Check notification content and recipients
Troubleshoot Issues
1. Failed notifications will show error details
2. Use this information to fix configuration issues

Next Steps

Now that you have notifications set up, explore the detailed configuration guides:

Email Notifications - Simple email delivery setup
Slack Integration - Send alerts to Slack channels
PagerDuty Integration - Incident management integration
Jira Integration - Issue tracking integration
Webhooks - Custom HTTP endpoint integration
Tines Integration - Security automation platform
Notification Templates - Custom message formatting
History API - Programmatic access to notification history

Troubleshooting

Notifications Not Sending

Check channel configuration
Test Notification Channel
Verify platform credentials
Review alert history for error messages

Duplicate Notifications

Check rule notification settings
Ensure no overlapping rules
Review notification frequency settings

Sigma Rule Notifications Not Working

Verify notificationnames field spelling matches channel names exactly
Check that notification channels are active and tested
Ensure sigma rule is enabled and properly configured
Review sigma rule logs for any processing errors

Notifications Email Notifications