Slack & Teams Notifications¶
ARX integrates with Slack and Microsoft Teams to deliver real-time notifications for approval requests, drift alerts, and agent status changes. This guide covers configuring notification channels, supported event types, interactive approval buttons, webhook handlers, and Slack signature verification.
Supported Platforms¶
| Platform | channel_type |
Connection Methods |
|---|---|---|
| Slack | slack |
Bot token + channel ID, or incoming webhook URL |
| Microsoft Teams | teams |
Incoming webhook URL |
Configuring Notification Channels¶
All notification channel endpoints require the admin role and are accessed under /v1/settings/notifications.
List Channels¶
GET /v1/settings/notifications
Returns all configured notification channels for the organization.
Create a Channel¶
POST /v1/settings/notifications
Update a Channel¶
PUT /v1/settings/notifications/{channel_id}
Delete a Channel¶
DELETE /v1/settings/notifications/{channel_id}
Test a Channel¶
POST /v1/settings/notifications/{channel_id}/test
{
"message": "This is a test notification from ARXsec."
}
Configuring Slack¶
Option 1: Bot Token (Recommended)¶
Bot tokens provide richer functionality, including interactive messages and the ability to post to multiple channels.
- Create a Slack App at api.slack.com/apps.
- Under OAuth & Permissions, add the following bot scopes:
chat:write-- post messageschat:write.public-- post to channels the bot hasn't joined- Install the app to your workspace and copy the Bot User OAuth Token (
xoxb-...). - Note the Channel ID of the target channel (right-click the channel name in Slack and select "Copy link" -- the ID is in the URL).
{
"channel_type": "slack",
"name": "Security Alerts",
"config": {
"bot_token": "xoxb-your-bot-token",
"channel_id": "C0123456789"
},
"events": ["approval_request", "drift_alert", "agent_status"]
}
Option 2: Incoming Webhook¶
Incoming webhooks are simpler to set up but do not support interactive messages (approve/deny buttons).
- In your Slack workspace, navigate to Apps > Incoming Webhooks (or create a Slack App with incoming webhooks enabled).
- Create a webhook for the target channel and copy the webhook URL.
{
"channel_type": "slack",
"name": "Alerts Webhook",
"config": {
"webhook_url": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXX"
},
"events": ["drift_alert", "agent_status"]
}
Note: At least one of bot_token + channel_id or webhook_url is required. If neither is provided, the channel creation request is rejected.
Configuring Microsoft Teams¶
Incoming Webhook¶
- In Microsoft Teams, navigate to the target channel.
- Click the ... menu next to the channel name and select Connectors (or Manage channel > Connectors).
- Find Incoming Webhook and click Configure.
- Name the webhook (e.g., "ARX Notifications") and copy the webhook URL.
{
"channel_type": "teams",
"name": "Teams Security Alerts",
"config": {
"webhook_url": "https://outlook.office.com/webhook/..."
},
"events": ["approval_request", "drift_alert", "agent_status"]
}
A webhook_url is required for Teams channels.
Event Types¶
| Event | Description | Typical Use |
|---|---|---|
approval_request |
A new approval request requires review | Notify reviewers to approve or deny agent actions |
drift_alert |
Configuration drift detected | Alert security teams to investigate |
agent_status |
Agent status change (deployed, stopped, errored) | Keep operations teams informed |
Configure which events a channel receives using the events array. By default, new channels receive all three event types.
Interactive Approval Buttons¶
When an approval_request notification is sent to Slack (via bot token) or Teams, the message includes interactive approve/deny buttons. Reviewers can approve or deny the request directly from the messaging platform without opening the ARX console.
How It Works¶
- ARX sends a notification with approve and deny buttons attached.
- The reviewer clicks a button.
- Slack or Teams sends a callback to the ARX webhook endpoint.
- ARX processes the decision using the same validation logic as the REST API:
- Checks if the approval request is still pending (not already reviewed).
- Checks if the approval request has expired.
- Records the decision with the reviewer's name and source (Slack or Teams).
- Logs the action in the audit trail.
- The original message is replaced with the decision result.
Webhook Handlers¶
Slack Interactions¶
POST /v1/webhooks/slack/interactions
Slack sends interactive message callbacks as a URL-encoded payload field. ARX processes the following action IDs:
| Action ID | Decision |
|---|---|
approve_action / platform_approve |
Approved |
deny_action / platform_deny |
Denied |
view_console / platform_view_console |
No server action (URL button) |
After processing, ARX returns a replacement message showing the decision result:
- Approved:
:white_check_mark: **APPROVED** by <username> - Denied:
:x: **DENIED** by <username> - Error:
:warning: <error message>(e.g., "Already approved", "Approval request has expired")
Teams Interactions¶
POST /v1/webhooks/teams/interactions
Teams sends adaptive card Action.Submit callbacks as JSON. The action data includes:
| Field | Description |
|---|---|
action |
approve or deny |
approval_id |
The ID of the approval request |
After processing, ARX returns an updated Adaptive Card showing the decision result with appropriate color coding (green for approved, red for denied).
Slack Signature Verification¶
When SLACK_SIGNING_SECRET is configured, ARX verifies the authenticity of incoming Slack webhook requests using Slack's v0 signing scheme:
- ARX reads the
X-Slack-Request-TimestampandX-Slack-Signatureheaders. - If the timestamp is more than 5 minutes old, the request is rejected (replay protection).
- ARX computes
v0:<timestamp>:<body>and generates an HMAC-SHA256 signature using the signing secret. - The computed signature is compared against the provided
X-Slack-Signatureusing constant-time comparison. - If the signatures do not match, the request is rejected with
401 Unauthorized.
Set the signing secret via environment variable:
SLACK_SIGNING_SECRET=your-slack-signing-secret
The signing secret is found on your Slack App's Basic Information page under App Credentials.
Approval Processing Logic¶
Both Slack and Teams handlers route through a shared approval processing function that enforces:
- Existence check: Returns an error if the approval request is not found.
- Status guard: Returns an error if the request has already been reviewed.
- Expiry check: If the request has expired, it is marked as
expiredand an error is returned. - Decision recording: The status is updated to
approvedordenied, with the reviewer's name and source recorded inreview_notes. - Audit logging: The decision is logged with the
approval.reviewedaction type, including the risk score, reviewer name, and source platform.
Troubleshooting¶
| Symptom | Cause | Resolution |
|---|---|---|
400 channel_type must be 'slack' or 'teams' |
Invalid channel type | Use slack or teams. |
400 Slack channels require either bot_token + channel_id or webhook_url |
Missing Slack configuration | Provide either a bot token with channel ID or a webhook URL. |
| Test message fails | Invalid webhook URL or expired token | Verify the webhook URL is correct and the token has not been revoked. |
401 Invalid signature on Slack webhook |
Signing secret mismatch or clock skew | Verify SLACK_SIGNING_SECRET matches your Slack app. Ensure server clock is synchronized. |
| Approval button returns "Already approved" | Request was reviewed before button click | Inform the reviewer that the request was handled by another reviewer. |