# Alerts

### Slack Alert Integration <a href="#slack-alert-integration" id="slack-alert-integration"></a>

To enable Slack alerting in Highflame, you'll need to configure a Slack webhook to allow Highflame to send messages to your Slack channel.

> Need help creating a Slack webhook? Refer to the [Slack documentation](https://api.slack.com/messaging/webhooks) for step-by-step instructions on creating an incoming webhook.

**1. Navigate to the Integrations Page**

From the side navigation, select `Integrations`.

**2. Configure the Slack Integration**

Click on the Slack integration card and provide the required details, such as the webhook URL.

**3. Enable Slack in Threat Alerts**

To start receiving alerts in Slack:

* Go to the `Threat Alerts` page.
* Click `Manage Notification` for your desired gateway.
* Enable `Slack` to send alerts for that gateway.

### Splunk Alert Integration <a href="#splunk-alert-integration" id="splunk-alert-integration"></a>

To enable Splunk alerting in Highflame, you must configure the HTTP Event Collector (HEC) in Splunk. You'll need the following:

* Base URL of your HEC endpoint
* Authentication token
* A payload including required fields like `event` and `sourcetype`

> Need help setting up HEC in Splunk? Refer to the [Splunk HEC documentation](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector) for detailed instructions.

**1. Visit the Integrations Page:**

In the left-hand navigation panel, click on `Integrations`.

**2. Select the Splunk integration**

Click on the Splunk Integration card and fill in the following required fields: Endpoint, Token, Event, and Sourcetype.

* Endpoint: `https://<mysplunkserver.example.com>:<port>/services/collector/raw` (By default, the port is 8088.)
* Token: Your Splunk token, generated after configuring HEC.
* Event: You may set this to any descriptive value, for example: Highflame Trigger.
* Sourcetype: Your sourcetype configured during HEC setup (can be `manual`).

> Note: Ensure that the sourcetype value matches the one configured in your Splunk HEC setup.

**3. Go to the Threat Alerts Page:**

* Navigate to the `Threat Alerts` section.
* Click `Manage Notification` for your chosen gateway.
* Enable `Splunk` as the alert destination.

#### Advanced Configuration for Alerts

By default, alerts in Highflame are generated per gateway. However, for more granular control over when alerts should be triggered, Highflame also supports advanced configurations via the `trigger_condition` field in the alert integration configuration.

**Supported `trigger_condition` Fields**

The following fields are supported for fine-tuned alerting:

| Field             | Type  | Description                                                                                                                              |
| ----------------- | ----- | ---------------------------------------------------------------------------------------------------------------------------------------- |
| `threats`         | array | Specify one or more threat types (e.g., `["prompt_injection_detected", "jailbreak_detected"]`) to trigger alerts only for those threats. |
| `route_names`     | array | Specify one or more route names to restrict alerting to specific routes.                                                                 |
| `gateway_ids`     | array | Specify one or more gateway IDs. This is the default behavior in the UI.                                                                 |
| `application_ids` | array | Specify one or more application IDs to limit alerts to specific applications.                                                            |

Refer to the Shield API reference for the full list of supported threat types that can be used in the `trigger_condition.threats` array.

#### How to Configure <a href="#how-to-configure" id="how-to-configure"></a>

To apply `trigger_condition` filters, perform the following two operations, passing the desired `trigger_condition` in the request body of the second.

**1. Fetch Integration Details (GET Request)**

Retrieve the integration configuration for which you want to add a trigger specification. Note the `alert-id` from the response.

```
curl --location '<your_domain_url>/v1/admin/integrations/config' \
--header 'x-highflame-apikey: <highflame-api-key>'
```

**2. Update Integration with Trigger Condition (PUT Request)**

Use the `alert-id` obtained from the GET call and the full existing JSON configuration. Add or modify the `trigger_condition` field as needed.

> Note: Ensure you copy the full existing config and only append the `trigger_condition` block as required.

```
curl --location --request PUT '<your_domain_url>/v1/admin/integrations/config/<alert-id>' \
--header 'x-highflame-apikey: <highflame-api-key>' \
--header 'Content-Type: application/json' \
--data '{
    ...your_existing_config,
    "trigger_condition": {
        "threats": ["prompt_injection_detected", "jailbreak_detected"],
        "route_names": ["openai_gpt4_chat", "anthropic_claude"],
        "gateway_ids": ["gwy1"],
        "application_ids": ["app_xyz"]
    }
}'
```

> Note: All fields in `trigger_condition` are optional and can be used independently or in combination.
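
One way to build the PUT body safely, as an added example (not Highflame's own code): it validates a `trigger_condition` against the four fields in the table, copies the fetched config untouched, and reports which top-level keys changed. The sample config keys and the helper names are assumptions, since the GET response shape is not shown on this page.

```python
import copy
import json

# Filter fields from the table above; each one takes an array of strings.
SUPPORTED_FIELDS = {"threats", "route_names", "gateway_ids", "application_ids"}
MISSING = object()

# Constructed sample; the real GET response shape is not shown on this page.
SAMPLE_CONFIG = {
    "endpoint": "https://splunk.example.com:8088/services/collector/raw",
    "event": "Highflame Trigger",
    "sourcetype": "manual",
}


def validate_trigger_condition(cond):
    """List problems; empty arrays are rejected (an assumption of this example)."""
    if not isinstance(cond, dict):
        return ["trigger_condition must be a JSON object"]
    problems = []
    for key, value in cond.items():
        if key not in SUPPORTED_FIELDS:
            problems.append(f"unsupported field: {key}")
        elif not isinstance(value, list) or not value:
            problems.append(f"{key} must be a non-empty array")
        elif not all(isinstance(v, str) and v.strip() for v in value):
            problems.append(f"{key} must contain only non-empty strings")
    return problems


def build_put_body(existing_config, trigger_condition):
    """Copy the fetched config unchanged and set only trigger_condition."""
    problems = validate_trigger_condition(trigger_condition)
    if problems:
        raise ValueError("; ".join(problems))
    body = copy.deepcopy(existing_config)
    body["trigger_condition"] = copy.deepcopy(trigger_condition)
    return body


def changed_keys(before, after):
    """Top-level keys that differ; run this on any body before sending it."""
    keys = before.keys() | after.keys()
    return {k for k in keys if before.get(k, MISSING) != after.get(k, MISSING)}


if __name__ == "__main__":
    body = build_put_body(SAMPLE_CONFIG, {"threats": ["jailbreak_detected"]})
    print(json.dumps(body, indent=2))  # use as the --data payload of the PUT
```

If `changed_keys` returns anything other than `{"trigger_condition"}` for a hand-edited body, part of the existing config was altered or dropped before the PUT.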

#### Example Event Payload (Splunk) <a href="#example-event-payload-splunk" id="example-event-payload-splunk"></a>

```
{
    "Account ID": "<account-id>",
    "Gateway ID": "<gateway-id>",
    "Severity": "<severity>",
    "Route Name": "<route-name>",
    "Application ID": "<app-id>",
    "Threat ID": "<threat-id>",
    "Alert ID": "<alert-id>",
    "Detected Threats": [
        "Sensitive Data: Yes",
        "Restricted Keywords: Yes",
        "Regex Matches: [^.h.$]",
        "Data Blocked: Yes",
        "Sensitive Data Masked: Yes",
        "Prompt Injection: Yes",
        "Entropy Score: 0.93"
    ],
    "event": "<event-name>",
    "sourcetype": "<sourcetype>"
}
```
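
For consumers of these events, an added example (not part of the Highflame or Splunk tooling) that parses the `Detected Threats` strings into structured fields for triage rules. The sample event is constructed from the payload above, and the function names are hypothetical.

```python
import json

# Constructed sample modelled on the payload above; all values are made up.
SAMPLE_EVENT = json.dumps({
    "Gateway ID": "gwy1",
    "Severity": "high",
    "Route Name": "openai_gpt4_chat",
    "Detected Threats": [
        "Prompt Injection: Yes",
        "Data Blocked: Yes",
        "Regex Matches: [^.h.$]",
        "Entropy Score: 0.93",
        "malformed entry",
    ],
})


def parse_detected_threats(entries):
    """Split on the first ": " only; return (signals, details, unparsed)."""
    signals, details, unparsed = [], {}, []
    for entry in entries:
        name, sep, value = entry.partition(": ")
        if not sep or not name:
            unparsed.append(entry)
        elif value == "Yes":
            signals.append(name)
        elif name == "Entropy Score":
            try:
                details[name] = float(value)
            except ValueError:
                unparsed.append(entry)
        else:
            details[name] = value
    return signals, details, unparsed


def summarize_event(raw):
    """Reduce one alert event (JSON text) to the fields a triage rule needs."""
    event = json.loads(raw)
    threats = event.get("Detected Threats", [])
    signals, details, unparsed = parse_detected_threats(threats)
    return {
        "gateway": event.get("Gateway ID"),
        "route": event.get("Route Name"),
        "severity": event.get("Severity"),
        "signals": signals,
        "details": details,
        "unparsed": unparsed,
    }
```

Entries that do not match the `Name: Value` shape are returned in `unparsed` rather than dropped, so a format change in the alert payload shows up in triage instead of silently losing signals.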

