Notifications & Integrations
Route enforcement events and policy violations to Slack, SIEM, PagerDuty, Jira, or any HTTP endpoint — triggered per policy rule, so the right team gets the right alerts.
Supported Channels
| Channel | Description |
|---|---|
| Slack | Post violation alerts to channels with configurable message format |
| Microsoft Teams | Send cards to Teams channels or webhooks |
| SIEM | Push events in CEF or JSON format to Splunk, Sentinel, or any SIEM |
| PagerDuty | Create incidents for critical and high severity violations |
| ServiceNow | Create ITSM incidents and change requests |
| Jira | Create tickets in any Jira project |
| Send violation alerts by email | |
| Webhook | POST to any HTTP endpoint with a configurable payload |
How Notifications Work
Notifications are attached to policy rules, not to detection types globally. This gives you fine-grained control: you can fire a PagerDuty alert when CREDENTIALS_API_KEY is detected at egress, while only logging PII_EMAIL at ingress.
The workflow is:
- Create a notification channel instance (e.g. "Security Slack #alerts")
- When creating or editing a policy rule, attach the notification channel
- When that rule fires, Rivaro sends the event to the channel
Creating a Notification Channel
Go to Settings > Notifications and click Add Channel, or use the API:
POST /api/notifications
{
"name": "Security Alerts - Slack",
"type": "SLACK",
"contentStrategy": "METADATA_ONLY",
"configuration": {
"webhookUrl": "https://hooks.slack.com/services/...",
"channel": "#ai-security-alerts"
}
}
Content strategy
Controls how much of the detection data is included in the notification:
| Strategy | What's sent | Use when |
|---|---|---|
METADATA_ONLY | Detection type, severity, actor ID, timestamp — no content | Sensitive environments where raw content must not leave the platform |
PROCESSED_CONTENT | Metadata + redacted/masked version of the detected content | When you need enough context to triage without exposing raw data |
RAW_CONTENT | Full metadata + the original detected content | SIEM integrations or internal security tools with appropriate access controls |
SIEM Integration
Configure a SIEM channel to stream enforcement events directly to your security operations platform.
Supported formats
| Format | Description |
|---|---|
| CEF | Common Event Format — industry standard for SIEM ingestion, compatible with Splunk, Sentinel, QRadar |
| JSON | Structured JSON payload — use with custom log shippers or log aggregators |
SIEM event fields
Every event sent to your SIEM includes:
- Detection type and risk category
- Severity (CRITICAL / HIGH / MEDIUM / LOW)
- Policy action taken (BLOCK / REDACT / LOG)
- Actor ID, agent ID, session ID
- Organization and tenant context
- Timestamp and request metadata
- Content (subject to content strategy)
Example SIEM config
POST /api/notifications
{
"name": "Splunk SIEM",
"type": "SIEM",
"contentStrategy": "RAW_CONTENT",
"configuration": {
"endpoint": "https://your-splunk.example.com/services/collector/event",
"api_key": "your-hec-token",
"format": "json"
}
}
Webhook Integration
Use webhooks to integrate with any system that accepts HTTP POST requests.
POST /api/notifications
{
"name": "Internal Security API",
"type": "WEBHOOK",
"contentStrategy": "PROCESSED_CONTENT",
"configuration": {
"url": "https://your-api.example.com/ai-security/events",
"headers": {
"Authorization": "Bearer your-token",
"X-Source": "rivaro"
}
}
}
Attaching Notifications to Policy Rules
Once you've created a notification channel, attach it to a policy rule:
POST /api/policy/organizations/rules
{
"detectionType": "CREDENTIALS_API_KEY",
"lifecycle": "EGRESS",
"action": "BLOCK",
"notificationInstanceId": "notif_abc123"
}
Now every time CREDENTIALS_API_KEY is detected in egress traffic and blocked, the "Security Alerts - Slack" channel fires.
A single notification channel can be attached to multiple rules, and a single rule can have one notification channel.
Testing a Channel
Before attaching a notification channel to production rules, send a test event:
POST /api/notifications/test
{
"notificationInstanceId": "notif_abc123"
}
Notification Channel Fields
| Field | Description |
|---|---|
id | Notification channel identifier |
name | Display name |
type | Channel type: SLACK, TEAMS, SIEM, PAGERDUTY, SERVICENOW, WEBHOOK, JIRA, EMAIL |
active | Whether the channel is enabled |
contentStrategy | METADATA_ONLY, PROCESSED_CONTENT, or RAW_CONTENT |
rulesCount | Number of policy rules using this channel |
configuration | Channel-specific config (endpoints, API keys). Sensitive fields are encrypted and displayed as placeholders. |
Managing Channels
| Endpoint | Description |
|---|---|
GET /api/notifications | List all notification channels |
GET /api/notifications/types | Get available types with their configuration schemas |
POST /api/notifications | Create a new channel |
PUT /api/notifications/{id} | Update a channel |
DELETE /api/notifications/{id} | Delete a channel |
POST /api/notifications/test | Send a test event |
Next steps
- Enforcement & Policies — Create the rules that trigger notifications
- Policy Templates — Apply notification channels to template-based rules
- Actor Governance — Governance events can also trigger notifications