Create the webhook.
1. Create a Slack app (or use an existing one)
- Open api.slack.com/apps → Create New App → From scratch.
- App Name: Agent Audit alerts. Workspace: pick yours.
- On the app's home → Incoming Webhooks → Activate.
- Add New Webhook to Workspace.
- Pick the channel that should receive alerts (e.g. #soc-alerts).
- Slack shows a Webhook URL beginning https://hooks.slack.com/services/T…/B…/…. Copy it.
Per-channel webhooks are intentional. One webhook = one Slack channel. To split critical alerts to #soc and lower-severity ones to #noc, create two webhooks and configure two integrations in Agent Audit with different min severities.
1. Add an Incoming Webhook connector to a Teams channel
- Open Microsoft Teams. Right-click the channel you want alerts in → Connectors.
- Find Incoming Webhook → Configure.
- Name: Agent Audit alerts. Optionally upload an icon.
- Click Create. Teams shows the webhook URL.
- Copy the URL — it begins https://<tenant>.webhook.office.com/webhookb2/....
Connectors are being phased out in some Teams plans in favour of Workflows. If your tenant doesn't expose the classic Incoming Webhook connector, create a Workflow with the "Post to a channel when a webhook request is received" template and use the workflow URL — the payload format we send is the MessageCard schema which both connector and workflow accept.
Save in Agent Audit.
- Sign in to /dashboard/ as an admin.
- Open Settings → Integrations.
- Pick Kind (Slack or Microsoft Teams).
- Paste the webhook URL.
- Label: something memorable (e.g. #soc-alerts for Slack).
- Min severity: see the next section.
- Save.
Send a test message.
On the saved row, click Test. We send a test payload with severity equal to the channel's configured min severity, so the test always clears the threshold and proves the webhook is reachable.
Severity threshold.
Each channel has a min severity. Alerts below it are silently dropped. Recommended starting points:
- Slack #soc / Teams SOC channel: medium — chain breaks, class escalations, drift
- Pager-on-call channel: high — chain breaks and high-severity drift only
- Audit-trail channel: low — everything, for the compliance team to skim weekly
You can change the threshold at any time on the integration row — past alerts are not re-delivered.
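The threshold rule above and the two-integration split from the per-channel note, modelled as an added example (not Agent Audit's own code): the min severity is a floor, so a channel set to low also receives the high alerts. The ordering low < medium < high, the integration records, the placeholder URLs and the payload fields are assumptions made for illustration.

```python
"""Added example: model of per-channel min-severity filtering (not Agent Audit's code)."""
import json

# Assumed ordering of the three levels this page names.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed integrations; labels follow the page's examples, URLs are placeholders.
INTEGRATIONS = [
    {"kind": "slack", "label": "#soc", "min_severity": "high",
     "url": "https://hooks.slack.com/services/PLACEHOLDER"},
    {"kind": "slack", "label": "#noc", "min_severity": "low",
     "url": "https://hooks.slack.com/services/PLACEHOLDER"},
    {"kind": "teams", "label": "SOC channel", "min_severity": "medium",
     "url": "https://example.webhook.office.com/webhookb2/PLACEHOLDER"},
]


def clears_threshold(alert_severity, min_severity):
    """An alert is delivered only if it is at or above the channel's floor."""
    return SEVERITY_RANK[alert_severity] >= SEVERITY_RANK[min_severity]


def route(alert_severity, integrations=INTEGRATIONS):
    """Return the labels that would receive an alert of this severity."""
    return [i["label"] for i in integrations
            if clears_threshold(alert_severity, i["min_severity"])]


def build_payload(kind, title, severity):
    """Build a minimal request body for each kind (field choice is an assumption)."""
    text = f"[{severity.upper()}] {title}"
    if kind == "slack":
        return json.dumps({"text": text})
    if kind == "teams":
        return json.dumps({"@type": "MessageCard",
                           "@context": "http://schema.org/extensions",
                           "summary": title, "title": title, "text": text})
    raise ValueError(f"unknown integration kind: {kind}")


def severity_for_test_button(integration):
    """The Test button sends at the channel's own floor, so it always clears."""
    return integration["min_severity"]


if __name__ == "__main__":
    for sev in ("low", "medium", "high"):
        print(sev, "->", route(sev))
```

A channel meant to carry only lower-severity alerts cannot be expressed with a floor alone: here #noc receives every alert that #soc does.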
Troubleshooting.
- Test sends but no message appears in Slack — check the webhook is enabled (Incoming Webhooks → Activate) and that the channel still exists.
- HTTP 404 on test — the webhook URL was revoked. Mint a new one in Slack and update the integration in Agent Audit.
- Teams shows "Workflow received a request that did not match its trigger" — your tenant disabled classic connectors; recreate as a Workflow per the warning above.
- Alerts firing but not arriving — the alert may be below the channel's min severity. Open Settings → Integrations, lower the threshold, then fire a test alert by manually triggering one of the rule types.