Alert Integration

Slack Alert Integration

To enable Slack alerting in Javelin, you'll need to configure a Slack webhook to allow Javelin to send messages to your Slack channel.

Need help creating a Slack webhook?

Refer to the Slack Webhook Setup Guide for step-by-step instructions.

1. Navigate to the Integrations Page

From the side navigation, select Integrations.

Integration Page Image

2. Configure the Slack Integration

Click on the Slack integration card and provide the required details, such as the webhook URL.

Slack Config Page Image

3. Enable Slack in Threat Alerts

To start receiving alerts in Slack:

  • Go to the Threat Alerts page.
  • Click Manage Notification for your desired gateway.
  • Enable Slack to send alerts for that gateway.

Threat Alert Overview Image

Splunk Alert Integration

To enable Splunk alerting in Javelin, you must configure the HTTP Event Collector (HEC) in Splunk. You'll need the following:

  • Base URL of your HEC endpoint
  • Authentication token
  • A payload including required fields like event and sourcetype

Need help setting up HEC in Splunk?

Refer to the Splunk HEC Setup Guide for detailed instructions.

1. Visit the Integrations Page:

In the left-hand navigation panel, click on Integrations.

Integration Page Image

2. Select the Splunk integration

Click on the Splunk integration card and complete the required fields: Endpoint, Token, Event, and Sourcetype.

The Event field can be set to any descriptive value, such as Javelin Trigger.

note

Ensure that the sourcetype value matches the one configured in your Splunk HEC setup.

Splunk Config Page Image

3. Go to the Threat Alerts Page:

  • Navigate to the Threat Alerts section.
  • Click Manage Notification for your chosen gateway.
  • Enable Splunk as the alert destination.

Threat Alert Overview Image

Advanced Configuration for Alert in Javelin

note

This feature is currently not supported on the web application. Please use the API directly to access this functionality.

By default, alerts in Javelin are generated per gateway. However, for more granular control over when alerts should be triggered, Javelin also supports advanced configurations via the trigger_condition field in the alert integration configuration.

🛠️ Supported trigger_condition Fields

The following fields are supported for fine-tuned alerting:

| Field | Type | Description |
|---|---|---|
| threats | array | Specify one or more threat types (e.g., ["prompt_injection_detected", "jailbreak_detected"]) to trigger alerts only for those threats. |
| route_names | array | Specify one or more route names to restrict alerting to specific routes. |
| gateway_ids | array | Specify one or more gateway IDs. This is the default behavior in the UI. |
| application_ids | array | Specify one or more application IDs to limit alerts to specific applications. |

Click here to view the full list of supported threat types that can be used in the trigger_condition.threats array.

How to Configure

To apply trigger_condition filters, perform the following two operations, passing the desired trigger_condition in the request body of the second.

1. Fetch Integration Details (GET Request)

Retrieve the integration configuration for which you want to add a trigger specification. Note the alert-id from the response.

curl --location '<your_domain_url>/v1/admin/integrations/config' \
--header 'x-javelin-apikey: <javelin-api-key>'

2. Update Integration with Trigger Condition (PUT Request)

Use the alert-id obtained from the GET call and the full existing JSON configuration. Add or modify the trigger_condition field as needed.

note

Ensure you copy the full existing config and only append the trigger_condition block as required.

curl --location --request PUT '<your_domain_url>/v1/admin/integrations/config/<alert-id>' \
--header 'x-javelin-apikey: <javelin-api-key>' \
--header 'Content-Type: application/json' \
--data '{
  ...your_existing_config,
  "trigger_condition": {
    "threats": ["prompt_injection_detected", "jailbreak_detected"],
    "route_names": ["openai_gpt4_chat", "anthropic_claude"],
    "gateway_ids": ["gwy1"],
    "application_ids": ["app_xyz"]
  }
}'

note

All fields in trigger_condition are optional and can be used independently or in combination.
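The read-modify-write in steps 1 and 2, as an added Python example (not Javelin's own code): it checks a trigger_condition against the four supported fields, merges it into the full existing config without dropping any keys, and builds the PUT request without sending it. The sample config, host name, alert ID and the assumption that array elements are strings are constructed for illustration.

```python
import json
import urllib.request

# The four trigger_condition fields from the table above; each takes an array.
SUPPORTED_FIELDS = {"threats", "route_names", "gateway_ids", "application_ids"}


def validate_trigger_condition(cond):
    """Catch misspelled field names and wrong types before calling the API."""
    unknown = set(cond) - SUPPORTED_FIELDS
    if unknown:
        raise ValueError(f"unsupported trigger_condition fields: {sorted(unknown)}")
    for field, values in cond.items():
        # Assumption: elements are strings, as in the page's examples.
        if not isinstance(values, list) or not all(isinstance(v, str) and v for v in values):
            raise ValueError(f"{field} must be an array of non-empty strings")
    return cond


def merge_trigger_condition(existing_config, cond):
    """Return a copy of the full existing config with trigger_condition set."""
    merged = json.loads(json.dumps(existing_config))  # deep copy of JSON data
    merged["trigger_condition"] = validate_trigger_condition(cond)
    return merged


def build_put_request(base_url, alert_id, api_key, config):
    """Build (not send) the PUT request from step 2."""
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/v1/admin/integrations/config/{alert_id}",
        data=json.dumps(config).encode("utf-8"),
        method="PUT",
        headers={"x-javelin-apikey": api_key, "Content-Type": "application/json"},
    )


# Constructed sample standing in for one integration config from the GET call;
# the real response fields are not shown on this page.
SAMPLE_CONFIG = {"name": "splunk-alerts", "type": "splunk", "sourcetype": "javelin"}

if __name__ == "__main__":
    cond = {"threats": ["prompt_injection_detected"], "gateway_ids": ["gwy1"]}
    body = merge_trigger_condition(SAMPLE_CONFIG, cond)
    req = build_put_request("https://javelin.example.com", "alert-123", "PLACEHOLDER", body)
    print(req.get_method(), req.full_url)
    print(json.dumps(body, indent=2))
    # Review the body, then send with urllib.request.urlopen(req).
```

Read the API key from an environment variable or secret store at call time rather than writing it into the script.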

Example Event Payload (Splunk)

{
  "Account ID": "<account-id>",
  "Gateway ID": "<gateway-id>",
  "Severity": "<severity>",
  "Route Name": "<route-name>",
  "Application ID": "<app-id>",
  "Threat ID": "<threat-id>",
  "Alert ID": "<alert-id>",
  "Detected Threats": [
    "Sensitive Data: Yes",
    "Restricted Keywords: Yes",
    "Regex Matches: [^.h.$]",
    "Data Blocked: Yes",
    "Sensitive Data Masked: Yes",
    "Prompt Injection: Yes",
    "Entropy Score: 0.93"
  ],
  "event": "<event-name>",
  "sourcetype": "<sourcetype>"
}