Slack Alerts
Pro’s Slack integration sends Card-Testing Defense alerts and automation-rule notifications to Slack channels. Email is fine for daily summaries; Slack is better for real-time alerts that need attention now. This page covers how to set up Slack, which alerts use it, and how to route alerts to channels for distributed teams.
What Triggers Slack Alerts
| Event | When | Default Channel Target |
|---|---|---|
| attack_detected | Card-Testing velocity threshold tripped | Configured Slack webhook |
| auto_escalated | Auto-escalation triggers Panic Freeze | Configured webhook |
| panic_button_activated | Manual Panic Freeze | Configured webhook |
| Any custom rule with Slack action | Per rule definition | Per-rule webhook |
Setting Up the Slack Webhook
- In Slack, create an Incoming Webhook for the channel where you want alerts
- Copy the webhook URL (looks like https://hooks.slack.com/services/T.../B.../...)
- In TrustLens: Settings → Notifications → Slack Webhook URL
- Paste the URL and save
- Click “Send Test Alert” to verify connectivity
You should see a test message appear in the channel within seconds.
Card-Testing Alerts in Slack
The three Card-Testing event types post to Slack with specific formats:
attack_detected
“⚠️ Card-testing velocity threshold tripped. Fingerprint locked for 60 seconds. {decline_count} declines in {window}.”
Includes a button to view the Card Testing page.
auto_escalated
“🚨 Card-testing attack auto-escalated. Panic Freeze active for 15 minutes. {n} fingerprints contributed; geographic distribution: {summary}.”
Most critical alert. Use a dedicated on-call channel; consider pairing with PagerDuty for paging.
panic_button_activated
“🛑 Panic Freeze manually activated by {admin}. All checkouts halted for 15 minutes.”
Useful for distributed teams — the ops engineer who hits the button might not be the same person investigating, and the alert keeps everyone aligned.
Automation Rule Slack Actions
The automation engine’s “Fire Webhook” action can target Slack directly. Use the same Slack webhook URL pattern. The payload can be customized — by default it’s a generic JSON object, but Slack’s incoming webhooks accept a specific format with rich formatting:
```json
{
  "text": "Chargeback filed for ${order.total}",
  "attachments": [
    {
      "color": "#cc0000",
      "fields": [
        { "title": "Customer", "value": "${customer.email}" },
        { "title": "Score", "value": "${customer.score}" },
        { "title": "Brand", "value": "${dispute.brand}" }
      ]
    }
  ]
}
```
For automation rules targeting Slack, configure the webhook action with this payload structure for richer formatting.
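Fields such as the customer email originate with shoppers, so if you render a payload like the one above yourself (for example in a relay in front of Slack), escape each value for Slack and let a JSON serializer produce the output. This is an added example, not TrustLens code: `render`, `build_payload` and the sample data are hypothetical, and how TrustLens itself substitutes `${...}` placeholders is not described on this page.

```python
import json
import re

# Placeholders in the page's payload look like ${customer.email}.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][\w.]*)\}")

def slack_escape(value):
    """Escape the three characters Slack treats as control characters in text."""
    return str(value).replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def lookup(context, dotted):
    node = context
    for part in dotted.split("."):
        node = node[part]  # unknown placeholder raises KeyError: fail closed
    return node

def render(node, context):
    """Substitute placeholders in the string leaves of an already-parsed template."""
    if isinstance(node, dict):
        return {key: render(value, context) for key, value in node.items()}
    if isinstance(node, list):
        return [render(item, context) for item in node]
    if isinstance(node, str):
        return PLACEHOLDER.sub(
            lambda m: slack_escape(lookup(context, m.group(1))), node)
    return node

def build_payload(template_json, context):
    # Parse first, substitute second, serialize last: a quote or backslash in
    # a value can never change the JSON structure.
    return json.dumps(render(json.loads(template_json), context))

# The payload from this page, used as the template.
TEMPLATE = """{
  "text": "Chargeback filed for ${order.total}",
  "attachments": [{"color": "#cc0000", "fields": [
    {"title": "Customer", "value": "${customer.email}"},
    {"title": "Score", "value": "${customer.score}"},
    {"title": "Brand", "value": "${dispute.brand}"}]}]
}"""

# Constructed sample data: the email carries Slack control characters and quotes.
SAMPLE = {
    "order": {"total": "49.00"},
    "customer": {"email": '"<!channel>"@example.com', "score": 12},
    "dispute": {"brand": "Visa & Co"},
}

if __name__ == "__main__":
    print(build_payload(TEMPLATE, SAMPLE))
```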
Channel Routing
TrustLens supports per-event-type Slack channel targeting:
| Event Class | Recommended Channel |
|---|---|
| Card-testing attacks | #security or #ops-alerts |
| Chargeback filings | #fraud or #finance |
| Segment changes (VIP up/down) | #customer-success |
| Bulk action audits | #trustlens-audit (low-volume archival) |
To route different events to different channels, create separate Slack webhooks (one per channel) and configure each TrustLens event type with the appropriate webhook in Settings → Notifications → Slack Routing.
Slack Message Format
TrustLens uses Slack’s Block Kit format for rich messages. Default formatting includes:
- Header block with event type and severity emoji
- Section block with key fields (customer, score, amount, etc.)
- Action buttons linking to TrustLens admin pages
- Color sidebar matching event severity (red / yellow / green)
The format is fixed for built-in events. Custom automation rules use the payload you configure.
Rate Limiting
Slack imposes its own rate limits on incoming webhooks (~1 message/second per webhook). TrustLens respects this and queues messages if needed. Burst-heavy events (e.g. a rapid card-testing attack producing many alerts) may see slight delays in delivery.
To avoid Slack throttling, use cooldowns on automation rules that target Slack, and consider routing burst events to a digest channel rather than per-event channels.
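A small model of what a cooldown plus digest does to a burst, with sends spaced about one second apart. This is an added example, not TrustLens code: `plan_deliveries`, its parameters and the sample events are hypothetical and constructed, and the 60-second cooldown is an assumed value.

```python
def plan_deliveries(events, cooldown=60.0, min_gap=1.0):
    """events: (timestamp_seconds, event_type, text) tuples.
    Returns the (send_time, text) messages that would reach Slack."""
    last_sent, suppressed, due = {}, {}, []

    def flush(kind):
        # Summarize what the cooldown swallowed as one digest line.
        if suppressed.get(kind):
            due.append((last_sent[kind] + cooldown,
                        f"{suppressed[kind]} more {kind} events in the last {int(cooldown)}s"))
            suppressed[kind] = 0

    for ts, kind, text in sorted(events):
        if kind in last_sent and ts < last_sent[kind] + cooldown:
            suppressed[kind] = suppressed.get(kind, 0) + 1  # inside cooldown: count only
            continue
        if kind in last_sent:
            flush(kind)            # cooldown over: report the suppressed count first
        last_sent[kind] = ts
        due.append((ts, text))     # first alert of a new window goes out as-is
    for kind in list(last_sent):
        flush(kind)                # digests still pending when the input ends

    # Space deliveries so one webhook never gets more than 1 message per min_gap.
    schedule, next_free = [], 0.0
    for ts, text in sorted(due):
        send_at = max(ts, next_free)
        schedule.append((send_at, text))
        next_free = send_at + min_gap
    return schedule

# Constructed burst: three attack_detected alerts in under a second, one
# escalation, then a later attack after the cooldown has expired.
SAMPLE_EVENTS = [
    (0.0, "attack_detected", "attack_detected: fingerprint A"),
    (0.2, "attack_detected", "attack_detected: fingerprint B"),
    (0.4, "attack_detected", "attack_detected: fingerprint C"),
    (0.5, "auto_escalated", "auto_escalated: Panic Freeze active"),
    (90.0, "attack_detected", "attack_detected: fingerprint D"),
]

if __name__ == "__main__":
    for send_at, text in plan_deliveries(SAMPLE_EVENTS):
        print(f"{send_at:6.1f}s  {text}")
```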
Multiple Workspaces
TrustLens supports a single primary Slack workspace per store. For multi-workspace routing (e.g. internal vs partner workspaces), use the automation engine with separate webhook actions targeting different workspaces.
Security
Slack webhook URLs are essentially passwords — anyone with the URL can post to the channel. TrustLens stores webhook URLs encrypted at rest and only exposes them in the admin UI to authorized users (manage_woocommerce capability).
If a webhook URL leaks:
- Regenerate it in Slack immediately
- Update the URL in TrustLens settings
- Review channel history for unauthorized messages
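To find out which webhook needs regenerating, text you control (exported logs, config backups, a repository checkout) can be scanned for webhook URLs and matched against the ones you have configured, without ever printing the secret. This is an added example, not part of TrustLens: the regular expression is an assumption based on the URL shape shown on this page, and all URLs and log lines are constructed.

```python
import hashlib
import re

# Assumed pattern for https://hooks.slack.com/services/T.../B.../...
WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/T[A-Za-z0-9_]+/B[A-Za-z0-9_]+/[A-Za-z0-9_]+")

def fingerprint(url):
    """Short, non-reversible id so a URL can be referenced without printing it."""
    return hashlib.sha256(url.encode()).hexdigest()[:12]

def redact(text):
    return WEBHOOK_RE.sub(
        lambda m: f"[slack-webhook:{fingerprint(m.group(0))}]", text)

def scan(lines, configured):
    """configured maps a channel label to its webhook URL.
    Returns (findings, labels_to_rotate); findings hold only redacted text."""
    by_fp = {fingerprint(url): label for label, url in configured.items()}
    findings, rotate = [], set()
    for number, line in enumerate(lines, 1):
        for match in WEBHOOK_RE.finditer(line):
            label = by_fp.get(fingerprint(match.group(0)), "unknown")
            findings.append((number, label, redact(line)))
            if label != "unknown":
                rotate.add(label)
    return findings, sorted(rotate)

# Constructed sample values, not real webhooks.
BASE = "https://hooks.slack.com/services/"
CONFIGURED = {
    "#ops-alerts": BASE + "T00000000/B00000001/" + "A" * 24,
    "#fraud": BASE + "T00000000/B00000002/" + "B" * 24,
}
SAMPLE_LINES = [
    "deploy.log: POST " + CONFIGURED["#fraud"] + " -> 200 ok",
    "deploy.log: queued attack_detected",
    "notes.txt: curl -X POST " + BASE + "T11111111/B11111111/" + "C" * 24,
]

if __name__ == "__main__":
    found, rotate = scan(SAMPLE_LINES, CONFIGURED)
    for number, label, line in found:
        print(number, label, line)
    print("regenerate:", rotate)
```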
Testing
The Send Test Alert button at Settings → Notifications posts a test message to verify connectivity. Useful for:
- Confirming initial setup
- Verifying after the webhook URL changes in Slack
- Troubleshooting silent failures
The test message has a distinctive format so it’s obvious it’s a test, not a real alert.
Alerts Log
Every Slack delivery (attempted and successful) is logged in the Notifications log with timestamp, recipient channel, message body, and Slack’s response. Useful for confirming critical alerts were actually sent.
Beyond Slack
Slack is one channel; the same automation webhook action can target:
- Microsoft Teams (similar incoming webhook format with adaptation)
- Discord (different webhook format; configure payload accordingly)
- PagerDuty (different API)
- Any custom HTTP receiver with HMAC verification
The automation engine treats all webhook receivers identically. Slack is documented separately because the most common use case is operational alerting, and Slack is the most common destination.