Guides
Start typing to search…

Alert Destinations

Alert destinations define where detection alerts are sent when a detection triggers

Alert Destinations

Alert destinations define where detection alerts are sent when a detection triggers. Query supports multiple destination types for integration with your existing security workflow.

Overview

When a detection outcome is MATCHED or ERROR, the system:

  1. Persists the outcome to the database
  2. Retrieves enabled alert destinations for the detection
  3. Processes secrets from AWS Secrets Manager
  4. Dispatches alerts to each configured destination

Available Destinations

Query.ai supports the following alert destination types:

Managing Destinations

Creating Destinations

  1. Navigate to DetectionsManage Destinations
  2. Click Create New Destination
  3. Select destination type
  4. Configure destination settings
  5. Save destination

Destinations can also be created during detection configuration by clicking Create New Destination in the Alert Configuration tab.

Editing Destinations

  1. Navigate to DetectionsManage Destinations
  2. Click destination name or edit icon
  3. Modify settings
  4. Save changes

Changes take effect immediately for all detections using the destination.

Deleting Destinations

  1. Navigate to DetectionsManage Destinations
  2. Click delete icon for destination
  3. Confirm deletion

Note: Deleting a destination does not delete detections using it. Detections will continue to run but alerts will not be sent to the deleted destination.

Destination Status

Destinations have an Active status:

  • Active: Destination will receive alerts
  • Inactive: Destination will not receive alerts (detections continue to run)

Destination Types

Amazon SNS

Send alerts to Amazon SNS topics for flexible message routing.

Use Cases:

  • Route to multiple subscribers (email, SQS, Lambda, etc.)
  • Fan-out alerts to multiple systems
  • Integrate with AWS services

Configuration:

  • IAM Role ARN for cross-account access
  • External ID for secure role assumption
  • AWS region
  • SNS Topic ARN
  • Optional subject line template

Message Format:

  • JSON body with all detection fields
  • Message attributes for filtering (severity, outcome, run_type)
  • Optional subject for email subscriptions

View detailed setup guide →

Azure Sentinel

Create incidents in Microsoft Sentinel for investigation and response.

Use Cases:

  • Centralize security incidents in Sentinel
  • Trigger Sentinel playbooks
  • Integrate with Microsoft security stack

Configuration:

  • Azure AD Tenant ID
  • App Registration Client ID and Secret
  • Azure Subscription ID
  • Resource Group name
  • Sentinel Workspace name

Incident Details:

  • Title, description, severity
  • Activity timestamps
  • Deterministic incident ID (prevents duplicates)

View detailed setup guide →

Google Pub/Sub

Publish alerts to Google Cloud Pub/Sub topics for event-driven processing.

Use Cases:

  • Stream to BigQuery, Dataflow, or Cloud Functions
  • Build custom alert processing pipelines
  • Integrate with Google Cloud services

Configuration:

  • Google Cloud Project ID
  • Pub/Sub Topic ID
  • Service Account Key (JSON)

Message Format:

  • Base64-encoded JSON body
  • Message attributes for filtering

View detailed setup guide →

Google SecOps

Create cases with alerts in Google SecOps (formerly Chronicle SOAR).

Use Cases:

  • Centralize security cases in SecOps
  • Trigger SecOps playbooks
  • Integrate with Google security platform

Configuration:

  • SecOps instance URL
  • API Key
  • Environment name

Case Details:

  • Alert name, priority, description
  • Event timeline
  • Deduplication by alert identifier

View detailed setup guide →

Jira

Create Jira issues for tracking and workflow management.

Use Cases:

  • Track security incidents in Jira
  • Integrate with existing ticketing workflow
  • Assign to security team members

Configuration:

  • Jira instance URL
  • Email and API token
  • Project key
  • Issue type
  • Optional priority and labels

Issue Details:

  • Summary, description
  • Detection metadata
  • Replay link

View detailed setup guide →

Microsoft Teams

Send rich formatted messages to Microsoft Teams channels.

Use Cases:

  • Real-time team notifications
  • Collaborative incident response
  • Integration with Microsoft 365

Configuration:

  • Incoming Webhook URL

Message Format:

  • Adaptive Card with detection details
  • Color-coded by severity
  • Action button to view in Query.ai

View detailed setup guide →

PagerDuty

Send alert events to PagerDuty services for on-call notification.

Use Cases:

  • Page on-call engineers
  • Escalate critical alerts
  • Integrate with incident response workflow

Configuration:

  • Integration Key (routing key)
  • Optional component, group, class
  • Custom details

Alert Details:

  • Summary, severity, source
  • Custom details with all detection fields
  • Deduplication by detection name

View detailed setup guide →

ServiceNow

Create incidents in ServiceNow for ITSM workflow.

Use Cases:

  • Integrate with ITSM processes
  • Track security incidents in ServiceNow
  • Trigger ServiceNow workflows

Configuration:

  • ServiceNow instance URL
  • Username and password

Incident Details:

  • Short description, description
  • Impact and urgency based on severity
  • Category: Security

View detailed setup guide →

Slack

Post rich formatted messages to Slack channels.

Use Cases:

  • Real-time team notifications
  • Collaborative incident response
  • Quick access to replay links

Configuration:

  • Bot User OAuth Token
  • Channel ID or name
  • Optional username and icon

Message Format:

  • Block Kit formatted message
  • Severity and outcome emojis
  • Color-coded sidebar
  • Action button to view in Query.ai

View detailed setup guide →

Tines Webhook

Send alerts to Tines Story webhooks for automation.

Use Cases:

  • Trigger Tines automation workflows
  • Build custom response playbooks
  • Integrate with Tines ecosystem

Configuration:

  • Webhook URL
  • Webhook secret

Payload:

  • JSON with all detection fields
  • Accessible in Tines story actions

View detailed setup guide →

Tines Cases

Create cases in Tines for case management and automation.

Use Cases:

  • Centralize security cases in Tines
  • Trigger case-based automation
  • Integrate with Tines workflows

Configuration:

  • Tines tenant domain
  • API Key
  • Team ID
  • Optional author and assignee emails

Case Details:

  • Name, priority, description
  • Metadata and tags
  • Markdown-formatted description

View detailed setup guide →

Generic Webhook

Send HTTP POST requests to any webhook endpoint.

Use Cases:

  • Integrate with custom systems
  • Send to unsupported platforms
  • Build custom alert processing

Configuration:

  • Webhook URL

Payload:

  • JSON with all detection fields

View detailed setup guide →

Alert Payload

All destinations receive a payload containing detection information:

Detection Metadata

  • detection_id - Detection configuration ID
  • detection_name - Detection name
  • description - Detection description
  • severity - Detection severity (CRITICAL, HIGH, MEDIUM, LOW)

Execution Details

  • run_id - Unique execution run ID
  • run_type - Type of run (SCHEDULED or MANUAL)
  • outcome - Detection outcome (MATCHED, NOT_MATCHED, ERROR)
  • match_count - Number of matches found

Threshold Configuration

  • match_operator - Comparison operator (e.g., GREATER_THAN)
  • match_threshold - Threshold value
  • match_eagerness - Search mode (EAGER or EXHAUSTIVE)

Execution Metadata

  • match_exhaustiveness - Whether search COMPLETED or STOPPED_EARLY (if available)
  • search_id - FSQL API search identifier for debugging (if available)
  • trace_id - AWS X-Ray trace identifier for debugging (if available)

Timestamps

  • ran_at - When the detection ran (ISO 8601 format)
  • range_start - Query time range start (ISO 8601 format)
  • range_end - Query time range end (ISO 8601 format)

Additional Fields

  • replay_link - Link to replay the query in Query.ai UI
  • errors - Array of error objects (if any)

Secrets Management

Sensitive configuration values (API keys, passwords, tokens) are stored in AWS Secrets Manager:

Secret Storage

  1. Secrets are stored separately from configuration
  2. Each destination has a secret path
  3. Secrets are retrieved at alert dispatch time
  4. Secrets are never logged or exposed

Secret Format

Secrets are stored as JSON objects:

{
  "api_key": "your-api-key",
  "password": "your-password"
}

Configuration Reference

In destination configuration, secret fields are marked:

{
  "api_key": {"is_secret": true},
  "instance_url": {"value": "https://example.com"}
}

Multiple Destinations

Detections can send alerts to multiple destinations simultaneously:

Use Cases

Severity-Based Routing:

  • CRITICAL/HIGH → PagerDuty + Slack
  • MEDIUM → Slack + Jira
  • LOW → Jira only

Team-Based Routing:

  • Security Operations → Slack channel + ServiceNow
  • Incident Response → PagerDuty + Tines
  • Compliance → Jira + Email

Platform Integration:

  • SIEM → Azure Sentinel or Google SecOps
  • Ticketing → Jira or ServiceNow
  • Communication → Slack or Microsoft Teams
  • Automation → Tines or Webhook

Configuration

  1. Create multiple destinations
  2. In detection configuration, select all desired destinations
  3. Alerts dispatch to all selected destinations when detection triggers

Destination Testing

Test During Setup

Most destinations can be tested during configuration:

  1. Configure destination settings
  2. Click Test Destination (if available)
  3. Verify test alert is received
  4. Save destination

Test with Detection

Test end-to-end alert flow:

  1. Create or edit detection
  2. Add destination
  3. Click Run Now to manually trigger detection
  4. Verify alert is received at destination

Troubleshooting

If alerts are not received:

  1. Check Destination Status: Verify destination is Active
  2. Check Detection Link: Verify destination is linked to detection
  3. Check Detection Outcome: Only MATCHED and ERROR outcomes send alerts
  4. Check Credentials: Verify API keys, tokens, passwords are correct
  5. Check Logs: Review CloudWatch logs for error messages
  6. Test Connectivity: Verify network connectivity to destination
  7. Check Permissions: Verify API user has required permissions

Best Practices

Destination Configuration

  1. Use Descriptive Names: Name destinations clearly (e.g., "SOC Team Slack", "Critical PagerDuty")
  2. Separate by Environment: Create separate destinations for prod/dev/test
  3. Document Purpose: Use destination descriptions to document intended use
  4. Test Before Production: Test destinations with low-severity detections first

Secret Management

  1. Rotate Regularly: Rotate API keys and passwords every 90 days
  2. Use Least Privilege: Grant minimum required permissions
  3. Separate Secrets: Use different credentials for different environments
  4. Monitor Usage: Review audit logs for secret access

Alert Routing

  1. Avoid Alert Fatigue: Don't send all alerts to all destinations
  2. Route by Severity: Send critical alerts to paging systems
  3. Route by Type: Send different detection types to appropriate teams
  4. Provide Context: Ensure alerts include replay links and descriptions

Performance

  1. Limit Destinations: Don't configure excessive destinations per detection
  2. Monitor Latency: Track alert delivery times
  3. Handle Failures: Configure retry logic in destination platforms
  4. Use Async Processing: Destinations process alerts asynchronously

Next Steps

Updated 2 days ago