Notifications
The Notifications page lets you configure where Threat Reaction sends alerts when a threat is detected, when a containment action fires, or when a block is lifted. Notifications are delivered via Amazon SNS, which can fan out to email, SMS, HTTP endpoints, Lambda functions, and more.
In the app: /notifications
Notification Rules
Each notification rule has three components:
- Trigger — what event fires the notification: a finding of a specific severity, a specific action type (BLOCK, REVOKE), or an unblock event.
- Filter — optional additional filters: specific finding type, specific AWS account, or specific entity.
- Destination — the SNS topic ARN to publish to.
SNS Integration
Enter the ARN of an SNS topic in the same AWS region as your Threat Reaction stack. The Lambda execution role must have sns:Publish permission on that topic. Threat Reaction publishes a structured JSON payload containing the finding type, severity, actor, resource, timestamp, and the action that was taken.
Email Notifications
To receive email alerts, create an SNS topic and subscribe your email address to it. AWS will send a confirmation email; notifications are not delivered until you click the confirmation link. Once confirmed, every matching event published to that topic will arrive as a plain-text email.
Webhook / HTTP Notifications
To send alerts to Slack, PagerDuty, or any HTTP endpoint, subscribe the endpoint to your SNS topic. For Slack, use the SNS → Lambda → Slack pattern: a small Lambda function formats the SNS message and posts it to a Slack Incoming Webhook URL.
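The SNS → Lambda → Slack pattern described above, as an added example that is not Threat Reaction's own code. The JSON key names in FIELDS, the SLACK_WEBHOOK_URL environment variable and the function names are assumptions; the page lists the payload fields but not their keys.

```python
import json
import os
import urllib.request

# Assumed key names: the page lists these fields but not their JSON keys.
FIELDS = ("finding_type", "severity", "actor", "resource", "timestamp", "action")

def slack_escape(value):
    # Actor and resource names can be attacker-influenced; escape Slack's
    # control characters so they cannot inject links or <!channel> mentions.
    return str(value).replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def format_slack_message(record):
    """Build a Slack Incoming Webhook body from one SNS record."""
    message = record["Sns"]["Message"]
    try:
        payload = json.loads(message)
    except (TypeError, ValueError):
        payload = None
    if not isinstance(payload, dict):
        # Free-text test messages published from the console land here.
        return {"text": "Threat Reaction (unparsed): " + slack_escape(message)[:500]}
    lines = ["*Threat Reaction alert*"]
    lines += [f"{key}: {slack_escape(payload.get(key, 'n/a'))}" for key in FIELDS]
    return {"text": "\n".join(lines)}

def post_to_slack(body, url):
    request = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(request, timeout=5) as response:
        return response.status

def lambda_handler(event, context):
    # The webhook URL is a credential: read it from configuration, not code.
    url = os.environ["SLACK_WEBHOOK_URL"]
    if not url.startswith("https://"):
        raise ValueError("SLACK_WEBHOOK_URL must be an https URL")
    # urlopen raises on 4xx/5xx, so a failed post fails the invocation
    # instead of being dropped silently.
    return [post_to_slack(format_slack_message(r), url) for r in event["Records"]]

# Constructed sample event (values are made up for illustration).
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "finding_type": "ExampleFinding", "severity": "CRITICAL",
    "actor": "arn:aws:iam::111122223333:user/<!channel>",
    "resource": "example-bucket", "timestamp": "2024-01-01T00:00:00Z",
    "action": "BLOCK"})}}]}
```

Check the key names against a real payload from your stack before deploying, since any key that does not match is rendered as n/a.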
Unblock Notifications
When an entity is manually unblocked (via the Actions page), an optional notification can be sent to the same destinations as the original block alert. Enable this if your SOC process requires an auditable record of every block/unblock cycle delivered to a ticketing system.
Testing Notifications
After configuring a rule, trigger a test notification by publishing a test message directly to the SNS topic from the AWS Console (SNS → Topics → Publish message). This verifies the subscription is active and the destination is reachable before a real finding occurs.
💡 Tip
Use SNS → Lambda for rich notification workflows: create a Jira ticket per Critical finding, post to a Slack channel with formatted blocks, or trigger a PagerDuty incident. The SNS payload from Threat Reaction includes all the context needed to build these integrations.
⚠️ Warning
SNS topics must be in the same AWS region as your Threat Reaction stack. Cross-region SNS publishing requires additional IAM configuration and is not supported by default.
ℹ️ Note
SNS deliveries are best-effort. For guaranteed delivery (especially for Critical findings), consider subscribing an SQS queue to the SNS topic and processing from the queue with retry logic.