Alerting channels
Permafrost surfaces a new finding wherever your team already works — email, Slack, Microsoft Teams, a generic webhook, PagerDuty, Opsgenie, or an ITSM ticket in ServiceNow or Jira. Every channel is opt-in and off by default, so a destination only fires once you turn it on.
The channels
A finding is the unit Permafrost alerts on: a permission risk detected across all of your connected Azure tenants. When a new finding lands, the channels you have turned on deliver it. Chatops messages and the generic webhook carry a deep link back into the dashboard; the ITSM path opens a ticket an analyst can track to closure.
| Channel | What triggers it | Where to configure |
|---|---|---|
| Email | New critical findings and sync-failure alerts, one message per opted-in recipient. | Settings → Notifications (master switch) and Settings → Team (per-user). |
| Slack | New findings at the severities the webhook subscribes to, as a Block Kit message with a deep link. | Settings → Webhooks (type: Slack). |
| Microsoft Teams | New findings at the subscribed severities, as an Adaptive Card with a deep link. | Settings → Webhooks (type: Teams). |
| Generic webhook | New findings at the subscribed severities, as a signed JSON POST any receiver can consume. | Settings → Webhooks (type: Generic). |
| PagerDuty | New findings raised as Events API v2 incidents on the routing key you provide. | Settings → Webhooks (type: PagerDuty). |
| Opsgenie | New findings raised as Opsgenie alerts on the API key you provide. | Settings → Webhooks (type: Opsgenie). |
| ITSM ticket | A finding an analyst chooses to escalate becomes a ServiceNow or Jira ticket. | Settings → ITSM integrations. |
Off by default, opt-in only
No channel sends until you turn it on. Email delivery is gated on a master switch under Settings → Notifications and a per-recipient opt-in under Settings → Team; a recipient who has not opted in receives nothing. Webhooks, chatops, and on-call channels stay silent until you add a destination and subscribe it to the severities you care about, and they inherit the same master opt-in — a destination you have not opted into stays off.
The default-off posture is deliberate. Permafrost adds notification surfaces conservatively: a new channel never starts paging your team the moment it ships.
Lifecycle-aware suppression
When an account is winding down — scheduled for deletion within the grace window, suspended, or already purged — Permafrost stops paging on findings across every channel, not just email. Existing open findings linger in the data after a tenant is deprovisioned, and without this gate the alert paths would keep re-firing on them. Lifecycle and account-process messages (deletion warnings, the offboarding runbook) are unaffected and still reach you.
Delivery integrity
Webhook destinations are validated against the server-side request guard at both configuration time and send time, so a destination cannot be pointed at an internal or metadata address. Generic, Slack, and Teams payloads carry an HMAC-SHA-256 signature header so a receiver can verify origin and integrity. Each webhook row stamps its last delivery time and last error; the Webhooks settings page shows a per-row health badge and a one-click test send so a misconfigured destination surfaces before a real finding is missed.
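A receiver-side check for the signed generic webhook described above, as an added example that is not Permafrost's own code. The header name `X-Signature`, the hex encoding, and the choice to sign the raw request body are assumptions; take the real values from your webhook's configuration.

```python
import hashlib
import hmac
import json

# Assumptions (not from the Permafrost docs): the header name, hex encoding,
# and that the MAC covers the raw request body exactly as sent.
SIGNATURE_HEADER = "X-Signature"  # placeholder header name


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA-256 over the exact bytes on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_and_parse(secret: bytes, headers: dict, raw_body: bytes):
    """Return the parsed payload if the signature is valid, else None.

    The MAC is checked on the raw bytes before JSON parsing, so
    unauthenticated input never reaches the parser and re-serialisation
    differences (key order, whitespace) cannot break the comparison.
    """
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower())
    if not received:
        return None  # unsigned request: reject, never fall back to trust
    expected = sign(secret, raw_body)
    # compare_digest runs in constant time, avoiding a timing side channel.
    candidate = received.strip().lower().encode()
    if not hmac.compare_digest(expected.encode(), candidate):
        return None
    try:
        return json.loads(raw_body)
    except ValueError:
        return None  # authentic sender but malformed body


# Constructed sample data for the demonstration.
SECRET = b"constructed-demo-secret"
BODY = b'{"severity":"critical","title":"constructed sample finding"}'
GOOD_HEADERS = {"x-signature": sign(SECRET, BODY)}

if __name__ == "__main__":
    print(verify_and_parse(SECRET, GOOD_HEADERS, BODY))
    tampered = BODY.replace(b"critical", b"low")
    print(verify_and_parse(SECRET, GOOD_HEADERS, tampered))
```

In a web framework, pass the unmodified request bytes to `verify_and_parse`; verifying a body that the framework has already decoded and re-encoded will fail on otherwise valid deliveries.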
SIEM export
For long-term retention or correlation, the alert timeline also exports on demand as NDJSON for Microsoft Sentinel ingestion or CEF for any CIM-compatible SIEM. This is a pull/export path rather than a push notification — see the SIEM integration page for field mappings and ingestion notes.
Next stop
SIEM integration
Export the alert timeline as NDJSON (Microsoft Sentinel) or CEF (any CIM-compatible SIEM), with field mappings and chain-of-custody hashing.
Security posture
Read-only by default, the operator boundary, the partition-by-customer rule, and what Permafrost does not store.
