Integrations and Notifications
Guardimesh can send real-time alerts when malware or suspicious activity is detected in your cluster. Notifications are configured per-channel in the web console and support filtering by namespace, cluster, and signature.
Availability by Tier
| Integration | Minimum Tier |
|---|---|
| Trial | |
| Webhook | Startup |
| Slack | Startup |
| PagerDuty | Startup |
| Jira | Team |
| ServiceNow | Team |
Setting Up a Notification Channel
- Log in to the web console
- Navigate to Notifications in the sidebar
- Click Add Channel
- Select the channel type
- Fill in the configuration (see below for each type)
- Optionally configure filters
- Click Save
- Click Test to verify delivery
Webhook
Generic HTTP webhooks allow integration with any system that accepts HTTP requests.
Configuration
| Field | Required | Description |
|---|---|---|
| URL | Yes | HTTPS endpoint that will receive the POST request |
| Method | No | HTTP method (default: POST) |
| Headers | No | Custom headers (e.g., Authorization: Bearer token123) |
| TLS verify | No | Whether to verify the server's TLS certificate (default: enabled) |
| Timeout | No | Request timeout in seconds (default: 30) |
Payload Schema
When a malware detection occurs, Guardimesh sends the following JSON payload:
{
"event_type": "malware_detected",
"timestamp": "2026-05-26T10:30:00Z",
"customer": "user@example.com",
"cluster_id": "production-us-east-1",
"namespace": "default",
"pod_name": "app-deployment-7d8f9c6b4-x2k9p",
"host_ip": "10.0.1.15",
"pod_ip": "10.244.0.42",
"total_findings": 1,
"findings": [
{
"signature_name": "Trojan.Linux.Generic-9876543-0",
"file_name": "/var/tmp/payload.bin",
"description": "Trojan detected in container writable layer"
}
],
"scan_details": {
"api_version": "1.0",
"node_name": "worker-node-3",
"container_id": "abc123def456..."
}
}
Payload Fields
| Field | Type | Description |
|---|---|---|
event_type | string | Always malware_detected |
timestamp | string | ISO 8601 timestamp of the detection |
customer | string | Account email |
cluster_id | string | Cluster identifier (from Helm clusterID value) |
namespace | string | Kubernetes namespace of the affected pod |
pod_name | string | Name of the pod containing the detection |
host_ip | string | IP address of the node |
pod_ip | string | Pod IP address |
total_findings | integer | Number of malware findings in this scan |
findings | array | List of individual findings |
findings[].signature_name | string | ClamAV signature that matched |
findings[].file_name | string | Path to the detected file (relative to container root) |
findings[].description | string | Human-readable description |
scan_details | object | Additional scan metadata |
scan_details.api_version | string | Scanner API version |
scan_details.node_name | string | Kubernetes node name |
scan_details.container_id | string | Container runtime ID |
Retry Behavior
Failed webhook deliveries are retried with exponential backoff:
- 1st retry: 30 seconds
- 2nd retry: 2 minutes
- 3rd retry: 10 minutes
- Maximum retries: 3
Delivery history (success/failure, response codes, timestamps) is available in the console under the channel's History tab.
Slack
Send alerts to a Slack channel via an incoming webhook.
Setup
- In Slack, go to Apps → Incoming Webhooks (or create a new Slack app with incoming webhook permission)
- Choose a channel and copy the webhook URL
- In Guardimesh, create a notification channel with type Slack
- Paste the webhook URL
- Click Test to verify
Message Format
Slack notifications include:
- Detection summary (signature name, pod, namespace)
- Cluster and node information
- Link to the finding in the web console
PagerDuty
Trigger PagerDuty incidents on malware detection using the Events API v2.
Setup
- In PagerDuty, create a new service or use an existing one
- Add an Events API v2 integration to the service
- Copy the Integration Key (also called routing key)
- In Guardimesh, create a notification channel with type PagerDuty
- Paste the integration key
- Click Test to verify
Behavior
- Each detection creates a new trigger event
- PagerDuty deduplicates based on cluster + namespace + pod + signature
- Severity is set to
criticalfor all detections
Jira (Team tier and above)
Automatically create Jira issues when malware is detected.
Setup
- In Jira, create an API token at id.atlassian.com/manage-profile/security/api-tokens
- In Guardimesh, create a notification channel with type Jira
- Provide:
- Jira instance URL (e.g.,
https://yourcompany.atlassian.net) - Email address associated with the API token
- API token
- Project key (e.g.,
SEC) - Issue type (e.g.,
Bug,Task, or a custom type)
- Jira instance URL (e.g.,
- Click Test to verify
Issue Content
Created issues include:
- Summary:
[Guardimesh] Malware detected: {signature} in {namespace}/{pod} - Description: Full detection details, file path, cluster, node, timestamp
- Labels:
guardimesh,malware-detection
ServiceNow (Team tier and above)
Create ServiceNow incidents for malware detections.
Setup
- In ServiceNow, create a user with permission to create incidents (or use an integration user)
- In Guardimesh, create a notification channel with type ServiceNow
- Provide:
- Instance URL (e.g.,
https://yourcompany.service-now.com) - Username and password (or OAuth credentials)
- Assignment group (optional)
- Category (optional)
- Instance URL (e.g.,
- Click Test to verify
Email
Email notifications are available on all tiers including Trial.
Setup
- In Guardimesh, create a notification channel with type Email
- Enter the recipient email address(es)
- Click Test to verify
Emails are sent from notifications@guardimesh.com.
Filtering
Each notification channel supports filters to control when alerts are sent. Filters reduce noise and ensure the right team receives relevant alerts.
| Filter | Description | Example |
|---|---|---|
| Namespace include | Only notify for findings in these namespaces | production, staging |
| Namespace exclude | Never notify for findings in these namespaces | kube-system, default |
| Cluster IDs | Only notify for specific clusters (multi-cluster setups) | prod-us-east-1 |
| Minimum findings | Minimum number of findings in a scan to trigger notification | 1 |
| Signature include | Only notify for these signature patterns (supports wildcards) | Trojan.*, Ransomware.* |
| Signature exclude | Ignore these signatures (e.g., test files) | Eicar-Test-Signature |
Common Signatures to Exclude
If you run regular scan validation tests, exclude these test signatures:
Eicar-Test-SignatureEicar-SignatureEICAR_TEST
Rate Limiting
Each channel has a configurable rate limit (maximum notifications per hour) to prevent alert fatigue during large-scale incidents. Default: 100 notifications per hour.
If the rate limit is reached, a summary notification is sent indicating that additional findings were suppressed, with a count of suppressed alerts.
Delivery History
View the delivery history for any channel:
- Go to Notifications in the web console
- Click the channel name
- Select the History tab
Each entry shows:
- Timestamp
- HTTP status code (for webhooks)
- Delivery status (success/failure)
- Error message (if failed)
- Payload summary
Testing Notifications
Use the Test button on any channel to send a sample notification. The test payload uses:
- A synthetic EICAR test detection
- Namespace:
guardimesh-test - Pod:
test-notification-pod
This verifies end-to-end connectivity without requiring an actual malware detection.
Next Steps
- Custom Signatures — Add your own detection rules
- API Reference — Manage notifications programmatically
- Troubleshooting — Debug delivery issues