Alerts API
The Alerts API allows you to configure automated notifications when specific security events or patterns are detected.
Overview
Alerts define:
- Conditions: What triggers the alert (e.g., blocked requests, specific data types detected)
- Thresholds: How many occurrences within what time period
- Notifications: Where to send alerts (email, Slack, Teams, webhook)
- Recipients: Who receives the alert
Alerts help you monitor for policy violations, suspicious activity, and compliance events in real time.
Authentication
Requires API Key with:
- Read access: GET operations (all keys)
- Policy Definition permission: POST, PUT, PATCH, DELETE operations
Available Endpoints
The Alerts API provides the following endpoints:
Core Operations
- POST /api/alerts - Create a new alert
- GET /api/alerts - List all alerts with pagination
- GET /api/alerts/:id - Get a specific alert by ID
- PUT /api/alerts/:id - Update an entire alert
- PATCH /api/alerts/:id - Partially update an alert
- DELETE /api/alerts/:id - Delete an alert
Additional Operations
- PUT /api/alerts/:id/enable - Enable or disable an alert
Alert Logs
- GET /api/alertlogs - Query alert execution history
Key Concepts
Alert Conditions
Conditions define what triggers an alert. Common condition types:
- detected - Sensitive data was found
- obfuscated - Data was masked
- blocked - Request was blocked
- datatypes_detected - Specific data types found
- apps - Application matched
- rules - Rule matched
Thresholds
Define the time window for evaluating alert conditions:
| Field | Description |
|---|---|
| thresholdTime | Time interval value (numeric string) or CRON expression |
| thresholdType | Time unit: "minutes", "hours", "days", or "CRON" |
Notification Types
Send alerts to multiple channels:
```json
{
  "notificationTypes": ["email", "slack"],
  "emailRecipients": ["security@company.com"],
  "slackChannels": ["channel-uuid"]
}
```
Supported channels:
- Email
- Slack
- Microsoft Teams
- Webhooks
Common Use Cases
Security Monitoring
Alert on blocked requests or potential data exfiltration:
```json
{
  "name": "Blocked Request Alert",
  "thresholdTime": "15",
  "thresholdType": "minutes",
  "conditions": [
    {"type": "blocked", "values": ["true"]}
  ]
}
```
Compliance Monitoring
Alert when specific PII types are detected:
```json
{
  "name": "PII Detection Alert",
  "thresholdTime": "1",
  "thresholdType": "minutes",
  "conditions": [
    {"type": "datatypes_detected", "values": ["ssn-uuid", "credit-card-uuid"]}
  ]
}
```
Operational Monitoring
Alert on high-volume activity or anomalies:
```json
{
  "name": "High-Volume Activity",
  "thresholdTime": "5",
  "thresholdType": "minutes",
  "conditions": [
    {"type": "detected", "values": ["true"]}
  ]
}
```
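A client-side check that ties the notification fields and the use-case payloads above together, added here as an example rather than the product's own SDK: it validates an alert body against the condition types, threshold fields and channel recipient lists documented on this page, then builds (without sending) the POST /api/alerts request. The X-API-Key header name and the base URL are assumptions; the page names neither.

```python
import json
import urllib.request

# Allowed values taken from this page; assumed header name and base URL are marked below.
CONDITION_TYPES = {"detected", "obfuscated", "blocked", "datatypes_detected", "apps", "rules"}
THRESHOLD_TYPES = {"minutes", "hours", "days", "CRON"}
CHANNEL_RECIPIENTS = {"email": "emailRecipients", "slack": "slackChannels"}


def validate_alert(alert):
    """Return a list of problems; empty means the payload matches the documented shape."""
    problems = []
    if not alert.get("name"):
        problems.append("name is required")
    ttype, ttime = alert.get("thresholdType"), alert.get("thresholdTime")
    if ttype not in THRESHOLD_TYPES:
        problems.append("thresholdType must be minutes, hours, days or CRON")
    elif ttype == "CRON":
        # Assumed 5- or 6-field cron syntax; the page only says "CRON expression".
        if not isinstance(ttime, str) or len(ttime.split()) not in (5, 6):
            problems.append("thresholdTime must be a cron expression when thresholdType is CRON")
    elif not (isinstance(ttime, str) and ttime.isdigit() and int(ttime) > 0):
        problems.append("thresholdTime must be a positive numeric string")
    conditions = alert.get("conditions") or []
    if not conditions:
        problems.append("at least one condition is required")
    for cond in conditions:
        if cond.get("type") not in CONDITION_TYPES:
            problems.append("unknown condition type %r" % cond.get("type"))
        if not cond.get("values"):
            problems.append("condition %r needs a non-empty values list" % cond.get("type"))
    # A selected channel without its recipient list would fire into the void.
    for channel in alert.get("notificationTypes", []):
        field = CHANNEL_RECIPIENTS.get(channel)
        if field and not alert.get(field):
            problems.append("%s selected but %s is empty" % (channel, field))
    return problems


def build_create_request(alert, api_key, base_url="https://api.example.com"):
    """Build (without sending) POST /api/alerts; raise ValueError on an invalid payload."""
    problems = validate_alert(alert)
    if problems:
        raise ValueError("; ".join(problems))
    # Assumed: the key is sent as X-API-Key (the page names no header).
    return urllib.request.Request(
        base_url + "/api/alerts", data=json.dumps(alert).encode(),
        headers={"Content-Type": "application/json", "X-API-Key": api_key}, method="POST")
```

Send the returned request with `urllib.request.urlopen` once the validation passes; a rejected payload never leaves the client.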
Best Practices
- Set appropriate thresholds - Too sensitive causes alert fatigue; too high means missed incidents
- Combine conditions - Multiple conditions create more specific alerts
- Monitor alert logs - Review triggered alerts regularly to tune thresholds
- Name descriptively - Clear names help identify alert purpose in notifications
Related Topics
- Create Alert - Create new alert configurations
- Enable/Disable Alerts - Control alert activation
- Alert Condition Types - Detailed condition documentation
- Activities API - Query activities that triggered alerts
- Rules API - Create rules that generate alertable events