Skip to main content
Alerting in the external API follows the internal physical event alert model.

Alert rules

Rules define which threats should emit alerts. Each rule can include:
  • enabled
  • title
  • severity_threshold
  • asset_ids
  • threat_types
  • max_distance_km
  • mute_interval_hours
  • delivery toggles such as email_enabled, sms_enabled, and slack_enabled

Triggered alerts

Triggered alerts are persisted rows with their own lifecycle state. Important fields include:
  • alert ID
  • related threat_id
  • alert type
  • severity
  • state
  • matched rule ID and title
  • distance bounds
  • created/updated timestamps

Alert states

Triggered alerts move through these states:
  • new
  • seen
  • acked
  • dismissed

Backfill behavior

When alert rules are updated, the internal system can backfill existing active threats against the new rules. The external API is documented the same way so clients can expect alert feeds to reflect newly-saved rules, not only future threats.