Alerting
The Audit Service provides rule-based alerting on audit events through the AuditAlertRule entity and associated alert evaluation logic. Alert rules can detect security threats, policy violations, and anomalous behavior by matching event patterns, monitoring thresholds, and analyzing activity windows.
Alert Rule Types
| Rule Type | Description |
|---|---|
| EVENT_MATCH | Triggers when specific event types or actions occur |
| THRESHOLD | Triggers when the event count exceeds a threshold within a time window |
| ANOMALY | Detects anomalous patterns against established baselines |
| FAILED_AUTH | Triggers on multiple failed authentication attempts |
| SENSITIVE_DATA_ACCESS | Monitors access to sensitive resources |
| AFTER_HOURS | Triggers on activity outside configured business hours |
| RATE_LIMIT | Triggers on rate-limiting violation patterns |
Alert Severity Levels
| Severity | Description |
|---|---|
| LOW | Informational, no immediate action required |
| MEDIUM | Should be investigated within business hours |
| HIGH | Requires prompt attention |
| CRITICAL | Requires immediate response |
AuditAlertRule Entity
| Field | Type | Description |
|---|---|---|
| id | UUID | Rule identifier |
| tenantId | UUID | Owning tenant |
| name | String | Human-readable rule name |
| description | String | Rule description |
| ruleType | RuleType | Type of alert rule |
| severity | AlertSeverity | Alert severity level |
| conditions | JSON | Rule-specific conditions (event types, actions, resource types) |
| thresholdCount | Integer | Event count threshold for threshold-based rules |
| thresholdWindowMinutes | Integer | Time window for threshold evaluation (in minutes) |
| notificationChannels | String | Comma-separated channels: email, slack, webhook |
| notificationRecipients | String | Comma-separated emails or webhook URLs |
| cooldownMinutes | Integer | Minimum minutes between repeated alerts |
| lastTriggeredAt | Instant | Timestamp of last trigger |
| triggerCount | Integer | Total number of times the rule has triggered |
| isActive | Boolean | Whether the rule is enabled |
Example Alert Rules
Failed Login Threshold
```json
{
  "name": "Multiple Failed Logins",
  "ruleType": "FAILED_AUTH",
  "severity": "HIGH",
  "conditions": {
    "eventTypes": ["LOGIN_FAILED"]
  },
  "thresholdCount": 5,
  "thresholdWindowMinutes": 15,
  "notificationChannels": "email,slack",
  "notificationRecipients": "security@acme.com",
  "cooldownMinutes": 30
}
```
After-Hours Access
```json
{
  "name": "After Hours Data Access",
  "ruleType": "AFTER_HOURS",
  "severity": "MEDIUM",
  "conditions": {
    "eventTypes": ["DATA_ACCESS", "DATA_EXPORT"],
    "businessHoursStart": "09:00",
    "businessHoursEnd": "18:00",
    "timezone": "America/New_York"
  },
  "notificationChannels": "email",
  "notificationRecipients": "security@acme.com",
  "cooldownMinutes": 60
}
```
Security Event Match
```json
{
  "name": "Access Denied Alert",
  "ruleType": "EVENT_MATCH",
  "severity": "MEDIUM",
  "conditions": {
    "eventTypes": ["ACCESS_DENIED", "RATE_LIMIT_EXCEEDED"]
  },
  "notificationChannels": "slack,webhook",
  "notificationRecipients": "https://hooks.slack.com/xxx",
  "cooldownMinutes": 15
}
```
Notification Channels
| Channel | Delivery Method |
|---|---|
| email | Sends alert details to the notification recipients via email |
| slack | Posts to a Slack webhook URL |
| webhook | Sends a JSON payload to a custom HTTP endpoint |
Cooldown Mechanism
The cooldown mechanism prevents alert fatigue by enforcing a minimum interval between repeated triggers of the same rule. When a rule is triggered:
- The alert is created and notifications are sent
- The `lastTriggeredAt` timestamp is updated
- Subsequent events matching the rule within the `cooldownMinutes` window are suppressed
- After the cooldown expires, the rule can trigger again
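The example below is added here to show how the window-based threshold counting of the FAILED_AUTH rule above, the business-hours test of the AFTER_HOURS rule, and the cooldown suppression fit together; it is not the Audit Service's own code. The `AlertRule` dataclass, `matches`, `evaluate` and `demo` names, and all events and timestamps are constructed for this illustration, and business hours are assumed not to cross midnight.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

@dataclass
class AlertRule:  # hypothetical Python mirror of the AuditAlertRule fields that drive evaluation
    name: str
    rule_type: str
    conditions: dict
    threshold_count: int = 1
    threshold_window_minutes: int = 0
    cooldown_minutes: int = 0
    last_triggered_at: "datetime | None" = None

def matches(rule, event):  # one event against the rule's conditions JSON
    types = rule.conditions.get("eventTypes")
    if types and event["eventType"] not in types:
        return False
    if rule.rule_type == "AFTER_HOURS":  # local time outside [businessHoursStart, businessHoursEnd)
        local = event["timestamp"].astimezone(ZoneInfo(rule.conditions["timezone"])).time()
        start = time.fromisoformat(rule.conditions["businessHoursStart"])
        end = time.fromisoformat(rule.conditions["businessHoursEnd"])
        return not (start <= local < end)
    return True

def evaluate(rule, events, now):  # True if the rule fires at `now`; cooldown first, then window count
    if rule.last_triggered_at and now < rule.last_triggered_at + timedelta(minutes=rule.cooldown_minutes):
        return False  # within cooldownMinutes of the last trigger: suppressed
    window = timedelta(minutes=rule.threshold_window_minutes)
    hits = [e for e in events if matches(rule, e) and (not window or timedelta(0) <= now - e["timestamp"] <= window)]
    needed = rule.threshold_count if rule.rule_type in ("THRESHOLD", "FAILED_AUTH") else 1
    if len(hits) < needed:
        return False
    rule.last_triggered_at = now  # the alert would be created and notifications sent here
    return True

def demo():  # constructed events run through the page's failed-login and after-hours rules
    now = datetime(2024, 3, 4, 14, 0, tzinfo=timezone.utc)  # 09:00 in New York (EST, before DST)
    failed = AlertRule("Multiple Failed Logins", "FAILED_AUTH", {"eventTypes": ["LOGIN_FAILED"]},
                       threshold_count=5, threshold_window_minutes=15, cooldown_minutes=30)
    events = [{"eventType": "LOGIN_FAILED", "timestamp": now - timedelta(minutes=m)} for m in (1, 3, 5, 8, 20)]
    below = evaluate(failed, events, now)  # four in the 15-minute window, one stale: no alert
    events.append({"eventType": "LOGIN_FAILED", "timestamp": now})
    fired = evaluate(failed, events, now)  # fifth failure: alert
    cooled = evaluate(failed, events, now + timedelta(minutes=10))  # still inside the 30-minute cooldown
    after = AlertRule("After Hours Data Access", "AFTER_HOURS", {"eventTypes": ["DATA_ACCESS", "DATA_EXPORT"],
                      "businessHoursStart": "09:00", "businessHoursEnd": "18:00", "timezone": "America/New_York"})
    in_hours = evaluate(after, [{"eventType": "DATA_EXPORT", "timestamp": now}], now)  # exactly 09:00: business hours
    late = now.replace(hour=23, minute=30)  # 18:30 in New York
    off_hours = evaluate(after, [{"eventType": "DATA_EXPORT", "timestamp": late}], late)
    return below, fired, cooled, in_hours, off_hours
```

`demo()` returns `(False, True, False, False, True)`: the stale failure outside the window does not count, the cooldown suppresses the re-evaluation ten minutes after the alert, and an event at exactly `businessHoursStart` is treated as in-hours.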
Database Indexes
| Index | Columns | Purpose |
|---|---|---|
| idx_alert_rules_tenant | tenant_id | Efficient tenant-scoped rule queries |
| idx_alert_rules_active | is_active | Filter active rules for evaluation |