LOGRULE: Alert Rule
A SIEM alert rule that watches LOG events for a condition and creates LOGALERT records when it fires. Rules are scoped to specific log sources, severities, or to every source on a given platform. Notifications are dispatched via a linked Integration Flow so existing Slack / Teams / email connectors handle delivery without per-rule plumbing.
This page documents the LOGRULE definition as shipped with DemandFlow. Administrators can add, remove, rename, or re-type fields, change which ones are required, and alter the layout from the Definitions screen in Settings. Your tenant's current schema may differ from what is shown here. To read the current definition at any time, GET the DEFINITION object whose id matches LOGRULE.
Entity properties
| Property | Value |
|---|---|
| Entity code | LOGRULE |
| Display name | Alert Rule |
| Plural | Alert Rules |
| Level | 9140 |
Use cases
Three rule types are supported, chosen via the ruleType field; each type has its own visibility-gated parameter block: (1) Threshold: fire when the count of matching events in a rolling window exceeds a number, optionally grouped by host, user, or action so that each group has its own counter; (2) Pattern Match: fire on any event whose specified field contains a substring or regex; (3) Absence.
Fields
Rule
| Field | Type | Required | Notes |
|---|---|---|---|
| name | text | Yes | Rule Name |
| description | text (multi-line) | | Description |
| active | enum | | Inactive rules are skipped by the evaluator. Use this to silence a noisy rule without deleting it. Valid ids: 1 (Yes), 0 (No). |
| severity | enum | Yes | Severity stamped on every alert this rule produces. Used to colour-code the alert inbox and to drive notification routing in the linked integration flow. Valid ids: info (Info), notice (Notice), warn (Warning), error (Error), critical (Critical). |
| ruleType | enum | Yes | Rule type. Valid ids: threshold (Threshold: count of matching events in a window), pattern (Pattern Match: any event matching a field value), absence (Absence: source produced no events within its heartbeat). |
Scope
| Field | Type | Required | Notes |
|---|---|---|---|
| platform | reference → NWPLATINST | No | When set, the rule auto-applies to every LOGSOURCE associated with this platform, including sources added later. Combine with the sources field to widen the scope further. |
| sources | array of references → LOGSOURCE | No | Specific log sources this rule applies to. Pick one or many. If empty AND no platform is set, the rule applies to every source in the tenant. Combine with platform to widen scope further (both lists are unioned). |
| severityFilter | enum | No | Only consider events with these severities. Leave empty to evaluate events at every severity. Valid ids: debug (Debug), info (Info), notice (Notice), warn (Warning), error (Error), critical (Critical). |
Status
| Field | Type | Required | Notes |
|---|---|---|---|
| lastEvaluated | datetime | | The last time the rule evaluator Lambda checked this rule's condition against fresh log data. System-maintained; you don't set this. Read only. |
| lastTriggered | datetime | | The most recent moment this rule fired and produced an Alert. Used together with cooldownMinutes so the same rule doesn't fire repeatedly while the condition persists. System-maintained; you don't set this. Read only. |
| triggerCount | number | | Lifetime count of how many Alerts this rule has produced since it was created. System-maintained by the rule evaluator. Incremented every time the rule fires; reflected directly in the Recent Alerts panel. Read only. |
| cooldownMinutes | number | | Minimum minutes between repeated alerts from this rule. Prevents a sustained condition from creating one alert per evaluation cycle. 0 disables cooldown. |
| autoClose | enum | | When Yes, Open alerts from this rule are automatically set to Resolved once the evaluator confirms the triggering condition is no longer true. Useful for transient conditions, so operators don't have to tidy up the alert inbox after the fact. Valid ids: 1 (Yes), 0 (No). |
| autoCloseGraceMinutes | number | | Minimum age of an Open alert before it's eligible for auto-close. Prevents flapping: a condition that clears and re-triggers within this window keeps the same alert Open rather than closing and reopening. Ignored when autoClose is No. |
Threshold parameters
| Field | Type | Required | Notes |
|---|---|---|---|
| thresholdField | text | No | If set, only events where this field matches thresholdValue are counted. Leave empty to count every event in scope. |
| thresholdValue | text | If thresholdField is set | Case-insensitive substring match against the field value. |
| thresholdCount | number | | Fire the alert when the matching event count is greater than this number within the window. |
| thresholdWindowMinutes | number | | Rolling time window the count is evaluated over. Smaller windows give faster alerting but can be noisier. |
| thresholdGroupBy | enum | No | When set, each unique value of the chosen field has its own counter: '5 failed logins per host' instead of '5 failed logins anywhere'. Valid ids: none (No grouping: single global counter), host (Per host), user (Per user), action (Per action), source (Per source). |
Pattern parameters
| Field | Type | Required | Notes |
|---|---|---|---|
| patternField | text | | Top-level envelope field or dotted nested path into the raw payload. |
| patternValue | text | | Case-insensitive substring matched against the field. Any matching event creates an alert (subject to cooldown). |
Absence parameters
| Field | Type | Required | Notes |
|---|---|---|---|
| absenceUseSourceHeartbeat | enum | | When Yes, the rule fires per source if (now − LOGSOURCE.lastUsedAt) > LOGSOURCE.heartbeatIntervalMinutes. This delegates the threshold to each source's own configured heartbeat, so global rules don't need to know per-source baselines. Valid ids: 1 (Yes), 0 (No). |
| absenceWindowMinutes | number | No | Override the per-source heartbeat with a single window. Used when 'Use each source's own heartbeat' is unchecked, or alongside it as a global maximum (whichever is shorter wins). |
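To make the Threshold and Absence semantics above concrete (window, severityFilter, case-insensitive thresholdValue match, thresholdGroupBy, cooldownMinutes, and the "shorter window wins" absence rule), here is an added reference evaluator written for this page; it is not DemandFlow's evaluator Lambda. The event envelope field names (ts, host, action, severity) and the LOGSOURCE record shape are assumptions, and all sample data is constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

NOW = datetime(2024, 5, 1, 10, 10)
def _ev(mins_ago, host, action, severity="warn"):  # constructed LOG event; field names assumed
    return {"ts": NOW - timedelta(minutes=mins_ago), "host": host, "action": action, "severity": severity}

EVENTS = [_ev(1, "web-1", "login_failed"), _ev(2, "web-1", "login_failed"),
          _ev(4, "web-1", "login_failed"), _ev(7, "web-1", "login_failed"),
          _ev(3, "web-1", "login_failed", "debug"),   # dropped by severityFilter
          _ev(30, "web-1", "login_failed"),           # outside the 10-minute window
          _ev(5, "web-2", "login_failed"), _ev(6, "web-2", "login_ok")]

THRESHOLD_RULE = {"severityFilter": ["warn", "error"], "thresholdField": "action",
                  "thresholdValue": "FAILED", "thresholdCount": 3, "thresholdWindowMinutes": 10,
                  "thresholdGroupBy": "host", "cooldownMinutes": 15}

def evaluate_threshold(rule, events, now, last_triggered=None):
    # Returns the group keys ('*' when ungrouped) whose count exceeds thresholdCount; empty during cooldown.
    if last_triggered and now - last_triggered < timedelta(minutes=rule.get("cooldownMinutes", 0)):
        return set()
    window_start = now - timedelta(minutes=rule["thresholdWindowMinutes"])
    field, needle = rule.get("thresholdField"), rule.get("thresholdValue", "").lower()
    group_by = rule.get("thresholdGroupBy", "none")
    counts = Counter()
    for e in events:
        if not (window_start <= e["ts"] <= now):
            continue
        if rule.get("severityFilter") and e["severity"] not in rule["severityFilter"]:
            continue
        if field and needle not in str(e.get(field, "")).lower():  # case-insensitive substring
            continue
        counts["*" if group_by == "none" else e.get(group_by, "")] += 1
    return {key for key, n in counts.items() if n > rule["thresholdCount"]}

# Constructed LOGSOURCE records with the lastUsedAt and heartbeatIntervalMinutes fields the page names.
SOURCES = [{"name": "sshd", "lastUsedAt": NOW - timedelta(minutes=12), "heartbeatIntervalMinutes": 10},
           {"name": "nginx", "lastUsedAt": NOW - timedelta(minutes=3), "heartbeatIntervalMinutes": 5},
           {"name": "backup", "lastUsedAt": NOW - timedelta(minutes=50), "heartbeatIntervalMinutes": 120}]

def evaluate_absence(rule, sources, now):
    # Per source: fire when silence exceeds the source heartbeat, absenceWindowMinutes, or the shorter of both.
    fired = []
    for s in sources:
        heartbeat = s["heartbeatIntervalMinutes"] if rule.get("absenceUseSourceHeartbeat") == 1 else None
        limits = [m for m in (heartbeat, rule.get("absenceWindowMinutes")) if m]
        silence_minutes = (now - s["lastUsedAt"]).total_seconds() / 60
        if limits and silence_minutes > min(limits):
            fired.append(s["name"])
    return fired
```

Note that thresholdCount is a strict "greater than" (four matching web-1 events fire a rule with thresholdCount 3) and that an absence rule with neither option set can never fire.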
Notification dispatch
| Field | Type | Required | Notes |
|---|---|---|---|
| notifyUsers | array of references → user | | DemandFlow users to notify in-app (and via their default email) when the rule fires. |
| notifyIntegrationFlow | reference → INTFLOW | No | An Integration Flow triggered with the alert payload when the rule fires. Use this to dispatch to Slack, Teams, PagerDuty, a webhook, or any other channel; the flow handles transport. |
Activity
Activity timeline panel attached.
Relationships
- Lookups: platform points at a NWPLATINST record; sources points at LOGSOURCE records; notifyIntegrationFlow points at an INTFLOW record.
- Related lists: LOGALERT (format SUB|LOGRULE|LOGALERT).
Creating an Alert Rule via the API

```http
POST /v1/objects
Authorization: Bearer <your-pat>
Content-Type: application/json

{
  "entity": "LOGRULE",
  "level": 9140,
  "comboKey": "SUB:<your-sub-id>|ENT:",
  "name": "Example",
  "severity": "info",
  "ruleType": "threshold"
}
```
Listing Alert Rule records

```http
# All alert rules in your tenant
GET /v1/entities/LOGRULE/SUB
```