
Overview

Alert rules monitor your event stream in real time and trigger notifications when specific conditions are met. Configure rules from Settings > Alerts in the dashboard.

Rule Types

Immutable provides five built-in alert rule types:

new_country

Triggers when an actor performs an action from a country they have never been seen in before. Requires geolocation enrichment. Use case: Detect potential account compromise. A user who normally logs in from the US suddenly appears from an unrecognized country.

high_volume_destructive

Triggers when a high volume of destructive actions (e.g. *.deleted, *.removed) occurs within a short time window. Use case: Detect mass deletion attacks or accidental bulk operations.

ingestion_spike

Triggers when event ingestion volume exceeds a configurable threshold relative to the workspace’s normal baseline. Use case: Detect unusual API activity that may indicate a compromised API key or a misconfigured integration.

repeated_action

Triggers when the same action is performed repeatedly by the same actor within a short time window. Use case: Detect brute-force login attempts, automated scraping, or retry loops.

off_hours

Triggers when actions occur outside of configured business hours. Use case: Detect suspicious activity during nights, weekends, or holidays.

Alert Delivery

Alerts are delivered through two channels:

Email

Alert notifications are sent to workspace members with admin or owner roles.

Webhook

Alerts are POSTed to your configured endpoint as JSON. Each request carries an HMAC-SHA256 signature so the receiver can verify it.
Headers:
  • Content-Type: application/json
  • X-Immutable-Signature: sha256={hmac_hash}
Payload:
{
  "event_type": "alert.triggered",
  "alert_id": "alt_4f7a8b9c-0d1e-2f3a-4b5c-6d7e8f9a0b1c",
  "rule_name": "Suspicious Login",
  "rule_type": "new_country",
  "reason": "Actor user_2hG9kLm logged in from DE for the first time",
  "event": {
    "id": "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d",
    "action": "user.login",
    "actor_id": "user_2hG9kLm",
    "ip_country": "DE"
  },
  "workspace_id": "ws_1a2b3c4d",
  "triggered_at": "2026-03-26T08:45:12.000000Z"
}
See Webhook Signatures for how to verify the X-Immutable-Signature header.
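A receiver-side check for the header above, as an added example that is not Immutable's own code. It assumes the signature is the hex-encoded HMAC-SHA256 of the raw request body under a per-endpoint shared secret; confirm the exact scheme on the Webhook Signatures page. The secret, the sample body and the function names `sign` and `verify_alert` are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values (not issued by Immutable).
SECRET = b"whsec_example_constructed"
RAW_BODY = json.dumps({
    "event_type": "alert.triggered",
    "rule_type": "new_country",
    "event": {"action": "user.login", "actor_id": "user_2hG9kLm", "ip_country": "DE"},
}, separators=(",", ":")).encode()


def sign(secret: bytes, raw_body: bytes) -> str:
    """Header value under the assumed scheme: hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_alert(secret: bytes, raw_body: bytes, header: Optional[str]) -> Optional[dict]:
    """Return the parsed alert only if the signature matches; otherwise None."""
    if not header or not header.startswith("sha256="):
        return None  # missing or unknown-algorithm header: reject, never skip the check
    # Sign the bytes exactly as received. Re-serialising parsed JSON can change
    # whitespace or key order and break (or weaken) the comparison.
    expected = sign(secret, raw_body)
    # Constant-time compare so response timing does not reveal matching prefixes.
    if not hmac.compare_digest(expected.encode(), header.encode()):
        return None
    try:
        alert = json.loads(raw_body)  # parse only after authentication
    except ValueError:
        return None
    if not isinstance(alert, dict) or alert.get("event_type") != "alert.triggered":
        return None
    return alert


if __name__ == "__main__":
    header = sign(SECRET, RAW_BODY)  # stands in for X-Immutable-Signature
    print(verify_alert(SECRET, RAW_BODY, header))
    print(verify_alert(SECRET, RAW_BODY + b" ", header))  # tampered body
```

In a web framework, pass the unparsed request bytes to `verify_alert` and return a 4xx status when it yields `None`.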

Querying Alerts

Retrieve triggered alerts via the API:
curl "https://getimmutable.dev/api/v1/alerts?rule_type=new_country&limit=25" \
  -H "Authorization: Bearer imk_your_api_key_here"
See the Alerts API reference for all query parameters.

Plan Quotas

Plan          Alert Rule Limit
Free          2
Starter       10
Pro           50
Enterprise    Unlimited