Skip to content

Create v2


POST /api/v1/alert_policy/add_v2

Overview

Create an Alert Strategy. v2 supports synchronously updating associated monitors/intelligent monitors/intelligent inspections/SLOs, and security monitoring.

Body Request Parameters

Parameter Name Type Required Description
name string Y Alert Strategy name
Allow empty: False
desc string Description
Allow empty: False
Allow empty string: True
Max length: 256
openPermissionSet boolean Enable custom permission configuration (default false: disabled). When enabled, the operation permissions for this rule are based on permissionSet.
Allow empty: False
permissionSet array Operation permission configuration. Configurable (roles (except owner), member UUIDs, team UUIDs).
Example: ['wsAdmin', 'acnt_xxxx', 'group_yyyy']
Allow empty: False
checkerUUIDs array Monitor/Intelligent Monitor/Intelligent Inspection/SLO UUIDs (added in 2024-12-11 iteration)
Example: ['rule_xxx', 'monitor_xxx']
Allow empty: False
securityRuleUUIDs array Security Monitoring (CSPM, SIEM) UUIDs
Example: ['srul_xxx', 'srul_xxx', 'srul_xxx']
Allow empty: False
ruleTimezone str Y Alert Strategy timezone
Example: Asia/Shanghai
Allow empty: False
alertOpt json Alert settings
Allow empty: False
alertOpt.aggType string Alert aggregation type. Not passing this field defaults to the old version logic (added in 2024-12-25 iteration).
Allow empty: True
Allowed values: ['byFields', 'byCluster', 'byAI', 'byCustom']
alertOpt.ignoreOK boolean Advanced configuration. OK level only generates events, does not send notifications (whether to ignore OK notifications). Added 2025-10-22.
Allow empty: False
alertOpt.alertType string Alert Strategy notification type: level(status)/member(member). Default is level.
Allow empty: False
Allowed values: ['status', 'member']
alertOpt.alertTarget array Trigger actions. Note parameter handling for trigger times.
Example: [{'name': 'Notification Configuration1', 'targets': [{'to': ['acnt_xxxx32'], 'status': 'critical', 'tags': {'pod_name': ['coredns-7769b554cf-w95fk']}, 'upgradeTargets': [{'to': ['acnt_xxxx32'], 'duration': 600}, {'to': ['group_xxxx32'], 'duration': 6000}]}], 'crontabDuration': 600, 'crontab': '0 9 * * 0,1,2,3,4'}, {'name': 'Notification Configuration2', 'targets': [{'status': 'error', 'to': ['group_xxxx32'], 'upgradeTargets': [{'to': ['acnt_xxxx32'], 'duration': 600}, {'to': ['group_xxxx32'], 'duration': 6000}]}], 'customDateUUIDs': ['ndate_xxxx32'], 'customStartTime': '09:30:10', 'crontabDuration': 600}]
Allow empty: False
alertOpt.silentTimeout integer Repeat alert configuration
Allow empty: False
alertOpt.silentTimeoutByStatusEnable boolean Whether to enable per-level repeat alert configuration. Default false, uses silentTimeout configuration.
Allow empty: False
alertOpt.silentTimeoutByStatus array Per-level minimum alert interval configuration.
Allow empty: False
alertOpt.aggInterval integer Y Alert aggregation interval, in seconds. 0 means no aggregation.
Allow empty: False
$minValue: 0
$maxValue: 1800
alertOpt.aggFields array Aggregation field list. Keep as an empty list [] to indicate "Aggregation Rule: All". df_monitor_checker_id: Monitor/Intelligent Inspection/SLO, df_dimension_tags: Detection dimension, df_label: Label, CLUSTER: Intelligent aggregation.
Example: ['CLUSTER']
Allow empty: False
alertOpt.aggLabels array Label value list for label-based aggregation. Only takes effect if df_label is specified in aggFields.
Allow empty: False
alertOpt.aggClusterFields array Field list for intelligent aggregation. Only takes effect if CLUSTER is specified in aggFields. Allowed values: "df_title": Title, "df_message": Content.
Example: ['df_title']
Allow empty: False
alertOpt.aggSendFirst boolean Whether to send the first alert directly during aggregation (parameter added in 2025-09-03 iteration).
Allow empty: False

Parameter Supplementary Description

Data Description.

1. alertOpt Parameter Description

Parameter Name type Required Description
name string Required Rule name
desc string Description
type string Required Checker type
ruleTimezone string Required Alert Strategy timezone (parameter added in 2024-01-31 iteration)
alertOpt Dict Required Alert settings
alertOpt.silentTimeout integer Minimum alert interval. How long to not resend the same alert (i.e., alert silence duration), in seconds/s. 0/null means send the alert only once (i.e., infinite interval).
alertOpt.silentTimeoutByStatusEnable boolean Whether to enable per-level repeat alert configuration
alertOpt.silentTimeoutByStatus array Per-level minimum alert interval, in seconds. Security monitoring levels use the security_ prefix.
alertOpt.aggInterval integer Alert aggregation interval, in seconds. 0 means no aggregation, unit seconds/s range [0,1800].
alertOpt.aggFields array Aggregation field list. Keep as an empty list [] to indicate "Aggregation Rule: All". df_monitor_checker_id: Monitor/Intelligent Inspection/SLO, df_dimension_tags: Detection dimension, df_label: Label, CLUSTER: Intelligent aggregation, or when aggType=byCustom, represents custom aggregation fields.
alertOpt.aggLabels array Label value list for label-based aggregation. Only takes effect if df_label is specified in aggFields.
alertOpt.aggClusterFields array Field list for intelligent aggregation. Only takes effect if CLUSTER is specified in aggFields. Allowed values: "df_title": Title, "df_message": Content.
alertOpt.aggSendFirst boolean Whether to send the first alert directly during aggregation (parameter added in 2025-09-03 iteration).
alertOpt.aggType string Default (not passed) follows old version logic. byFields: Rule aggregation, byCluster: Intelligent aggregation, byAI: AI aggregation, byCustom: Rule aggregation - Custom. Added 2024-12-25.
alertOpt.alertTarget Array[Dict] Alert actions
alertOpt.alertType string Alert Strategy notification type: level(status)/member(member). Default is level. Added 2024-11-06 iteration.
alertOpt.ignoreOK boolean Advanced configuration. OK level only generates events, does not send notifications (whether to ignore OK notifications). Added 2025-10-22.
openPermissionSet boolean Whether to enable custom permission configuration, default false. Added 2024-11-06 iteration.
permissionSet array Operation permission configuration. Added 2024-11-06 iteration.
checkerUUIDs array Associated Monitor/Intelligent Monitor/Intelligent Inspection/SLO UUIDs. Added 2024-12-11 iteration.
securityRuleUUIDs array Associated Security Monitoring (CSPM, SIEM) UUIDs. Added 2025-05-14 iteration.

1.1 alertOpt.aggType Parameter Description 2024-12-25
Alert aggregation type:
 null: No aggregation
 byFields: Rule aggregation
 byCluster: Intelligent aggregation
 byAI: AI aggregation


In the old data structure, since the aggType field did not exist, the aggregation type was determined by the content of aggFields. Therefore, after adding the aggType field, compatibility is handled as follows:
When aggType is specified, aggregate according to the method specified by aggType.
When aggType is not specified or aggType=None (follows old logic):
If aggFields contains "CLUSTER", aggregate using the intelligent aggregation method.
If aggFields does not contain "CLUSTER", aggregate using the rule aggregation method.

Derived rules: Specifying aggInterval=0 or aggInterval=null still means "no aggregation".
When specifying aggType="byCluster", "CLUSTER" does not need to be passed in aggFields (passing it or not does not affect).
When specifying aggType="byFields", but aggFields contains "CLUSTER", "CLUSTER" will be ignored (i.e., aggType has higher priority).
When specifying aggType="byCustom", aggregate according to the custom fields in aggFields.

2. Parameter Description for alertOpt.alertTarget when Alert Strategy is Level Type

key Type Required Description
name string Configuration name
targets Array[dict] Required Notification target configuration (Note the position of this field for level/member type Alert Strategies)
crontab String Start Crontab when selecting a recurring time period (Crontab syntax)
crontabDuration integer Duration (seconds) from the Crontab start time when selecting a recurring time period.
customDateUUIDs Array[String] UUID list of custom notification dates when selecting custom time. Example: ['ndate_xxxx32', 'ndate_xxxx32']. Refer to (Monitoring - Alert Strategy - Custom Notification Date, interface) for custom notification dates.
customStartTime String Daily start time when selecting custom time, format: HH🇲🇲ss
customDuration integer Duration (seconds) from the custom start time customStartTime when selecting a custom time period.

3. Parameter Description for alertOpt.alertTarget when Alert Strategy is Member Type

key Type Required Description
alertTarget[#] dict alertTarget list element
alertTarget[#].name string Configuration name
alertTarget[#].crontab String Start Crontab when selecting a recurring time period (Crontab syntax)
alertTarget[#].crontabDuration integer Duration (seconds) from the Crontab start time when selecting a recurring time period.
alertTarget[#].customDateUUIDs Array[String] UUID list of custom notification dates when selecting custom time. Example: ['ndate_xxxx32', 'ndate_xxxx32']. Refer to (Monitoring - Alert Strategy - Custom Notification Date, interface) for custom notification dates.
alertTarget[#].customStartTime String Daily start time when selecting custom time, format: HH🇲🇲ss
alertTarget[#].customDuration integer Duration (seconds) from the custom start time customStartTime when selecting a custom time period.
alertTarget[#].alertInfo Array[dict] Required Notification-related information configuration for member-type Alert Strategies. Added 2024-11-27 iteration.

4. Parameter Description for alertOpt.alertTarget.alertInfo when Alert Strategy is Member Type

key Type Required Description
alertInfo[#] string alertInfo list element
alertInfo[#].name string Configuration name
alertInfo[#].targets Array[dict] Required Notification target configuration (Note the position of this field for level/member type Alert Strategies)
alertInfo[#].filterString string Used when alertType is member. Filter condition original string. Added 2024-11-27 iteration.
alertInfo[#].memberInfo array Used when alertType is member (Team UUIDs, Member UUIDs). Example: [group_xxxx,acnt_xxxx]. Added 2024-11-27 iteration.

5. Time Configuration Related Description

If selecting a recurring time period, the crontab and crontabDuration fields are required parameters.
If selecting a custom time period, the customDateUUIDs, customDuration, and customStartTime fields are required parameters.
If selecting "Other Times", crontab, crontabDuration, customDateUUIDs, customStartTime, customDuration do not need to be passed.
Note: Each Alert Strategy will have an "Other Times" notification rule, which is the fallback notification target without time configuration.

6. Notification Target Field targets Description
When alertType is status, targets location is alertOpt.alertTarget.targets
When alertType is member, targets location is alertOpt.alertTarget.alertInfo.targets

targets is a list, internal elements are dicts, internal field description as follows:

key Type Required Description
to Array[String] Required Notification targets/members/teams. Example: [group_xxxx,acnt_xxxx,notify_xxxx]. (When alertType is member, only notification targets and fixed fields email, sms (SaaS version supports sms) can be selected. Example: [email,notify_xxxx]. Added 2024-11-06 iteration.)
status Enum Required The status value of the event that needs to trigger the alert (multiple statuses can be separated by commas, All means all). Non-security monitoring status values: fatal, critical,error,warning,nodata,info. Security monitoring status values: critical, high, medium, low, info (Security monitoring enum values added 2025-05-14 iteration).
df_source Enum When status needs to be a security monitoring status, df_source must be specified as security here. Default (not passed) indicates non-security monitoring status. (Added 2025-05-14 iteration)
upgradeTargets Array Escalation notification for each alert configuration status.
tags dict Filter conditions
filterString dict Filter condition original string, can replace tags. filterString has higher priority than tags. Added 2024-11-27 iteration.

7. Notification Target Field upgradeTargets Description

  <br/>

When alertType is status, targets location is alertOpt.alertTarget.targets.upgradeTargets
When alertType is member, targets location is alertOpt.alertTarget.alertInfo.targets.upgradeTargets

7.1 upgradeTargets is a list, internal elements are dicts, internal field description as follows:

key Type Required Description
to Array[String] Required Notification targets/members/teams. Example: [group_xxxx,acnt_xxxx,notify_xxxx]. (When alertType is member, only members and teams can be selected. Added 2024-11-06 iteration.)
duration integer Duration. Trigger escalation notification when events of this status level persist for this duration.
toWay Array[String] Used when alertType is member(member) type. Only notification targets and fixed fields email, sms (SaaS version supports sms) can be selected. Example: [email,notify_xxxx]. Added 2024-11-06 iteration.

8. Operation Permission Configuration Parameter Description

Parameter Name type Description
openPermissionSet boolean Whether to enable custom permission configuration, default false.
permissionSet array Operation permission configuration.

8.1 permissionSet, openPermissionSet Field Description (Added 2024-06-26 iteration):
When openPermissionSet is enabled, only the workspace owner and roles/teams/members configured in permissionSet can edit/enable/disable/delete.
When openPermissionSet is disabled (default), the delete/enable/disable/edit permissions follow the original interface edit/enable/disable/delete permissions.
The permissionSet field can be configured with role UUIDs (wsAdmin, general, readOnly, role_xxxxx), team UUIDs (group_yyyy), member UUIDs (acnt_xxx).
permissionSet field example: 

  ["wsAdmin", "general", "group_yyyy", "acnt_xxxx"]

9. alertOpt[#].silentTimeoutByStatus Parameter Description

Parameter Name type Description
silentTimeoutByStatus[#] dict silentTimeoutByStatus list element
silentTimeoutByStatus[#].status boolean Non-security monitoring status values: fatal, critical,error,warning,nodata,info. Security monitoring status values: security_critical, security_high, security_medium, security_low, security_info.
silentTimeoutByStatus[#].silentTimeout integer Minimum alert interval. How long to not resend the same alert (i.e., alert silence duration), in seconds/s. 0/null means send the alert only once (i.e., infinite interval).

silentTimeoutByStatus field example: 

  [
      {
          "status": "fatal",
          "silentTimeout": 600
      },
      {
          "status": "critical,error",
          "silentTimeout": 900
      },
      {
          "status": "security_high",
          "silentTimeout": 600
      },
  ]

Request Example

curl 'https://openapi.guance.com/api/v1/alert_policy/add' \
-H 'DF-API-KEY: <DF-API-KEY>' \
-H 'Content-Type: application/json;charset=UTF-8' \
--data-raw '{"name":"jj_test","ruleTimezone":"Asia/Shanghai","alertOpt":{"alertTarget":[{"name":"Notification Configuration1","targets":[{"status":"critical","tags":{"pod_name":["coredns-7769b554cf-w95fk"]},"to":["acnt_xxxx32"]}],"crontabDuration":600,"crontab":"0 9 * * 0,1,2,3,4"},{"name":"Notification Configuration2","targets":[{"status":"error","to":["group_xxxx32"]}],"customDateUUIDs":["ndate_xxxx32"],"customStartTime":"09:30:10","customDuration":600},{"targets":[{"status":"warning","to":["notify_xxxx32"]}]}],"silentTimeout":21600,"aggInterval":120,"aggFields":["df_monitor_checker_id"]}}' \
--compressed

Response

{
    "code": 200,
    "content": {
        "alertOpt": {
            "aggFields": [
                "df_monitor_checker_id"
            ],
            "aggInterval": 120,
            "alertTarget": [
                {
                    "crontab": "0 9 * * 0,1,2,3,4",
                    "crontabDuration": 600,
                    "name": "Notification Configuration1",
                    "targets": [
                        {
                            "status": "critical",
                            "tags": {
                                "pod_name": [
                                    "coredns-7769b554cf-w95fk"
                                ]
                            },
                            "to": [
                                "acnt_xxxx32"
                            ]
                        }
                    ]
                },
                {
                    "customDateUUIDs": [
                        "ndate_xxxx32"
                    ],
                    "customDuration": 600,
                    "customStartTime": "09:30:10",
                    "name": "Notification Configuration2",
                    "targets": [
                        {
                            "status": "error",
                            "to": [
                                "group_xxxx32"
                            ]
                        }
                    ]
                },
                {
                    "targets": [
                        {
                            "status": "warning",
                            "to": [
                                "notify_xxxx32"
                            ]
                        }
                    ]
                }
            ],
            "silentTimeout": 21600
        },
        "createAt": 1719373984,
        "creator": "wsak_xxxx32",
        "declaration": {
            "asd": "aa,bb,cc,1,True",
            "asdasd": "dawdawd",
            "business": "aaa",
            "fawf": "afawf",
            "organization": "64fe7b4062f74d0007b46676"
        },
        "deleteAt": -1,
        "id": null,
        "name": "jj_test",
        "ruleTimezone": "Asia/Shanghai",
        "score": 0,
        "status": 0,
        "updateAt": 1719373984,
        "updator": "wsak_xxxx32",
        "uuid": "altpl_xxxx32",
        "workspaceUUID": "wksp_xxxx32"
    },
    "errorCode": "",
    "message": "",
    "success": true,
    "traceId": "TRACE-148B6846-6180-4594-BD26-8A2077F0E911"
}

Feedback

Is this page helpful? ×