Create v2¶
POST /api/v1/alert_policy/add_v2
Overview¶
Create an alert policy. v2 supports synchronously updating associated monitors/intelligent monitors/intelligent inspections/SLOs, and security monitoring.
Body Request Parameters¶
| Parameter Name | Type | Required | Description |
|---|---|---|---|
| name | string | Y | Alert policy name Allow empty: False |
| desc | string | Description Allow empty: False Allow empty string: True Max length: 256 |
|
| openPermissionSet | boolean | Enable custom permission configuration, (default false: disabled). When enabled, the operation permissions for this rule are based on permissionSet. Allow empty: False |
|
| permissionSet | array | Operation permission configuration, configurable (roles (except owner), member UUIDs, team UUIDs) Example: ['wsAdmin', 'acnt_xxxx', 'group_yyyy'] Allow empty: False |
|
| checkerUUIDs | array | Monitor/Intelligent Monitor/Intelligent Inspection/SLO UUIDs (added in 2024-12-11 iteration) Example: ['rule_xxx', 'monitor_xxx'] Allow empty: False |
|
| securityRuleUUIDs | array | Security monitoring (CSPM, SIEM) UUIDs Example: ['srul_xxx', 'srul_xxx', 'srul_xxx'] Allow empty: False |
|
| ruleTimezone | str | Y | Alert policy timezone Example: Asia/Shanghai Allow empty: False |
| alertOpt | json | Alert settings Allow empty: False |
|
| alertOpt.aggType | string | Alert aggregation type. Not passing this field defaults to old version logic. Added in 2024-12-25 iteration. Allow empty: True Allowed values: ['byFields', 'byCluster', 'byAI', 'byCustom'] |
|
| alertOpt.ignoreOK | boolean | Advanced configuration. Normal level only generates events, does not send notifications (whether to ignore OK notifications). Added on 2025-10-22. Allow empty: False |
|
| alertOpt.alertType | string | Alert policy notification type, level(status)/member(member), default is level. Allow empty: False Allowed values: ['status', 'member'] |
|
| alertOpt.alertTarget | array | Trigger actions. Note the parameter handling for trigger times. Example: [{'name': 'Notification Configuration1', 'targets': [{'to': ['acnt_xxxx32'], 'status': 'critical', 'tags': {'pod_name': ['coredns-7769b554cf-w95fk']}, 'upgradeTargets': [{'to': ['acnt_xxxx32'], 'duration': 600}, {'to': ['group_xxxx32'], 'duration': 6000}]}], 'crontabDuration': 600, 'crontab': '0 9 * * 0,1,2,3,4'}, {'name': 'Notification Configuration2', 'targets': [{'status': 'error', 'to': ['group_xxxx32'], 'upgradeTargets': [{'to': ['acnt_xxxx32'], 'duration': 600}, {'to': ['group_xxxx32'], 'duration': 6000}]}], 'customDateUUIDs': ['ndate_xxxx32'], 'customStartTime': '09:30:10', 'crontabDuration': 600}] Allow empty: False |
|
| alertOpt.silentTimeout | integer | Repeat alert configuration Allow empty: False |
|
| alertOpt.silentTimeoutByStatusEnable | boolean | Whether to enable separate repeat alert settings by level. Default false, uses silentTimeout configuration. Allow empty: False |
|
| alertOpt.silentTimeoutByStatus | array | Separate repeat alert settings by level. Minimum alert interval configuration by level. Allow empty: False |
|
| alertOpt.aggInterval | integer | Y | Alert aggregation interval, in seconds. 0 means no aggregation. Allow empty: False $minValue: 0 $maxValue: 1800 |
| alertOpt.aggFields | array | Aggregation field list. Keep as empty list [] to indicate "Aggregation Rule: All". df_monitor_checker_id: Monitor/Intelligent Inspection/SLO, df_dimension_tags: Detection dimension, df_label: Label, CLUSTER: Intelligent aggregation. Example: ['CLUSTER'] Allow empty: False |
|
| alertOpt.aggLabels | array | Label value list for label-based aggregation. Takes effect only when df_label is specified in aggFields. Allow empty: False |
|
| alertOpt.aggClusterFields | array | Field list for intelligent aggregation. Takes effect only when CLUSTER is specified in aggFields. Allowed values "df_title": Title, "df_message": Content. Example: ['df_title'] Allow empty: False |
|
| alertOpt.aggSendFirst | boolean | During aggregation, whether to send the first alert directly (parameter added in 2025-09-03 iteration). Allow empty: False |
Parameter Supplementary Description¶
Data Description.
1. alertOpt Parameter Description
| Parameter Name | type | Required | Description |
|---|---|---|---|
| name | string | Required | Rule name |
| desc | string | Description | |
| type | string | Required | Checker type |
| ruleTimezone | string | Required | Alert policy timezone (parameter added in 2024-01-31 iteration) |
| alertOpt | Dict | Required | Alert settings |
| alertOpt.silentTimeout | integer | Minimum alert interval. How long before the same alert is not sent again (i.e., alert mute duration). Unit: seconds/s. 0/null means send only once (i.e., infinite interval). | |
| alertOpt.silentTimeoutByStatusEnable | boolean | Whether to enable separate repeat alert configuration by level. | |
| alertOpt.silentTimeoutByStatus | array | Minimum alert interval by level, in seconds. Security monitoring levels use the security_ prefix. |
|
| alertOpt.aggInterval | integer | Alert aggregation interval, in seconds. 0 means no aggregation. Unit: seconds/s Range [0,1800]. | |
| alertOpt.aggFields | array | Aggregation field list. Keep as empty list [] to indicate "Aggregation Rule: All". df_monitor_checker_id: Monitor/Intelligent Inspection/SLO, df_dimension_tags: Detection dimension, df_label: Label, CLUSTER: Intelligent aggregation, or custom aggregation fields when aggType=byCustom. | |
| alertOpt.aggLabels | array | Label value list for label-based aggregation. Takes effect only when df_label is specified in aggFields. | |
| alertOpt.aggClusterFields | array | Field list for intelligent aggregation. Takes effect only when CLUSTER is specified in aggFields. Allowed values "df_title": Title, "df_message": Content. | |
| alertOpt.aggSendFirst | boolean | During aggregation, whether to send the first alert directly (parameter added in 2025-09-03 iteration). | |
| alertOpt.aggType | string | Default (not passed) follows old version logic. byFields: Rule aggregation, byCluster: Intelligent aggregation, byAI: AI aggregation, byCustom: Rule aggregation - Custom. Added on 2024-12-25. | |
| alertOpt.alertTarget | Array[Dict] | Alert actions. | |
| alertOpt.alertType | string | Alert policy notification type, level(status)/member(member), default is level. Added in 2024-11-06 iteration. | |
| alertOpt.ignoreOK | boolean | Advanced configuration. Normal level only generates events, does not send notifications (whether to ignore OK notifications). Added on 2025-10-22. | |
| openPermissionSet | boolean | Whether to enable custom permission configuration. Default false. Added in 2024-11-06 iteration. | |
| permissionSet | array | Operation permission configuration. Added in 2024-11-06 iteration. | |
| checkerUUIDs | array | Associated monitor/intelligent monitor/intelligent inspection/SLO UUIDs. Added in 2024-12-11 iteration. | |
| securityRuleUUIDs | array | Associated security monitoring (CSPM, SIEM) UUIDs. Added in 2025-05-14 iteration. |
1.1 alertOpt.aggType Parameter Description
2024-12-25
Alert aggregation type:
null: No aggregation
byFields: Rule aggregation
byCluster: Intelligent aggregation
byAI: AI aggregation
In the old data structure, since the aggType field did not exist, the aggregation type was determined by the content of aggFields. Therefore, after adding the aggType field, compatibility is handled as follows:
When aggType is specified, aggregate according to the method specified by aggType.
When aggType is not specified or aggType=None (follows old logic):
If aggFields contains "CLUSTER", aggregate using intelligent aggregation.
If aggFields does not contain "CLUSTER", aggregate using rule aggregation.
Derived rules:
Specifying aggInterval=0 or aggInterval=null still means "No aggregation".
When aggType="byCluster" is specified, "CLUSTER" can be omitted from aggFields (passing it or not does not affect).
When aggType="byFields" is specified but aggFields contains "CLUSTER", "CLUSTER" is ignored (i.e., aggType has higher priority).
When aggType="byCustom" is specified, aggregate according to the custom fields in aggFields.
2. When the alert policy is of type level, alertOpt.alertTarget parameter description
| key | Type | Required | Description |
|---|---|---|---|
| name | string | Configuration name | |
| targets | Array[dict] | Required | Notification target configuration (Note the position of this field for level/member type alert policies) |
| crontab | String | When selecting a recurring time period, start Crontab (Crontab syntax) | |
| crontabDuration | integer | When selecting a recurring time, duration from Crontab start (seconds) | |
| customDateUUIDs | Array[String] | When selecting custom time, UUID list of custom notification dates. Example: ['ndate_xxxx32', 'ndate_xxxx32']. Refer to (Monitoring - Alert Policy - Custom Notification Date, interface) for custom notification dates. | |
| customStartTime | String | When selecting custom time, daily start time, format: HH ss |
|
| customDuration | integer | When selecting a custom time period, duration from customStartTime custom start time (seconds) |
3. When the alert policy is of type member, alertOpt.alertTarget parameter description
| key | Type | Required | Description |
|---|---|---|---|
| alertTarget[#] | dict | alertTarget list element | |
| alertTarget[#].name | string | Configuration name | |
| alertTarget[#].crontab | String | When selecting a recurring time period, start Crontab (Crontab syntax) | |
| alertTarget[#].crontabDuration | integer | When selecting a recurring time, duration from Crontab start (seconds) | |
| alertTarget[#].customDateUUIDs | Array[String] | When selecting custom time, UUID list of custom notification dates. Example: ['ndate_xxxx32', 'ndate_xxxx32']. Refer to (Monitoring - Alert Policy - Custom Notification Date, interface) for custom notification dates. | |
| alertTarget[#].customStartTime | String | When selecting custom time, daily start time, format: HHss |
|
| alertTarget[#].customDuration | integer | When selecting a custom time period, duration from customStartTime custom start time (seconds) | |
| alertTarget[#].alertInfo | Array[dict] | Required | When the alert policy is of member type, notification-related information configuration. Added in 2024-11-27 iteration. |
4. When the alert policy is of type member, alertOpt.alertTarget.alertInfo parameter description
| key | Type | Required | Description |
|---|---|---|---|
| alertInfo[#] | string | alertInfo list element | |
| alertInfo[#].name | string | Configuration name | |
| alertInfo[#].targets | Array[dict] | Required | Notification target configuration (Note the position of this field for level/member type alert policies) |
| alertInfo[#].filterString | string | When alertType is member, use this field. Filter condition original string. Added in 2024-11-27 iteration. | |
| alertInfo[#].memberInfo | array | When alertType is member, use this field (team UUID, member UUID). Example: [group_xxxx,acnt_xxxx]. Added in 2024-11-27 iteration. |
5. Time Configuration Related Description
If selecting a recurring time period, crontab and crontabDuration fields are required parameters.
If selecting a custom time period, customDateUUIDs, customDuration, and customStartTime fields are required parameters.
If selecting other times, crontab, crontabDuration, customDateUUIDs, customStartTime, customDuration are not required.
Note: Each alert policy will have a notification rule for other times, i.e., the fallback notification target without time configuration.
6. Notification target field targets description
When alertType is status, targets location is alertOpt.alertTarget.targets.
When alertType is member, targets location is alertOpt.alertTarget.alertInfo.targets.
targets is a list, internal elements are dicts. Internal field description is as follows:
| key | Type | Required | Description |
|---|---|---|---|
| to | Array[String] | Required | Notification target/member/team. Example: [group_xxxx,acnt_xxxx,notify_xxxx]. (When alertType is member, only notification targets and fixed fields email, sms (SaaS version supports sms) can be selected. Example: [email,notify_xxxx]. Added in 2024-11-06 iteration.) |
| status | Enum | Required | The status value of the event that needs to trigger the alert (multiple statuses can be separated by commas, All means all). Non-security monitoring status values: fatal, critical,error,warning,nodata,info. Security monitoring status values: critical, high, medium, low, info (security monitoring enum values added in 2025-05-14 iteration). |
| df_source | Enum | When status needs to be a security monitoring status, df_source must be specified as security here. Default (not passed) indicates non-security monitoring status. (Added in 2025-05-14 iteration) | |
| upgradeTargets | Array | Escalation notification for each alert configuration status. | |
| tags | dict | Filter conditions. | |
| filterString | dict | Filter condition original string, can replace tags. filterString has higher priority than tags. Added in 2024-11-27 iteration. |
7. Notification target field upgradeTargets description
<br/>
When alertType is status, targets location is alertOpt.alertTarget.targets.upgradeTargets.
When alertType is member, targets location is alertOpt.alertTarget.alertInfo.targets.upgradeTargets.
7.1 upgradeTargets is a list, internal elements are dicts. Internal field description is as follows:
| key | Type | Required | Description |
|---|---|---|---|
| to | Array[String] | Required | Notification target/member/team. Example: [group_xxxx,acnt_xxxx,notify_xxxx]. (When alertType is member, only members and teams can be selected. Added in 2024-11-06 iteration.) |
| duration | integer | Duration. Trigger escalation notification when events of this status level persist for this duration. | |
| toWay | Array[String] | Used when alertType is member type. Only notification targets and fixed fields email, sms (SaaS version supports sms) can be selected. Example: [email,notify_xxxx]. Added in 2024-11-06 iteration. |
8. Operation Permission Configuration Parameter Description
| Parameter Name | type | Description |
|---|---|---|
| openPermissionSet | boolean | Whether to enable custom permission configuration. Default false. |
| permissionSet | array | Operation permission configuration. |
8.1 permissionSet, openPermissionSet field description (fields added in 2024-06-26 iteration):
When openPermissionSet is enabled, only the workspace owner and roles/teams/members belonging to the permissionSet configuration can edit/enable/disable/delete.
When openPermissionSet is disabled (default), delete/enable/disable/edit permissions follow the original interface edit/enable/disable/delete permissions.
The permissionSet field can be configured with role UUIDs (wsAdmin,general, readOnly, role_xxxxx ), team UUIDs (group_yyyy), member UUIDs (acnt_xxx).
permissionSet field example:
9. alertOpt[#].silentTimeoutByStatus Parameter Description
| Parameter Name | type | Description |
|---|---|---|
| silentTimeoutByStatus[#] | dict | silentTimeoutByStatus list element |
| silentTimeoutByStatus[#].status | boolean | Non-security monitoring status values: fatal, critical,error,warning,nodata,info. Security monitoring status values: security_critical, security_high, security_medium, security_low, security_info. |
| silentTimeoutByStatus[#].silentTimeout | integer | Minimum alert interval. How long before the same alert is not sent again (i.e., alert mute duration). Unit: seconds/s. 0/null means send only once (i.e., infinite interval). |
silentTimeoutByStatus field example:
[
{
"status": "fatal",
"silentTimeout": 600
},
{
"status": "critical,error",
"silentTimeout": 900
},
{
"status": "security_high",
"silentTimeout": 600
},
]
Request Example¶
curl 'https://openapi.truewatch.com/api/v1/alert_policy/add' \
-H 'DF-API-KEY: <DF-API-KEY>' \
-H 'Content-Type: application/json;charset=UTF-8' \
--data-raw '{"name":"jj_test","ruleTimezone":"Asia/Shanghai","alertOpt":{"alertTarget":[{"name":"Notification Configuration1","targets":[{"status":"critical","tags":{"pod_name":["coredns-7769b554cf-w95fk"]},"to":["acnt_xxxx32"]}],"crontabDuration":600,"crontab":"0 9 * * 0,1,2,3,4"},{"name":"Notification Configuration2","targets":[{"status":"error","to":["group_xxxx32"]}],"customDateUUIDs":["ndate_xxxx32"],"customStartTime":"09:30:10","customDuration":600},{"targets":[{"status":"warning","to":["notify_xxxx32"]}]}],"silentTimeout":21600,"aggInterval":120,"aggFields":["df_monitor_checker_id"]}}' \
--compressed
Response¶
{
"code": 200,
"content": {
"alertOpt": {
"aggFields": [
"df_monitor_checker_id"
],
"aggInterval": 120,
"alertTarget": [
{
"crontab": "0 9 * * 0,1,2,3,4",
"crontabDuration": 600,
"name": "Notification Configuration1",
"targets": [
{
"status": "critical",
"tags": {
"pod_name": [
"coredns-7769b554cf-w95fk"
]
},
"to": [
"acnt_xxxx32"
]
}
]
},
{
"customDateUUIDs": [
"ndate_xxxx32"
],
"customDuration": 600,
"customStartTime": "09:30:10",
"name": "Notification Configuration2",
"targets": [
{
"status": "error",
"to": [
"group_xxxx32"
]
}
]
},
{
"targets": [
{
"status": "warning",
"to": [
"notify_xxxx32"
]
}
]
}
],
"silentTimeout": 21600
},
"createAt": 1719373984,
"creator": "wsak_xxxx32",
"declaration": {
"asd": "aa,bb,cc,1,True",
"asdasd": "dawdawd",
"business": "aaa",
"fawf": "afawf",
"organization": "64fe7b4062f74d0007b46676"
},
"deleteAt": -1,
"id": null,
"name": "jj_test",
"ruleTimezone": "Asia/Shanghai",
"score": 0,
"status": 0,
"updateAt": 1719373984,
"updator": "wsak_xxxx32",
"uuid": "altpl_xxxx32",
"workspaceUUID": "wksp_xxxx32"
},
"errorCode": "",
"message": "",
"success": true,
"traceId": "TRACE-148B6846-6180-4594-BD26-8A2077F0E911"
}