An ALERT is a notification that's triggered when a CONNECTION RULE is met. They can be email or HTTP actions.


ALTER ALERT name ACTION [EMAIL TO '' SUBJECT 'the subject' CONTENT 'the email content' |
HTTP (GET | POST | PUT | DELETE) '' (CONTENT 'http post or put body' WITH TYPE 'http content-type')] (AND alert_action)


  • ALTER ALERT name - alter an existing alert defined by name.

  • ACTION alert action - what will happen when the alert is triggered.

  • EMAIL TO - equivalent of mailto

  • SUBJECT - equivalent to &subject.

  • HTTP - HTTP commands required for connection to remote host (such as Slack)

  • CONTENT - any alphanumeric text. You can also include the following Cirro keywords:

      • the user account name used to trigger the originating access rule.
      • the target database the username is attempting to access.
      • source IP address that triggered the originating access rule.


ALTER ALERT slack_alert ACTION HTTP POST '' CONTENT '{"text": "CIRRO ALERT:  tried to access.'

See Also