An ALERT ACTION is a notification that's triggered when a CONNECTION Rule is met. They can be email or HTTP actions.


CREATE ALERT name ACTION [EMAIL TO '' SUBJECT 'the subject' CONTENT 'the email content' |
HTTP (GET | POST | PUT | DELETE) '' (CONTENT 'http post or put body' WITH TYPE 'http content-type')] (AND alert_action)


  • CREATE ALERT name - create the alert with name.

  • ACTION alert action - what will happen when the alert is triggered.

  • EMAIL TO - equivalent of mailto

  • SUBJECT - equivalent to &subject.

  • HTTP - HTTP commands required for connection to remote host (such as Slack)

  • CONTENT - any alphanumeric text. You can also include the following Cirro keywords:

      • the user account name used to trigger the originating access rule.
      • the target database the username is attempting to access.
      • source IP address that triggered the originating access rule.

Additional Information

  • HTTP alert actions have no message, just outputs.

  • Reserved words and characters can be used in the alert name if surrounded by double quotes. See Identifiers and Reserved Words


Email alert with message

Create Alert messagealert ACTION EMAIL TO '' SUBJECT 'Email alert' CONTENT 'Email alert with message';

Email alert using characters in name and parameters

CREATE ALERT "email_alert" ACTION EMAIL TO '' SUBJECT 'ALERT:  accessed  from ' CONTENT 'User  tried to access  from '

Slack alert

CREATE ALERT slack_alert ACTION HTTP POST '' CONTENT '{"text": "CIRRO ALERT:  tried to access'

See Also