An ALERT ACTION is a notification that is triggered when a CONNECTION Rule is met. An alert action can be an email action or an HTTP action.


CREATE ALERT name ACTION [EMAIL TO '' SUBJECT 'the subject' CONTENT 'the email content' |
HTTP (GET | POST | PUT | DELETE) '' (CONTENT 'http post or put body' WITH TYPE 'http content-type')] (AND alert_action)


  • CREATE ALERT name - create the alert with name.

  • ACTION alert action - what will happen when the alert is triggered.

  • EMAIL TO - equivalent of mailto.

  • SUBJECT - equivalent to &subject.

  • HTTP - the HTTP commands required to connect to a remote host (such as Slack).

  • CONTENT - any alphanumeric text. You can also include the following Cirro keywords:

      • the user account name used to trigger the originating access rule.
      • the target database the username is attempting to access.
      • source IP address that triggered the originating access rule.

Additional Information

  • HTTP alert actions have no message, just outputs.


CREATE ALERT email_alert ACTION EMAIL TO '' SUBJECT 'ALERT:  accessed  from ' CONTENT 'User  tried to access  from '
CREATE ALERT slack_alert ACTION HTTP POST '' CONTENT '{"text": "CIRRO ALERT:  tried to access"}'
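
A pre-deployment check for alert definitions, as an added example that is not Cirro's own code: it parses a statement against the syntax shown above and flags an empty recipient, a non-HTTPS target and a CONTENT body that is not well-formed JSON. The function name, the sample statement and its addresses are constructed; the HTTPS requirement is a local policy assumption, and chained actions are assumed to follow AND without repeating ACTION.

```python
import json
import re

# Grammar as shown above. Assumptions: upper-case keywords and
# single-quoted strings with no escaped quotes inside them.
QUOTED = re.compile(r"'([^']*)'")
HEAD = re.compile(r"^CREATE ALERT (\w+) ACTION (.+)$")
EMAIL = re.compile(r"^EMAIL TO @(\d+) SUBJECT @(\d+) CONTENT @(\d+)$")
HTTP = re.compile(r"^HTTP (GET|POST|PUT|DELETE) @(\d+)"
                  r"(?: CONTENT @(\d+)(?: WITH TYPE @(\d+))?)?$")

def lint_alert(stmt):
    """Return findings for one CREATE ALERT statement (empty list = clean)."""
    strings = []

    def stash(match):  # swap each quoted string for an @index token
        strings.append(match.group(1))
        return f" @{len(strings) - 1} "

    skeleton = " ".join(QUOTED.sub(stash, stmt).split())
    if "'" in skeleton:
        return ["unbalanced single quote"]
    head = HEAD.match(skeleton)
    if not head:
        return ["expected CREATE ALERT name ACTION ..."]
    findings = []
    for action in head.group(2).split(" AND "):
        email, http = EMAIL.match(action), HTTP.match(action)
        if email:
            if "@" not in strings[int(email.group(1))]:
                findings.append("EMAIL TO has no recipient address")
        elif http:
            url, body = strings[int(http.group(2))], http.group(3)
            if not url.startswith("https://"):  # local policy, not a Cirro rule
                findings.append("HTTP target is not https")
            if body is not None and strings[int(body)].lstrip().startswith("{"):
                try:
                    json.loads(strings[int(body)])
                except ValueError:
                    findings.append("CONTENT is not well-formed JSON")
        else:
            findings.append("unrecognised action clause")
    return findings

# Constructed sample: plain-HTTP webhook, truncated JSON body, empty recipient.
BAD = ("CREATE ALERT slack_alert ACTION HTTP POST 'http://hooks.example.com/a' "
       "CONTENT '{\"text\": \"CIRRO ALERT' AND EMAIL TO '' SUBJECT 's' CONTENT 'c'")
```

Running `lint_alert` over every alert definition before it is loaded catches alerts that would fail to deliver or would send account names and source IP addresses over an unencrypted connection.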
