Notifications
Alert rules
Alert rules let an administrator route zero-day vulnerability alerts to specific recipients — every rule here is scoped to zero-day alerts specifically, not to notifications in general. A rule reads as a sentence: when a zero-day alert matching your conditions happens, send it to who you choose, how (which channels) and on what schedule. Personal preferences still apply on top — rules add targeted distribution, they don't replace what individuals have set.
Alert rules are an administration feature scoped to zero-day vulnerability alerts. They sit on top of your organization's default notification settings. For routing other kinds of notification org-wide, see the Notification Admin hub's own Rules tab, a separate system covered in Delivery and email.
What it's for
- Get zero-day alerts to the right team — for example, route Act Now zero-day alerts on production assets straight to your SOC distribution list.
- Reach people where they work — email, in-app, Slack, Teams, or a webhook.
- Batch or send now — deliver immediately, or roll a rule's alerts into a daily digest.
- Keep external sending safe — restrict who alerts can be emailed to with an approved-domains list.
Alert rules don't cover other notification types — findings, scans, reports, compliance, and the rest are configured through personal preferences and the Notification Admin hub's own Rules tab (see Delivery and email).
The screens in it
The Alert Rules screen shows a list of the rules you've created, with a button to add a new one and an editor that opens above the list.
A note near the top explains that rules only start firing once this capability has been enabled for your workspace. Until then, you can still author and test rules so they're ready to switch on.
Every control explained
Page controls
| Control | What it does |
|---|---|
| New rule | Opens the editor to create a rule. |
| Diagnose | Meant as a shortcut to the delivery diagnostic. In the current release this shortcut doesn't go anywhere useful — instead, open Notification Admin and use its Diagnose tab directly to check why a given person did or didn't receive a notification. See Delivery and email. |
| Approved external domains | A list of email domains alerts may be sent to. When set, saving a rule that emails anyone outside these domains asks you to confirm first. Leave it empty for no restriction. Edit the list and click Save. |
The rule list
Each row summarizes a rule and offers actions:
| Column / action | What it shows or does |
|---|---|
| Name | The rule's name. A mandatory tag appears if the rule overrides personal mutes. |
| When | A short summary of the rule's conditions. |
| Send to | A short summary of the audience. |
| Schedule | Immediate or a Digest with its send hour. |
| On (toggle) | Enables or disables the rule without deleting it. |
| Test (paper-plane) | Sends a test of the rule so you can confirm it reaches the intended recipients. |
| Edit (pencil) | Opens the rule in the editor. |
| Delete (trash) | Removes the rule after you confirm. |
The rule editor
The editor is organized into When, Who, and How — plus a name and priority at the top.
Name and priority
| Field | What it does |
|---|---|
| Name | A label for the rule (required). |
| Priority | A number that decides evaluation order when several rules match — lower runs first. |
When — the conditions
| Control | What it does |
|---|---|
| Severity chips | Limit the rule to certain severities — Act Now, Patch Now, Watch, FYI. Select any combination. |
| Event chips | Limit to event kinds — New, Fix available, or Escalated (KEV). |
| Exposure | Whether the asset's exposure must be Confirmed only, Predicted only, or Either. |
| Specific CVEs | Optionally restrict the rule to one or more named CVEs (comma-separated). |
| Limit to specific assets | Optionally scope the rule to chosen asset groups and/or asset tags (for example env:prod). Leave empty to apply to all affected assets. When set, the rule fires only for assets that definitively carry the issue. |
If you set no conditions, the rule matches any qualifying alert.
Who — the audience
| Field | What it does |
|---|---|
| Roles | Send to everyone holding the named roles (comma-separated). |
| External emails / DLs | Send to specific email addresses or distribution lists. These are checked against your approved-domains list. |
| User IDs | Optionally target named individuals. |
| Slack channel | Post to a Slack channel (for example #soc). |
| Teams webhook URL | Post to a Microsoft Teams channel via its incoming-webhook address (must be an https URL). |
How — channels and schedule
| Control | What it does |
|---|---|
| Channel switches | Turn each delivery channel on or off — In-App, Email, Slack, Teams, Webhook. |
| Schedule | Immediate sends as events happen; Daily digest batches the rule's alerts into one send. |
| Send hour / Timezone | For a digest, the hour (0–23) and timezone the digest goes out. |
| Mandatory | When on, this rule's alerts reach recipients even if they've personally muted the type — for compliance-critical messages. |
Saving
| Control | What it does |
|---|---|
| Save rule | Validates and saves the rule. If any recipients fall outside your approved domains, you're asked to confirm before they're included. |
| Cancel | Discards your edits and closes the editor. |
When a rule would email recipients outside your approved domains, a confirmation appears listing those addresses, with Send to them anyway or Cancel.
Common workflows
Workflow: route Act Now production alerts to your SOC
-
Click New rule and give it a Name (for example, SOC — Act Now production).
Step 1 — naming the new rule -
Under When, select the Act Now severity chip and the New and Escalated (KEV) event chips. Add your production asset group (or a tag like
env:prod) under Limit to specific assets.Step 2 — setting the conditions -
Under Who, enter your SOC distribution list under External emails / DLs (and optionally a Slack channel).
-
Under How, turn on the Email and Slack channels and leave the schedule on Immediate. Click Save rule.
Step 3 — channels and save -
From the rule list, click the Test action to confirm the alert reaches the intended recipients.
Workflow: restrict who alerts can be emailed to
- In the Approved external domains box, enter the domains you allow (for
example,
company.com, partner.org). - Click Save.
- From now on, saving any rule that would email an address outside those domains prompts you to confirm before those recipients are included.