Alerts
Alerts run Quandrix queries on a schedule and trigger actions on hits. A background ticker (default 30 seconds, configurable via STRIX_ALERT_EVAL_INTERVAL) evaluates all enabled alerts using a cursor on the ingest timestamp: each alert tracks last_evaluated_at and only logs ingested after that point are examined on the next run, so no logs are missed or double-counted across restarts.
Admins manage alerts from the Alerts page within a fractal.
- Create/edit alerts: Define a Quandrix query, schedule interval, and webhook destination.
- Alert types:
  - event alerts fire once per matching log.
  - compound alerts fire when the result count crosses a threshold.
- Import alerts: Bulk import alerts from YAML via the import dialog.
- Execution history: View past alert runs and their results from the alert detail page.
- Bulk operations: Filter alerts by severity or label, then bulk enable or disable the filtered set.
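To make the cursor-based evaluation and the two alert types concrete, here is a small simulation added to this page; it is not Strix's own code. It assumes that a log record carries an ingest timestamp, stands in a Python predicate for the Quandrix query, and models the evaluation ticker as explicit calls to a tick function. The sample logs and the alert names are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample logs (not real data). ingested_at is in seconds.
LOGS = [
    {"ingested_at": 10, "event_id": 4625, "user": "alice"},
    {"ingested_at": 25, "event_id": 4625, "user": "bob"},
    {"ingested_at": 40, "event_id": 4624, "user": "alice"},
    {"ingested_at": 55, "event_id": 4625, "user": "alice"},
    {"ingested_at": 70, "event_id": 4625, "user": "alice"},
]


@dataclass
class Alert:
    name: str
    query: Callable[[dict], bool]  # assumption: a predicate stands in for a Quandrix query
    type: str                      # "event" or "compound"
    threshold: int = 1             # compound alerts only
    enabled: bool = True
    last_evaluated_at: int = 0     # cursor on the ingest timestamp


def evaluate(alert: Alert, logs: list, now: int) -> list:
    """Evaluate one alert over logs ingested after its cursor, up to `now`.

    Returns the notifications that would be posted to the alert's webhook.
    The cursor advances only after the window is processed, so a crash
    mid-evaluation re-runs the same window instead of skipping it.
    """
    if not alert.enabled:
        return []
    window = [log for log in logs if alert.last_evaluated_at < log["ingested_at"] <= now]
    hits = [log for log in window if alert.query(log)]
    if alert.type == "event":
        # One notification per matching log.
        notifications = [{"alert": alert.name, "log": hit} for hit in hits]
    elif alert.type == "compound":
        # One notification when the hit count reaches the threshold.
        notifications = (
            [{"alert": alert.name, "count": len(hits)}] if len(hits) >= alert.threshold else []
        )
    else:
        raise ValueError(f"unknown alert type: {alert.type}")
    alert.last_evaluated_at = now
    return notifications


def tick(alerts: list, logs: list, now: int) -> list:
    """One run of the evaluation ticker over every alert."""
    out = []
    for alert in alerts:
        out.extend(evaluate(alert, logs, now))
    return out


def failed_logon(log: dict) -> bool:
    return log["event_id"] == 4625


def make_alerts() -> list:
    return [
        Alert("failed-logon", failed_logon, "event"),
        Alert("failed-logon-burst", failed_logon, "compound", threshold=2),
    ]


def run_demo() -> dict:
    """Three ticks with a simulated restart between the first and second."""
    alerts = make_alerts()
    first = tick(alerts, LOGS, now=30)

    # Persist each alert's cursor, then "restart" with fresh objects
    # restored from the persisted values.
    saved = {a.name: a.last_evaluated_at for a in alerts}
    alerts = make_alerts()
    for a in alerts:
        a.last_evaluated_at = saved[a.name]

    second = tick(alerts, LOGS, now=60)
    third = tick(alerts, LOGS, now=90)

    all_notifications = first + second + third
    return {
        "first": first,
        "second": second,
        "third": third,
        "event_timestamps": [n["log"]["ingested_at"] for n in all_notifications if "log" in n],
        "compound_total": sum(1 for n in all_notifications if "count" in n),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Across the three ticks the event alert fires exactly once for each of the four failed-logon records and never for the one that was already processed before the restart, while the compound alert fires only on the first tick, where two hits fall inside one evaluation window.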
Alert Configuration
| Field | Description |
|---|---|
| Name | Display name for the alert |
| Query | Quandrix query to evaluate |
| Type | event (per-match) or compound (threshold-based) |
| Webhook URL | Destination for alert notifications |
| Labels | Tags for organization and filtering (e.g. sigma:high, product:windows) |
| References | External links for context (e.g. MITRE ATT&CK URLs) |
Environment Variables
| Variable | Default | Description |
|---|---|---|
| STRIX_ALERT_EVAL_INTERVAL | 30s | How often the alert ticker runs |