How-to
Configuring Alert Thresholds
How to tune detector sensitivity and set up notification routing.
Default thresholds
Every new tenant gets eleven default detector rules with sensible thresholds tuned against a reference customer handling ~85M requests/day. These work out of the box for most SFCC deployments.
Editing a rule
Go to Rules in the sidebar. Each rule card shows its current thresholds and an enable/disable toggle.
- Enable/disable: click the toggle switch on each rule card
- Notification routing: expand the "Notification routing" section on each rule to set per-rule email and webhook overrides
- Inline threshold editing: click the pencil icon next to any rule's threshold block to switch to edit mode. Update values and save directly from the Rules page.
Changes take effect on the next detector cron tick (within 60 seconds for fast detectors).
Key thresholds to tune
| Detector | Threshold | Default | When to change |
|---|---|---|---|
| ASN Spike | multiplier | 5 | Lower for earlier warnings; raise if you get false positives on marketing spikes |
| 499 Rate | ratio_threshold | 0.20 | Lower if your site has very low natural 499s; raise for sites with slow responses |
| Cache Bypass | multiplier | 3 | Depends on your cache mix; set the source baseline first |
| UA Rotation | distinct_ua_threshold | 15 | Lower for uniform traffic; raise for diverse legitimate clients |
| Slow Burn | total_deviation_pct | 50 | Lower to catch subtler growth patterns |
| Bot Score | bot_ratio_threshold | 0.5 | Lower to catch ASNs with moderate bot traffic; raise to reduce noise |
| TLS Weak Protocol | weak_ratio_threshold | 0.01 | Lower for stricter compliance; raise if you have legitimate legacy clients |
| Path Entropy | entropy_threshold | 0.85 | Lower for broader crawl detection; raise if legitimate bots traverse many paths |
| Challenge Solving | solve_rate_increase_pct | 50 | Lower to catch subtler evasion upgrades; raise if challenge rates naturally fluctuate |
| Operation Fingerprint | min_confidence | 0.7 | Lower to match looser profiles; raise to reduce false matches |
| Certificate Expiry | expiry_thresholds_days | [30,14,7,1] | Adjust the day thresholds for earlier or later warnings |
Setting source baselines
The cache-bypass detector uses baseline_cache_hit_ratio from the source row. After 4 hours of real data, Edge auto-calibrates baselines from your actual traffic. This dramatically improves cache-bypass detection accuracy.
Warmup window: New sources have a warmup period (60 minutes for fast detectors, 6 hours for slow detectors) during which detectors are suppressed. This prevents false positives from the initial backfill batch that Logpush sends when a job is first enabled.
Notification routing
Three-tier routing, checked in order:
- Per-certificate — set on the Certificate Detail page (cert expiry alerts only)
- Per-rule — set on the Rules page via the expandable "Notification routing" section
- Tenant defaults — set on the Settings page under "Notification defaults"
Each level supports an email address and a webhook URL. Leave empty to fall back to the next tier. Notifications are sent via email (Resend) and/or webhook (HTTPS POST).
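The tier fallback described above can be checked offline before relying on it. The following is an added example, not Edge's own code: it resolves the effective destination for each alert and flags alerts that would reach nobody or whose webhook is not HTTPS. It assumes email and webhook fall back independently of each other; the detector keys, certificate ID and addresses are constructed sample values.

```python
from urllib.parse import urlparse

CHANNELS = ("email", "webhook")

def resolve_routing(alert, cert_routes, rule_routes, tenant_defaults):
    """Return {channel: (tier, destination)}, checking tiers in the documented order."""
    tiers = []
    # The per-certificate tier applies to certificate expiry alerts only.
    if alert["detector"] == "certificate_expiry":
        tiers.append(("certificate", cert_routes.get(alert.get("cert_id"), {})))
    tiers.append(("rule", rule_routes.get(alert["detector"], {})))
    tiers.append(("tenant", tenant_defaults))
    resolved = {}
    for channel in CHANNELS:  # assumption: each channel falls back on its own
        for tier, route in tiers:
            value = (route.get(channel) or "").strip()
            if value:  # an empty field means "fall back to the next tier"
                resolved[channel] = (tier, value)
                break
    return resolved

def audit(alerts, cert_routes, rule_routes, tenant_defaults):
    """List (alert label, problem) pairs for routing gaps worth fixing."""
    findings = []
    for alert in alerts:
        routes = resolve_routing(alert, cert_routes, rule_routes, tenant_defaults)
        label = alert.get("cert_id") or alert["detector"]
        if not routes:
            findings.append((label, "no destination at any tier"))
        tier, url = routes.get("webhook", (None, ""))
        parsed = urlparse(url)
        if url and (parsed.scheme != "https" or not parsed.hostname):
            findings.append((label, f"webhook at {tier} tier is not HTTPS"))
    return findings

# Constructed sample configuration (hypothetical keys and addresses).
TENANT = {"email": "soc@example.com", "webhook": ""}
RULES = {
    "asn_spike": {"email": "", "webhook": "https://hooks.example.com/asn"},
    "bot_score": {"webhook": "http://hooks.example.com/bot"},
    "certificate_expiry": {"email": "pki@example.com"},
}
CERTS = {"cert-1": {"email": "owner@example.com"}}

if __name__ == "__main__":
    alerts = [{"detector": "asn_spike"}, {"detector": "bot_score"},
              {"detector": "certificate_expiry", "cert_id": "cert-1"}]
    for a in alerts:
        print(a, "->", resolve_routing(a, CERTS, RULES, TENANT))
    print(audit(alerts, CERTS, RULES, TENANT))
```
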