Creating/Editing Alert Policies

Thundra lets you filter your functions, invocations and traces with detailed queries. For example, you can filter for functions with a specific tag whose estimated cost is above a threshold while the number of cold starts is below a specific threshold. The functions matching this query are shown in the functions list.

If you want to save this query and check its results periodically, you can save it as an alert policy. Saving as an alert policy is available for functions, invocations and traces.

To save a query as an alert policy, click the save button next to the query bar and select Alert Policy. Thundra opens a dialog where you can tune your alert policy.

Save as Alert Policy Dialog

An alert policy has 3 parts that are common to saving and editing:

  • Alert Metadata - As alert metadata you set a name and a severity type for your alert policy. The name is a required field and cannot be blank. There are 3 severity options, and you can choose one of them according to the importance level of your alert policy: INFO, WARNING, CRITICAL. For example, you can set a CRITICAL level policy if you think that this policy is checking something crucial for your system. Similarly, you can set it as INFO if you think that you just need to inform your colleagues.

  • Condition - This is the most important part of an alert policy. Here you can see the query that you wrote in the query bar.

    • Schedule - You can set the period at which your alert policy is checked.

    • Trigger - Your query may return thousands of results. You can select when Thundra should trigger your alert policy based on the number of results.

    • Throttle - If you want to prevent new events after a condition is satisfied, you can use the throttle threshold value. You can set a threshold time to protect your team from alert fatigue while they are troubleshooting the issue.

  • Notification - If you want to be notified when an alert event occurs, you can select a notification type. You can select one or more of the notification channels from the available options such as Slack, OpsGenie, Email and Webhook.

If you create an alert policy without a notification channel, you won't be notified. However, you can view the events that occur from your alert policy on the Alerts page.
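The interaction of Schedule, Trigger, Throttle and Notification can be seen in a small simulation. This is an added example, not Thundra code: the class, field and action names are hypothetical, the trigger is assumed to fire when the result count exceeds a number, and the result counts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class AlertPolicy:                # hypothetical model of the dialog's fields
    name: str
    severity: str                 # INFO, WARNING or CRITICAL
    schedule: timedelta           # Schedule: how often the saved query is checked
    trigger_above: int            # Trigger: assumed to mean "result count > this"
    throttle: timedelta           # Throttle: quiet period after an event
    channels: tuple = ()          # Notification: e.g. ("Slack",); may be empty

def evaluate(policy, start, result_counts):
    """Return one (check_time, action) pair per scheduled check."""
    log, last_event = [], None
    for i, count in enumerate(result_counts):
        now = start + i * policy.schedule
        if count <= policy.trigger_above:
            action = "ok"                      # trigger condition not met
        elif last_event is not None and now - last_event < policy.throttle:
            action = "throttled"               # condition met, event suppressed
        else:
            last_event = now                   # new event starts a throttle window
            # Without a channel the event exists but nobody is notified.
            action = "notify" if policy.channels else "event-only"
        log.append((now, action))
    return log

# Constructed sample: query result counts seen at eight consecutive checks.
SAMPLE_START = datetime(2024, 1, 1, 12, 0)
SAMPLE_COUNTS = [3, 12, 40, 25, 0, 18, 30, 2]
SAMPLE_POLICY = AlertPolicy(
    name="slow-user-invocations", severity="WARNING",
    schedule=timedelta(minutes=1), trigger_above=10,
    throttle=timedelta(minutes=5), channels=("Slack", "Email"),
)

def actions(policy, counts=SAMPLE_COUNTS):
    """Just the action per check, in order."""
    return [action for _, action in evaluate(policy, SAMPLE_START, counts)]

if __name__ == "__main__":
    for when, action in evaluate(SAMPLE_POLICY, SAMPLE_START, SAMPLE_COUNTS):
        print(when.strftime("%H:%M"), action)
```

With a 1-minute schedule and a 5-minute throttle, six checks exceed the trigger but only two produce an event; the other four fall inside a throttle window.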

What's different in Alert Policies created from invocation queries?

When you are filtering the invocations of a function in Thundra, you can filter them as follows: tags.user.id="1" AND Duration>200 AND ColdStart=false. This query selects the invocations in which the function is processing the information of the user with id 1 and the invocation duration is greater than 200ms while there is no cold start. As with alert policies created from function queries, you can save these queries as alert policies.

Target Selection

When saving an invocation query as an alert policy, you select a target type. You can target not only the function you are working on but also the other functions in the account or in a specific project. For example, you may want to check the same condition at every function dealing with users.

Using this part, you can decide whether the condition is checked for one function or more than one function, for the functions of specific project(s), or for all functions in the Thundra account.

Alert Policies of Security Configurations

When a security configuration is created on the Security Tab, an alert policy for this security configuration is created by default. The fields of the alert policy are filled by default and some of them are editable.

  • Alert Policy Name - A default name is assigned to the security alert and it begins with Security Alert. Users can change the alert policy name.

  • Severity - Severity is assigned by default and cannot be changed. For "Allow and Notify" alerts, it is assigned as WARNING. For "Block and Notify" alerts, it is assigned as CRITICAL.

  • Condition - The condition of a security alert is its blacklist or whitelist items. These items can be edited from the Security Tab.

  • Throttle - For "Allow and Notify Me" configurations, it is assigned as 5 minutes. It can be changed by users.

  • Notification - The Email notification type and the email address of the user who created the security notification are selected by default. The notification type can be changed by users.