
Alerts

Alerts functionality is being consolidated into Policies in an upcoming release. Alerts will continue to work as documented here until then.

Alerts send notifications when conditions you define are triggered. Each alert is based on a SQL query. If the query returns any rows after a sync, the alert fires and sends notifications to the configured destinations. You can notify a Slack channel and open a Jira ticket at the same time.

CloudQuery Platform alerts are not meant to replace your incident management system. They feed events into your existing tools when your infrastructure does not comply with the rules you set.

How Alerts Work

An alert is attached to a SQL query. You configure the query to trigger an alert with a severity, a message, and one or more notification destinations.

The platform evaluates alert queries after every sync. If a query returns any rows, the platform triggers the alert and sends notifications to the configured destinations.

To review and triage the findings that trigger alerts, use Insights.

The alert triggers only once per violation cycle. For the alert to trigger again, the query must return zero rows at least once (resetting the alert to “inactive”), then return rows again on a subsequent evaluation.

Notifications are sent on every state change. When a query first returns rows, a “triggered” notification is sent. If the query continues to return rows on subsequent evaluations, no additional notification is sent. When the query returns zero rows, the alert resets to “inactive” and a resolution notification is sent.

Configuring an Alert

  1. Go to the SQL Console and write a SQL query, or load a saved query. For example, to get notified about unattached EBS volumes:

    SELECT * FROM aws_ec2_ebs_volumes WHERE attachments='[]';
  2. Click Configure Alert to open the alert configuration dialog.

Alert configuration dialog opened from the SQL Console with options for query title and notification settings

  3. Enter a Query title. This is used as the alert message. You can change it later.

Configure alert title

  4. Select one or more notification destinations. If none exist yet, click Add notification destination to create one.

Configure notification destinations

  5. Click Save alert.
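The one-line EBS query above is enough to fire the alert, but the notification is only as useful as the rows behind it. The query below is an added example, not from the CloudQuery documentation: it selects the identifying columns (account, region, volume ID, size, age) so the Slack or webhook message can be acted on, ignores volumes detached less than a day ago so attach/detach churn does not trip the alert, and honours an exemption tag. It assumes PostgreSQL-flavoured SQL, the aws_ec2_ebs_volumes columns account_id, region, volume_id, size, create_time, state, attachments and tags as shipped by the CloudQuery AWS source, and a hypothetical tag name cq-alert-exempt; check the column names against your own schema in the SQL Console before saving the alert.

```sql
-- Added example (not CloudQuery's own query).
-- Assumes PostgreSQL-style SQL and a JSON `tags` column; adjust to your schema.
SELECT
  account_id,
  region,
  volume_id,
  size        AS size_gib,
  create_time,
  state
FROM aws_ec2_ebs_volumes
WHERE
  -- Unattached: same empty-array comparison the docs use.
  attachments = '[]'
  -- Skip volumes created in the last 24h so detach/reattach churn
  -- does not trigger (and then resolve) the alert on every sync.
  AND create_time < now() - INTERVAL '24 hours'
  -- Hypothetical exemption tag: lets owners opt a volume out deliberately
  -- instead of silencing the whole alert.
  AND COALESCE(tags->>'cq-alert-exempt', 'false') <> 'true'
ORDER BY account_id, region, create_time;
```

Because an alert fires only once per violation cycle and stays "triggered" while any row is returned, keep the filter tight: a query that always returns at least one row (for example a long-lived volume nobody will clean up) will notify once and then go silent for every new violation that appears afterwards. The exemption tag is the escape hatch for such rows.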

Configuring Notification Destinations

For full details on creating and managing Slack and webhook destinations, see the Notification Destinations page.

When configuring a webhook destination for alerts, you can use the following placeholder variables in the request body:

Variable              Description
{{query_name}}        The name of the query the alert is configured on
{{query_url}}         Direct URL to the query in the SQL Console
{{alert_status}}      Current alert state: triggered or inactive
{{alert_severity}}    The severity level configured for the alert
{{alert_message}}     The custom message configured for the alert
{{alert_violations}}  The number of rows returned by the query

Both the "triggered" and the resolution notification use the same request body, so a receiver that opens tickets or pages people should check {{alert_status}} rather than treat every request as a new violation.

Configure notification destination

You can test the destination using the Send test notification button. Test notifications send the body as-is, without replacing placeholders.

Here’s an example of a CloudQuery alert delivered to Slack, showing an unencrypted S3 bucket with resource metadata:

Slack notification from CloudQuery showing an alert for an unencrypted S3 bucket with account ID, region, and resource details

Editing and Managing Alerts

To edit a saved alert, go to the SQL Console and click the Saved queries button in the top right corner. Switch to Saved queries with alerts to see queries that have alerts configured.

Saved queries panel showing saved SQL queries with configured alerts and a dropdown to edit alert settings

Use the dropdown menu on the right to edit the alert. You can change the alert message, severity, and destinations. You can also disable the alert so the query is not evaluated.

Troubleshooting

Notifications Are Not Being Sent

Alerts do not send new notifications while they are already in the "triggered" state. The alert must reset to "inactive" (the query returns zero rows on an evaluation) before it can trigger again.

  1. Open the SQL Console and run the alert query to check whether it returns rows.
  2. If it does, the alert is still "triggered" and will stay silent. Fix or update the query so it returns zero rows, then run a sync to reset the alert to "inactive". Any sync with any integration triggers alert evaluation. The next evaluation on which the query returns rows sends a new "triggered" notification.
  3. To isolate whether the issue is with CloudQuery or the receiving endpoint, add a test destination using Webhook.site. If the test destination receives notifications but your real destination does not, the issue is on the receiving end. Webhook.site is a public request-capture service, so anyone with the URL can read what you send to it; use a fresh URL, remember that the body may carry account IDs and resource details, and remove the test destination when you are done.

Allow up to 10 minutes after a sync for alert evaluation and notification delivery.

A Destination Cannot Parse the Request Body

Make sure the Content-Type header matches what the receiving service expects. Most endpoints require application/json.

Programmatic Access

Alerts can be managed via the Platform API. See the Platform API Reference (alerts section) for endpoint details.
