Detection rules and alerts
11 built-in detection rules:
• Failed Login Burst — 3+ failed logins within 10 minutes
• New Device Sign-In — login from a previously unseen device
• Admin Privilege Elevated — user granted admin or owner role
• Org Member Removed / Added
• Bulk CRM Deletion — 3+ contacts or accounts deleted in 5 minutes
• After-Hours Contract Sent — contract sent between 8 PM and 6 AM
• High-Risk Contact — fraud check returned high risk score
• Medium-Risk Contact — fraud check returned medium risk score
• Payment Method Changed — method added or removed
• External Threat Event — high-severity event from an external integration
Rules evaluate incoming events against a threshold and time window. When a rule fires, it creates or updates one alert per rule for your org.
Managing alerts:
• Acknowledge — you've seen it; keeps it open for tracking
• Resolve — closes the alert; reopens if the rule fires again
To disable a rule: Rules tab → toggle it off