Alert Rules: Complete Reference
Every alert trigger type, threshold option, and notification channel explained. Reference for building a complete monitoring alert setup.
Alert rules define the conditions that trigger notifications. Each rule has a trigger type, a threshold, a scope (which domain or all domains), and one or more notification channels.
How Alert Rules Work
On each scan completion, ElasticDomain evaluates all active alert rules for that domain. If a rule's condition is met and it hasn't fired recently (within the cooldown period), a notification is dispatched.
Rules are evaluated per-domain - there are no global aggregation rules (e.g. "alert if more than 5 domains are affected").
Trigger Types
SSL Triggers
| Trigger | Fires When |
|---|---|
| SSL Expiring Soon | Days until certificate expiry ≤ threshold you set |
| SSL Certificate Changed | Certificate fingerprint differs from previous scan |
| SSL Certificate Expired | Certificate is past its valid_to date |
| SSL Grade Dropped | Letter grade (calculated from key size, protocol, and cipher) drops |
WHOIS / Domain Triggers
| Trigger | Fires When |
|---|---|
| Domain Expiring Soon | Days until WHOIS expiry date ≤ threshold you set |
| Registrar Changed | Registrar name differs from previous scan |
| Nameserver Changed | NS records changed (also covers hosting migrations) |
| WHOIS Changed | Any field in WHOIS data differs (broad catch-all) |
DNS Triggers
| Trigger | Fires When |
|---|---|
| DNS Record Changed | Any DNS record added, removed, or modified |
| IP Changed | A or AAAA record value changes |
| Hosting Changed | ASN/hosting provider (inferred from IP) changes |
| CDN Changed | Detected CDN provider changes (e.g. Cloudflare → none) |
Security Triggers
| Trigger | Fires When |
|---|---|
| Blacklist Detected | Domain or its IP found on any DNSBL (Spamhaus, SURBL, URIBL, etc.) |
| Security Threat | Broad security signal: blacklist hit, hijack risk, or critical header failure |
| Hijack Risk | Subdomain takeover risk detected, or NS pointing to unclaimed provider |
Uptime Triggers
| Trigger | Fires When |
|---|---|
| Uptime Down | HTTP request returns error status or times out |
| Uptime Up | Domain becomes reachable after a down event (recovery alert) |
Content Triggers
| Trigger | Fires When |
|---|---|
| Content Changed | Page content hash differs beyond significance threshold |
| Redirect Changed | HTTP redirect chain changed |
| Favicon Changed | Favicon hash differs |
| Subdomain New | New subdomain discovered during enumeration |
| Subdomain Removed | Previously known subdomain no longer resolves |
Notification Channels
ElasticDomain supports seven notification channels:
| Channel | What You Need |
|---|---|
| Email | Email address - pre-filled with your account email |
| SMS | Phone number in international format |
| Push | Browser push notification (requires permission) |
| Slack | Incoming Webhook URL from your Slack workspace |
| Discord | Incoming Webhook URL from your Discord server |
| Telegram | Telegram Bot token and Chat ID |
| Webhook | Any HTTPS URL - receives a JSON POST payload |
Multiple channels can be combined on a single rule. For example, use email + Slack for a normal alert, and add a webhook to integrate with PagerDuty or OpsGenie.
Recommended Alert Setup for Production Domains
A solid baseline for any domain you own and depend on:
- Domain Expiring Soon - threshold 60 days, email
- Domain Expiring Soon - threshold 14 days, email + SMS
- SSL Expiring Soon - threshold 30 days, email
- SSL Expiring Soon - threshold 7 days, email + Slack
- SSL Certificate Changed - email + Slack
- Nameserver Changed - email + Slack (critical: nameserver changes affect everything)
- IP Changed - email
- Blacklist Detected - email + Slack
- Uptime Down - Slack or webhook (immediate notification)
Applying Rules to Multiple Domains
Select multiple domains from the dashboard list → Actions → Apply Alert Template. This copies a set of rules to all selected domains at once, saving you from configuring each one individually.
Webhook Payload Format
When a webhook channel fires, ElasticDomain sends a JSON POST to your URL:
```json
{
  "event": "alert.triggered",
  "alertType": "SSL_EXPIRY",
  "domain": "example.com",
  "triggeredAt": "2026-03-24T18:00:00Z",
  "severity": "warning",
  "details": {
    "daysUntilExpiry": 28,
    "issuer": "Let's Encrypt",
    "expiryDate": "2026-04-21"
  }
}
```
Use webhooks to integrate with Zapier, Make (Integromat), custom dashboards, or incident management tools.
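A receiver should validate the payload above before acting on it, because anything that can reach the URL can POST to it. The following is an added example, not ElasticDomain code: field names and sample values come from the documented payload, while the domain allowlist, the 10-minute freshness window, and the page/ticket routing are assumptions.

```python
import json
from datetime import datetime, timedelta

# Local policy, assumed for this example (not part of the ElasticDomain docs).
MONITORED_DOMAINS = {"example.com"}
MAX_AGE = timedelta(minutes=10)
# Field names and types as they appear in the documented payload.
REQUIRED = {"event": str, "alertType": str, "domain": str,
            "triggeredAt": str, "severity": str, "details": dict}
# Constructed sample: the payload from the docs, serialized as a request body.
SAMPLE = json.dumps({
    "event": "alert.triggered", "alertType": "SSL_EXPIRY",
    "domain": "example.com", "triggeredAt": "2026-03-24T18:00:00Z",
    "severity": "warning",
    "details": {"daysUntilExpiry": 28, "issuer": "Let's Encrypt",
                "expiryDate": "2026-04-21"}}).encode()

class RejectedPayload(ValueError):
    """The body does not match the documented shape or local policy."""

def parse_alert(body: bytes, now: datetime) -> dict:
    """Validate a webhook body; `now` must be timezone-aware."""
    try:
        payload = json.loads(body)
    except ValueError as exc:  # covers bad JSON and bad UTF-8
        raise RejectedPayload("body is not valid JSON") from exc
    if not isinstance(payload, dict):
        raise RejectedPayload("top level must be an object")
    for field, kind in REQUIRED.items():
        if not isinstance(payload.get(field), kind):
            raise RejectedPayload(f"missing or mistyped field: {field}")
    if payload["event"] != "alert.triggered":
        raise RejectedPayload("unexpected event")
    if payload["domain"].lower() not in MONITORED_DOMAINS:
        raise RejectedPayload("domain is not monitored here")
    try:
        fired = datetime.fromisoformat(payload["triggeredAt"].replace("Z", "+00:00"))
    except ValueError as exc:
        raise RejectedPayload("unparseable triggeredAt") from exc
    if fired.tzinfo is None or abs(now - fired) > MAX_AGE:
        raise RejectedPayload("alert timestamp is missing a zone or too old")
    return payload

def route(payload: dict) -> str:
    """Assumed policy: page for SSL expiry within 7 days, else open a ticket."""
    days = payload["details"].get("daysUntilExpiry")
    urgent = payload["alertType"] == "SSL_EXPIRY" and type(days) is int and days <= 7
    return "page" if urgent else "ticket"
```

Call `parse_alert` on the raw request body inside your HTTP handler and respond with an error status on `RejectedPayload`, so malformed or replayed requests never reach the routing step.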