{"total":9,"rules":[{"id":1,"rule_id":"high_error_event_rate","name":"High Error Event Rate","description":"Triggers when error-type events exceed 10 per minute in a 60s window","condition":{"metric":"events_per_minute","operator":">","threshold":10.0,"window_seconds":60,"field":null,"event_type":"error","source":null},"severity":"high","enabled":1,"source":"config","created_at":"2026-05-18T00:22:24.533370+00:00"},{"id":2,"rule_id":"critical_error_event_rate","name":"Critical Error Event Rate","description":"Triggers when error-type events exceed 30 per minute","condition":{"metric":"events_per_minute","operator":">","threshold":30.0,"window_seconds":60,"field":null,"event_type":"error","source":null},"severity":"critical","enabled":1,"source":"config","created_at":"2026-05-18T00:22:24.533389+00:00"},{"id":3,"rule_id":"high_overall_error_rate","name":"High Overall Error Rate","description":"Triggers when more than 20 percent of events are high or critical severity","condition":{"metric":"error_rate","operator":">","threshold":20.0,"window_seconds":300,"field":null,"event_type":null,"source":null},"severity":"high","enabled":1,"source":"config","created_at":"2026-05-18T00:22:24.533399+00:00"},{"id":4,"rule_id":"critical_error_rate_threshold","name":"Critical Error Rate Threshold","description":"Triggers when 80 percent or more of events are high or critical severity -- severe degradation","condition":{"metric":"error_rate","operator":">=","threshold":80.0,"window_seconds":300,"field":null,"event_type":null,"source":null},"severity":"critical","enabled":1,"source":"config","created_at":"2026-05-18T00:22:24.533408+00:00"},{"id":5,"rule_id":"p99_latency_breach","name":"P99 Latency SLO Breach","description":"Triggers when p99 duration_ms exceeds 5000ms in a 5-minute window","condition":{"metric":"p99","operator":">","threshold":5000.0,"window_seconds":300,"field":"duration_ms","event_type":null,"source":null},"severity":"critical","enabled":1,"source":"config","created_at":"2026-05-18T00:22:24.533415+00:00"},{"id":6,"rule_id":"p95_latency_warning","name":"P95 Latency Warning","description":"Triggers when p95 duration_ms exceeds 2000ms","condition":{"metric":"p95","operator":">","threshold":2000.0,"window_seconds":300,"field":"duration_ms","event_type":null,"source":null},"severity":"medium","enabled":1,"source":"config","created_at":"2026-05-18T00:22:24.533422+00:00"},{"id":7,"rule_id":"log_error_spike","name":"Log Error Rate Spike","description":"Triggers when more than 30 percent of log entries are ERROR level","condition":{"metric":"log_error_rate","operator":">","threshold":30.0,"window_seconds":120,"field":null,"event_type":null,"source":null},"severity":"high","enabled":1,"source":"config","created_at":"2026-05-18T00:22:24.533427+00:00"},{"id":8,"rule_id":"distinct_source_spike","name":"Distinct Source Spike","description":"Fires when more than 20 distinct sources emit events in 5 minutes -- may indicate a broadcast fault","condition":{"metric":"distinct_sources","operator":">","threshold":20.0,"window_seconds":300,"field":null,"event_type":null,"source":null},"severity":"medium","enabled":0,"source":"config","created_at":"2026-05-18T00:22:24.533606+00:00"},{"id":9,"rule_id":"llm_anomaly_burst","name":"LLM Anomaly Burst","description":"Triggers when the LLM analyser detects 3 or more anomalies within a 1-hour window. This rule is engine-side and complements the LLM's own alert generation -- enable when running with a real API key so anomaly volume itself becomes a signal.\n","condition":{"metric":"events_per_minute","operator":">","threshold":0.0,"window_seconds":3600,"field":null,"event_type":"error","source":null},"severity":"critical","enabled":0,"source":"config","created_at":"2026-05-18T00:22:24.534786+00:00"}]}