# Set Up Security Alerting

> Configure alerts for threat detection, PII scrubbing, and security events in your SIEM.

Configure alerting rules to get notified when Golf Gateway detects security threats, scrubs PII from responses, or blocks suspicious requests.

## Prerequisites

* Golf Gateway deployed with audit log export configured
* One of the following export destinations:
  * [Elasticsearch](/gateway/guides/audit-trail/export-to-elasticsearch)
  * [Azure Sentinel](/gateway/guides/audit-trail/export-to-sentinel)
  * [OpenTelemetry](/gateway/guides/audit-trail/export-to-opentelemetry)

## Key fields for alerting

Golf Gateway audit logs include security fields specifically designed for alerting. See the [Audit Log Schema](/gateway/reference/audit-log-schema#security) for complete field documentation.

| Field                        | Type    | Alert Use Case                 |
| ---------------------------- | ------- | ------------------------------ |
| `security.blocked`           | boolean | Request/response was blocked   |
| `security.threats_detected`  | array   | Specific threat types detected |
| `security.threat_category`   | string  | Threat classification          |
| `security.was_scrubbed`      | boolean | PII was detected and removed   |
| `security.entities_redacted` | integer | Count of PII entities found    |
| `security.entities_by_type`  | object  | PII breakdown by type          |

## Recommended alerts

Set up these alerts to monitor security events:

| Alert                   | Condition                                               | Severity |
| ----------------------- | ------------------------------------------------------- | -------- |
| **Threat Blocked**      | `security.blocked = true`                               | Critical |
| **Prompt Injection**    | `security.threats_detected` contains `prompt_injection` | Critical |
| **PII Detected**        | `security.was_scrubbed = true`                          | Warning  |
| **Rate Limit Exceeded** | `security.threat_category = "rate_limit_exceeded"`      | Warning  |
| **Replay Attack**       | `security.threats_detected` contains `replay_attack`    | Critical |
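
The conditions in the table above, evaluated over exported audit entries before they are ported to SIEM rules. This is an added example, not Golf Gateway code: the one-JSON-object-per-line layout, the nested versus dotted-key handling, and the names `RULES`, `security_fields` and `evaluate` are assumptions.

```python
import json

# Rules from the "Recommended alerts" table: (alert name, severity, predicate).
# Each predicate receives the entry's security fields as a dict.
RULES = [
    ("Threat Blocked", "Critical", lambda s: s.get("blocked") is True),
    ("Prompt Injection", "Critical",
     lambda s: "prompt_injection" in (s.get("threats_detected") or [])),
    ("PII Detected", "Warning", lambda s: s.get("was_scrubbed") is True),
    ("Rate Limit Exceeded", "Warning",
     lambda s: s.get("threat_category") == "rate_limit_exceeded"),
    ("Replay Attack", "Critical",
     lambda s: "replay_attack" in (s.get("threats_detected") or [])),
]

def security_fields(entry):
    """Return the security fields, whether nested or flattened to dotted keys."""
    nested = entry.get("security")
    if isinstance(nested, dict):
        return nested
    # Assumption: some export pipelines flatten to "security.<field>" keys.
    return {k[len("security."):]: v for k, v in entry.items()
            if k.startswith("security.")}

def evaluate(line):
    """Return [(alert, severity), ...] for one JSON audit log line."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return []  # unparseable line: skip it rather than stop the pipeline
    if not isinstance(entry, dict):
        return []
    sec = security_fields(entry)
    return [(name, sev) for name, sev, pred in RULES if pred(sec)]

# Constructed sample entries (not real Golf Gateway output).
SAMPLE = [
    '{"security": {"blocked": true, "threats_detected": ["prompt_injection"]}}',
    '{"security": {"blocked": false, "was_scrubbed": true, "entities_redacted": 2}}',
    '{"security.blocked": false, "security.threat_category": "rate_limit_exceeded"}',
    '{"security": {"blocked": false, "threats_detected": []}}',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(evaluate(line))
```

A single entry can match more than one rule (the first sample fires both Threat Blocked and Prompt Injection), so deduplicate per event in the SIEM if each alert pages separately.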

***

## In-app notifications

Golf Gateway also provides built-in notifications in the Admin Portal:

1. Go to **Notifications** in the Admin Portal
2. View real-time alerts for:
   * Threat detections
   * Blocked requests
   * Pending capability approvals
3. Click any notification to navigate to the related session or server

<Tip>
  In-app notifications complement SIEM alerting. Use SIEM for incident response workflows and in-app notifications for quick operational awareness.
</Tip>

***

## Related guides

<CardGroup cols={2}>
  <Card title="Audit Log Schema" icon="file-code" href="/gateway/reference/audit-log-schema">
    Complete field reference for audit log entries
  </Card>

  <Card title="Set Up Monitoring" icon="chart-line" href="/gateway/guides/operations/setup-monitoring">
    Configure health endpoints and metrics
  </Card>

  <Card title="Export to Elasticsearch" icon="magnifying-glass" href="/gateway/guides/audit-trail/export-to-elasticsearch">
    Set up Elasticsearch audit log export
  </Card>

  <Card title="Export to Sentinel" icon="shield" href="/gateway/guides/audit-trail/export-to-sentinel">
    Set up Azure Sentinel export
  </Card>
</CardGroup>
