{
  "rules": [
    {
      "ruleId": "attest-key-rotation",
      "name": "Attestation key rotation/revocation",
      "enabled": true,
      "tenantId": "<tenant-id>",
      "match": {
        "eventKinds": [
          "authority.keys.rotated",
          "authority.keys.revoked"
        ]
      },
      "actions": [
        {
          "actionId": "email-kms",
          "enabled": true,
          "channel": "email-kms",
          "template": "tmpl-attest-key-rotation"
        },
        {
          "actionId": "webhook-kms",
          "enabled": true,
          "channel": "webhook-kms",
          "template": "tmpl-attest-key-rotation"
        }
      ]
    },
    {
      "ruleId": "attest-transparency-anomaly",
      "name": "Transparency witness anomaly",
      "enabled": true,
      "tenantId": "<tenant-id>",
      "match": {
        "eventKinds": [
          "attestor.transparency.anomaly",
          "attestor.transparency.witness.failed"
        ]
      },
      "actions": [
        {
          "actionId": "slack-soc",
          "enabled": true,
          "channel": "slack-soc",
          "template": "tmpl-attest-transparency-anomaly"
        },
        {
          "actionId": "webhook-siem",
          "enabled": true,
          "channel": "webhook-siem",
          "template": "tmpl-attest-transparency-anomaly"
        }
      ]
    },
    {
      "ruleId": "identity-watchlist-alert",
      "name": "Identity watchlist match",
      "enabled": true,
      "tenantId": "<tenant-id>",
      "match": {
        "eventKinds": [
          "attestor.identity.matched"
        ]
      },
      "actions": [
        {
          "actionId": "slack-watchlist",
          "enabled": true,
          "channel": "slack-attestation-alerts",
          "template": "identity-matched"
        },
        {
          "actionId": "webhook-watchlist",
          "enabled": true,
          "channel": "webhook-siem",
          "template": "identity-matched"
        }
      ]
    }
  ],
  "channels": [
    {
      "channelId": "email-kms",
      "type": "email",
      "name": "KMS security",
      "target": "kms-security@example.com",
      "secretRef": "ref://notify/channels/email/kms-security"
    },
    {
      "channelId": "webhook-kms",
      "type": "webhook",
      "name": "KMS webhook",
      "endpoint": "https://hooks.internal/kms",
      "secretRef": "ref://notify/channels/webhook/kms"
    },
    {
      "channelId": "slack-soc",
      "type": "slack",
      "name": "SOC high-priority",
      "endpoint": "https://hooks.slack.com/services/T000/B000/XYZ",
      "secretRef": "ref://notify/channels/slack/soc"
    },
    {
      "channelId": "webhook-siem",
      "type": "webhook",
      "name": "SIEM ingest",
      "endpoint": "https://siem.example.internal/hooks/notifier",
      "secretRef": "ref://notify/channels/webhook/siem"
    },
    {
      "channelId": "slack-attestation-alerts",
      "type": "slack",
      "name": "Attestation alerts",
      "endpoint": "https://hooks.slack.com/services/T000/B000/ATTESTATION",
      "secretRef": "ref://notify/channels/slack/attestation-alerts",
      "description": "Slack channel for identity watchlist alerts"
    }
  ]
}