Perm Watch
Single-event alerts for specific server changes that don't belong in rate-based detection. The "tell me the moment X happens" channel.
What it watches
| Event | Why you'd want to know |
|---|---|
| Integration added | A new third-party bot or webhook integration was authorised. Catch unauthorised additions. |
| Webhook created | Someone made a new webhook. Webhooks can post as anyone; great vector for impersonation if abused. |
| Verification level lowered | Discord verification level was dropped (e.g. from "Highest" to "Medium"). Often a precursor to a raid. |
| 2FA requirement disabled | Server-level 2FA requirement for moderators was turned off. |
These don't fit in Anti-Nuke's rate-limit model because they're one-off events that matter the moment they happen.
Settings
| Setting | What it does |
|---|---|
| Enabled | Master switch. |
| Per-event toggles | Each watch above can be on/off individually. |
| Alert channel | Where the alerts post. |
| Mod role | Pinged on every alert. |
What an alert looks like
A rich embed with:
- The event name + severity.
- Who triggered it (actor user, if Discord exposes that).
- The affected object (integration name, webhook name, etc.).
- A timestamp.
- A "view in audit log" link.
Tips
- Always enable integration-added alerts. Unauthorised integrations are one of the most common compromise vectors.
- Webhook-created alerts are noisy on servers that auto-create webhooks for legitimate purposes (e.g. ticket transcripts, log mirrors). Leave off if those generate too much noise.
- 2FA-disabled alert should never fire. If it does, treat it as a P0 incident.
Permissions
security.view— see alert historysecurity.edit— toggle individual watches, change alert channel
Behaviour
- Observation-only — Perm Watch never auto-acts. It just alerts.
- Phantom reads from Discord's audit log to detect these events, so expect a few seconds of delay.
- Pairs naturally with Anti-Nuke for the auto-action side.