Skip to content

philterd/phield

BranchesTags

Repository files navigation

Phield

Phield is a PII (Personally Identifiable Information) drift and trend monitor. It is designed to receive PII type counts via an API or Kafka topic, store them in a MongoDB Time-Series collection (or in-memory if MongoDB is not available), and alert when a count deviates significantly from the established trend (e.g., a sudden spike in Credit Card numbers).

Phield can be used either prior to redaction or after redaction by Philter. Either way implemented, Phield will detect and alert on any significant drift in PII counts.

Phield is part of a suite that includes Phinder (discovery) and Philter (redaction). Visit Philterd for more details.

See the documentation for installation, configuration, API usage, and notification channels.

Capabilities

  • Asynchronously receive PII counts via POST /ingest or from a Kafka topic.
  • Optionally, can use MongoDB Time-Series collections for efficient storage and querying.
  • Falls back to ephemeral in-memory storage if MongoDB is not provided.
  • Background worker calculates a moving average or statistical baseline and detects trend changes.
  • Configurable lookback window (default 24 hours) and detection method (Percentage Delta or Adaptive Z-Score).
  • Adaptive Thresholding using Welford's algorithm to learn "normal" volatility and reduce false positives.
  • Alert Cooldown to suppress notification storms for sustained breaches, with "Back to Normal" automatic reset.
  • Replay Capability to test and fine-tune trend settings against historical data.
  • Triggers structured log alerts and optional Slack/PagerDuty notifications when counts exceed a configurable threshold.

Simulation

To see Phield in action, you can use the included simulate_data.sh script. This script sends randomized but realistic PII counts to Phield and then simulates a sudden trend change (spike) to trigger an alert.

In one terminal, start Phield:

./phield

In a second terminal, start the simulated PII counts:

./simulate_data.sh

Now, switch back to the first terminal and you can see the alerts being generated as the simulated data trends up.

Simulation Configuration

The script supports several environment variables for configuration:

Variable Default Description
PHIELD_URL http://localhost:8080 The URL of the Phield ingest API.
SOURCE_ID simulated-server-01 The source ID for the simulated data.
ORGANIZATION demo-org The organization for the simulated data.
CONTEXT production The context for the simulated data.
ITERATIONS 50 The number of baseline iterations to send.
SLEEP_INTERVAL 1 The sleep interval (in seconds) between iterations.

Example using custom configuration:

PHIELD_URL=http://localhost:8080 ITERATIONS=100 ./simulate_data.sh

License

Copyright 2026 Philterd, LLC.

Apache License 2.0. See LICENSE for details.

About

Monitors PII trends via API and triggers alerts on compliance drift and data spikes.

www.philterd.ai

Resources

Readme

License

Apache-2.0 license

Security policy

Security policy
Activity
Custom properties

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Contributors

Languages