Alerts
An alert is an event that a detection has flagged as requiring attention. Alerts are the primary indicators of potential security incidents, operational anomalies, and other events an analyst needs to review.
How to Access
Navigate to Insights → Alerts in the platform.
Alert Tabs
| Tab | Description | Shows |
|---|---|---|
| Triage | Alerts undergoing AI analysis | Pending and in-progress AI triage |
| Unassigned | Open alerts not linked to a case | New alerts awaiting review |
| Assigned | Open alerts linked to a case | Alerts under investigation |
| Closed | Resolved alerts | Historical reference with closing reasons |
Timeline View
Click the Timeline View button to see alerts displayed chronologically, useful for understanding attack sequences and event correlation.
Alert Properties
| Property | Description |
|---|---|
| Alert ID | Unique identifier |
| Title | Detection-generated title |
| Severity | Critical, High, Medium, Low, Informational |
| Detection | The detection rule that triggered the alert |
| Created At | When the alert was generated |
| Related Alerts | Count of similar or connected alerts |
| Case | Linked case (if assigned) |
| AI Analysis | Triage status and summary |
Filtering Alerts
Use filters to narrow down the alert list:
| Filter | Description |
|---|---|
| Alert ID | Search by exact alert ID |
| Related Alerts Count | Filter by number of related alerts |
| Created At | Filter by date range |
| Detection | Filter by specific detection rules |
| Observables | Search within alert observables |
| Severity | Filter by severity level |
Working with Alerts
Viewing Alert Details
Click an alert to view:
- Full event data and payload
- Detection that triggered it
- Related alerts grouped together
- AI analysis summary (if triaged)
- Observable indicators
AI Triage
When a detection has AI triage enabled:
- The alert enters the Triage tab automatically
- The AI Assistant analyzes the event context
- The analysis summary is attached to the alert
- The alert moves to the appropriate tab based on the findings
Tip: AI triage helps prioritize alerts by providing an initial analysis, reducing the time spent on false positives. Treat the summary as a starting point for manual review rather than a verdict; an analyst still confirms, assigns, or closes the alert.
Bulk Actions
Select multiple alerts to:
- Close — Resolve with a closing reason
- Add to Case — Link to existing or new case
- Re-triage — Resubmit for AI analysis
Assigning to Cases
Link alerts to an investigation:
- Select one or more alerts
- Click Add to Case
- Choose an existing case or create a new one
- The alerts appear in the case timeline
Severity Levels
| Level | Color | Description |
|---|---|---|
| Critical | Red | Major incidents actively compromising systems |
| High | Orange | Significant threats requiring prompt attention |
| Medium | Yellow | Notable events warranting investigation |
| Low | Blue | Minor anomalies for awareness |
| Informational | Gray | Context events for reference |
Best Practices
- Use the Triage tab — Let AI pre-analyze alerts before manual review
- Filter by severity — Address critical alerts first
- Group related alerts — Link to cases for complete context
- Document closures — Always add meaningful closing reasons
- Review patterns — Look for recurring alert types to tune detections
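The filters, tabs, Timeline View pivot and the "review patterns to tune detections" practice above can all be expressed as small operations over alert records. The script below is an added example written for this page, not the platform's own code or API: the record fields (id, title, severity, detection, created_at, related, observables, case, closing_reason, ai_triage) are assumed to correspond to the alert properties listed above, and every alert and closing-reason label in it is constructed sample data.

```python
"""Offline helpers over alert records, mirroring this page's tabs, filters and
severity levels. Added example, not platform code: field names are assumed
to match the Alert Properties table, and all alerts below are constructed."""
from collections import Counter, defaultdict
from datetime import datetime

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}


def _alert(aid, title, sev, det, ts, related, observables, case=None, closed=None, ai=None):
    """Build one alert record (constructed sample data, not an export format)."""
    return {"id": aid, "title": title, "severity": sev, "detection": det,
            "created_at": ts, "related": related, "observables": observables,
            "case": case, "closing_reason": closed, "ai_triage": ai}

# Constructed sample alerts; IP addresses come from RFC 5737 documentation ranges.
ALERTS = [
    _alert("A-1001", "PowerShell download cradle", "High", "powershell-download-cradle",
           "2024-05-01T08:12:00Z", 1, ["ws-042", "203.0.113.7"], ai="complete"),
    _alert("A-1002", "PowerShell download cradle", "High", "powershell-download-cradle",
           "2024-05-01T08:15:00Z", 1, ["ws-042", "198.51.100.23"], case="CASE-17", ai="complete"),
    _alert("A-1003", "Multiple failed logins", "Medium", "auth-bruteforce",
           "2024-05-01T09:00:00Z", 0, ["svc-backup"], closed="False positive"),
    _alert("A-1005", "Multiple failed logins", "Medium", "auth-bruteforce",
           "2024-05-03T09:00:00Z", 0, ["svc-backup"], closed="Benign: expected activity"),
    _alert("A-1006", "Multiple failed logins", "Medium", "auth-bruteforce",
           "2024-05-04T09:00:00Z", 0, ["svc-backup"], closed="False positive"),
    _alert("A-1007", "Outbound connection to known C2", "Critical", "c2-beacon",
           "2024-05-04T10:30:00Z", 1, ["ws-042", "203.0.113.7"], ai="complete"),
    _alert("A-1008", "Outbound connection to known C2", "Critical", "c2-beacon",
           "2024-05-03T10:30:00Z", 1, ["ws-017"], case="CASE-17", closed="True positive"),
    _alert("A-1009", "New scheduled task", "Low", "schtask-created",
           "2024-05-02T12:00:00Z", 0, ["ws-042"], ai="pending"),
]


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp; 'Z' is rewritten so older Pythons accept it."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def tab_for(alert):
    """Which tab the alert lands in, following the Alert Tabs table."""
    if alert["closing_reason"] is not None:
        return "Closed"
    if alert["ai_triage"] == "pending":
        return "Triage"
    return "Assigned" if alert["case"] else "Unassigned"


def filter_alerts(alerts, severities=None, detection=None, observable=None,
                  since=None, until=None, min_related=None, open_only=False):
    """The page's filters: severity, detection, observables (substring match),
    created-at range (inclusive) and related-alert count."""
    out = []
    for a in alerts:
        ts = parse_ts(a["created_at"])
        if severities and a["severity"] not in severities:
            continue
        if detection and a["detection"] != detection:
            continue
        if observable and not any(observable in o for o in a["observables"]):
            continue
        if (since and ts < since) or (until and ts > until):
            continue
        if min_related is not None and a["related"] < min_related:
            continue
        if open_only and a["closing_reason"] is not None:
            continue
        out.append(a)
    return out


def prioritize(alerts):
    """Critical first, then oldest first within each severity."""
    return sorted(alerts, key=lambda a: (SEVERITY_RANK[a["severity"]], parse_ts(a["created_at"])))


def timeline_for_observable(alerts, observable):
    """Chronological alert IDs that share an observable (e.g. a host): the pivot
    you make in Timeline View to reconstruct an attack sequence."""
    hits = filter_alerts(alerts, observable=observable)
    return [a["id"] for a in sorted(hits, key=lambda a: parse_ts(a["created_at"]))]


def closure_breakdown(alerts):
    """Closing reasons per detection, counted over closed alerts only."""
    per_det = defaultdict(Counter)
    for a in alerts:
        if a["closing_reason"] is not None:
            per_det[a["detection"]][a["closing_reason"]] += 1
    return per_det


def tuning_candidates(alerts, fp_share=0.5, min_closed=3):
    """Detections whose closed alerts are mostly false positives, as
    (detection, false_positive_count, closed_count), noisiest first."""
    out = []
    for det, reasons in closure_breakdown(alerts).items():
        total = sum(reasons.values())
        fp = reasons["False positive"]  # Counter returns 0 for a missing label
        if total >= min_closed and fp / total >= fp_share:
            out.append((det, fp, total))
    return sorted(out, key=lambda r: r[1] / r[2], reverse=True)


if __name__ == "__main__":
    for a in prioritize(filter_alerts(ALERTS, severities={"Critical", "High"}, open_only=True)):
        print(a["id"], a["severity"], tab_for(a), a["title"])
    print("ws-042 timeline:", timeline_for_observable(ALERTS, "ws-042"))
    print("tuning candidates:", tuning_candidates(ALERTS))
```

The `tuning_candidates` report only works if closures carry consistent, meaningful reasons, which is the practical argument behind "Document closures" above: a detection closed three times as "False positive" is a tuning candidate, whereas three free-text reasons are just noise.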