When a rule flags a transaction event, it generates an alert.
The alert is then sent into an alert queue. The team of agents assigned to that alert queue are able to view and investigate the alert.
For example:
- Alert `alert-8547378` generated for `entity-anf873` by smurfing `rule-95437871` triggered by `transaction-7854375843857843` and `transaction-3548257483716543`.
- Alert alert-8547378 added to `team P0` alert queue.
- Agent Annie Smith consumes from the `team P0` alert queue and investigates `alert-8547378`.
If escalation is necessary, the alert and its data can be turned into a case.
Unit21 will not create a new alert if there is already an `OPEN` alert for that entity.
If there is already an open alert from a rule for a specific entity and new transactions are flagged for said entity by said rule, it will be added under the Hits tab in the existing alert.
As such, it is important to close old alerts so that rules can generate new alerts for new transactions! Otherwise new transactions that are flagged may end up getting lost in old unclosed alerts for a specific entity.
Alerts offer many possibilities for action, all of which can be managed from the Alerts page of the Unit21 dashboard.
The Alerts Page
The Alerts page is the first step in the workflow for an agent. Each day, an agent logs into the Dashboard and receives a new set of alerts to investigate:
An agent will choose an available alert from the Alert page to work on for that day.
The agents can request more alerts to work on by using the Get More Alerts button.
Agents will work on alerts that are in their alert queue ONLY. See the Alert Queues section to learn more about how alerts get triaged into alert queues and are consumed by teams of agents.
Anatomy of an Alert
Alerts are the first step in the case management component of the Unit21 platform.
During the investigation process, agents can assign investigators, add notes, view related transaction, perform link analysis, upload media and more.
Each alert is identifiable by an `alert_id` (alert ID).
When an agent investigates an alert, they can also find data about:
- The underlying rule and the transactions that triggered the rule
- Associated alerts, i.e. involving same entities and transactions
- Entities and instruments involved
As an agent investigates the alert, they can:
- Review associated entities, alerts, cases, and reports
- Add documents to the alert
- Add notes to the alert
- Add tags to the alert
- Work through the investigation checklist
- Re-assign or re-queue the alert
- Resolve (dispose, escalate, transfer, close...) the alert through workflow buttons
A Closer Look
Alert Triage and Assignment -- Alerts are triaged using alert queues. You can also manually assign alerts to agents. These actions are reserved for administrators (agents with administrative permissions).
Alert State -- Alerts have two states: `OPEN` or `CLOSED`. If needed, a `CLOSED` alert can be reopened.
Alert Investigation Checklist -- The investigation checklist is programmable by an investigator and forces an investigative workflow for agents (steps they must take and check-off before an alert is resolved).
Alert Disposition -- Alerts can have dispositions such as `FALSE POSITIVE`.
Alert Sub-Disposition -- Alerts can have sub-dispositions such as `BROAD RULE`.
Alert Deadline -- Alerts can have deadlines so that agents have a clear due date for their investigation.
Alert Workflow and Resolution -- Alerts can be escalated, transferred between agents, closed, opened, turned into a case, whitelisted, de-escalated, tagged and more using workflow buttons.
Alert Audit Trail -- Whenever an agent marks an alert’s data, adds a tag to the alert, uploads documents, or resolves the alert, the action is logged automatically in the alert’s audit trail.
Alert Administration
Administrators can view all alerts in all queues under the Admin tab of the Alert page: