Dispositions

Dispositions describes the overall outcome of the alert/case.

Dispositions are standardized on the Unit21 platform using categories. These categories help to generate meaningful metrics, and to train machine learning models.

For example, while a disposition can be named with a custom label such as "BLOCKED", "FRIENDLY FRAUD", "OUTLIER", "BAD RULE", or "FRAUD", they must also be classified into Unit21's set of categories: Closing Review - took action, Dismissing this, We are moving this forward, etc.

"FRIENDLY FRAUD" would typically be categorized as a Closing Review - took action. The "BAD RULE" disposition is typically categorized as a Dismissing this and so on. Anything that is escalated from one state to another (ie. from an alert to a case, or from one queue to another) should be classified as We are moving this forward in our review process.

What are the benefits of labelling dispositions?

1. Alert Scores are very accurate when alerts are disposed correctly in the Unit21 system.
2. Your organization can easily view alert outcome/performance metrics in Dashboards (Insights).

❗️

DISPOSITION NAMES DO NOT SUPPORT UNDERSCORES.

What do the disposition categories mean?

1. Closing review - took action: This indicates that this is the type of behavior you are trying to stop by using Unit21.
2. Blocking this user: This indicates that the user will be, or has been, blocked from the platform as a result of this finding.
3. Dismissing this, but it was worth spending the time to look at this: This indicates that the user’s behavior was correctly flagged, but it could be explained as “not unusual” after gaining additional context.
4. Dismissing this - this should not have reached this stage of the process: This indicates that the alert or case should not have been created, or should not have reached this stage of the review process. Using this disposition allows you to see the waste in your process, so that you can become as efficient as possible.
5. We are moving this forward in our review process: This indicates an interim workflow state such as an escalation from one team to another, or from L1 to L2. Anything that is escalated should be put into this disposition category until a final determination has been made.

You can classify your dispositions as per the image below:

Important:: To make it easier to correctly classify dispositions, when editing a workflow button, the disposition dropdown will be limited to options relevant to the action. For example, on alert workflow buttons, if an alert workflow button creates a case, the disposition dropdown will only display dispositions that are classified as We are moving this forward in our review process will display. Similarly, if a case workflow button creates a SAR, the disposition dropdown will only display those dispositions that are classified as Closing review - took action or This user has been blocked.

How do I use dispositions?

1. Your organization must setup dispositions.
2. Your organization must create workflow buttons to dispose alerts and cases.

An alert/case can be disposed only using a workflow button configured in the Workflow Buttons section of your dashboard. Each workflow buttons can have only one disposition.

Dispositions can be viewed in the Summary section of a alert/case view: