When a model / rule flags a transaction or action event, it generates an alert.

The alert is then sent into an alert queue. The team of agents assigned to that alert queue are able to view and investigate the alert.

For example:

  1. Alert alert-8547378 generated for entity-anf873 by smurfing rule-95437871 triggered by transaction-7854375843857843 and transaction-3548257483716543.
  2. Alert alert-8547378 added to team P0 alert queue.
  3. Agent Grabriela Smith consumes from the team P0 alert queue and investigates alert-8547378.

If escalation is necessary, the alert can be turned into a case.


Unit21 will not create a new alert if there is already an OPEN alert for that entity.

If there is already an open alert for entity A from rule B, any new transactions flagged for entity A by rule B will be added under the Hits tab in the existing alert.


It is important to close old alerts so that rules can generate new alerts for new transactions!

Otherwise new transactions that are flagged may end up getting lost in old unclosed alerts.

Alerts offer many possibilities for action, all of which can be managed from the Alerts pane of the Unit21 dashboard.

Overview of the Alerts page

The Alerts page is the first step in the workflow for an agent. Each day, an agent logs into the dashboard and receives a new set of alerts to investigate:


The agents can request more alerts to work by using the Get More Alerts button.

Agents will work on alerts that are in their alert queue; see the Alert Queues section to learn more.

Simply click on an alert in the table to start the investigation process.

Overview of an Alert

Alerts are the first step in the case management component of the Unit21 platform. During the investigation, agents can assign investigators, add notes, and upload media.


Each alert is identifiable by an alert_id (Alert ID).

When an agent investigates an alert, they can also find data about:

  • The underlying rule and the transactions that triggered the rule
  • Associated alerts, cases, and reports involving the flagged entities
  • Info on all entities and instruments flagged

As an agent investigates the alert, they can:

  • Review associated entities, alerts, cases, and reports
  • Add documents to the alert
  • Add notes to the alert
  • Add tags to the alert
  • Work through the investigation checklist
  • Re-assign or re-queue the alert through default or workflow buttons
  • Resolve (dispose, escalate, transfer, close...) the alert through workflow buttons
1200 1200

Alert Triage and Assignment -- Alerts are triaged using alert queues.
You can also manually assign alerts to agents. These actions are reserved for admins with Permissions.

Alert State -- Alerts have two states: OPEN and CLOSED. If needed, a closed alert can be reopened.

Alert Investigation Checklist -- The investigation checklist is programmable. The checklist is a set of steps an agent must follow to resolve an alert.

Alert Disposition -- Alerts can have dispositions such as "false positive" that define and classify the outcome of the agents' investigation.

Alert Deadline -- Alerts can have deadlines so that agents have a clear due date for their investigation.

Alert Audit Trail -- Whenever an agent updates an alert (adds documents, tags, sub-dispositions...) the action is logged automatically in the alert’s audit trail.

Alert Workflows -- Alerts can be escalated, transferred between agents, closed, opened, turned into a case, whitelisted, de-escalated, tagged and more using programmable workflow buttons.

Alert Administrators

Administrators can view all alerts in all queues under the Admin tab of the Alert page: