Alerts

When a model (rule) flags a transaction event, it generates an alert.

The alert is then sent into an alert queue. The agents on the team assigned to that alert queue can view and investigate the alert.

For example:

  1. Alert alert-8547378 generated for entity-anf873 by smurfing rule-95437871 triggered by transaction-7854375843857843 and transaction-3548257483716543.
  2. Alert alert-8547378 added to team P0 alert queue.
  3. Agent Gabriela Smith consumes from the team P0 alert queue and investigates alert-8547378.

If escalation is necessary, the alert and its data can be turned into a case.

Unit21 will not create a new alert if there is already an OPEN alert for that entity.

If there is already an open alert from a rule for a specific entity and that rule flags new transactions for that entity, they will be added under the Hits tab in the existing alert.

As such, it is important to close old alerts so that rules can generate new alerts for new transactions! Otherwise, newly flagged transactions may end up getting lost in old unclosed alerts for a specific entity.
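
The open-alert rule described above, modelled in Python as an added example (this is not Unit21 code or its API). It assumes an alert is keyed on rule and entity and that hits are kept as a simple list; all identifiers are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Alert:
    alert_id: str
    rule_id: str
    entity_id: str
    state: str = "OPEN"
    hits: list = field(default_factory=list)  # flagged transaction ids

class AlertStore:
    """Toy model of the open-alert rule; an assumption, not Unit21's implementation."""
    def __init__(self):
        self.alerts = []

    def _open_alert(self, rule_id, entity_id):
        for a in self.alerts:
            if a.state == "OPEN" and (a.rule_id, a.entity_id) == (rule_id, entity_id):
                return a
        return None

    def flag(self, rule_id, entity_id, txn_id):
        """Record a flagged transaction; return (alert, created_new_alert)."""
        alert = self._open_alert(rule_id, entity_id)
        created = alert is None
        if created:
            alert = Alert(f"alert-{len(self.alerts) + 1}", rule_id, entity_id)
            self.alerts.append(alert)
        alert.hits.append(txn_id)  # with an open alert, the hit lands here
        return alert, created

    def close(self, alert_id):
        for a in self.alerts:
            if a.alert_id == alert_id:
                a.state = "CLOSED"

def absorbed_hits(store, initial_hits=1):
    """Open alerts that gained hits after creation: {alert_id: [later txn ids]}."""
    return {a.alert_id: a.hits[initial_hits:] for a in store.alerts
            if a.state == "OPEN" and len(a.hits) > initial_hits}

def demo():
    store = AlertStore()
    first, c1 = store.flag("rule-A", "entity-1", "txn-001")  # constructed ids
    same, c2 = store.flag("rule-A", "entity-1", "txn-002")   # absorbed, no new alert
    stale = absorbed_hits(store)                             # what a reviewer should re-check
    store.close(first.alert_id)
    fresh, c3 = store.flag("rule-A", "entity-1", "txn-003")  # new alert after close
    return (c1, c2, c3), same.alert_id, fresh.alert_id, stale
```
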

Alerts offer many possibilities for action, all of which can be managed from the Alerts pane of the Unit21 dashboard.

Overview of the Alerts page


The Alerts page is the first step in the workflow for an agent. Each day, an agent logs into the dashboard and receives a new set of alerts to investigate:

The agents can request more alerts to work by using the Get More Alerts button.

Agents will work on alerts that are in their alert queue; see the Alert Queues section to learn more about how alerts get triaged into alert queues and are consumed by teams of agents.

An agent will choose an available alert from the Alert page to investigate further (simply click on an alert in the table).

Overview of an Alert


Alerts are the first step in the case management component of the Unit21 platform. During the investigation, agents can assign investigators, add notes, and upload media.

Each alert is identifiable by an alert_id (Alert ID).

When an agent investigates an alert, they can also find data about:

  • The underlying rule and the transactions that triggered the rule
  • Associated alerts, i.e., those involving the same entities and transactions
  • Entities and instruments involved

As an agent investigates the alert, they can:

  • Review associated entities, alerts, cases, and reports
  • Add documents to the alert
  • Add notes to the alert
  • Add tags to the alert
  • Work through the investigation checklist
  • Re-assign or re-queue the alert
  • Resolve (dispose, escalate, transfer, close...) the alert through workflow buttons

Alert Triage and Assignment -- Alerts are triaged using alert queues.
You can also manually assign alerts to agents. These actions are reserved for administrators (agents with administrative permissions).

Alert State -- Alerts have two states: open and closed. If needed, a closed alert can be reopened.

Alert Investigation Checklist -- The investigation checklist is programmable by an investigator and enforces an investigative workflow for agents (steps they must take and check off before an alert is resolved).

Alert Disposition -- Alerts can have dispositions such as "false positive".

Alert Deadline -- Alerts can have deadlines so that agents have a clear due date for their investigation.

Alert Workflow and Resolution -- Alerts can be escalated, transferred between agents, closed, opened, turned into a case, whitelisted, de-escalated, tagged and more using workflow buttons.

Alert Audit Trail -- Whenever an agent marks an alert’s data, adds a tag to the alert, uploads documents, or resolves the alert, the action is logged automatically in the alert’s audit trail.

Alert Administrators


Administrators can view all alerts in all queues under the Admin tab of the Alert page:

Administrators can create and delete alert queues in the Alert tab of the Alert page:
