It's important to understand if you should group alerts by entity or by hit:
- Grouping by hit will generate an alert if a transaction or group of transactions trigger your model
- Grouping by entity/instrument will generate a single alert for all transaction(s) that involve the same entity/instrument
If a rule is configured to group by hit, then an alert is generated if a transaction or group of transactions trigger your model (rule).
If entityA is flagged by your model as a result of 1 fraudulent transaction, 1 alert will be created with a single flagged transaction. If entityA is subsequently flagged by your model as a result of 4 transactions, this group of 4 transactions will generate a single new alert.
If a rule is configured to group by entity, then when new transactions are flagged, they will be merged into an existing alert if one exists about the entity/instrument or a new one will be created.
- A single alert is generated for all transaction(s) that involve the same entity/instrument.
- If you do not close an old alert that is related to the entity/instrument in the flagged transaction(s), then the new hits will be added to that existing alert.
If entityA is flagged by your model during 5 transactions, only 1 alert is created and within that alert there will be 5 flagged transaction entries (in the hit tab). If entityA is flagged again by the same model, the same alert will be updated with the new transaction entry (for a total of 6 transactions in the hit tab). If the alert is "closed", a new alert if created.
Updated about 2 months ago