Managing Alerts
Learn how to manage, investigate, and resolve alerts in Containment.AI.
Alert List View
The Alerts page shows the alerts in your organization:
- Newest first
- Severity, actor, policy, and status per row
- Click a row to open its detail drawer
Alert Statuses
An alert is always in one of four statuses:
| Status | Meaning |
|---|---|
| Open | New, not yet handled |
| In Progress | Being worked |
| Resolved | Addressed and closed |
| Muted | Suppressed from the active view |
Investigating Alerts
Viewing Alert Details
Click any alert to open the detail drawer:
- Header - Severity, status, and quick actions
- Summary - What happened and why
- Violation - The matched term/pattern and violation message
- Context - User, device, and platform info
- Timeline - History of changes and actions
Understanding the Match
The violation section shows the retained alert metadata:
- Matched term/pattern - What triggered the policy
- Match reason - Which policy rule matched
- Violation message - Description of what was flagged
The policy-check service retains only violation alert metadata (policy name, severity, violation message, and the matched term/pattern). The full prompt text is not stored.
Gathering Context
Before taking action, consider:
- Is this a known false positive pattern?
- What was the user trying to accomplish?
- Is this a repeat offense?
- What's the business context?
Taking Action
From the alert detail drawer:
Acknowledge
Record that you've seen the alert. Click Acknowledge Alert. The alert shows who acknowledged it and when; other admins can see it's being handled.
Mark as Resolved
Click Mark as Resolved to close the alert once it's addressed.
Change Status
Use the status control to move an alert between Open, In Progress, Resolved, and Muted. Mute an alert to suppress it from the active view.
Granting an Exception
If a user needs to bypass a policy for a specific alert, use the row's action menu (exception workflows require a plan that includes them):
- On the Alerts list, open the alert row's action menu (the ⋯ menu).
- Choose Create exception.
- Complete the exception details and save.
See Exceptions for the full exception model.
Exceptions should be rare and well-documented. Consider adjusting the policy instead of granting many exceptions.
Triage Guidance
Efficient Triage
- Start with Critical/High severity.
- Use the alert filters to narrow the list.
- Resolve or mute handled alerts so the active view reflects outstanding work.
- Add context in your own tracking as you go.
Reducing Volume
If alert volume is too high:
- Review policy sensitivity settings
- Add legitimate patterns to allowlists
- Consider policy restructuring
- Train users on acceptable use
Suggested Response Times
- Critical: Immediately
- High: Within 4 hours
- Medium: Within 1 business day
- Low: Weekly review
Related Topics
- Understanding Alerts - Alert anatomy and severity
- Alert Filters - Find specific alerts
- Policy Configuration - Tune to reduce false positives
- Exceptions - When to grant exceptions