Managing Alerts
Learn how to effectively manage, investigate, and resolve alerts in Containment.AI.
Alert List View
The Alerts page shows all alerts in your organization:
Default View
- Sorted by newest first
- Shows unresolved alerts by default
- Displays severity, user, policy, and status
Quick Actions
From the list, you can:
- Click to view details
- Bulk select for actions
- Export visible alerts
Investigating Alerts
Viewing Alert Details
Click any alert to open the detail drawer:
- Header - Severity, status, and quick actions
- Summary - What happened and why
- Content - The flagged content with highlights
- Context - User, device, and platform info
- Timeline - History of changes and actions
Understanding the Match
The content section shows:
- Highlighted text - What triggered the policy
- Match reason - Which policy rule matched
- Confidence - How certain the detection is
Gathering Context
Before taking action, consider:
- Is this a known false positive pattern?
- What was the user trying to accomplish?
- Is this a repeat offense?
- What's the business context?
Taking Action
Acknowledge
Mark that you've seen the alert:
- Click Acknowledge or press A
- Alert moves from New to Acknowledged
- Other admins see it's being handled
Resolve
Close the alert when addressed:
- Click Resolve or press R
- Select a resolution reason:
  - True Positive - Blocked - Correctly prevented
  - True Positive - Coached - User educated
  - False Positive - Incorrect trigger
  - Exception Granted - Allowed with approval
- Add optional notes
- Click Confirm
Dismiss
For alerts that don't need action:
- Click Dismiss or press D
- Select reason:
  - False positive
  - Duplicate
  - Test data
  - Not actionable
- Confirm dismissal
Escalate
Forward to another team member:
- Click Escalate
- Select assignee
- Add context notes
- Submit
Adding Notes
Document your investigation:
- Click Add Note in the detail view
- Enter your observations
- Notes are timestamped with your name
- Visible to all admins
Example notes:
- "Contacted user - training data, not real PII"
- "Working with legal on this pattern"
- "Added to exception list per ticket #1234"
Granting Exceptions
If a user needs to bypass a policy:
- From the alert, click Grant Exception
- Configure the exception:
  - Duration - Temporary or permanent
  - Scope - This user only or team
  - Policy - Specific policy or all
- Add justification
- Approve
Exceptions should be rare and well-documented. Consider adjusting the policy instead of granting many exceptions.
Bulk Actions
Handle multiple alerts efficiently:
Selecting Alerts
- Click a row's checkbox to select an individual alert
- Click the header checkbox to select all visible alerts
- Shift+click for range selection
Available Bulk Actions
- Acknowledge - Mark all as seen
- Resolve - Close with shared reason
- Dismiss - Remove from active view
- Export - Download selected data
Bulk Resolve
- Select alerts with similar issues
- Click Bulk Actions > Resolve
- Choose resolution reason
- Add shared notes
- Confirm action
Alert Assignment
Auto-Assignment
Configure automatic assignment:
- By severity level
- By policy category
- By affected team
- Round-robin among admins
Manual Assignment
- Open alert details
- Click the assignee field
- Select admin from dropdown
- The alert now appears in their queue
My Alerts
Filter to see only your assigned alerts:
- Click My Alerts filter
- Or use the filter assignee:me
Workflow Integration
Slack/Teams
Receive alerts in your chat:
- Configure in Integrations
- Click alerts to open in dashboard
- React to acknowledge quickly
Ticketing Systems
Create tickets from alerts:
- Click Create Ticket in alert detail
- Select ticketing system (Jira, ServiceNow, etc.)
- Alert ID links automatically
- Resolution syncs back
SIEM Integration
Forward alerts to your SIEM:
- All alerts are forwarded in real time
- Includes full context
- Correlate with other security events
Performance Tips
Efficient Triage
- Start with Critical severity
- Use filters to group similar alerts
- Bulk resolve patterns
- Document for future reference
Reducing Volume
If alert volume is too high:
- Review policy sensitivity settings
- Add legitimate patterns to allowlists
- Consider policy restructuring
- Train users on acceptable use
Time Management
Recommended triage schedule:
- Critical: Immediately
- High: Within 4 hours
- Medium: Within 1 business day
- Low: Weekly review
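As an added example (not Containment.AI's own code or export schema), the following Python helper applies the schedule above to a JSON alert export: it keeps only open alerts, orders them Critical first, and flags alerts still in New whose triage deadline has passed. The field names and the sample export are assumptions; "1 business day" for Medium is approximated by skipping weekends only.

```python
"""Rank exported alerts by severity and flag triage-deadline breaches."""
import json
from datetime import datetime, timedelta

# Deadlines from the recommended triage schedule. Medium is handled
# separately as one business day (weekends skipped, holidays ignored).
SLA = {"critical": timedelta(0), "high": timedelta(hours=4), "low": timedelta(days=7)}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample export; field names are assumptions about the real format.
SAMPLE_EXPORT = json.dumps([
    {"id": "a1", "severity": "High", "status": "New", "assignee": None,
     "policy": "PII", "created_at": "2024-05-03T09:00:00Z"},          # Friday
    {"id": "a2", "severity": "Critical", "status": "Acknowledged",
     "assignee": "alice", "policy": "Secrets", "created_at": "2024-05-03T12:30:00Z"},
    {"id": "a3", "severity": "Medium", "status": "New", "assignee": None,
     "policy": "Source code", "created_at": "2024-05-03T16:00:00Z"},  # Friday
    {"id": "a4", "severity": "Low", "status": "Resolved", "assignee": "bob",
     "policy": "PII", "created_at": "2024-04-01T08:00:00Z"},
])

def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-05-03T09:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def due_at(alert: dict) -> datetime:
    """Deadline by which the alert should have been triaged."""
    created = parse_ts(alert["created_at"])
    sev = alert["severity"].lower()
    if sev != "medium":
        return created + SLA[sev]
    due = created + timedelta(days=1)
    while due.weekday() >= 5:      # 5 = Saturday, 6 = Sunday: roll to Monday
        due += timedelta(days=1)
    return due

def triage_queue(export_json: str, now_iso: str) -> list[dict]:
    """Open alerts, Critical first then oldest first. `overdue` is set on
    alerts still New past their deadline; Acknowledged ones are being handled."""
    now = parse_ts(now_iso)
    open_alerts = [a for a in json.loads(export_json)
                   if a["status"] in ("New", "Acknowledged")]
    open_alerts.sort(key=lambda a: (RANK[a["severity"].lower()], a["created_at"]))
    return [{**a, "overdue": a["status"] == "New" and now > due_at(a)}
            for a in open_alerts]

if __name__ == "__main__":
    for a in triage_queue(SAMPLE_EXPORT, "2024-05-04T09:00:00Z"):
        print(f'{a["id"]}  {a["severity"]:<9} assignee={a["assignee"]}  overdue={a["overdue"]}')
```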
Reporting
Alert Reports
Generate reports showing:
- Alert volume over time
- Resolution rates
- Top triggered policies
- User patterns
Export Options
Export alert data as:
- CSV for spreadsheets
- JSON for systems integration
- PDF for compliance documentation
Related Topics
- Alert Filters - Find specific alerts
- Policy Configuration - Tune to reduce false positives
- Exceptions - When to grant exceptions