Skip to main content

Managing Alerts

Learn how to manage, investigate, and resolve alerts in Containment.AI.

Alert List View

The Alerts page shows the alerts in your organization:

  • Newest first
  • Severity, actor, policy, and status per row
  • Click a row to open its detail drawer

Alert Statuses

An alert is always in one of four statuses:

StatusMeaning
OpenNew, not yet handled
In ProgressBeing worked
ResolvedAddressed and closed
MutedSuppressed from the active view

Investigating Alerts

Viewing Alert Details

Click any alert to open the detail drawer:

  1. Header - Severity, status, and quick actions
  2. Summary - What happened and why
  3. Violation - The matched term/pattern and violation message
  4. Context - User, device, and platform info
  5. Timeline - History of changes and actions

Understanding the Match

The violation section shows the retained alert metadata:

  • Matched term/pattern - What triggered the policy
  • Match reason - Which policy rule matched
  • Violation message - Description of what was flagged
note

The policy-check service retains only violation alert metadata (policy name, severity, violation message, and the matched term/pattern). The full prompt text is not stored.

Gathering Context

Before taking action, consider:

  • Is this a known false positive pattern?
  • What was the user trying to accomplish?
  • Is this a repeat offense?
  • What's the business context?

Taking Action

From the alert detail drawer:

Acknowledge

Record that you've seen the alert. Click Acknowledge Alert. The alert shows who acknowledged it and when; other admins can see it's being handled.

Mark as Resolved

Click Mark as Resolved to close the alert once it's addressed.

Change Status

Use the status control to move an alert between Open, In Progress, Resolved, and Muted. Mute an alert to suppress it from the active view.

Granting an Exception

If a user needs to bypass a policy for a specific alert, use the row's action menu (exception workflows require a plan that includes them):

  1. On the Alerts list, open the alert row's action menu (the menu).
  2. Choose Create exception.
  3. Complete the exception details and save.

See Exceptions for the full exception model.

caution

Exceptions should be rare and well-documented. Consider adjusting the policy instead of granting many exceptions.

Triage Guidance

Efficient Triage

  1. Start with Critical/High severity.
  2. Use the alert filters to narrow the list.
  3. Resolve or mute handled alerts so the active view reflects outstanding work.
  4. Add context in your own tracking as you go.

Reducing Volume

If alert volume is too high:

  • Review policy sensitivity settings
  • Add legitimate patterns to allowlists
  • Consider policy restructuring
  • Train users on acceptable use

Suggested Response Times

  • Critical: Immediately
  • High: Within 4 hours
  • Medium: Within 1 business day
  • Low: Weekly review