An Investigation contains all ongoing monitoring activity related to a specific entity. It brings together every stage of the Alert lifecycle — from initial detection through escalation and closure — in one centralized view.
Within each Investigation, you’ll also find Alerts, which represent individual events and their associated risk indicators (for example, a single transaction or a customer login attempt).
Investigation Lifecycle Overview
An Investigation can move through several stages depending on the outcome of each review:
Alert = Alert Review
Alerts represent individual events and their associated risk indicators (for example, a single transaction or a customer login attempt).
When an Investigation is in Alert Review status, it means a potential issue has been detected.
The assigned agent reviews the Alert to determine whether it should be dismissed or escalated.
Case = Case Review
If an Alert appears suspicious or requires deeper analysis, the Investigation can be promoted to Case Review.
At this point, it becomes a Case, prompting more thorough investigation and documentation.
This step may also involve collaboration or management review.
Confirmed Risk
If the Case is confirmed to involve high-risk or suspicious activity, it is marked as Confirmed Risk (a true positive).
Depending on your organization’s internal policies, these confirmed cases may lead to a Suspicious Activity Report (SAR).
Refer to the separate guide detailing the SAR filing process.
Dismissed
An Investigation or Alert that is determined not to be suspicious is marked as Dismissed.
Alloy automatically tracks whether the dismissal occurred during Alert Review or Case Review for reporting and audit purposes.