An Investigation includes all suspicious activity (Alerts) related to a specific entity.
When you open an Investigation, you’ll first see a summary section that highlights:
The total number of Alerts within the Investigation.
The Outcomes (e.g., Suspicious or Dismissed) that have been recorded for those Alerts.
Below the summary, you’ll find a list of all open Alerts aggregated for that entity. These Alerts represent ongoing events—such as transactions or login attempts—that meet the criteria defined in your organization’s policy to trigger an Alert. The Alerts are displayed in a timeline view, with the most recent activity shown at the top.
Reviewing an Alert
If you are assigned to review an Alert:
Select Review next to the Alert.
Choose an Outcome — Suspicious or Dismissed.
Enter a Review Reason and add any relevant notes to support your decision.
⚠️ Note: The decision you make applies only to that specific Alert. It does not affect the overall Investigation status.
Reviewing Alerts in Bulk
If multiple Alerts share similar indicators, you can review them together.
Use the Filters (Status, Outcome Reason, Type, or Device ID) to group related Alerts.

Select the Alerts with common characteristics.

Perform a Bulk Review to apply the same decision to all selected Alerts.

Alerts that require review will be:
Auto-assigned to the designated reviewer
Manually assigned by a user
Automatically assigned to the agent completing the bulk review.
Escalating an Investigation to Case Review
If an Alert is determined to be Suspicious and further action is needed — such as requesting a manager review or filing a SAR — the agent can promote the Investigation to Case Review status.
Steps to Promote an Investigation:
1. Assign yourself to the Investigation (or ensure you are already assigned). In the example below, Agent Jane Zachar is assigned to the Investigation before promotion.
2. Select Promote to Case from the available actions. The Investigation status will update to Case Review.
3. In the Note section of the Review:
   Add a brief description summarizing why the Investigation is being escalated.
   Attach any supporting documents as evidence.
4. Escalation details — including the review reason, notes, reviewer, and date — will appear at the top of the Investigation feed.
Closing an Investigation
Once you are assigned to an Investigation, you can make the final decision to close it.
Before closing an Investigation, ensure that all associated Alerts have been reviewed and marked as either Suspicious or Dismissed. This step is required to complete the Investigation.
⚠️ Important: Once an Investigation is closed, it cannot be reopened. Any future Alerts triggered for the same entity will automatically create a new Investigation.
When closing an Investigation, select one of the following outcomes:
Confirmed Risk – The activity has been verified as a true positive (suspicious behavior confirmed).
Dismissed – The activity was determined to be not suspicious.
After closing, the final decision will appear at the top of the Investigation feed, along with the corresponding notes, reviewer details, and date of closure.

Investigation and Alert Details
Each Investigation contains all related Alerts for a single entity. Because these Alerts provide insight into specific events or behaviors, having context about the entity itself helps agents make more informed review decisions.
When you open an Investigation, you’ll see the Entity Panel on the right side of the screen.

The Entity Panel
The Entity Panel provides a quick, structured summary of key information related to the entity under review. It is divided into several sections:
Profile
Displays a summary of the entity’s personally identifiable information (PII).
Includes two unique identifiers:
Entity Token – Automatically generated by Alloy; begins with “P-” for person-type entities or “B-” for business-type entities.
External ID – Used to map the entity to your organization’s customer records.
Both IDs can be used to search for the entity in the Investigation Queue search bar.
Published Attributes
Shows key attributes associated with the entity that are configured for workflow decisioning.
Examples include Risk Score, Customer Income, or other metrics relevant to your review process.
These attributes give agents important context when evaluating an Investigation.
Accounts
Lists all accounts that Alloy has linked to the entity, providing visibility into related financial or operational connections.
Investigations
Displays a history of past Investigations for the same entity, including:
The number of prior Investigations
Dates when they were opened
Outcomes and resolution details
Accessing the Full Profile
Agents can click directly from the Entity Panel to open the full Entity Profile, where additional data and expanded views of each section are available.
Understanding the Workflow Dropdown
The Workflow dropdown allows reviewers to access deeper insights about the Alert. The information displayed here depends on the Event Type that triggered the Alert (for example, a transaction, login attempt, or account update).
For Transaction Alerts
Transaction-based Alerts typically include:
Transaction Details – such as the amount, merchant category, timestamp, and any associated accounts.
Recent Activity – a list of the entity’s most recent transactions for additional context.
Outcome Reasons and Tags – indicators showing which rule or condition triggered the Alert.
Data Source Responses – results from third-party or internal data checks used during the workflow decisioning process.
Other Data Panel – additional payload data configured by the client to display relevant custom fields.
This contextual data helps reviewers understand why the Alert was generated and assess its potential risk more effectively.

Outcome Reasons and Tags
Outcome Reasons and Tags provide valuable insight into the rules that triggered an Alert.
Agents can click on these fields to view:
The logic or conditions used in the workflow rule.
The specific values that were evaluated during the decision process.
The results that led to the Alert’s creation.
This level of transparency allows reviewers to trace each Alert back to its source logic and determine whether the outcome aligns with the expected behavior.
💡 Tip: From the Alert details view, agents can also view or download transactions and other data tied to the rule logic for further analysis or recordkeeping.