Alerts Tab
Alert Rules vs. Notification Channels
These are two distinct, independent systems that are sometimes confused:
Alert Rules (managed in the Alerts tab, Dashboard view):
- Threshold-based triggers that evaluate conditions in your Confluence and Aegis data
- Examples: “Alert when exposure score increases by 20+ points in the ENG space”
- Stored as a KVS array; evaluated by the hourly alert job or fired synchronously at event time
- Result in `alert-record` entities visible in the Alerts tab
Notification Channels (managed in Admin > Notifications):
- Routing rules that determine how events are delivered to users as in-app notifications
- Examples: “Notify all users when a critical finding is created”
- Stored as `integration-config` entities; fired via `routeEvent()` when events occur
- Result in `delivery-attempt` entities visible in the notification bell and the Delivery Log
Both systems can coexist. A user who has both a matching alert rule and a matching notification channel configured will receive two separate notifications for the same event; this is intentional.
Note: For most users, Notification Channels (Admin > Notifications) are the primary way to receive real-time alerts about security events. Alert Rules add threshold-based conditions on top of that.
Alert Record List
The main section of the Alerts tab shows a list of triggered alert records. Each alert record represents one instance of an alert rule being triggered.
Toolbar:
- Status filter: Open / Acknowledged / Resolved
- Refresh button
- Alert Rules button (Admin only): Toggles the alert rules configuration panel
- Delivery Log button (Admin only): Toggles the notification delivery log
Alert record columns (displayed as cards, not a table):
| Field | Meaning |
|---|---|
| Status lozenge | Open (red) / Acknowledged (orange) / Resolved (green) |
| Rule name | The name of the alert rule that triggered this alert |
| Space | The Confluence space key associated with this alert (for space-scoped rules) |
| Timestamp | When the alert was created |
| Message | Human-readable description of what triggered the alert |
| Affected pages | For score_increase alerts: list of pages showing previous score → current score → delta |

Alert Statuses
| Status | Meaning |
|---|---|
| Open | Alert has fired and has not been acknowledged. Requires attention. |
| Acknowledged | A team member has seen and acknowledged the alert. Investigation may be in progress. |
| Resolved | The alert has been addressed. The underlying condition may or may not still be active. |
Acknowledging an Alert
Acknowledgment signals that the alert has been seen and is being investigated. It does not mean the underlying issue is resolved.
- Find an Open alert in the list
- Click Acknowledge in the alert’s action row
- The status lozenge changes from “Open” (red) to “Acknowledged” (orange)
- The alert moves to the Acknowledged filter view
Acknowledge is available to Analysts, Approvers, and Admins.
Resolving an Alert
Resolution signals that the alert has been addressed (the underlying issue mitigated or determined to be a false positive).
- Find an Open or Acknowledged alert
- Click Resolve
- The status changes to “Resolved” (green)
- The alert moves to the Resolved filter view
Resolved alerts are not deleted; they are retained for the configured retention period (default 180 days) and appear in the Audit Log as evidence.
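The score_increase rule evaluation described under Alert Rules above and the Open → Acknowledged → Resolved workflow in the two procedures above, as an added illustration that is not the app's own code: the page scores, rule and record field names, and role names are constructed assumptions, and the roles allowed to Resolve are assumed to match those documented for Acknowledge.

```javascript
// Constructed sample data (not product data): per-page exposure scores before and
// after a scan. Field names are assumptions, not the app's stored schema.
const PREVIOUS = {
  p1: { space: 'ENG', score: 40 },
  p2: { space: 'ENG', score: 70 },
  p3: { space: 'OPS', score: 10 },
};
const CURRENT = {
  p1: { space: 'ENG', score: 65 }, // +25: crosses the 20-point threshold
  p2: { space: 'ENG', score: 75 }, // +5: below threshold
  p3: { space: 'OPS', score: 60 }, // +50, but outside the rule's space
  p4: { space: 'ENG', score: 90 }, // new page, no previous score to compare
};
// A score_increase rule as the hourly job might read it from the KVS rules array.
const RULE = { name: 'ENG exposure jump', type: 'score_increase', space: 'ENG', minDelta: 20 };

// Evaluate one space-scoped score_increase rule. Returns an Open alert record
// carrying the affected pages (previous -> current -> delta), or null if nothing fired.
function evaluateScoreIncrease(rule, previous, current, createdAt = '2024-01-01T00:00:00Z') {
  const affectedPages = Object.keys(current)
    .filter((id) => current[id].space === rule.space && id in previous)
    .map((id) => ({
      pageId: id,
      previous: previous[id].score,
      current: current[id].score,
      delta: current[id].score - previous[id].score,
    }))
    .filter((p) => p.delta >= rule.minDelta);
  if (affectedPages.length === 0) return null;
  return {
    ruleName: rule.name, space: rule.space, status: 'open', createdAt,
    message: `${affectedPages.length} page(s) in ${rule.space} rose by ${rule.minDelta}+ points`,
    affectedPages,
  };
}

// Transitions from the page: Acknowledge only from Open, Resolve from Open or Acknowledged.
// Acknowledge roles are as documented; Resolve roles are an assumption (the page does not say).
const TRANSITIONS = {
  acknowledge: { from: ['open'], to: 'acknowledged', roles: ['analyst', 'approver', 'admin'] },
  resolve: { from: ['open', 'acknowledged'], to: 'resolved', roles: ['analyst', 'approver', 'admin'] },
};

// Apply an action as a given role; returns a new record (no mutation) and throws on an
// unknown action, a disallowed role or an invalid status transition.
function transition(record, action, role) {
  const t = TRANSITIONS[action];
  if (!t) throw new Error(`unknown action ${action}`);
  if (!t.roles.includes(role)) throw new Error(`role ${role} may not ${action}`);
  if (!t.from.includes(record.status)) throw new Error(`cannot ${action} a ${record.status} alert`);
  return { ...record, status: t.to }; // resolved records are kept, never deleted
}
```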