# Alerts
The AI Alert Management System provides intelligent threat detection, risk assessment, and automated response recommendations with executive briefing capabilities.
## Overview
Monitor and respond to security alerts generated by AI agent activity, with integrated threat intelligence and compliance mapping.
Source: owkai-pilot-frontend/src/components/AIAlertManagementSystem.jsx (SEC-028)
Compliance: SOC 2 CC6.8, NIST SI-4, PCI-DSS 11.4
## Dashboard Tabs
| Tab | Description |
|---|---|
| Alerts | Active security alerts |
| AI Insights | AI-powered threat analysis |
| Threat Intel | Threat intelligence feed |
| Performance | Alert metrics and KPIs |
| Executive Brief | AI-generated summaries |
## Alert List
### Alert Information
Each alert displays:
```
┌─────────────────────────────────────────────────────────────┐
│ ⚠️ High Risk Agent Action                    Severity: HIGH │
├─────────────────────────────────────────────────────────────┤
│ Agent: support-ticket-agent                                 │
│ MCP Server: aws-s3-connector                                │
│ Message: Enterprise Alert: Agent performed database_write   │
├─────────────────────────────────────────────────────────────┤
│ NIST: SI-4    MITRE: T1041    Risk: 75/100                  │
├─────────────────────────────────────────────────────────────┤
│ [✓ Acknowledge]  [⚡ Escalate]  [📋 Details]                 │
└─────────────────────────────────────────────────────────────┘
```
### Alert Fields
| Field | Description | Source |
|---|---|---|
| id | Unique alert identifier | Database |
| timestamp | When the alert was created | Database |
| alert_type | Classification type | Backend |
| severity | Alert severity level | Backend |
| message | Alert description | Backend |
| agent_name | Human-readable agent name | Extracted from message |
| mcp_server_name | MCP server identifier | Extracted from message |
| risk_level | Risk classification | Agent action |
| ai_risk_score | AI-calculated risk (0-100) | Agent action |
### Compliance Mappings
| Field | Description | Standard |
|---|---|---|
| mitre_tactic | MITRE ATT&CK tactic | MITRE ATT&CK |
| mitre_technique | MITRE ATT&CK technique | MITRE ATT&CK |
| nist_control | NIST 800-53 control | NIST 800-53 |
| nist_description | Control description | NIST 800-53 |
## Alert Actions
### Acknowledge Alert
1. Review alert details
2. Click Acknowledge
3. Alert status changes to `acknowledged`

Audit Trail: Records acknowledger and timestamp.
### Escalate Alert
1. Click Escalate
2. Select escalation level
3. Add escalation notes
4. Confirm escalation

Notification: Triggers security team notification.
### Update Alert Status
| Status | Description |
|---|---|
| new | Unreviewed alert |
| acknowledged | Alert reviewed |
| in_review | Under investigation |
| resolved | Issue addressed |
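The following is an added example (not code from the product) that models the acknowledge, escalate and status-update actions above as a small workflow: each change is validated and written to the alert's audit trail with actor and timestamp, and escalation produces the security-team notification. The forward-only transition order, the escalation level names and the non-empty-notes rule are assumptions of the example; the page only lists the four states and the steps.

```python
from datetime import datetime

# The four states come from the Update Alert Status table. Forward-only ordering is an
# assumption of this example; the page does not document which transitions are permitted.
ALLOWED_TRANSITIONS = {
    "new": {"acknowledged"},
    "acknowledged": {"in_review", "resolved"},
    "in_review": {"resolved"},
    "resolved": set(),
}
ESCALATION_LEVELS = ("L1", "L2", "L3")  # assumed level names; the page only says "Select escalation level"
NOW = datetime(2025, 1, 15, 12, 0)       # constructed timestamp for the sample flow

class TransitionError(ValueError):
    """Raised when a status change is not permitted from the alert's current state."""

def update_status(alert, new_status, actor, now):
    """Change status and append an audit record of who made the change and when."""
    current = alert["status"]
    if new_status not in ALLOWED_TRANSITIONS.get(current, set()):
        raise TransitionError(f"alert {alert['id']}: {current} -> {new_status} not allowed")
    alert["status"] = new_status
    alert.setdefault("audit_trail", []).append(
        {"action": f"status:{new_status}", "actor": actor, "timestamp": now.isoformat()})
    return alert

def acknowledge(alert, actor, now):
    """Acknowledge: status becomes 'acknowledged'; the trail records acknowledger and time."""
    return update_status(alert, "acknowledged", actor, now)

def escalate(alert, level, notes, actor, now):
    """Escalate: validate level and notes, log to the trail, return the team notification."""
    if level not in ESCALATION_LEVELS:
        raise ValueError(f"unknown escalation level {level!r}")
    if not notes.strip():
        raise ValueError("escalation notes are required")  # assumed rule: notes must not be empty
    alert.setdefault("audit_trail", []).append(
        {"action": f"escalate:{level}", "actor": actor, "notes": notes, "timestamp": now.isoformat()})
    return {"to": "security-team", "alert_id": alert["id"], "level": level,
            "severity": alert["severity"], "message": alert["message"]}

def sample_flow():
    """Constructed alert based on the card above: acknowledge, move to review, then escalate."""
    alert = {"id": "alert-001", "severity": "high", "status": "new",
             "message": "Enterprise Alert: Agent performed database_write"}
    acknowledge(alert, "analyst@example.com", NOW)
    update_status(alert, "in_review", "analyst@example.com", NOW)
    notification = escalate(alert, "L2", "Unexpected database_write by support-ticket-agent",
                            "analyst@example.com", NOW)
    return alert, notification
```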
## AI Insights
The AI Insights tab provides automated threat analysis:
### Threat Summary
```json
{
  "total_threats": 15,
  "critical_threats": 2,
  "high_threats": 5,
  "medium_threats": 8,
  "by_category": {
    "data_access": 7,
    "authentication": 4,
    "system_config": 4
  }
}
```
### Predictive Analysis
| Metric | Description |
|---|---|
| risk_score | Composite risk score (0-100) |
| trend_direction | increasing, stable, decreasing |
| anomaly_detected | Boolean anomaly flag |
### AI Recommendations
Actionable recommendations prioritized by risk:
| Priority | Description | Timeframe |
|---|---|---|
| Critical | Immediate action required | < 1 hour |
| High | Urgent attention needed | < 4 hours |
| Medium | Should be addressed soon | < 24 hours |
| Low | Monitor and review | Weekly |
## Threat Intelligence
The Threat Intel tab displays the current threat landscape:
### Intelligence Sources
- Agent activity patterns
- MITRE ATT&CK mapping
- NIST control violations
- Anomaly detection engine
### Threat Categories
| Category | Description |
|---|---|
| data_exfiltration | Unauthorized data access |
| privilege_escalation | Unauthorized access elevation |
| lateral_movement | Network traversal attempts |
| initial_access | Entry point attacks |
## Performance Metrics
Track alert system effectiveness:
### Key Metrics (SEC-066)
| Metric | Description | Source |
|---|---|---|
| threats_detected | Total alerts in period | Unified Metrics |
| threats_prevented | Acknowledged alerts | Unified Metrics |
| cost_savings | Estimated savings | Unified Metrics |
| accuracy_rate | Resolution rate | Unified Metrics |
| false_positive_rate | Dismissed alerts | Unified Metrics |
### SLA Compliance
| Severity | Target Response | SLA |
|---|---|---|
| Critical | 15 minutes | 99% |
| High | 30 minutes | 95% |
| Medium | 60 minutes | 90% |
| Low | 120 minutes | 80% |
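As an added example (not the product's Unified Metrics code), the block below computes the Key Metrics as the table defines them and checks each severity against the SLA table's response targets and required percentages, using a constructed set of alerts. The alert record shape, the `dismissed` flag backing `false_positive_rate`, and the treatment of still-open alerts (excluded until their window passes, counted as breaches after) are assumptions of the example.

```python
from datetime import datetime, timedelta

# Targets from the SLA Compliance table: response time in minutes and required compliance.
SLA_TARGET_MIN = {"critical": 15, "high": 30, "medium": 60, "low": 120}
SLA_REQUIRED_PCT = {"critical": 99, "high": 95, "medium": 90, "low": 80}
NOW = datetime(2025, 1, 15, 12, 0)  # constructed reference time for the sample data

def make_alert(alert_id, severity, status, created_min_ago, acked_min_after=None, dismissed=False):
    """Constructed alert record; 'dismissed' is an assumed flag backing false_positive_rate."""
    created = NOW - timedelta(minutes=created_min_ago)
    acked = created + timedelta(minutes=acked_min_after) if acked_min_after is not None else None
    return {"id": alert_id, "severity": severity, "status": status,
            "created_at": created, "acknowledged_at": acked, "dismissed": dismissed}

# Constructed sample alerts, not data from the product.
SAMPLE_ALERTS = [
    make_alert(1, "critical", "resolved", 300, acked_min_after=10),
    make_alert(2, "critical", "acknowledged", 200, acked_min_after=20),  # 20 > 15: breach
    make_alert(3, "high", "resolved", 500, acked_min_after=25),
    make_alert(4, "high", "in_review", 100, acked_min_after=5),
    make_alert(5, "medium", "new", 400),                                  # overdue, never acked
    make_alert(6, "medium", "resolved", 90, acked_min_after=30, dismissed=True),
    make_alert(7, "low", "new", 10),                                      # still inside 120 min
]

def key_metrics(alerts):
    """Key Metrics per the table: prevented = acknowledged, accuracy = resolved share,
    false positives = dismissed share; rates as percentages rounded to one decimal."""
    total = len(alerts)
    acked = sum(1 for a in alerts if a["acknowledged_at"] is not None)
    resolved = sum(1 for a in alerts if a["status"] == "resolved")
    dismissed = sum(1 for a in alerts if a["dismissed"])
    pct = lambda n: round(100 * n / total, 1) if total else 0.0
    return {"threats_detected": total, "threats_prevented": acked,
            "accuracy_rate": pct(resolved), "false_positive_rate": pct(dismissed)}

def sla_compliance(alerts, now=NOW):
    """Per severity: share of alerts acknowledged within target and whether the SLA is met."""
    report = {}
    for sev, target in SLA_TARGET_MIN.items():
        measured = within = 0
        for a in (x for x in alerts if x["severity"] == sev):
            deadline = a["created_at"] + timedelta(minutes=target)
            acked = a["acknowledged_at"]
            if acked is None and now <= deadline:
                continue  # open but still inside its window: outcome not yet known
            measured += 1
            within += int(acked is not None and acked <= deadline)
        if measured:  # severities with no measurable alerts are omitted from the report
            pct = round(100 * within / measured, 1)
            report[sev] = {"within_target_pct": pct, "met": pct >= SLA_REQUIRED_PCT[sev]}
    return report
```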
## Executive Brief
Generate AI-powered executive summaries:
### Brief Contents
- Summary: High-level threat overview
- Key Metrics: Threats detected, prevented, cost savings
- Recommendations: Prioritized action items
- Risk Assessment: Overall security posture
### Generation Options
| Option | Description |
|---|---|
| Time Period | 24h, 7d, 30d, 90d |
| Format | PDF, JSON |
| Distribution | Email list |
## API Reference
| Endpoint | Method | Description |
|---|---|---|
| /api/alerts | GET | List all alerts |
| /api/alerts/count | GET | Get alert count |
| /api/alerts/{id} | PATCH | Update alert status |
| /api/alerts/create-test-data | POST | Create test alerts |

Source: ow-ai-backend/routes/alert_routes.py
## Alert Filters
### Filter Options
| Filter | Options |
|---|---|
| Severity | critical, high, medium, low |
| Status | new, acknowledged, in_review, resolved |
| Time Range | Last 24h, 7d, 30d, custom |
## Best Practices
- Review critical alerts immediately: SLA requires 15-minute response
- Use AI Insights: Let AI prioritize your review queue
- Document resolutions: Add notes for audit compliance
- Monitor trends: Watch for increasing threat patterns
- Generate weekly briefs: Keep stakeholders informed
## Troubleshooting
### Alerts not loading
Solution: Check authentication and refresh the page.
### AI Insights showing empty state
Solution: Verify that the organization has alert data; SEC-008 returns an empty state when no alerts exist.
### High false positive rate
Solution: Review and tune Smart Rules thresholds.