# Alerts & Incidents
The Alerts & Incidents panel is a card-based incident board for managing security events.
## Alert Display
Each alert is a collapsible card:
- Collapsed view — severity badge + title + age timer + status pill for quick scanning
- Expanded view — description, source, instance, ACK/Resolve buttons, and backlink to the originating panel
## Alert Severities
| Severity | Color | Meaning |
|---|---|---|
| CRITICAL | Red | Immediate attention required (BLOCK verdict, break-glass activation, service failure) |
| HIGH | Orange | Significant threat or operational event |
| MEDIUM | Yellow | Moderate concern |
| LOW | Blue | Informational |
## Alert Lifecycle
- OPEN — new alert, needs attention
- ACKNOWLEDGED — someone is looking at it
- INVESTIGATING — active investigation
- MITIGATED — threat contained
- RESOLVED — issue resolved
- FALSE POSITIVE — not a real threat
## Backlinks
Each alert card links back to its source: correlation alerts link to the Correlations tab, shield alerts link to Prompt Shield, session-watcher alerts link to Traffic Monitor.
## Common Alert Types
| Alert | What To Do |
|---|---|
| "Shield BLOCK: [rule]" | Review the detection; whitelist the rule if it is a false positive |
| "Shield REVIEW: [rule]" | Check the traffic entry; may need investigation |
| "Watchdog: Dashboard recovered" | Check logs; usually transient |
| "Break-Glass Activated" | Verify the activation was authorized; afterwards, review the traffic that went unscanned while break-glass was active |