The Alert Intake Case

The core function of the Alert Intake Case is to ingest each Alert, ensure that sufficient data and instructions are available to progress the processing of the Alert, and where necessary, assign the Alert to an Investigation Case.

The Alert Intake Case contains the following Stages and Steps:

  • Prepare
  • Process
  • Resolve

Prepare

The first Step of the Prepare Stage, Classify Alert, retrieves metadata from the Alerts catalog using information provided by the Alert-generating system, such as Alert scenario or Sub scenario. Then, in the Enrich data Step, additional data is automatically sourced from both external and internal systems. AIM uses a combination of the Subject Profile and data retrieved from the system of record to display the full set of customer data.

Effective and efficient investigations rely on the relationships between data being established and maintained. Indexes are generated for key data within, or related to, the Alert, to form the Data Link Analysis network (DLA) in the Index data Step. These indexes are refreshed across the life cycle of the Alert Intake and Investigation Cases. Data to be indexed varies across use cases, and includes examples such as customers, accounts, transactions, checks, and cards. DLA is used for discovery purposes.

The Resolve duplicates Step is a placeholder Step that is intended to contain additional logic to identify and flag duplicate Alerts. The last Step, Prioritize alert, executes business rules to derive the priority of the Alert based on the Alert's score and Alert type. This priority is used in calculating the urgency of the Investigation Case.

Process

The Discard false positives Step is a placeholder Step that is intended to include appropriate types of AI models or specific business rules that can be used to accurately identify and automatically dismiss false positive Alerts.

As investigations are conducted, the stream of Alerts continues. Creating a new Investigation Case for each Alert is inefficient and increases the risk of losing insights that new Alerts related to an ongoing investigation could provide. The following brief overview lists the high-level logic that the Assign to investigation Step uses to identify an in-flight Investigation Case into which to merge an Alert:

  1. The DLA network is queried using the Alert Intake Case ID to return a list of in-flight Investigation Cases.
  2. Any cases that have a status of Pending-Triage or Pending-Investigation are retained, and the rest are removed from the list.
  3. Any cases for which the entities match those of the Alert are retained and the rest are removed from the list.
  4. The list of Investigation Cases is sorted based on the highest interest value.
  5. The Alert is merged into the first Investigation Case from the list.
    Note: The Assign to investigation Step is a critical part of the overall infrastructure for AIM, and is a sophisticated step. A sample configuration is provided with the Accelerator, but the expectation is that for each implementation, users will deeply assess and configure this step based on their business needs.
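The five steps above, sketched as an added Python example (not code from the Accelerator or from Pega). The `dla_index` dict standing in for the DLA query, the `InvestigationCase` fields, the case IDs and entity keys, the "Closed" status, treating "match" as sharing at least one entity, and returning `None` when no case qualifies are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

MERGEABLE = {"Pending-Triage", "Pending-Investigation"}  # statuses named in step 2

@dataclass
class InvestigationCase:
    case_id: str
    status: str
    entities: frozenset   # customers, accounts, cards, ... linked to the case
    interest: float       # the "interest value" used for ranking in step 4
    merged_alerts: list = field(default_factory=list)

def assign_to_investigation(intake_id, alert_entities, dla_index):
    """Return the Investigation Case the Alert was merged into, or None."""
    # Step 1: look up in-flight cases linked to this Alert Intake Case.
    # dla_index is a plain dict standing in for the DLA network query.
    cases = list(dla_index.get(intake_id, []))
    # Step 2: keep only cases still awaiting triage or investigation.
    cases = [c for c in cases if c.status in MERGEABLE]
    # Step 3: keep cases sharing at least one entity with the Alert (assumed
    # meaning of "match"; an implementation may require a stricter match).
    cases = [c for c in cases if c.entities & alert_entities]
    # Step 4: highest interest first; sorted() is stable, so ties keep DLA order.
    cases = sorted(cases, key=lambda c: c.interest, reverse=True)
    # Step 5: merge into the top candidate. With no candidate the caller must
    # decide what happens next (assumption: a new Investigation Case is opened).
    if not cases:
        return None
    cases[0].merged_alerts.append(intake_id)
    return cases[0]

# Constructed sample data: one intake case linked to four in-flight cases.
SAMPLE_DLA = {
    "AI-1001": [
        InvestigationCase("INV-1", "Pending-Triage", frozenset({"cust:17"}), 0.40),
        InvestigationCase("INV-2", "Pending-Investigation",
                          frozenset({"cust:17", "card:9"}), 0.85),
        InvestigationCase("INV-3", "Closed", frozenset({"cust:17"}), 0.99),
        InvestigationCase("INV-4", "Pending-Triage", frozenset({"acct:55"}), 0.95),
    ]
}

if __name__ == "__main__":
    hit = assign_to_investigation("AI-1001", {"cust:17"}, SAMPLE_DLA)
    print(hit.case_id if hit else "no in-flight case matched")
```

In the sample, INV-3 and INV-4 carry the highest interest values but are dropped by the status and entity filters, which is why the order of the filtering and sorting steps matters when this Step is configured.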

Resolve

The Provide feedback Step is a placeholder step that is used to automatically generate and submit feedback about the Alert to the source system. Knowing whether the Alert was confirmed or dismissed during the Investigation Process is useful training data for the Alert generation model.

The Alert Intake Case is designed to be fully automated to allow Straight Through Processing (STP). The Perform Quality Assurance placeholder step allows for the creation of a manual Quality Assurance process in which a user can review the decisions made for an Alert.

