Alerts, cases & SARs
This is the investigation half of Compliance — where flagged activity becomes a decision. Events that score high raise alerts; your team groups an entity's alerts into a case, investigates it, and — where reportable — files a SAR or STR. All of it lives under Dashboard → Compliance, and every write is audited server-side.
Alerts
An alert is opened automatically when an event scores at or above your review threshold. Review alerts under Compliance → Alerts (alerts:read).
| Field | Notes |
|---|---|
| Decision | The event's decision — typically REVIEW or BLOCK. |
| Risk score | The score that triggered it (0–100). |
| Status | OPEN, RESOLVED, or DISMISSED. |
| Reasons | The rules that contributed, each with a score and a detail string (e.g. amount 48000 > 10000). |
The list shows each alert's entity, decision, risk score, status, and how many cases it belongs to.
Alerts appear here when transaction scoring flags an event for review or block.
Opening a case
To investigate, select alerts from a single entity and open a case (alerts:manage). The dialog lets you name the case (defaults to Investigation — N alert(s)) and add a summary of why it's being opened. All alerts must belong to the same entity — a case is scoped to one subject.
Cases
A case groups one entity's alerts and tracks the investigation to a conclusion. Manage cases under Compliance → Cases (cases:read to view, cases:manage to act).
| Attribute | Values |
|---|---|
| Status | OPEN → IN_REVIEW → CLOSED. |
| Disposition | Set when closed: CLEARED (false positive), CONFIRMED (fraud/ML), ESCALATED (needs senior review), INCONCLUSIVE. |
| Assignee | A team member, or unassigned. |
| Alerts | The grouped alerts; add more of the entity's alerts at any time. |
From a case you can assign it, add alerts, edit its title/summary, and dispose it — set the disposition and a closing summary, which moves it to CLOSED.
Open a case from the Alerts view to start an investigation.
SARs & STRs
When a case is reportable, draft a regulatory filing from it (cases:manage):
| Attribute | Values |
|---|---|
| Report type | SAR (Suspicious Activity Report) or STR (Suspicious Transaction Report). |
| Status | DRAFT → FILED, or CANCELLED. |
| Reference | Your external filing reference (e.g. the regulator's number), set when filing. |
The lifecycle:
- Draft — choose
SARorSTRand a reason. The report is generated server-side in goAML format. - Review & export — inspect the goAML payload on the SAR detail view and export it as XML for submission to your FIU/regulator.
- File — record the external reference and file path; the SAR moves to
FILED. - Cancel — a
DRAFTcan be cancelled if it's no longer needed.
Audit
Every case and SAR write — open, assign, add-alerts, dispose, draft, file, cancel — is recorded in your organization's audit log (Dashboard → Audit logs), with the actor and timestamp.
Related
- Event monitoring — how alerts get raised.
- Monitoring rules — the thresholds that decide
REVIEWvsBLOCK. - Compliance overview — the end-to-end lifecycle.