Understanding Alerts
Alert Severity Levels
| Severity | Color | Meaning | Response time | Example |
|---|---|---|---|---|
| CRITICAL | Red | Immediate action required | Minutes | C2 beacon, data exfiltration |
| HIGH | Orange | Investigate within 1 hour | 1 hour | Port scan, lateral movement |
| MEDIUM | Yellow | Review within 24 hours | 24 hours | Shadow AI usage, unusual DNS |
| LOW | Green | Informational | Best effort | New device connection |
SHAP Explanations
Every alert includes a SHAP (SHapley Additive exPlanations) waterfall chart showing which network features contributed to the detection and by how much.
Example: A C2_BEACON alert at score 0.87 might show:
- Non-standard port 4444: +0.42
- Known malicious IP: +0.38
- Off-hours connection: +0.27
- High upload ratio: +0.15
- Base value: -0.35
This is key for:
- Analysts: Understand why an alert was triggered, not just that it was
- Auditors: Verify detection logic is sound and unbiased
- Compliance: supports NIS2 Art.23 incident reporting by documenting why each alert was raised, not only that it was
- EU AI Act: Decision Traces record the inputs, factors and outputs behind each decision, supporting transparency requirements
Alert Actions
| Action | Who can do it | What it does |
|---|---|---|
| Block IP | Admin, Analyst | Adds the source IP to the blocklist |
| Mark False Positive | Admin, Analyst | Flags alert as FP, improves future detection |
| Generate NIS2 PDF | Admin, Analyst, Auditor | Creates NIS2 Art.23 incident report |
| Generate GDPR PDF | Admin, Analyst, Auditor | Creates GDPR Art.33 breach report |
| Escalate to IR | Admin, Analyst | Marks alert for incident response team |
| View Decision Trace | All roles | Opens full proof trail with inputs, factors, outputs |
Filtering and Search
- Status: Open, Reviewed, Resolved, False Positive
- Severity: Critical, High, Medium, Low
- Rule: Filter by specific detection rule
- Date range: Custom time window
- Search: Free-text search across alert fields
NIS2 72-Hour Countdown
For CRITICAL alerts, the dashboard displays a countdown timer for the NIS2 Art.23 incident notification deadline (72 hours from detection). Note that Art.23 also requires an early warning within 24 hours of becoming aware of a significant incident, and the clock starts at awareness, so detection time is a conservative start point. The countdown helps ensure your organization meets the mandatory notification timeline.
Proof Trail
Each alert has a cryptographic proof trail (JSON) that includes:
- Raw detection inputs (anonymized flow metadata)
- NDR scoring factors
- Rule match details
- SHAP feature contributions
- Timestamp chain
This proof trail can be exported and provided to auditors or CSIRT as evidence of detection methodology.
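The checks below are an added example, not the product's own code or schema: the proof-trail JSON layout, the field names and the hash-linked timestamp chain are assumptions made for illustration, since this page does not document the actual format. The block shows what a receiving auditor or CSIRT can verify offline on such an export: that the SHAP waterfall is additive (base value plus contributions equals the alert score, using the C2_BEACON figures above) and that the timestamp chain is hash-linked, strictly ordered, and detects after-the-fact edits.

```python
"""Illustrative verifier for an exported alert proof trail (added example).

Assumptions: the JSON layout, field names and the SHA-256 link scheme below
are hypothetical; they are not the product's documented export format.
"""
import hashlib
import json
from datetime import datetime

TOLERANCE = 1e-6
GENESIS = "0" * 64  # previous-hash value for the first link


def canonical(obj) -> bytes:
    """Deterministic JSON serialisation so hashes are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash: str, entry: dict) -> str:
    """Hash of a chain entry bound to the previous link (hypothetical scheme)."""
    return hashlib.sha256(prev_hash.encode() + canonical(entry)).hexdigest()


def build_chain(steps: list[dict]) -> list[dict]:
    """Attach prev/hash fields to each step so later tampering is detectable."""
    chain, prev = [], GENESIS
    for step in steps:
        h = link_hash(prev, step)
        chain.append({**step, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain: list[dict]) -> bool:
    """Every link must hash correctly and timestamps must strictly increase."""
    prev, last_ts = GENESIS, None
    for link in chain:
        entry = {k: v for k, v in link.items() if k not in ("prev", "hash")}
        if link["prev"] != prev or link_hash(prev, entry) != link["hash"]:
            return False
        ts = datetime.fromisoformat(entry["ts"])
        if last_ts is not None and ts <= last_ts:
            return False
        last_ts, prev = ts, link["hash"]
    return True


def verify_shap(trail: dict) -> bool:
    """SHAP local accuracy: base value + sum(contributions) must equal the score."""
    total = trail["base_value"] + sum(trail["shap"].values())
    return abs(total - trail["score"]) < TOLERANCE


def waterfall_order(trail: dict) -> list[tuple[str, float]]:
    """Features sorted by absolute contribution, largest first, as charted."""
    return sorted(trail["shap"].items(), key=lambda kv: -abs(kv[1]))


# Constructed sample trail mirroring the C2_BEACON example on this page.
SAMPLE_TRAIL = {
    "rule": "C2_BEACON",
    "score": 0.87,
    "base_value": -0.35,
    "shap": {
        "non_standard_port_4444": 0.42,
        "known_malicious_ip": 0.38,
        "off_hours_connection": 0.27,
        "high_upload_ratio": 0.15,
    },
    "inputs": {"src": "10.0.0.0/24 (anonymized)", "dst_port": 4444, "bytes_out": 1250000},
    "chain": build_chain([
        {"stage": "flow_ingest", "ts": "2024-05-01T02:14:07+00:00"},
        {"stage": "ndr_scoring", "ts": "2024-05-01T02:14:09+00:00"},
        {"stage": "rule_match", "ts": "2024-05-01T02:14:09.500000+00:00"},
        {"stage": "alert_emit", "ts": "2024-05-01T02:14:10+00:00"},
    ]),
}


def verify_trail(trail: dict) -> dict[str, bool]:
    """Run both checks an auditor would apply to an exported trail."""
    return {"shap_additive": verify_shap(trail), "chain_intact": verify_chain(trail["chain"])}


def tampered(trail: dict) -> dict:
    """Copy of the trail with one stage's timestamp edited after the fact."""
    copy = json.loads(json.dumps(trail))
    copy["chain"][1]["ts"] = "2024-05-01T02:14:08+00:00"
    return copy


if __name__ == "__main__":
    print(verify_trail(SAMPLE_TRAIL))            # both checks pass
    print(verify_trail(tampered(SAMPLE_TRAIL)))  # chain_intact becomes False
    print(waterfall_order(SAMPLE_TRAIL))
```

The additivity check matters because a SHAP waterfall that does not sum to the reported score indicates the explanation was produced by a different model version or input than the alert itself, which is exactly the gap an auditor is trying to rule out.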