Working an Alert
Understand how to review an alert, analyse the signal, and submit your case for review.
Alerts
In RiskOps Lab, an alert is not just a signal. It is the starting point of an investigation.
The alert page brings together the alert details, your activity on the alert, and a review workspace where you document your decision and manage your case.
What you see on an alert
When you open an alert, you get the key information needed to understand the signal.
This includes the alert ID, date, rule name, type, severity, current status, and a short description of the behaviour that triggered the alert.
The page is linked to a specific user, allowing you to analyse the alert in context. To get the full picture, you should open the user profile. This is where you can review the user’s full activity, including transaction history, events, and other alerts.
You can also see your activity history on the alert, including decisions, drafts, and submissions.
Assignment
To start working on an alert, you can use Assign to me.
Alerts can be assigned in two ways:
- Self-assigned - you take the alert yourself
- Assigned by a reviewer - if this is part of your workflow
If you assigned the alert yourself, you can remove it using Unassign.
Review workspace
The review workspace is where you document your investigation and build your case.
You can:
- Write your analysis and reasoning
- Save your work as a draft
- Submit your case for review
Drafts can be used as internal notes or work-in-progress. You do not have to submit them unless you are ready.
Case status and review
When you submit your work, it becomes a review case.
The case moves through different statuses:
- Submitted - your case was sent for review
- In review - a reviewer is checking your work
- Changes requested - you need to update your analysis
- Approved - your case is accepted
- Closed - the process is complete
Each submission creates a new version. You continue working in the same thread.
Reviewer feedback
After submission, a reviewer evaluates your case.
They can leave comments, request changes, or approve the case.
You can reply in the same thread, update your reasoning, and submit a new version.
The goal is not just to reach a decision, but to justify it clearly.
Alert status and decisions
When you select a decision and submit your case, it reflects how you would act in a real environment.
The alert is simulated. Your decision represents your proposed action as an analyst.
- False positive - the behaviour may look unusual, but there is no strong evidence of financial crime.
- True positive - the behaviour clearly indicates suspicious or potentially illicit activity.
- Info requested - there is not enough information to make a decision. Additional data or documents are required.
- Escalated - the case is complex or high-risk and should be reviewed at a higher level.
Your decision is recorded as part of the alert history and linked to your case.
How to structure your analysis
Your case note should reflect clear analytical thinking.
Use a simple structure:
Activity review: What happened.
Red flags: What is suspicious.
Decision: Your conclusion.
Rationale: Why you made this decision.
Example
Activity review: The user received multiple incoming transfers over 3 days from different senders. Total volume reached €18,000. Shortly after receiving funds, most of the balance was withdrawn to an external wallet. No prior transaction history before this activity.
Red flags: Multiple third-party senders. Rapid movement of funds after receipt. No historical activity.
Decision: Info requested
Rationale: The transaction pattern is potentially suspicious, but there is not enough information to confirm financial crime. The user should be asked to clarify:
- Source of funds (who the senders are and relationship to the user)
- Purpose of the transactions
- Destination of funds (who received them and why)
- Supporting documents if applicable
Without this information, the behaviour cannot be confidently classified as either legitimate or suspicious.
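Added example, not part of RiskOps Lab: the red flags from the worked case computed from a constructed transaction ledger, so the Activity review and Red flags lines of the note are derived from data rather than typed by hand. The Tx record, the LEDGER values and the thresholds (three senders, 80% of inflow moved out, a two-day gap) are assumptions for illustration; the Decision and Rationale remain the analyst's judgement.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Tx:
    day: date
    kind: str          # "in" (incoming transfer) or "out" (withdrawal)
    counterparty: str  # sender for "in", destination for "out"
    amount: float      # EUR
    external: bool     # True when the destination is an external wallet

# Constructed ledger mirroring the worked case: three senders over three days,
# then most of the balance withdrawn to an external wallet on the last day.
LEDGER = [
    Tx(date(2024, 3, 1), "in", "sender_A", 6000.0, False),
    Tx(date(2024, 3, 2), "in", "sender_B", 7000.0, False),
    Tx(date(2024, 3, 3), "in", "sender_C", 5000.0, False),
    Tx(date(2024, 3, 3), "out", "wallet_X", 16500.0, True),
]


def red_flags(ledger, min_senders=3, out_ratio=0.8, max_gap_days=2):
    """Derive the three red flags named in the case note; thresholds are assumed."""
    inbound = [t for t in ledger if t.kind == "in"]
    outbound = [t for t in ledger if t.kind == "out" and t.external]
    flags = []
    senders = {t.counterparty for t in inbound}
    if len(senders) >= min_senders:
        flags.append(f"Multiple third-party senders ({len(senders)})")
    total_in = sum(t.amount for t in inbound)
    total_out = sum(t.amount for t in outbound)
    if inbound and outbound:
        gap = (min(t.day for t in outbound) - max(t.day for t in inbound)).days
        if total_out >= out_ratio * total_in and gap <= max_gap_days:
            flags.append(f"Rapid movement of funds after receipt ({gap} day(s), "
                         f"{total_out / total_in:.0%} of inflow to external wallet)")
    # "No historical activity": nothing in the ledger predates the first inbound transfer
    if inbound and not any(t.day < min(t.day for t in inbound) for t in ledger):
        flags.append("No historical activity before this pattern")
    return flags


def activity_review(ledger):
    """Plain-language 'Activity review' line built from the ledger."""
    inbound = [t for t in ledger if t.kind == "in"]
    external_out = sum(t.amount for t in ledger if t.kind == "out" and t.external)
    days = (max(t.day for t in ledger) - min(t.day for t in ledger)).days + 1
    return (f"{len(inbound)} incoming transfers over {days} days from "
            f"{len({t.counterparty for t in inbound})} senders, total "
            f"EUR {sum(t.amount for t in inbound):,.0f}; EUR {external_out:,.0f} "
            f"then sent to an external wallet.")
```

Calling `activity_review(LEDGER)` and `red_flags(LEDGER)` reproduces the first two sections of the worked note; an account with prior history, a single sender or a slow outflow drops the corresponding flag.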