
Alert Management

Category: API Domains | Last Updated: Feb 5, 2026
Tags: api-domains, ai, real-time, blockchain

Overview

A security operations team monitors feeds from six SIEM systems, three OSINT providers, and a blockchain transaction monitor. On a busy day, thousands of raw events arrive. Without intelligent processing, analysts spend most of their time triaging noise rather than investigating real threats. Missed signals can mean missed incidents.

The Alert Management module is the core event processing engine of the Argus platform. Alerts from diverse sources, including SIEM systems, OSINT feeds, blockchain monitors, satellite imagery, sensors, and APIs, flow into a unified processing pipeline with AI-powered triage, machine learning clustering, real-time streaming, and multi-layered deduplication. The result is a managed alert queue where analysts see what matters, ranked in order of risk.

Key Features

  • AI-Powered Triage: Automatic priority assignment (P1 through P5) with confidence scoring, explainable reasoning, and continuous learning from analyst feedback.
  • ML-Based Clustering: Density-based clustering groups related alerts to identify patterns, with outlier detection for anomalous events.
  • Real-Time Streaming: Live alert feeds via server-sent events with server-side filtering, configurable buffering, and automatic backpressure handling.
  • Multi-Layer Deduplication: Three-tier deduplication using exact hash matching, fuzzy content similarity, and semantic vector comparison to eliminate redundant alerts.
  • Autonomous Actions: Automated response execution including auto-triage, auto-assignment to appropriate analysts, auto-escalation based on configurable rules, and auto-enrichment with related data.
  • Workflow Automation: Configurable multi-step workflows with conditional logic, error handling, and rollback support for complex alert processing pipelines.
  • Digital Notary: Cryptographic evidence preservation with tamper-evident records, verified timestamps, and a complete chain of custody audit trail.
  • Stream Healing: Self-healing data streams with automatic reconnection, buffer management, and error recovery for uninterrupted alert monitoring.
  • AI Predictions: Generate AI-powered predictions for alert priority, risk factors, and recommended actions, with analyst feedback loops for continuous model improvement.
  • Bulk Operations: Batch triage, decision-making, and property updates across multiple alerts for efficient high-volume alert management.
  • Programmable API Access: Full API support for alert creation, querying, filtering, streaming, clustering, and management operations.
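The three-tier deduplication described above, worked as an added example that is not Argus code: tier 1 hashes a canonical serialisation, tier 2 compares message text fuzzily, and tier 3 compares term vectors by cosine similarity (a stand-in for the semantic embedding vectors a real deployment would use). The alert fields, thresholds and sample alerts are constructed for this example.

```python
import hashlib, json, math, re
from collections import Counter
from difflib import SequenceMatcher

# Constructed sample alerts (not Argus data): #2 replays #0 exactly, #1 is a
# near-verbatim variant, #3 says the same thing in other words, #4 is unrelated.
ALERTS = [
    {"source": "siem", "host": "web-01", "msg": "Failed SSH login for root from 203.0.113.7"},
    {"source": "siem", "host": "web-01", "msg": "Failed SSH login for root from 203.0.113.7 (attempt 2)"},
    {"source": "siem", "host": "web-01", "msg": "Failed SSH login for root from 203.0.113.7"},
    {"source": "osint", "host": "web-01", "msg": "SSH root login failure observed from 203.0.113.7"},
    {"source": "sensor", "host": "plc-04", "msg": "Temperature sensor offline"},
]

def exact_key(alert):
    """Tier 1: SHA-256 of a canonical JSON serialisation (key order normalised)."""
    return hashlib.sha256(json.dumps(alert, sort_keys=True, separators=(",", ":")).encode()).hexdigest()
def fuzzy_ratio(a, b):
    """Tier 2: character-level similarity of the message text, 0..1."""
    return SequenceMatcher(None, a["msg"].lower(), b["msg"].lower()).ratio()
def cosine(a, b):
    """Tier 3: cosine similarity of term vectors (stand-in for embeddings so this runs offline)."""
    tokens = lambda s: re.findall(r"[a-z0-9.]+", s.lower())
    va, vb = Counter(tokens(a["msg"])), Counter(tokens(b["msg"]))
    dot = sum(n * vb[t] for t, n in va.items())
    norm = math.sqrt(sum(n * n for n in va.values()) * sum(n * n for n in vb.values()))
    return dot / norm if norm else 0.0

def match_tier(new, prior, fuzzy_threshold=0.8, semantic_threshold=0.6):
    """Tiers 2 and 3, cheapest first; None means the pair is not a duplicate."""
    if fuzzy_ratio(new, prior) >= fuzzy_threshold:
        return "fuzzy"
    if cosine(new, prior) >= semantic_threshold:
        return "semantic"
    return None

def deduplicate(alerts):
    """Return (kept alerts, per-input decision: 'exact' / 'fuzzy' / 'semantic' / 'kept')."""
    kept, seen, decisions = [], set(), []
    for alert in alerts:
        h = exact_key(alert)
        tier = "exact" if h in seen else "kept"     # tier 1 is a set lookup
        for prior in kept:
            if tier != "kept":
                break
            if prior["host"] == alert["host"]:      # only compare alerts about the same asset
                tier = match_tier(alert, prior) or "kept"
        decisions.append(tier)
        if tier == "kept":
            kept.append(alert)
            seen.add(h)
    return kept, decisions
```

Running `deduplicate(ALERTS)` keeps only the first SSH alert and the sensor alert; the other three are suppressed by the exact, fuzzy and semantic tiers respectively.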

Alert Sources

  • SIEM: Security Information and Event Management systems
  • OSINT: Open Source Intelligence feeds
  • Blockchain: Cryptocurrency and blockchain transaction monitoring
  • Satellite: Satellite imagery and telemetry data
  • Sensors: IoT sensor networks
  • APIs: Custom external API integrations
  • Manual: Analyst-created manual entries
  • AI-Generated: Alerts generated by AI analysis engines

Use Cases

Security operations centres at financial institutions process and triage security alerts from multiple SIEM sources, automatically cluster related events, and route them to the appropriate analysts based on priority and expertise, significantly cutting mean time to response.

Financial crime units monitor blockchain transactions and financial data streams for suspicious activity, with AI-powered risk assessment and automatic escalation of high-confidence findings to investigation teams.

Intelligence agencies aggregate OSINT and multi-source intelligence alerts, identify patterns through ML clustering, and generate actionable intelligence briefs from correlated signals that would be invisible when reviewed individually.

Critical infrastructure operators use real-time alert streaming for rapid incident detection, with automated workflow execution for initial containment actions and cryptographic evidence preservation for regulatory reporting.

Integration

The Alert Management module connects with other Argus modules:

  • Case Management: Escalated alerts can be promoted to investigation cases with full context and evidence preservation.
  • AI Triage: Deep integration with the AI Triage engine for advanced priority scoring and sentiment analysis.
  • Entity Management: Alert entities are linked to the knowledge graph for relationship-based analysis and correlation.
  • Evidence Management: Cryptographic evidence preservation through the Digital Notary ensures alert data integrity for legal proceedings.
  • Monitoring: Alert source monitors feed directly into the alert processing pipeline.
  • Investigation: Alert investigation workflows connect to the broader investigation management system.

Open Standards

  • OASIS STIX 2.1 / 2.0: Alerts and associated entities are exported as fully formed STIX bundles, indicators and cyber-observables, using the application/stix+json media type, enabling ingestion by any STIX-aware threat-intelligence platform.
  • MITRE ATT&CK: Each alert can carry structured mitre_tactics and mitre_techniques annotations that are stored in the AI analysis payload and surfaced to analysts for threat classification and hunt prioritisation.
  • ISO 19005-3 (PDF/A-3): The Digital Notary generates court-admissible archival exports in PDF/A-3 format with embedded JSON metadata, satisfying long-term preservation requirements for legal and regulatory proceedings.
  • HMAC (RFC 2104) with SHA-256 / SHA-512: Tamper-evident signatures on export packages are produced using HMAC-SHA256 or HMAC-SHA512, providing keyed integrity verification of the serialised alert evidence.
  • ECDSA P-256 and Ed25519 (FIPS 186-5 / RFC 8037): Digital Notary signing supports both ECDSA over the P-256 curve and Ed25519, enabling interoperable cryptographic attestation of alert exports.
  • NIST FIPS 204 (ML-DSA-65): A hybrid post-quantum signature mode combines ECDSA-P256 with ML-DSA-65 for export packages requiring long-term cryptographic assurance against quantum adversaries.
  • GraphQL: All alert queries, mutations, bulk operations, and real-time alert-stream subscriptions are exposed through a GraphQL API, allowing clients to request precisely the fields they need.
  • W3C Server-Sent Events (SSE): Live alert feeds are delivered over persistent HTTP connections using the text/event-stream content type, with server-side filtering, configurable buffering, and automatic backpressure handling.
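The STIX export and HMAC signing items above, combined into one added example that is not Argus code: an alert becomes a STIX 2.1 bundle holding one Indicator, the bundle is serialised canonically, and an HMAC-SHA256 or HMAC-SHA512 tag (RFC 2104) is attached and later verified in constant time. The alert field names, the uuid5 id derivation, the key and the sample alert are assumptions made for this example.

```python
import hmac
import ipaddress
import json
import uuid

# Constructed demo values (not Argus data); a real deployment loads the key from a KMS/HSM.
DEMO_KEY = b"constructed-demo-key-do-not-use"
SAMPLE_ALERT = {"id": "alert-0001", "title": "Brute-force SSH source", "ip": "203.0.113.7",
                "priority": "P2", "created": "2026-02-05T10:00:00.000Z"}

def alert_to_stix_bundle(alert):
    """Wrap one triaged alert as a STIX 2.1 bundle holding a single Indicator.
    Field names and the uuid5 id derivation are assumptions for this example."""
    ip = ipaddress.ip_address(alert["ip"])                   # rejects anything that is not an IP
    sdo_uuid = uuid.uuid5(uuid.NAMESPACE_URL, alert["id"])   # stable id: same alert, same STIX id
    indicator = {
        "type": "indicator", "spec_version": "2.1", "id": f"indicator--{sdo_uuid}",
        "created": alert["created"], "modified": alert["created"], "valid_from": alert["created"],
        "name": alert["title"],
        "pattern": f"[ipv{ip.version}-addr:value = '{ip}']", "pattern_type": "stix",
        "labels": [f"argus-priority-{alert['priority']}"],
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid5(sdo_uuid, 'bundle')}", "objects": [indicator]}

def canonical(obj):
    """Deterministic bytes (sorted keys, no whitespace) so signer and verifier hash the same thing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")

def sign_export(bundle, key, algo="sha256"):
    """Build the export package: the bundle plus an HMAC (sha256 or sha512) over its canonical form."""
    tag = hmac.new(key, canonical(bundle), algo).hexdigest()
    return {"media_type": "application/stix+json", "bundle": bundle,
            "signature": {"alg": f"hmac-{algo}", "value": tag}}

def verify_export(package, key):
    """Recompute the HMAC and compare in constant time; any change to the bundle fails."""
    alg = package["signature"]["alg"]
    if not alg.startswith("hmac-"):
        return False
    expected = hmac.new(key, canonical(package["bundle"]), alg[len("hmac-"):]).hexdigest()
    return hmac.compare_digest(expected, package["signature"]["value"])

if __name__ == "__main__":
    pkg = sign_export(alert_to_stix_bundle(SAMPLE_ALERT), DEMO_KEY)
    print(json.dumps(pkg, indent=2), "\nverifies:", verify_export(pkg, DEMO_KEY))
```

Because the tag is computed over the canonical form, re-ordering keys in transit still verifies, while changing a single label or using a different key does not.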

Last Reviewed: 2026-02-05 | Last Updated: 2026-04-14
