Radiant Alerts
Understand how Radiant triages, enriches, and presents security alerts.
The Alerts page is where Radiant's AI-powered triage becomes visible. Alerts that appear here have already passed through Radiant's full data pipeline, filtered for noise, deduplicated, and autonomously triaged by Radiant's AI SOC Analyst so security teams can focus on assessing, validating, and acting rather than sorting through raw signal.
Note: If you're not yet familiar with how security data flows through Radiant before it reaches this point, see The Radiant Data Pipeline for a complete overview.
Whether you are an analyst working through a queue or conducting a deeper analysis, the Alerts page is designed to meet analysts at the right level of detail without overwhelming them upfront. This article walks through the key elements of the alert experience so you can get oriented quickly.
The Alert page

Opening an alert surfaces the most critical information immediately, before engaging with any of the detail below. At a glance, analysts can see:
The AI verdict - displayed as a color-coded badge (for example, Recommended Malicious), so Radiant's assessment is visible the moment the page loads.
The duplicate alerts count - if Radiant has identified duplicate alerts, a tag shows the total number grouped under this alert. Clicking the tag opens the Duplicate alerts Panel, where the full deduplication activity for that alert can be reviewed in detail.
The alert title - the name of the alert generated by a Radiant specialized agent.
Three timestamps - showing exactly when the vendor detected the alert, when Radiant received it, and when triage was completed. These timestamps provide a precise picture of the chain of events, which is especially useful when building a timeline or drafting an incident report.
The Duplicate alerts panel

When Radiant identifies that an alert has duplicates, a side panel provides full visibility into how that deduplication activity was handled. The panel is organized into three sections:
Deduplication Criteria - Describes the logic Radiant's AI used to identify duplicates. This section shows the exact query conditions and merge key values from the initial alert that any incoming alert must match to be treated as a duplicate - for example, subtype:'ips' AND "srcip":"203.0.113.58" AND "action":"dropped". Rather than requiring analysts to take the deduplication on faith, this makes the AI's reasoning explicit and auditable.
Timeline - A visual representation of the deduplication window, showing when the initial alert was received, when duplicate alerts were grouped under it, and when the deduplication window closes - or indicating how much time remains if it is still active. By default, the deduplication window spans 3 days from the initial alert.
Note: Deduplication logic and time windows can be customized to fit the specific needs of the environment - contact your Customer Success representative to discuss tuning options.
Alert Events - The raw body of the initial alert followed by the raw bodies of all duplicate alerts, each with their respective timestamps. Analysts can search across all of them for quick reference without leaving the panel.
In the top-right corner of the panel, the See Alert Events button navigates directly to the Log Manager with the relevant query pre-filled, enabling analysts to dive into the underlying log data and carry out a deeper investigation without having to reconstruct the query manually.
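To make the merge-key and time-window behaviour of the Deduplication Criteria and Timeline sections concrete, here is an added illustration of that grouping logic. It is example code, not Radiant's implementation; it assumes alerts are dicts carrying a "received" datetime and uses the three fields from the criteria example above as merge keys.

```python
# Illustration of the merge-key + time-window deduplication described above.
# Added example, not Radiant's code. Assumed: alerts are dicts with a "received"
# datetime, and the merge keys are the three fields from the page's example.
from datetime import datetime, timedelta

DEDUP_WINDOW = timedelta(days=3)              # page's default window
MERGE_KEYS = ("subtype", "srcip", "action")   # fields from the page's criteria


def merge_key(alert, keys=MERGE_KEYS):
    """Tuple of merge-key values an incoming alert must match exactly."""
    return tuple(alert.get(k) for k in keys)


def criteria_string(alert, keys=MERGE_KEYS):
    """Readable criteria, in the spirit of the panel's example query."""
    return " AND ".join(f'{k}:"{alert.get(k)}"' for k in keys)


def deduplicate(alerts, keys=MERGE_KEYS, window=DEDUP_WINDOW):
    """Group alerts into {"initial": alert, "duplicates": [...]} records.

    Walk alerts in received order. An alert is a duplicate when the latest
    group with identical merge-key values was opened within `window`;
    otherwise (no group, or window closed) it becomes a new initial alert.
    """
    groups = []
    latest_group_for_key = {}  # merge key -> index of most recent group
    for alert in sorted(alerts, key=lambda a: a["received"]):
        key = merge_key(alert, keys)
        idx = latest_group_for_key.get(key)
        if idx is not None:
            age = alert["received"] - groups[idx]["initial"]["received"]
            if age <= window:
                groups[idx]["duplicates"].append(alert)
                continue
        groups.append({"initial": alert, "duplicates": []})
        latest_group_for_key[key] = len(groups) - 1
    return groups


# Constructed sample alerts (illustrative values only)
_BASE = {"subtype": "ips", "srcip": "203.0.113.58", "action": "dropped"}
SAMPLE_ALERTS = [
    {"id": 1, **_BASE, "received": datetime(2024, 1, 1, 9, 0)},
    {"id": 2, **_BASE, "received": datetime(2024, 1, 1, 10, 0)},  # duplicate of 1
    {**_BASE, "id": 3, "action": "allowed", "received": datetime(2024, 1, 1, 11, 0)},
    {"id": 4, **_BASE, "received": datetime(2024, 1, 3, 8, 0)},   # inside 3-day window
    {"id": 5, **_BASE, "received": datetime(2024, 1, 5, 9, 30)},  # window closed: new group
]
```

Running deduplicate(SAMPLE_ALERTS) yields three groups: alert 1 with duplicates 2 and 4, alert 3 on its own because its action value differs, and alert 5 on its own because it arrived after the 3-day window closed.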

The Overview tab
Each alert in Radiant is organized into tabs that separate information by purpose and depth. The default view, the Overview tab, is designed to be scanned. It gives L1 analysts everything they need to orient quickly, assess Radiant's AI verdict, and keep moving through their queue. For L2 and L3 analysts who want to validate findings or dig into the underlying evidence, the Triage Results tab is one click away. The right level of detail is always within reach, without getting in the way when it is not needed.
The Overview tab is divided into three panels displayed side by side: Alert at a Glance on the left, Conclusion and Key Findings in the center, and Artifacts on the right.

Alert at a glance

The Alert at a glance panel surfaces key information about the detected vendor alert on the Overview tab. It provides a concise, standardized breakdown that helps analysts quickly understand the alert's context without needing to open the full raw alert payload. It is presented in the following format:
Focus: The attacker's core goal or intent, giving analysts the "why" behind the alert immediately (e.g. Exploit a public-facing application to gain unauthorized system access).
Source: Who or where the activity originated from. This could be a username, a process, an IP address, a cloud role, or a geographic location - whatever the vendor identified as the initiating artifact (e.g. explorer.exe on PIL-EP10-1).
Action: What was actually done or attempted (e.g. Revoked security group ingress rules for defense evasion).
Target: What asset or resource was affected or accessed - the "where" of the alert (e.g. AWS Security Group sg-3349180977d3f5545).
Vendor Response: What action, if any, the detecting tool took (e.g. Detected, Process Blocked, Allowed, Process killed and files quarantined, etc.).
The panel includes a button for accessing the underlying alert data:
Raw Alert - opens the raw alert body as received by Radiant, always available regardless of the source tool.

Because this structure is consistent across every alert that reaches the Alerts page, regardless of which vendor or tool generated it, analysts build pattern recognition over time. You always know where to look and what to expect, which reduces the mental overhead of orienting to a new alert.
Conclusion and Key findings

The center panel opens with Radiant's triage conclusion - a concise paragraph written by Radiant's AI SOC Analyst summarizing what happened, what was investigated, and whether the alert represents a real threat. Rather than requiring analysts to read through raw data before forming a picture, the conclusion surfaces the AI's verdict upfront, in plain language.
Directly below the conclusion, Key Findings surfaces the most important outcomes of the triage process as a short, scannable list of bullet points. These are the specific facts and signals that most directly support the AI's verdict - the details that matter, pulled to the top so analysts do not have to go looking for them. Together, the Conclusion and Key Findings are designed to answer the analyst's first question as quickly as possible: Do I need to act on this?
For analysts who want to dig deeper into the evidence behind the verdict, a Triage Results shortcut button in the top-right corner of the Conclusion panel navigates directly to the Triage Results tab.
Artifacts

The right panel displays all of the security-relevant artifacts identified in the alert, organized into named categories - Device, Files, IPs, URLs, Human Identity, and others depending on what the alert contains. This categorization means analysts can navigate directly to the type of artifact they are interested in rather than scanning through an undifferentiated list.
Clicking any artifact tag opens a side panel displaying the artifact's enrichment data:

The attributes shown in the panel vary by artifact type and always reflect what is most relevant to that artifact - for example, a User artifact surfaces identity-specific attributes such as Identity Type, Identity Source, and User Principal Name, while a File artifact surfaces File Name, File Size, File Extension, and more. Analysts can navigate between all artifacts in the alert directly from the panel using the forward and back controls, without having to close and reopen it for each one.
Note: For a complete reference of all artifact types available in Radiant, see the Artifact Reference Guide.
The Triage Results tab
The Triage Results tab provides a full, transparent view of how Radiant's AI SOC Analyst investigated the alert - every task executed, every finding produced, and every query run against connected data sources. While the Overview tab is designed for fast orientation, the Triage Results tab is where analysts go to understand and validate the reasoning behind Radiant's verdict.
For a deeper understanding of how Radiant's triage pipeline works - including how alerts are classified, enriched, and investigated - see The Radiant Data Pipeline.

See Radiant's AI Triage Outline
In the top-right corner of the Triage Results tab, the See Radiant's AI Triage Outline button surfaces the full triage plan that Radiant generated or reused for this alert - the complete set of tasks and questions that structured the investigation. This gives analysts full visibility into how Radiant approached the alert and why each area was investigated.
The task list
The tab displays a consolidated list of all tasks completed during the triage of the alert. Each task is summarized in a single human-readable sentence describing what was investigated and what was found - for example, Verified MFA usage and identified malicious activity due to failed MFA and suspicious IP usage.
Each task row is color-coded along its left border to indicate the individual task verdict:
Red - The task findings point toward malicious activity.
Yellow - The task findings were inconclusive.
Green - The task findings point toward benign activity.
This color coding allows analysts to scan the full list at a glance and immediately identify which areas of the investigation raised concerns, without having to open every task individually.
Expand a task
Clicking on a task row expands it to reveal the Finding - a numbered list of human-readable conclusions drawn from the questions Radiant executed within that task. These findings represent the AI's interpretation of the data retrieved, written in plain language so analysts can quickly assess what the evidence showed without parsing raw logs.

For analysts who want to go further, the Answer Details button opens a side panel showing the full detail behind the task:
The question asked - the specific inquiry Radiant set out to answer within that task.
Result analysis - a plain-language summary of what the query returned and what it means in the context of the investigation.
Queries - the exact queries Radiant ran against connected data sources, including the data source name, the time range queried, the query syntax, and the raw log results returned. A View Logs button navigates directly to those results in the Log Manager for further investigation.

We'd love your feedback
The Alerts page is designed with analysts in mind, and the best way to keep improving it is to hear from the people using it every day. We encourage all customers to explore the new experience and share any thoughts, questions, or suggestions. To provide feedback or get assistance navigating the new Alerts page, reach out to your Customer Success representative.