Alert queue triage
When you'd use this
Every shift starts with the alert queue. This runbook walks an analyst through reading the queue, deciding whether an alert warrants a case, and dispatching the right specialist agent.
Reading the queue
The Security Overview page is the queue's home. Critical and high alerts surface in the top KPI strip with live sparkline context; the alert volume chart shows the last 24 hours broken down by severity. The recent-alerts panel shows per-alert detail: source, status, and the time since the alert fired.
A green pulsing dot on a KPI card means the count is changing live. The page refreshes every 15 seconds; the timestamp at the top right is the last refresh.
Deciding what to do
For each alert, three actions are typical:
- Acknowledge if the alert is a known benign condition (a planned scan, a maintenance window). The Acknowledge action requires the `alert:acknowledge` permission; the audit trail records who acknowledged and when.
- Promote to case if the alert is real and needs an investigation. The Promote action creates a case linked to the alert; the new case starts in `investigating`.
- Dispatch to an agent if you want a specialist to do the first pass before you read the result. The BeeAI fleet panel on the dashboard exposes a Quick Dispatch collapsible: pick an active agent, write the prompt, set the priority, and queue it.
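The decision above, written out as a small triage helper so the rules and the permission gates are explicit. This is an added example, not the dashboard's own code: the `Alert` and `BenignWindow` record shapes, the `acknowledged` status name, the priority labels, and the policy of dispatching critical/high alerts whenever an agent is active are assumptions made for illustration; the permission names, the `investigating` and `pending` statuses, and the who/when audit fields come from this runbook.

```python
# Added example: a triage decision helper encoding the three actions above.
# Not the dashboard's code; record shapes, the "acknowledged" status name,
# priority labels and the dispatch policy are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Alert:
    id: str
    severity: str        # "critical" | "high" | "medium" | "low"
    source: str          # the system that fired it (scanner, EDR, WAF, ...)
    fired_at: datetime
    status: str = "new"


@dataclass(frozen=True)
class BenignWindow:
    """A planned scan or maintenance window that explains alerts from `source`."""
    source: str
    start: datetime
    end: datetime
    reason: str


def matching_window(alert, windows):
    """First window covering both the alert's source and its fire time, else None."""
    for w in windows:
        if w.source == alert.source and w.start <= alert.fired_at <= w.end:
            return w
    return None


def decide(alert, windows, operator, permissions, active_agents, now):
    """Choose acknowledge / promote / dispatch for one alert.

    Returns a dict with the chosen action, the resulting alert or case status,
    and an audit entry for state-changing actions. An action the operator is
    not permitted to take is surfaced as "escalate" rather than silently
    downgraded, so the analyst knows to ask for the missing permission.
    """
    window = matching_window(alert, windows)
    if window is not None:
        if "alert:acknowledge" not in permissions:
            return {"action": "escalate",
                    "detail": f"known benign ({window.reason}); {operator} lacks alert:acknowledge"}
        return {"action": "acknowledge", "status": "acknowledged",
                "audit": {"by": operator, "at": now.isoformat(), "why": window.reason}}

    # Real alert. Critical/high go to a specialist agent for a first pass when one
    # is active and the operator may assign work; everything else becomes a case.
    if (alert.severity in ("critical", "high") and active_agents
            and "agents:assign" in permissions):
        return {"action": "dispatch", "agent": active_agents[0],
                "priority": "urgent" if alert.severity == "critical" else "high",  # assumed labels
                "status": "pending",
                "prompt": f"First-pass triage of {alert.id}: {alert.severity} alert from {alert.source}"}
    return {"action": "promote", "status": "investigating",
            "audit": {"by": operator, "at": now.isoformat(), "why": "needs investigation"}}


# Constructed sample queue and a benign window for the scanner source.
NOW = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
WINDOWS = [BenignWindow("vuln-scanner", NOW - timedelta(hours=2), NOW + timedelta(hours=1),
                        "planned weekly vulnerability scan")]
QUEUE = [
    Alert("a-1", "high", "vuln-scanner", NOW - timedelta(minutes=30)),
    Alert("a-2", "critical", "edr", NOW - timedelta(minutes=5)),
    Alert("a-3", "medium", "waf", NOW - timedelta(minutes=12)),
]


def triage_queue(queue, operator, permissions, active_agents, windows=WINDOWS, now=NOW):
    """Decide every alert in the queue; returns {alert_id: decision}."""
    return {a.id: decide(a, windows, operator, permissions, active_agents, now) for a in queue}


if __name__ == "__main__":
    decisions = triage_queue(QUEUE, "alice", {"alert:acknowledge", "agents:assign"},
                             ["triage-agent-1"])
    for alert_id, d in decisions.items():
        print(alert_id, d["action"], d.get("status", d.get("detail")))
```

Note the two ways the same alert ends up as a case: a critical alert is promoted rather than dispatched when no agent replica is active (the dropdown is empty) or when the operator lacks `agents:assign`, which is the same condition the dashboard shows as "read-only" on Quick Dispatch.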
How to dispatch
The Quick Dispatch panel is hidden by default to keep the dashboard dense. Click the panel header to expand. The agent list shows only the active replicas; if no agent is active, the dropdown will be empty and the dispatch button is disabled. The expected wait time depends on the priority and the per-agent queue depth.
Once queued, the investigation appears in the Investigations list under `pending`. When the agent finishes, the status moves to `completed` or `review_required`, depending on whether the agent could close the loop on its own.
What goes wrong
- The dashboard says "read-only" on Quick Dispatch: your operator account does not have the `agents:assign` permission. Ask your team lead.
- An alert sits in `new` forever: the deduplication path may have absorbed every subsequent matching alert. Check whether the alert source went silent, or whether the `alerts_deduplicated_total` metric in the observability dashboard spiked at the alert's first-seen timestamp.
- Dispatch succeeds but the investigation never moves out of `pending`: the agent worker may be restarting. The Investigations page status filter `dead_lettered` is where the reaper places stalled investigations after the stale window expires.
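The last two checks, run over constructed data: a dedup-spike test for an alert stuck in `new`, and a staleness check for a dispatched investigation that never leaves `pending`. This is an added example and not the dashboard's code; the alert and investigation record shapes, the (timestamp, value) format for counter samples, the "more than double the baseline" spike rule and the one-hour / thirty-minute durations are assumptions, while the status names and the `alerts_deduplicated_total` metric come from this runbook.

```python
# Added example: checks for the two "stuck" symptoms listed above, over
# constructed data. Not the dashboard's code: record shapes, the counter-sample
# format, the spike rule and the durations are assumptions.
from datetime import datetime, timedelta, timezone


def counter_value_at(samples, t):
    """Value of a cumulative counter at time t: the last sample at or before t.

    samples: list of (timestamp, value) sorted by timestamp, as scraped from
    the observability dashboard. Returns 0 before the first sample.
    """
    value = 0
    for ts, v in samples:
        if ts > t:
            break
        value = v
    return value


def diagnose_stuck_new(alert, dedup_samples, now,
                       max_age=timedelta(hours=1), window=timedelta(minutes=10)):
    """Explain an alert that has sat in `new` for longer than max_age.

    Compares the growth of alerts_deduplicated_total in the `window` after the
    alert's first-seen time with the growth in the same-length window before it.
    A jump right after first-seen means the dedup path absorbed the follow-ups
    (the condition is still live, just not re-raised); no jump means the source
    itself went quiet. Returns None for alerts that are not stuck.
    """
    if alert["status"] != "new" or now - alert["first_seen"] < max_age:
        return None
    first = alert["first_seen"]
    before = counter_value_at(dedup_samples, first) - counter_value_at(dedup_samples, first - window)
    after = counter_value_at(dedup_samples, first + window) - counter_value_at(dedup_samples, first)
    if after > 0 and after > 2 * before:  # assumed spike rule: more than double the baseline
        return {"id": alert["id"], "finding": "dedup_absorbed", "absorbed": after}
    return {"id": alert["id"], "finding": "source_silent", "source": alert["source"]}


def classify_investigation(inv, now, stale_window=timedelta(minutes=30)):
    """Flag a dispatched investigation that has not left `pending`.

    Past the stale window the reaper moves it to dead_lettered; reporting it
    as stalled first lets the analyst re-dispatch instead of waiting for it to
    turn up under the dead_lettered filter.
    """
    if inv["status"] != "pending":
        return inv["status"]
    if now - inv["queued_at"] > stale_window:
        return "stalled"
    return "pending"


def sweep(alerts, investigations, dedup_samples, now):
    """Run both checks; returns findings for stuck alerts and a status per investigation."""
    findings = [d for d in (diagnose_stuck_new(a, dedup_samples, now) for a in alerts) if d]
    return {"alerts": findings,
            "investigations": {i["id"]: classify_investigation(i, now) for i in investigations}}


# Constructed data: three alerts still in `new`, three investigations, and
# one-minute samples of alerts_deduplicated_total that climb by 12/min for ten
# minutes right after a-1 first fired and are flat otherwise.
UTC = timezone.utc
NOW = datetime(2024, 5, 6, 12, 0, tzinfo=UTC)
FIRST = NOW - timedelta(hours=3)
DEDUP_SAMPLES = [(FIRST + timedelta(minutes=m), 100 if m <= 0 else 100 + 12 * m)
                 for m in range(-10, 11)]
ALERTS = [
    {"id": "a-1", "status": "new", "source": "edr", "first_seen": FIRST},
    {"id": "a-2", "status": "new", "source": "vpn", "first_seen": NOW - timedelta(hours=2)},
    {"id": "a-3", "status": "new", "source": "waf", "first_seen": NOW - timedelta(minutes=10)},
]
INVESTIGATIONS = [
    {"id": "inv-1", "status": "pending", "queued_at": NOW - timedelta(minutes=45)},
    {"id": "inv-2", "status": "pending", "queued_at": NOW - timedelta(minutes=5)},
    {"id": "inv-3", "status": "completed", "queued_at": NOW - timedelta(hours=1)},
]

if __name__ == "__main__":
    print(sweep(ALERTS, INVESTIGATIONS, DEDUP_SAMPLES, NOW))
```

On the constructed data a-1 is reported as absorbed by dedup (120 matching alerts in the ten minutes after it first fired), a-2 as a silent source, and a-3 is skipped because it is only ten minutes old; inv-1 is flagged as stalled before the reaper dead-letters it.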