Cases And Investigations

Loci separates alert triage from case investigation.

Alerts are individual items that need attention. Cases are investigation containers that can group one or more alerts, assign ownership, track status, collect notes, preserve evidence, and record a final disposition.

Alerts Versus Cases

An alert usually represents a specific transaction, rule hit, screening result, device event, or session signal.

A case represents the investigation around one or more related alerts. Cases are useful when activity spans multiple transactions, multiple rules, repeated customer behavior, or multiple evidence sources.

Typical Analyst Workflow

  1. Analyst opens the alert queue.
  2. Analyst claims or is assigned an alert.
  3. Analyst reviews transaction details, matched rules, and entity context.
  4. Analyst creates or links a case when the alert needs deeper work.
  5. Analyst adds notes, reviews linked evidence, and updates status.
  6. Analyst recommends a disposition such as no issue, false positive, confirmed fraud, or STR filed.
  7. A reviewer approves, rejects, or requests more work when maker-checker is enabled.
  8. The final decision is recorded in the timeline and audit trail.

Investigation Evidence

A case can link evidence from several sources depending on enabled modules:

  • Transaction monitoring alerts.
  • Entity graph, centrality, and relationship context.
  • AccessGate device, session, and profile signals when the AccessGate module is enabled.
  • AccessGate AML screening and relationship results when the AML module is enabled.
  • Analyst notes, attachments, exports, or operational records where configured.

AccessGate and AccessGate AML are optional modules. Their evidence should appear only when enabled for the tenant.

Status And Lifecycle

A case lifecycle commonly includes:

  • Open.
  • In review.
  • Escalated.
  • Pending approval.
  • Closed.
  • Reopened.

Deployments can map these states to local operating procedures, service levels, and approval policies.

Dispositions

Dispositions capture the analyst's conclusion. Examples include:

  • No issue.
  • False positive.
  • Confirmed fraud.
  • STR filed.

A confirmed-fraud disposition should update fraud outcome records and linked transaction state where the deployment is configured to do so.

Maker-Checker

Maker-checker adds a second-person approval step for sensitive outcomes. It is useful when closing high-risk cases, confirming fraud, filing regulatory outcomes, or changing customer-impacting status.

SLA And Timeline

SLA tracking helps teams identify overdue investigations and escalation needs. Timeline entries preserve what changed, who changed it, and when.

API Reference