Alerts

Alerts

List view

Quick Start
Welcome
Console & Settings
Release Notes
October 9, 2025 WitnessAI Update
October 23, 2025 WitnessAI Update
October 2, 2025 WitnessAI Update
September 30, 2025: WitnessAI Update
September 23, 2025: WitnessAI Update
August 12, 2025: WitnessAI Update
July 31, 2025: WitnessAI Update
July 18, 2025: WitnessAI Update
June 23, 2025: WitnessAI Update
June 9, 2025: WitnessAI Update
April 11, 2025: WitnessAI Release v2.0
Copy August 12, 2025: WitnessAI Update
Supported Applications & LLMs
User Guide
Lists - OLD
Private Applications
Home
Discovery
Discovered Apps
App Catalog
Analytics
Conversations
Users
Alerts
Policies
Lists
Settings
Configuration
Access Control
System
Secure AI Portal
User Menu
Policies & GuardRails
Policy Creation
Policy Precedence
GuardRail: Behavioral Activity
GuardRail: Data Protection
GuardRail: Harmful Response Prevention (Beta)
GuardRail: Model Identity Protection
GuardRail: Model Protection
GuardRail: Organizational Behavior (Beta)
GuardRail: Risk Analysis
Witness Anywhere: Remote Device Security
Witness Anywhere Overview
Witness Anywhere with Stunnel
Witness Anywhere: Azure VDI - Intune
Witness Anywhere: CrowdStrike (Windows)
Witness Anywhere: GPO (Windows)
Witness Anywhere: Jamf (macOS) (Beta)
Witness Anywhere: SentinelOne
Witness Anywhere: FAQ
Witness Attack
Witness Attack: AI Red Teaming 
Administrator Guide
Integrations: Identity Providers
Identity: Microsoft Entra ID (Azure AD)
Identity: Okta Identity
Integrations: Network Security
Netskope SWG
Palo Alto Networks NGFW
Prisma Access: DNS Sinkhole
Prisma Access: Explicit Proxy
Zscaler Internet Access
Zscaler Beta
Status Page
API Reference
Input API
Complete API
Text-Completion API
Prompt-Protect API
Encryption
 

Alerts

💡
Note the Alerts Console Redesign was released October 2, 2025
See the Release Notes here.
The Alerts section displays real-time alerts triggered by WitnessAI Policies and Guardrails. These notifications can be used to inform security teams, managers, or individual users about high-risk events, policy violations, or other significant activities.
Alerts can be forwarded to a number of popular SIEM platforms, as documented in the User Guide → Settings → Configuration → SIEM Integrations section.
The Alerts feature is vital for ensuring rapid response to potential issues and maintaining control over AI interactions within the organization.
WitnessAI navigation and top-level filters are described and shown in detail on the https://docs.witness.ai/v2-0/console/ documentation page. Please refer to that resource if the instructions below are not sufficient.
notion image
Navigate to the Alerts console by clicking “Alerts” in the left-side navigation menu. To collapse the left-side menu and have more room to view extra columns in the page, just click the left-pointing arrow button shown in mid-page of the left side menu, close to the right side of the “Policies” menu item.

Time Range and Filters

The console includes the standard time range selector. Top-level filters for groups, users, and applications are on the second header line. Once any filters are set, a “Clear” button appears to the right of the top-level filters, as shown in the image below. When the Clear button is clicked, it resets all filters to their default, except the date field.
Note that switching between console views resets the date to “Last 7 days".
Additional top-level filters include “Group”, “User”, and “Application”.
notion image

Alert Count, Exporting Data and Choosing Columns

The third line of the page header displays “nnnn Total Alerts in last n days” for the chosen time range. On the right side of the screen, an “Export” widget and a “Column Chooser” icon are displayed.
notion image
 
Export enables an export of the current page of filtered Alerts showing on the console, in CSV or JSON format. By default this is set to 250 Alerts.
💡
Note that only the default count of items displayed on the page are exported, not the full set that match the filter.
 
notion image
 
Column Chooser lets you pick the columns you want to view and export. Click the Column Icon (looks like an open book), then click to ‘check’ the columns you want to display on the console.
Click and drag the 6 dot handle to change the order of columns to your preference.
 
notion image


Column Changes

Additional Columns: UserName, Email, Policy, Action, and Subtopic.
The “Prompt” column has been removed. Prompts are viewable in the right-side “Alert Details” slide-out sidebar by clicking any individual Alert row.
Provider Logos in the Application column and Action badges in the Action column provide instant “at-a-glance” understanding of your Alerts.
The Alerts console provides filtering, searching, customization options, and an improved “Alerts Page” to help you locate and review specific alerts.
notion image

Column Filters

Column filter and sort are only available for the ”Date” column in the current release. Hovering over the text of the Date column header changes your mouse cursor from an arrow into a link pointer. Clicking one time displays an upward-facing arrow next to the Date label, and sorts the table in ascending chronological order (newest alerts at the top).
Clicking a second time displays a downward-facing arrow, and sorts the table in descending chronological order (oldest alerts at the top).
A third click makes the arrow disappear, and returns the table to the original sort. Generally this is ascending chronological order.

Alert Details Sidebar

Clicking any Alert row displays the slide-out “Alert Details” sidebar. The first view is the “Overview” tab as shown below, underlined in orange.
Clicking on the “Matches” tab (see below) shows additional information about the Alert.
 
notion image
 
notion image