Contact SupportSubmit a Ticket

What are Alerts?

Alerts are a configurable action in Aiceberg that automatically sends security findings to your connected SIEM when specific signals are detected. This enables real-time threat intelligence and seamless integration with your existing security operations workflows.

When Alerts are Sent

When you have a SIEM integration configured, Aiceberg will automatically send alerts to your SIEM for any signal where "Alert" is configured in the Profile. Learn more about configuring Profile actions in How are Profiles Configured.

Alert Structure

Alerts are sent as "security findings" events and include the following information.

Core Event Data

  • activity_id: Unique identifier for the activity (set to 1)

  • metadata.product: Source platform (set to "Aiceberg")

  • severity_id: Severity level (currently defaults to 4; future versions may allow per-signal severity customization)

  • state_id: Action state—1 for monitored events, 4 for blocked events

  • type_uid: Event type identifier—200101 for monitored events, 200103 for blocked events

Finding Object

  • title: "AI Interaction Flagged"

  • uid: The prompt or event ID

  • description: JSON object containing:

    • signal_type: The type of signal that triggered the alert

    • profile_id: The Profile identifier

    • profile_name: The Profile name

    • api_key_name: The API key used for the interaction

    • user_id: The user identifier

  • src_url: Direct link to the AI interaction details in Aiceberg

Additional Context

Alerts may also include:

  • Use case ID

  • Session ID

  • Actions taken (blocked or modified)

  • Mode (API or Cannon)

  • Timestamp of the event

Alert Direction: Alerts flow one-way from Aiceberg to your SIEM. Your SIEM cannot write back to Aiceberg or trigger actions within the platform.

Read more about Integrations here.

PreviousWhat are Adversarial signals?NextWhat is the Inventory?

Last updated