
Alerts are individual security events surfaced from your connected integrations. Clarion deduplicates, prioritizes, and routes them through agent triage before anything reaches a human.

How alerts are created

Alerts reach Clarion in two ways. Some connected monitors, such as Okta or CrowdStrike, produce alerts or cases themselves and forward them to Clarion as-is. Other monitors send raw events, and signal rules turn those events into alerts by matching them against correlation logic: either a single-event match, or a multi-step sequence in which events are grouped (for example by user or host) and must occur within a time window. Clarion ships with rule templates for every supported source. Use them as-is, fork them to customize, or write rules from scratch.

What an alert contains

  • Status: New, Analyzing, Escalated, or Closed.
  • Disposition: The triage outcome. One of Unknown, Benign, Suspicious, Confirmed Threat, False Positive, or Duplicated.
  • Severity: Critical, High, Medium, or Low.
  • Action required: Whether the alert needs human approval, clarification input, or no further action.
  • Source: The integration that produced the underlying signal.
  • Deduplication key: The external event ID used to merge repeated alerts.

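The two rule shapes described under "How alerts are created", together with the deduplication key from the list above, as an added example written for this page. It is not Clarion's rule engine: the rule schema, the event field names, and the sample events are all assumptions made for illustration. It shows a single-event rule, a three-step sequence rule grouped by user within a five-minute window, and how a redelivered event with the same external ID is merged into the existing alert instead of creating a second one.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed raw events from a hypothetical identity monitor (not real Okta data).
# Field names are assumptions. evt-105 is delivered twice to exercise deduplication.
EVENTS = [
    {"id": "evt-100", "source": "okta", "type": "user.session.start", "user": "alice", "outcome": "FAILURE", "ts": "2024-05-01T10:00:00Z"},
    {"id": "evt-101", "source": "okta", "type": "user.session.start", "user": "alice", "outcome": "FAILURE", "ts": "2024-05-01T10:00:20Z"},
    {"id": "evt-102", "source": "okta", "type": "user.session.start", "user": "alice", "outcome": "SUCCESS", "ts": "2024-05-01T10:00:45Z"},
    {"id": "evt-103", "source": "okta", "type": "user.session.start", "user": "bob", "outcome": "FAILURE", "ts": "2024-05-01T10:01:00Z"},
    {"id": "evt-104", "source": "okta", "type": "user.session.start", "user": "bob", "outcome": "SUCCESS", "ts": "2024-05-01T12:00:00Z"},
    {"id": "evt-105", "source": "okta", "type": "user.mfa.factor.deactivate", "user": "alice", "outcome": "SUCCESS", "ts": "2024-05-01T10:02:00Z"},
    {"id": "evt-105", "source": "okta", "type": "user.mfa.factor.deactivate", "user": "alice", "outcome": "SUCCESS", "ts": "2024-05-01T10:02:00Z"},
]

# Hypothetical rule schema: "match" is a single-event rule, "sequence" is an
# ordered multi-step rule evaluated per group_by value inside window_seconds.
RULES = [
    {"name": "MFA factor removed", "severity": "High",
     "match": {"type": "user.mfa.factor.deactivate"}},
    {"name": "Failed logins followed by success", "severity": "Medium",
     "group_by": "user", "window_seconds": 300,
     "sequence": [
         {"type": "user.session.start", "outcome": "FAILURE"},
         {"type": "user.session.start", "outcome": "FAILURE"},
         {"type": "user.session.start", "outcome": "SUCCESS"},
     ]},
]


def matches(event, predicate):
    """Every field in the predicate must equal the event's value."""
    return all(event.get(k) == v for k, v in predicate.items())


class AlertStore:
    """Alerts keyed by the external event ID that triggered them (the dedup key)."""

    def __init__(self):
        self.alerts = {}

    def raise_alert(self, rule, trigger, evidence):
        key = trigger["id"]
        if key in self.alerts:
            # Repeated delivery of the same event merges into the existing alert.
            self.alerts[key]["occurrences"] += 1
            return self.alerts[key]
        alert = {
            "rule": rule["name"], "severity": rule["severity"],
            "status": "New", "disposition": "Unknown",
            "source": trigger["source"], "dedup_key": key,
            "evidence": [e["id"] for e in evidence], "occurrences": 1,
        }
        self.alerts[key] = alert
        return alert


def evaluate(events, rules):
    """Run every rule over the events in time order and return the resulting alerts."""
    store = AlertStore()
    progress = defaultdict(list)  # (rule name, group value) -> events matched so far
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        for rule in rules:
            if "match" in rule:
                if matches(event, rule["match"]):
                    store.raise_alert(rule, event, [event])
                continue
            chain = progress[(rule["name"], event.get(rule["group_by"]))]
            # A partial sequence expires once the window since its first step has passed.
            if chain and parse_ts(event["ts"]) - parse_ts(chain[0]["ts"]) > timedelta(seconds=rule["window_seconds"]):
                chain.clear()
            if matches(event, rule["sequence"][len(chain)]):
                chain.append(event)
                if len(chain) == len(rule["sequence"]):
                    store.raise_alert(rule, event, list(chain))
                    chain.clear()
    return list(store.alerts.values())


if __name__ == "__main__":
    for alert in evaluate(EVENTS, RULES):
        print(alert)
```

Running it yields two alerts: the sequence rule fires for alice (evidence evt-100, evt-101, evt-102) but not for bob, whose successful login arrives two hours after the failure and so falls outside the window; the single-event rule fires once for evt-105 with an occurrence count of 2, because the redelivered copy was merged on its deduplication key rather than raised as a new alert.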
What you can do

  • Triage alerts manually or let an agent handle the first pass.
  • Update disposition as you confirm threats or rule out false positives.
  • Escalate to an incident when the alert needs broader response.

Most alerts close themselves. A well-tuned signal rule library and agent skill set mean that most benign or duplicate alerts are dispositioned automatically, so your team only sees the ones that actually need attention.

Learn about Incidents →