What are Alerts?
Alerts are a configurable action in Aiceberg that automatically sends security findings to your connected SIEM when specific signals are detected. This enables real-time threat intelligence and seamless integration with your existing security operations workflows.
When Alerts Are Sent
When you have a SIEM integration configured, Aiceberg will automatically send alerts to your SIEM for any signal where "Alert" is configured in the Profile. Learn more about configuring Profile actions in How are Profiles Configured.
Alert Structure
Alerts are sent as "security findings" events and include the following information:
Core Event Data:
- activity_id: Unique identifier for the activity (set to 1)
- metadata.product: Source platform (set to "Aiceberg")
- severity_id: Severity level (currently defaults to 4; future versions may allow per-signal severity customization)
- state_id: Action state (1 for monitored events, 4 for blocked events)
- type_uid: Event type identifier (200101 for monitored events, 200103 for blocked events)
Finding Object:
- title: "AI Interaction Flagged"
- uid: The prompt or event ID
- description: JSON object containing:
  - signal_type: The type of signal that triggered the alert
  - profile_id: The Profile identifier
  - profile_name: The Profile name
  - api_key_name: The API key used for the interaction
  - user_id: The user identifier
- src_url: Direct link to the AI interaction details in Aiceberg
Additional Context:
- Use case ID
- Session ID
- Actions taken (blocked or modified)
- Mode (API or Cannon)
- Timestamp of the event
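The field list above is enough to write a SIEM-side normalizer that validates each incoming alert and flattens it for correlation rules. The following is an added example, not Aiceberg's own code or SDK: it checks the documented constants (activity_id, metadata.product, the type_uid/state_id pairing for monitored versus blocked events), accepts the description either as a nested object or as a JSON-encoded string, and routes malformed events to an "invalid" bucket instead of dropping them. The top-level "finding" key that wraps the finding object, and all sample values, are assumptions made for the example.

```python
import json
from typing import Any, Dict, List

# Values taken from the alert structure documented above: the type_uid
# for each outcome and the state_id that must accompany it.
ACTION_BY_TYPE_UID = {200101: "monitored", 200103: "blocked"}
STATE_BY_TYPE_UID = {200101: 1, 200103: 4}

# Keys the description object is documented to carry.
DESCRIPTION_KEYS = ("signal_type", "profile_id", "profile_name", "api_key_name", "user_id")


class AlertFormatError(ValueError):
    """Raised when an incoming event does not match the documented alert shape."""


def _parse_description(finding: Dict[str, Any]) -> Dict[str, Any]:
    """Return the description as a dict, accepting a nested object or a JSON string."""
    desc = finding.get("description")
    if isinstance(desc, str):
        try:
            desc = json.loads(desc)
        except json.JSONDecodeError as exc:
            raise AlertFormatError(f"description is not valid JSON: {exc}") from exc
    if not isinstance(desc, dict):
        raise AlertFormatError("description must be a JSON object")
    missing = [k for k in DESCRIPTION_KEYS if k not in desc]
    if missing:
        raise AlertFormatError(f"description is missing keys: {missing}")
    return desc


def normalize_alert(event: Dict[str, Any]) -> Dict[str, Any]:
    """Validate one alert event and flatten it into a record for SIEM rules."""
    if event.get("activity_id") != 1:
        raise AlertFormatError("activity_id must be 1")
    if (event.get("metadata") or {}).get("product") != "Aiceberg":
        raise AlertFormatError("metadata.product must be 'Aiceberg'")

    type_uid = event.get("type_uid")
    if type_uid not in ACTION_BY_TYPE_UID:
        raise AlertFormatError(f"unknown type_uid {type_uid!r}")
    # Cross-check: a blocked type_uid must arrive with the blocked state_id, and vice versa.
    if event.get("state_id") != STATE_BY_TYPE_UID[type_uid]:
        raise AlertFormatError(
            f"state_id {event.get('state_id')!r} does not match type_uid {type_uid}"
        )

    # Assumption: the finding object is carried under a top-level "finding" key.
    finding = event.get("finding")
    if not isinstance(finding, dict):
        raise AlertFormatError("finding object is missing")
    desc = _parse_description(finding)

    record = {
        "action": ACTION_BY_TYPE_UID[type_uid],
        "severity_id": event.get("severity_id"),
        "event_uid": finding.get("uid"),
        "title": finding.get("title"),
        "src_url": finding.get("src_url"),
    }
    record.update({k: desc[k] for k in DESCRIPTION_KEYS})
    return record


def triage(events: List[Dict[str, Any]]) -> Dict[str, list]:
    """Sort a batch into monitored, blocked and invalid so malformed events are not lost."""
    buckets: Dict[str, list] = {"monitored": [], "blocked": [], "invalid": []}
    for ev in events:
        try:
            rec = normalize_alert(ev)
            buckets[rec["action"]].append(rec)
        except AlertFormatError as exc:
            buckets["invalid"].append(str(exc))
    return buckets


# Constructed sample events (not captured from a real deployment).
_DESC = {"signal_type": "example_signal", "profile_id": "profile-a",
         "profile_name": "Default Profile", "api_key_name": "chatbot-key", "user_id": "user-42"}
SAMPLE_EVENTS = [
    {   # monitored interaction; description delivered as a JSON string
        "activity_id": 1, "metadata": {"product": "Aiceberg"}, "severity_id": 4,
        "state_id": 1, "type_uid": 200101,
        "finding": {"title": "AI Interaction Flagged", "uid": "prompt-0001",
                    "description": json.dumps(_DESC),
                    "src_url": "https://example.invalid/interactions/prompt-0001"},
    },
    {   # blocked interaction; description delivered as a nested object
        "activity_id": 1, "metadata": {"product": "Aiceberg"}, "severity_id": 4,
        "state_id": 4, "type_uid": 200103,
        "finding": {"title": "AI Interaction Flagged", "uid": "prompt-0002",
                    "description": dict(_DESC),
                    "src_url": "https://example.invalid/interactions/prompt-0002"},
    },
    {   # malformed: blocked type_uid paired with the monitored state_id
        "activity_id": 1, "metadata": {"product": "Aiceberg"}, "severity_id": 4,
        "state_id": 1, "type_uid": 200103,
        "finding": {"title": "AI Interaction Flagged", "uid": "prompt-0003",
                    "description": dict(_DESC)},
    },
]

if __name__ == "__main__":
    for action, items in triage(SAMPLE_EVENTS).items():
        print(action, len(items))
```

The type_uid/state_id cross-check is the part worth keeping in a real pipeline: a parser that trusts only one of the two fields can mis-classify a blocked interaction as merely monitored if the other field is ever inconsistent, and routing such events to an invalid bucket keeps the discrepancy visible rather than silently discarded.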
Alert Direction
Alerts flow one-way from Aiceberg to your SIEM. Your SIEM cannot write back to Aiceberg or trigger actions within the platform.
Read more about Integrations here.