Alerts and Cases

How WatchTower turns suspicious activity into operational investigations for risk teams.

Alert inbox

Triage suspicious activity with assignment, filtering, decision context, and escalation paths.

Case workspace

Investigate with ownership, status, notes, evidence, timeline, exports, and final outcomes.

Analyst context

Connect triggered controls, customer context, related activity, and AI summaries in one workflow.

Alert lifecycle

Alerts are the first operational unit created when suspicious transactions or monitoring events require review. They carry the decision context, triggered controls, supporting evidence, and customer or counterparty context needed for first-line triage.

An alert can be reviewed directly, resolved as safe, marked as a false positive, assigned to a user, or escalated into a case when the investigation needs more structure.

Alert inbox supports

  • open, investigating, resolved, and escalated review states
  • assignee visibility
  • severity and decision filtering
  • transaction and customer search
  • bulk queue review where available
  • escalation from alert to case

What analysts see in an alert

A useful alert should explain why it exists. WatchTower presents the flagged transaction alongside the controls that contributed to the decision and the context an analyst needs to decide what to do next.

Alert context can include

  • transaction facts and amount
  • decision outcome and risk score
  • triggered controls
  • matched narration or payment-reference terms where applicable
  • customer and counterparty details
  • behavior baseline summary
  • related recent activity
  • AI-generated investigation summary

Cases

Cases are used when an alert needs structured investigation. A case gives the risk team one workspace for ownership, status, notes, evidence, timeline, exports, and final outcome tracking.

In practice, cases prevent analysts from treating each transaction as an isolated fragment. The case view brings the transaction, customer, counterparty, related activity, and team collaboration into one operational record.

Case workflows support

  • assignment and reassignment
  • status transitions such as to do, investigating, and done
  • priority and SLA visibility
  • notes and analyst comments
  • mentions that can notify teammates
  • evidence and attachments
  • timeline and audit history
  • case exports and report generation
  • customer profile review
  • identity and onboarding context when Identity is linked

Notes, evidence, and collaboration

Investigation work often depends on analyst reasoning, screenshots, documents, and internal handoff notes. WatchTower separates the operational case record from the original transaction so teams can add context without changing the source event.

Collaboration features

  • case notes and comments
  • user mentions for handoff or review
  • supporting attachments or evidence files
  • read-state indicators for new activity
  • notification triggers for assignments and mentions

AI investigation summaries

WatchTower can generate investigation summaries that explain the likely reason an alert or case was created. These summaries are designed to help analysts orient quickly, not to replace human review or final compliance judgment.

Where relevant, summaries should reference the triggered controls and supporting signals in plain language, such as unusual velocity, suspicious narration terms, self-transfer behavior, malformed identifiers, or customer-context changes.

Human-in-the-loop review

AI summaries are operational guidance. Final disposition, escalation, and reporting decisions remain with the institution's authorized risk or compliance team.

Typical operational flow

  1. A transaction or monitoring event triggers one or more controls
  2. WatchTower creates an alert with decision context and evidence
  3. An analyst triages the alert from the alert inbox
  4. The alert is resolved, marked false positive, assigned, or escalated into a case
  5. The case owner investigates with notes, evidence, customer context, and related activity
  6. The team closes the case with a final outcome and supporting record
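
The flow above, modelled as an added example (not WatchTower's own code). The transition tables, outcome labels, `Record` class and sample event are assumptions, since the page names the states but not the permitted moves. The model rejects out-of-order transitions, requires an outcome before closing, and keeps the source event read-only while the timeline grows.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from types import MappingProxyType
from typing import Optional

# Assumed transition tables: the page names these states but does not publish
# which moves the product permits.
ALERT_MOVES = {"open": {"investigating", "resolved", "escalated"},
               "investigating": {"resolved", "escalated"},
               "resolved": set(), "escalated": set()}
CASE_MOVES = {"to do": {"investigating"}, "investigating": {"done"}, "done": set()}
ALERT_OUTCOMES = {"safe", "false_positive"}  # constructed labels for step 4
# Constructed sample event, not real data.
SAMPLE_EVENT = {"id": "txn-0001", "amount": 950000, "controls": ["velocity"]}

@dataclass
class Record:
    kind: str                       # "alert" or "case"
    source_event: MappingProxyType  # read-only view of the triggering event
    status: str
    assignee: Optional[str] = None
    outcome: Optional[str] = None
    timeline: list = field(default_factory=list)  # append-only audit history

    def log(self, actor, action, detail=""):
        stamp = datetime.now(timezone.utc).isoformat()
        self.timeline.append((stamp, actor, action, detail))

    def move(self, actor, new_status, outcome=None):
        moves = ALERT_MOVES if self.kind == "alert" else CASE_MOVES
        if new_status not in moves[self.status]:
            raise ValueError(f"{self.kind}: {self.status} -> {new_status} not allowed")
        if new_status == "resolved" and outcome not in ALERT_OUTCOMES:
            raise ValueError("resolving an alert needs a recorded outcome")
        if new_status == "done" and not outcome:
            raise ValueError("closing a case needs a final outcome")
        self.log(actor, f"{self.status} -> {new_status}", outcome or "")
        self.status, self.outcome = new_status, outcome or self.outcome

def new_alert(event):
    """Step 2: wrap the event read-only so later notes never alter it."""
    return Record("alert", MappingProxyType(dict(event)), "open")

def open_case(alert, actor, owner):
    """Step 4: escalate the alert and start a case on the same source event."""
    alert.move(actor, "escalated")
    case = Record("case", alert.source_event, "to do", assignee=owner)
    case.log(actor, "opened from alert", alert.source_event["id"])
    return case
```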

Useful API areas

Most teams manage alerts and cases through the WatchTower console, but API routes are available for integration, reporting, and operational workflows.

Alerts and cases API areas
GET /api/v1/alerts
PATCH /api/v1/alerts/{id}
POST /api/v1/alerts/{id}/open-case
GET /api/v1/cases
GET /api/v1/cases/{id}
PATCH /api/v1/cases/{id}
POST /api/v1/cases/{id}/notes
POST /api/v1/cases/{id}/attachments
GET /api/v1/cases/{id}/export

Why this matters

The point of WatchTower is not only detection. It is to make transaction monitoring operationally usable by risk and compliance teams.

That is why alert and case workflows are connected to customer context, identity-safe evidence, linked identifiers, recent activity, notifications, reporting, and audit trails.