SAS Visual Investigator now has a component called Scenario Administrator. Scenario Administrator provides fraud detection authoring and surveillance capabilities to the SAS Visual Investigator product. Scenario Administrator is a data-driven tool, designed to allow users to explore their data and author surveillance strategies and decision flows to generate Alerts with the SAS Visual Investigator interface.

The illustration below from the SAS Visual Investigator 10.2: Using the Scenario Administrator guide depicts the Scenario Administrator Process. In my previous article, the steps that are performed within the Scenario Administrator user interface (steps 1 – 5) were reviewed. Step 6 – Investigate, disposition, and triage generated alerts – which is performed in the SAS Visual Investigator user interface is the topic of this article.

6. Investigate, Disposition, and Triage Generated Alerts

When the flow run is complete, you can perform further review and analysis of the alerts generated in SAS Visual Investigator.  

If the administrator has added the Alert Summary section to your homepage, then you can view a summary of the alerts by strategy and queue. Note: You will only have the summary information for queues to which you or a group to which you belong has access.

Also, if your Homepage has the Personal Metrics section, you can view the metrics about your work with Alerts for Today, Yesterday, Last 7 days, or Last 30 days. These metrics can also be filtered for a particular Strategy that you or a group to which you are assigned has access.

To view the individual alerts, select the Alerts menu in SAS Visual Investigator. The Alerts tab is filtered by their strategy assignment. You will only be able to view strategies to which you or a group to which belong has access.

You can then open an Alert to start your investigation/triage of the alert. The alert will have alert detail information including its scorecard, network, triggers, scoring history, and alert history. 

 After reviewing the alert information, you can then select the appropriate disposition.  A disposition allows an analyst to apply specific actions such as:

• Closing the alert
• Suppressing the alert for a specified period of time
• Moving the alert to a different queue
• Linking the alert to an object.

Note:  The available dispositions will vary by queue and are setup by an administrator of the system.

For more information on working with Alerts, refer to the Understanding Alerts section of the SAS Visual Investigator documentation.  Note:  The SAS Visual Investigator documentation requires an access key, if you do not already have one, contact SAS Technical Support.