Hi Idan,   I don't think there is a way to configure that, but I have two follow-up questions. I assume you are talking about workspaces that were created during alert generation. Is that right?  If so, are the workspaces created according to the setting in the strategy or do the incoming alerting events include json that specifies exactly which entities should be in the workspace? When you say the network diagram should be expanded, are you saying that the nodes that were placed in the workspace during the alert generation are not initially visible? Or are you saying that the nodes that were added to the workspace are visible, but you would like the diagram to automatically expand out one level beyond what was originally added to the workspace. (Could you attach a screenshot of what you are seeing?) Thanks ... View more

Hi Alex, In alert management for Visual Investigator, a user has to be able to see the actionable entity for an alert - whatever entity the alert was on - to be able to disposition it. This was a feature added when we added entity-level security; we thought people should not be able to work an alert if they cannot see the entity related to the alert. So, when an analyst invokes a disposition, the system will verify that the user can see the alert. Note that the alert service cannot differentiate between "I cannot see this entity because of visibility rules" and "I cannot see this entity because there is no record in the database"; those 2 situations behave the same (for security reasons). You are not the first person who has asked about these visibility checks during disposition. I have heard of use cases where the current behavior causes challenges to the solution. I think it would be nice if the system had a setting at the domain level to let you control whether that check needs to be made or not.    So in answer to your questions: this is still the current behavior in all versions of Visual Investigator I don't think this check is made for automatic dispositions. To do a document visibility check, we would need to use the current user's credentials. Most of the alert creation process is done as "the service" which has all permissions. So in that path through the code, I believe the database check is short-circuited. I cannot explain what you are describing in question 3, could you give more background? I would expect a request for 10 new alerts to cause the system to read the 10 actionable entities, because the alert usually needs to compute and save the entity's label in the alert label. Is it possible that other things are happening coincidentally in the system, like an indexing run, and that is causing all the records to be read? Austin ... View more

Hi @agesser, that's correct; that is not supported today. I have added it to the list of potential new features. ... View more

Sorry, you cannot run procs within a DATA Step Scenario at this time. The code that you put in the scenario is fed to the CAS DATA Step action, so it can only include DATA statements. ... View more

Hello, If you are using the standard VI Child-Object Viewer, showing disposition reason cd is always going to be a problem because different domains will use different reference tables for their list of disposition reasons. The child object viewer is not flexible enough to know which table to look in. There is a better solution to viewing alert history though. In 10.8 you can add a history toolbar item to all Alert pages. If you add the history item to the toolbar, it will show the alert history and it is clever enough to use the relevant table based on the alert domain. It also shows you a lot more information in a much friendlier way.  ... View more

Hello, You may be able to use normal alert routing.  Does the new activity recommend a destination queue? If so, what are the routing priorities for the two queues? Is the routing priority for the suppression queue higher or lower than the routing priority for the destination queue? If your alerting event or scenario fired event recommends a queue and that queue has a higher routing priority than the suppression queue, the alert will get routed to the higher priority queue automatically. ... View more

Hello, The current behavior of a disposition that creates an investigation (or links to an existing investigation) is to create a link between the investigation and the subject of the alert, and not a link from the investigation to the alert object itself. The rationale was that the investigator is investigating *the subject*, not just the information identified in the alert and that is the relationship that matters when looking at the network. There is a link between the alert and the subject so you can traverse from the case to the alert if you need to. That was the guidance provided by product management at the time. You are not the first person to expect a link between the investigation and the alert, and there is a story in the background to add the flexibility you are asking for. Best regards ... View more

Hi Natthamon, No, I'm sorry. The datastep scenario functionality is limited to using just the one input table right now. This is a request we have received from other people and we have a feature request created for it. Austin ... View more