Notifications
Notifications help analysts track events that match specific risk criteria. Workstation supports two widgets for working with notifications:
- Notifications Widget: A real-time feed within a time window (up to 100 results).
- Notifications Explorer Widget: A searchable list not constrained to a time window (up to 100 results).
These two widgets will be deprecated at a future date.
Most workflows are identical across both widgets. This page documents the shared behavior first, then highlights differences where they matter.
Using either Notifications widget requires that:
- Your event data includes a risk_score field.
- Event notification settings have been configured. For more information, see Creating Event Notification Settings.
If your data does not use a risk_score, use the Events Explorer widget to find and review events.
Opening Notifications
You can open a notification in an Object Details Viewer (ODV) by right-clicking a notification and selecting:
- Send to Object Details Viewer
- Open in new viewer widget
- Send to another Workspace
Dragging Notifications into Other Widgets
Drag a notification into another widget to perform common analysis tasks:
- Object Details Viewer: Review and update notification fields (assignee, status, priority, tags), or open the underlying event.
- Collections: Create a collection from the event, or add the event to an existing collection.
- Collection Details: Add the event to the collection currently loaded in the widget.
- Map: Display any geo data (markers or polygons) available for the event.
- Link Analysis: Render linked entities and relationships (when available).
- Drilldown: Display the event’s drilldown hierarchy (when available from Authoring / HCEP).
- Event History: Show event history in a table (when available).
- Risk History: Show risk history on a timeline chart (when available).
Reviewing Notifications
When a notification is loaded into the Object Details Viewer, you can:
- View notification details and update assignee, status, priority, and tags.
- Open the event associated with the notification.
- See a count of related collections that contain the event, with links to those collections.
Sorting and Filtering Notifications
Sorting and filtering are the main ways to narrow down the list of notifications.
To sort or filter notifications:
- In the Notifications or Notifications Explorer widget, click the filters dropdown icon.
- Configure one or more filters.
- Click Apply Filters to apply all selected filters, or Reset to Defaults to discard changes.
The two widgets support many of the same filters, but they are not identical.
Notifications Widget Filters
The following filters can be applied in the Notifications widget:
| Filter | Description |
|---|---|
| Sort By | Sort by last created/updated date, priority, risk score, or tag order priority. |
| Tags | Filter by one or more notification tags or system tags. |
| Users | Filter by a specific user, or the current user (me). |
| Time Window | Filter by a pre-defined time window for created/updated timestamps. |
Notifications Explorer Widget Filters
The following filters can be applied in the Notifications Explorer widget:
| Filter | Description |
|---|---|
| Filter | Choose which time-based field to filter by. |
| Date | Choose a pre-defined time period. |
| Sort by | Sort by last created/updated/occurred at dates, priority, risk score, tag order, or assigned user. |
| Tags | Filter by notification or system tags. |
| Users | Show notifications assigned to a specified user, or the current user (me). |
| Status | Filter by ingestion status: Active, Dismissed, or Archived. |
| Priority | Filter by notification priority. |
| Text Search | Match a text string within notification data fields. |
Managing Notifications
A notification can be Active, Archived, or Dismissed.
- If a notification is neither Archived nor Dismissed, it is Active.
- Archived and dismissed notifications are still accessible via filters in the Notifications Explorer widget.
- Once dismissed or archived, a notification cannot be returned to Active.
Dismissing Notifications
You can dismiss a notification either from the Object Details Viewer or directly from the Notifications widget.
Dismissing from Object Details Viewer
To dismiss a notification from Object Details Viewer:
- Load the notification into the Object Details Viewer.
- In the top-right of the Object Details Viewer, click the More menu (⋮).
- Select Mark as Reviewed.
Dismissing from the Notifications Widget
To dismiss a notification from the Notifications widget:
- In the Notifications widget list, click the X icon on the right side of the notification.
- Confirm the dismissal, or click Cancel.
Archiving Notifications
A notification must be loaded into an Object Details Viewer before it can be archived.
To archive a notification:
- Load the notification into the Object Details Viewer.
- In the top-right of the Object Details Viewer, click the More menu (⋮).
- Select Archive.
Notifications Widget-Exclusive Features
The following features only apply to the Notifications widget.
Pinning Notifications
A notification can disappear from the Notifications widget if it no longer matches the notification settings, or it falls outside the widget’s time window.
Pin notifications to keep them visible in the list.
To pin a notification:
- In the Notifications widget, locate the notification in the list.
- Click the pin icon on the right side of the notification.
- Click the pin icon again to unpin.
Using the Time Chart
The Notifications widget includes a timeline representing the count of notifications generated within the current time window.
To toggle Time Chart Mode:
- In the upper-left of the Notifications widget, click the circle that displays the notification count.
- Toggle the plotted series by:
  - Tag: Segment by notification tag.
  - Risk history: Segment by risk level (low, medium, high, critical).
  - User: Segment by assigned user (requires notifications to be assigned).
  - Priority: Segment by notification priority.