Alert Management
When Kora Sentinel detects exploitation signals, it evaluates them against your tenant's risk thresholds to determine whether to generate alerts, open cases, or escalate to compliance. This guide covers the full alert lifecycle.
Risk tiers and automatic actions
Each elder profile has an Exploitation Risk Score (ERS) that maps to a risk tier. Crossing tier boundaries triggers automatic actions based on your tenant configuration:
| Tier | ERS Range | Automatic Actions |
|---|---|---|
NORMAL | 0-20 | No action — standard monitoring |
WATCH | 21-40 | Signal logged, no alert |
ELEVATED | 41-60 | Alert generated, webhook sent |
HIGH | 61-80 | Alert generated, case opened, webhook sent |
CRITICAL | 81-100 | Alert generated, case opened, escalation triggered, webhook sent |
The thresholds for auto-alert, auto-case, and auto-escalation are configurable:
curl -X PUT https://api.korastratum.com/sentinel/api/v1/elder/config \
-H "Authorization: Bearer $SENTINEL_API_KEY" \
-H "X-Tenant-ID: $SENTINEL_TENANT_ID" \
-H "Content-Type: application/json" \
-d '{
"auto_alert_threshold": 41.0,
"auto_case_threshold": 61.0,
"auto_escalate_threshold": 81.0
}'
Signal lifecycle
Every detected signal goes through a lifecycle:
ACTIVE ──────► CONFIRMED ──────► (feeds into case/alert)
│
└──────────► DISMISSED ──────► (removed from ERS calculation)
│
└──────────► EXPIRED ────────► (auto-expired after window closes)
│
└──────────► MERGED ─────────► (combined with related signal)
Reviewing signals
Review a signal to confirm or dismiss it:
# Confirm a signal — it remains in the ERS calculation
curl -X PUT https://api.korastratum.com/sentinel/api/v1/elder/signals/$SIGNAL_ID/review \
-H "Authorization: Bearer $SENTINEL_API_KEY" \
-H "X-Tenant-ID: $SENTINEL_TENANT_ID" \
-H "Content-Type: application/json" \
-d '{
"status": "CONFIRMED",
"review_notes": "Branch manager verified — unauthorized POA activity."
}'
# Dismiss a signal — it is removed from the ERS calculation
curl -X PUT https://api.korastratum.com/sentinel/api/v1/elder/signals/$SIGNAL_ID/review \
-H "Authorization: Bearer $SENTINEL_API_KEY" \
-H "X-Tenant-ID: $SENTINEL_TENANT_ID" \
-H "Content-Type: application/json" \
-d '{
"status": "DISMISSED",
"review_notes": "Customer confirmed this was an authorized family transfer."
}'
Viewing signals by profile
List all signals for a specific elder profile, filtered by status:
# All active signals for a profile
curl "https://api.korastratum.com/sentinel/api/v1/elder/signals/by-profile/$PROFILE_ID?status=ACTIVE" \
-H "Authorization: Bearer $SENTINEL_API_KEY" \
-H "X-Tenant-ID: $SENTINEL_TENANT_ID"
Filter signals by category and severity:
# Critical draining signals across all profiles
curl "https://api.korastratum.com/sentinel/api/v1/elder/signals?category=GRADUAL_DRAINING&severity=CRITICAL" \
-H "Authorization: Bearer $SENTINEL_API_KEY" \
-H "X-Tenant-ID: $SENTINEL_TENANT_ID"
ERS history
Track how a profile's risk score has changed over time:
curl "https://api.korastratum.com/sentinel/api/v1/elder/profiles/$PROFILE_ID/ers-history?limit=30" \
-H "Authorization: Bearer $SENTINEL_API_KEY" \
-H "X-Tenant-ID: $SENTINEL_TENANT_ID"
The response includes point-in-time ERS calculations with category breakdowns, score changes, and trend indicators (IMPROVING, STABLE, WORSENING, RAPID_DECLINE).
Profile status management
Update a profile's monitoring status as the situation evolves:
curl -X PUT https://api.korastratum.com/sentinel/api/v1/elder/profiles/$PROFILE_ID/status \
-H "Authorization: Bearer $SENTINEL_API_KEY" \
-H "X-Tenant-ID: $SENTINEL_TENANT_ID" \
-H "Content-Type: application/json" \
-d '{"status": "PROTECTED"}'
Available statuses:
| Status | Description |
|---|---|
ACTIVE | Standard monitoring — baseline being maintained |
MONITORING | Enhanced monitoring — more frequent baseline recalculation |
ELEVATED | Elevated risk — additional detection rules activated |
PROTECTED | Active protection measures in place (e.g., transaction blocks, dual authorization) |
INACTIVE | Monitoring paused |
DECEASED | Customer deceased — monitoring terminated |
Dashboard overview
Get a high-level summary of your entire protected population:
curl https://api.korastratum.com/sentinel/api/v1/elder/dashboard/overview \
-H "Authorization: Bearer $SENTINEL_API_KEY" \
-H "X-Tenant-ID: $SENTINEL_TENANT_ID"
The dashboard response includes:
- Total enrolled profiles and breakdown by risk tier
- Active signal count and critical profile count
- ERS trend data for charts
- Top signal categories by frequency
- Recent signals and highest-risk profiles
Top risk profiles
Retrieve the profiles with the highest exploitation risk scores:
curl "https://api.korastratum.com/sentinel/api/v1/elder/dashboard/top-risk-profiles?limit=10" \
-H "Authorization: Bearer $SENTINEL_API_KEY" \
-H "X-Tenant-ID: $SENTINEL_TENANT_ID"
Best practices
- Review signals promptly — Unreviewed signals remain in the ERS calculation. Dismissing false positives keeps scores accurate.
- Configure thresholds by market — Different markets have different transaction norms. Use the configuration API to tune thresholds per market.
- Use batch operations — Run periodic enrollment scans and baseline recalculations to catch newly eligible customers and keep baselines fresh.
- Monitor the dashboard — The dashboard overview provides early warning of systemic issues across your protected population.
- Set up webhooks — Don't poll for signals — use webhooks to get real-time notifications.