The alert feed
The Alerts page is the analyst’s main triage surface. Every signal Mimir generates lands here as a row in a single feed: IOC matches from threat feeds, file-integrity tamper events, compliance failures, fleet-change events, and host-state transitions. The page is built for one workflow: open it in the morning, work down the list, close the loop on the unacknowledged rows that matter, and trust the rest to wait.
What you get
The page is three regions stacked vertically: a saved-views bar, a toolbar, and a list + detail two-pane layout that collapses into a drawer on narrow screens.
Saved views
Three preset chips at the top, each a category filter:
- Security (the default) — IOC matches plus tamper events. The view most operators want first.
- All — every category.
- Compliance — only compliance failures, for posture review.
Click a chip to swap the category filter, or use Arrow Left / Arrow Right (the chips are a WAI-ARIA radiogroup). The chip updates the URL’s category query param so the view is bookmarkable and the browser back button works the way you’d expect.
Toolbar
The toolbar carries everything else: a debounced search box, severity chips, source chips, an acknowledged-state select, a group-mode segment, a clear-filters button, and the export buttons.
- Search matches indicator values and hostnames (case-insensitive substring, 250 ms debounce). Press / to focus it; press Escape while it’s focused to clear and blur.
- Severity chips (Critical, High, Medium, Low, Info) toggle membership. Click multiple to combine.
- Source chips (Watchlist, Historical, Hunt) filter the IOC category by where the match came from. See Matching modes for what each source means.
- Acknowledged select — Unacknowledged (the default), Acknowledged, or All. Round-trips through the URL’s acknowledged param.
- Group mode — Flat (the default), By Host, or By Category. Group mode tucks the rows under collapsible headers and lets you acknowledge an entire group with one click.
- Clear filters — appears once you’ve added any filter, and resets everything except the active saved view.
- Export — CSV or JSONL. Exports the current filter scope, so what’s downloaded matches what’s on screen.
List + detail
On screens wider than 1200 px the layout is split: the alerts list on the left, the per-alert detail pane on the right. On narrower screens the list takes the full width and clicking a row opens the detail in a side-drawer.
Each list row shows the severity dot, the category icon, the title, the affected hostname, and a relative timestamp. The selected row is highlighted; rows with a pending acknowledge are dimmed (see Acknowledging alerts).
The detail pane is a locked four-section scaffold:
- Header band — severity dot, category chip, title, hostname, detection timestamp, optional acknowledged-by attribution. The shape is identical for every category, so j/k navigation doesn’t shift the layout.
- Summary line — one short synopsis (“File modified: …”, “Policy failed: …”, the IOC value for an IOC match).
- Polymorphic body — the only section whose content varies by category. IOC alerts get indicator + source + discovery path. Tamper alerts get expected vs actual hash. Compliance alerts get policy name + severity. Fleet-change alerts get the event type and any name / user / port context. Host-state alerts get the transition.
- Evidence / payload — the raw JSON payload from the agent, collapsible.
Below the four sections is a footer with Acknowledge, Open host, and (for IOC alerts) Open IOC action buttons, plus a keyboard-shortcut cheat strip.
Categories
Five alert categories Mimir tracks today:
- IOC — an indicator of compromise matched on a host. The bread-and-butter of the feed. Tagged with one of four sources: watchlist_pack, historical_match, hunt, or campaign. The toolbar’s source-chip filters currently expose the first three; campaign-source alerts are reachable from the campaign detail page’s late-matches table.
- Tamper — file integrity monitor detected an unexpected hash.
- Compliance — a compliance policy failed evaluation.
- Fleet change — a structural change to the fleet that may be signal (new admin user, unexpected listening port, software install).
- Host state — a transition Mimir wants to surface (e.g., a critical host going offline).
Group mode “By Category” is the fastest way to see the breakdown when the feed is busy.
Keyboard navigation
Optimized for analysts who work the feed by keyboard. Inside the list / detail layout:
- j / k — move selection down / up.
- A — acknowledge the selected alert (with a 5-second undo window; see Dispositions).
- U — undo the most recent acknowledge while it’s still pending.
- 1 through 5 — jump to a category in the URL filter.
- g — cycle group mode.
- o — open the selected alert’s host page in a new tab.
- / — focus the search box.
- Esc — close the drawer on narrow screens, or blur the search box.
Shortcuts only fire when focus is outside any input. The cheat strip at the bottom of the detail pane lists them.
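As an added example (not Mimir’s own code), the shortcut handling described above modelled in JavaScript: a focus guard so keys typed into the search box never reach the dispatcher, and the acknowledge / undo window as a pending state whose server commit is deferred until the 5-second window closes. The action names, the `commit` callback and the injectable timer functions are assumptions.

```javascript
const EDITABLE = new Set(['INPUT', 'TEXTAREA', 'SELECT']);
const GROUP_MODES = ['flat', 'host', 'category'];

// Shortcuts must not fire while the analyst is typing in the search box or any other field.
function focusIsInInput(el) {
  return !!el && (EDITABLE.has(el.tagName) || el.isContentEditable === true);
}

// Acknowledge is modelled as a pending state: the server call (`commit`, assumed) runs only
// after the undo window elapses, so U can cancel it. Timers are injectable for testing.
function createAckQueue({ commit, undoMs = 5000, schedule = setTimeout, cancel = clearTimeout }) {
  const pending = new Map(); // alertId -> timer handle
  let last = null;           // the alert U would undo
  return {
    acknowledge(id) {
      if (pending.has(id)) return false;          // already dimmed and counting down
      pending.set(id, schedule(() => { pending.delete(id); commit(id); }, undoMs));
      last = id;
      return true;
    },
    undo() {
      if (last === null || !pending.has(last)) return null;   // window already closed
      cancel(pending.get(last));
      pending.delete(last);
      const id = last;
      last = null;
      return id;
    },
    isPending: (id) => pending.has(id),
  };
}

// Translate one keypress into a feed action. `state` is { index, count, groupMode }.
function dispatchKey(key, state, activeEl, queue, selectedId) {
  if (focusIsInInput(activeEl)) return key === 'Escape' ? { type: 'blur-search' } : null;
  if (/^[1-5]$/.test(key)) return { type: 'category', slot: Number(key) };
  switch (key) {
    case 'j': return { type: 'select', index: Math.min(state.index + 1, Math.max(state.count - 1, 0)) };
    case 'k': return { type: 'select', index: Math.max(state.index - 1, 0) };
    case 'A': return selectedId != null && queue.acknowledge(selectedId) ? { type: 'ack-pending', id: selectedId } : null;
    case 'U': { const id = queue.undo(); return id === null ? null : { type: 'ack-undone', id }; }
    case 'g': return { type: 'group', mode: GROUP_MODES[(GROUP_MODES.indexOf(state.groupMode) + 1) % 3] };
    case 'o': return { type: 'open-host', id: selectedId };
    case '/': return { type: 'focus-search' };
    case 'Escape': return { type: 'close-drawer' };
    default: return null;
  }
}
```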
New-alerts chip
When new alerts arrive after the page loaded, Mimir doesn’t push them into your scroll. Instead a chip appears above the list: “3 new alerts · click to load.” Click to merge them in. This keeps the list stable while you’re reading a row in the detail pane — your selection doesn’t jump because the world changed.
Filter scope and exports
Every filter the toolbar applies is also passed to the export endpoint, so a CSV / JSONL download reflects exactly the rows on screen. The export uses a hidden-anchor click pattern, so a failed download is currently silent — if the file doesn’t appear, check that your session is still valid and retry.
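An added example, not Mimir’s own code, that ties the toolbar filters described earlier to the URL and to the export request: filter state round-trips through the query string, the same state filters the list, and the export URL is built from that same query so the download cannot drift from what is on screen. The query-param names, the row fields and the export path are assumptions; the sample rows are constructed.

```javascript
const DEFAULTS = { category: 'security', severity: [], source: [], acknowledged: 'unacknowledged', q: '', group: 'flat' };
const SECURITY = new Set(['ioc', 'tamper']);  // the "Security" saved view
const EXPORT_PATH = '/api/v1/alerts/export';   // assumed; the docs only say "export endpoint"
// Constructed sample rows; field names are assumptions, not Mimir's schema.
const SAMPLE_ALERTS = [
  { id: 1, category: 'ioc', severity: 'high', source: 'watchlist_pack', hostname: 'web-01', indicator: 'evil.example', acknowledged: false },
  { id: 2, category: 'tamper', severity: 'critical', hostname: 'db-02', acknowledged: false },
  { id: 3, category: 'compliance', severity: 'medium', hostname: 'web-01', acknowledged: true },
  { id: 4, category: 'ioc', severity: 'low', source: 'hunt', hostname: 'mail-03', indicator: '203.0.113.7', acknowledged: false },
];

// Only non-default values are written, so the default view keeps a clean, bookmarkable URL.
function filtersToQuery(f) {
  const p = new URLSearchParams();
  for (const k of Object.keys(DEFAULTS)) {
    const v = f[k];
    if (Array.isArray(v)) { if (v.length) p.set(k, v.join(',')); }
    else if (v !== DEFAULTS[k]) p.set(k, String(v));
  }
  return p.toString();
}

// Inverse of filtersToQuery; missing params fall back to DEFAULTS.
function filtersFromQuery(qs) {
  const p = new URLSearchParams(qs);
  const f = { ...DEFAULTS, severity: [], source: [] };
  for (const k of Object.keys(DEFAULTS)) {
    if (!p.has(k)) continue;
    f[k] = Array.isArray(DEFAULTS[k]) ? p.get(k).split(',').filter(Boolean) : p.get(k);
  }
  return f;
}

// Search is a case-insensitive substring over indicator and hostname;
// source chips are applied to IOC rows only (assumed from the docs).
function applyFilters(alerts, f) {
  const needle = f.q.trim().toLowerCase();
  return alerts.filter(a =>
    (f.category === 'all' || (f.category === 'security' ? SECURITY.has(a.category) : a.category === f.category)) &&
    (f.severity.length === 0 || f.severity.includes(a.severity)) &&
    (a.category !== 'ioc' || f.source.length === 0 || f.source.includes(a.source)) &&
    (f.acknowledged === 'all' || (f.acknowledged === 'acknowledged') === a.acknowledged) &&
    (needle === '' || [a.indicator, a.hostname].some(s => (s || '').toLowerCase().includes(needle))));
}

// The export request carries exactly the query the list was rendered from.
function exportUrl(f, format) {
  const qs = filtersToQuery(f);
  return `${EXPORT_PATH}?format=${format}${qs ? '&' + qs : ''}`;
}
```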
Empty states
Two flavors:
- No active alerts. Your fleet is clean. — there are zero rows that match the current filter scope, and the filter doesn’t look like a deliberate “show nothing” choice. Take the win.
- No alerts match these filters. — you’ve narrowed the filter enough that nothing’s left. A Clear filters button is rendered inline so you can widen back without using the toolbar.
Permissions
GET /api/v1/alerts is gated by withAnyAuth; every signed-in user sees every alert. Acknowledge is also gated by withAnyAuth, so any user can clear the queue on behalf of the team. If your deployment needs read-only operator separation, that’s a deployment-time choice, not a row-level filter.
Where to next
- Acknowledging alerts — how the acknowledge / undo flow works and what bulk-acknowledge does.
- Webhook delivery — what happens downstream when your operator has wired Mimir to a SIEM or Slack.
- Matching modes — what the three IOC source tags actually mean.