# Monitoring & Alerts

All Browser Security detections are reported to Highflame Studio in real time. Security teams have a unified view of violations, device health, and threat trends without needing a separate console.

***

## Violations

Navigate to **Highflame Studio** → **Browser Security** → **Violations** to see all recorded detections.

Each violation record includes:

| Field               | Description                                                                       |
| ------------------- | --------------------------------------------------------------------------------- |
| **Timestamp**       | When the violation occurred                                                       |
| **Device**          | The enrolled device and user it was detected on                                   |
| **Threat category** | The type of threat detected (prompt injection, data exfiltration, etc.)           |
| **Threat flags**    | Specific patterns matched (e.g., `prompt_injection:jailbreak`, `pii:credit_card`) |
| **Action taken**    | Whether the operation was blocked or monitored                                    |
| **Platform**        | The AI platform or domain involved                                                |
| **API**             | The browser API intercepted (`fetch`, `xhr`, `storage`, `clipboard`, etc.)        |

### Filtering violations

Filter by:

* Date range
* Device or user group
* Threat category
* Action (blocked / monitored)
* AI platform

### Exporting

Violations can be exported as CSV for reporting or ingestion into your SIEM. Use the **Export** button in the Violations view, or configure a [Splunk or webhook alert](/integrations/alerts.md) for real-time streaming.

***

## Device inventory

Navigate to **Highflame Studio** → **Browser Security** → **Devices** to see all enrolled devices.

| Column              | Description                                       |
| ------------------- | ------------------------------------------------- |
| **Device name**     | Hostname of the enrolled device                   |
| **User**            | Logged-in user at last check-in                   |
| **Browser**         | Browser type and version                          |
| **Status**          | Active, Inactive (no check-in in 24h), or Offline |
| **Policy**          | Active policy applied to this device              |
| **Last seen**       | Timestamp of most recent activity                 |
| **Violations (7d)** | Number of violations in the past 7 days           |

Devices that haven't reported in over 24 hours are marked **Inactive**. This typically means the browser extension was uninstalled, the device is powered off, or the managed configuration was removed.

***

## Threat analytics

The **Analytics** tab in Browser Security shows aggregated threat data across your organization:

* **Violation volume over time** — daily/hourly trend of blocked and monitored events
* **Top threat categories** — breakdown of which threat types are firing most
* **Top users** — users generating the highest violation counts
* **Top platforms** — which AI platforms are involved in the most violations
* **Detection rate by policy** — which policies are triggering and at what rate

Use the analytics view to identify anomalies (a spike in jailbreak attempts, a user sending PII to an unexpected platform) and to validate that Monitor mode detections are stable before moving to Block.

***

## Alerts

Browser Security violations can trigger alerts through the same alerting pipeline as other Highflame products.

In **Highflame Studio** → **Alerts**, configure alert rules scoped to Browser Security events:

```yaml
trigger_condition:
  product: browser_security
  action: block
  threat_category: prompt_injection
```

Supported destinations:

* **Slack** — post to a channel on violation
* **Webhook** — POST to any endpoint (SIEM, PagerDuty, custom)
* **Splunk HEC** — stream directly to Splunk

See [Alerts](/integrations/alerts.md) for full configuration details.

***

## Session context

When a Browser Security violation is associated with a session that is also tracked by Highflame Shield (via the Agent Gateway or SDK), the violation appears in the shared **Sessions** view in Observatory. This gives you a complete picture of a threat that spans both browser activity and agent/API traffic — for example, an employee attempting a jailbreak in ChatGPT that then propagates to an agent workflow.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.highflame.ai/browser-security/monitoring.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.