Alert types
Unsanctioned agent usage
Fires when an agent marked as disallowed in your agent catalog is detected, whether through an EDR scan, browser extension, or edge proxy traffic. This is enabled by default for disallowed agents. You can optionally enable it for unreviewed agents too, covering agents that haven’t been explicitly approved or denied.
Content patterns
Detects sensitive data flowing through monitored agent sessions. Oso scans prompts and completions for patterns that indicate:
- Secrets: API keys, tokens, credentials, connection strings
- PII: names, email addresses, phone numbers, social security numbers
Notification and investigation
Slack notifications
Alerts are delivered to Slack. Each notification includes:
- What was detected
- Which agent and user were involved
- The detection source (CrowdStrike, Browser Extension, or Edge Proxy)
Investigating an alert
The trigger details page shows:
- What happened: the specific event that triggered the alert
- Why it was flagged: which rule or pattern matched
- Context: the relevant agent, tool, user, and device
- Prior violations: previous alerts from the same trigger
Configuring alerts
Alerts are configured in the Oso UI:
- Navigate to alert settings
- Choose which alert types to enable
- Configure notification channels (Slack)
By default, Oso enables detection for disallowed agents.