
Alert Classification Pipeline

SafeMode uses explicit classification to keep incident triage clear and low-noise.

Goals

  • Distinguish blocking reasons precisely.
  • Avoid labeling ad/tracker events as phishing.
  • Surface secrets and suspicious JS with higher severity.

Pipeline Stages

  1. Ingress
       • HTTPFlow enters request/response hooks.

  2. Request typing
       • Infer the request type (document, script, xhr, media, etc.) from headers and URL hints.

  3. Whitelist gating
       • Skip user-approved domains and selected trusted defaults.

  4. Filter matching
       • Run Rust adblock engine match.
       • Run PhishTank URL/domain checks (domain match configurable).

  5. False-positive guards
       • Known noisy domains can bypass the phishing label while other controls still apply.

  6. Reason assignment
       • Assign one of: ublock, phishtank, secrets_detected, suspicious_patterns.

  7. Event normalization
       • Normalize timestamps, URL/host fields, secret payload structure, and dedupe markers.

  8. UI rendering model
       • Live cards group by deterministic keys.
       • Severity mapping drives visual emphasis and notification behavior.

Classification Rules

Phishing priority

If a phishing hit passes the false-positive guard, the phishtank classification is prioritized.

uBlock path

uBlock matches are classified as ublock, with a category breakdown (ads, trackers, social, etc.).

Secret detection path

When secrets are found in response content, SafeMode may neutralize the JS and classify the event as secrets_detected.

Suspicious JS path

SUSPICIOUS_JS_LEVEL decides whether suspicious bundles are only logged or actively neutralized.

Notification Channel Mapping

The Monitor panel maps classified events to notification channels:

  • phishing
  • secret
  • malware/suspicious
  • ad
  • tracker

Per-channel settings determine whether a notification is emitted.
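
The classification rules and channel mapping above, sketched as an added example (not SafeMode's own code). The `Signals` fields, the two host lists, the order of the non-phishing checks, and the ad/tracker split by uBlock category are assumptions; the page only states that a guarded phishing hit takes priority.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Hypothetical data shape: the page names the reasons and channels,
# not SafeMode's internal structures.
@dataclass
class Signals:
    host: str
    phishtank_hit: bool = False
    ublock_category: Optional[str] = None  # e.g. "ads", "trackers", "social"
    secrets_found: bool = False
    suspicious_js: bool = False

WHITELIST = {"intranet.example"}            # constructed sample values
NOISY_DOMAINS = {"cdn.adnetwork.example"}   # false-positive guard list

def classify(sig: Signals) -> Optional[str]:
    """Return exactly one reason, or None for whitelisted/clean traffic."""
    if sig.host in WHITELIST:
        return None
    # Phishing wins only when the hit passes the false-positive guard.
    if sig.phishtank_hit and sig.host not in NOISY_DOMAINS:
        return "phishtank"
    # Assumed order for the remaining reasons (not specified on the page).
    if sig.secrets_found:
        return "secrets_detected"
    if sig.suspicious_js:
        return "suspicious_patterns"
    if sig.ublock_category:
        return "ublock"
    return None

def channel(reason: str, sig: Signals) -> str:
    """Map a reason to one of the five notification channels."""
    if reason == "ublock":
        # Assumption: "trackers" goes to tracker, other categories to ad.
        return "tracker" if sig.ublock_category == "trackers" else "ad"
    return {"phishtank": "phishing", "secrets_detected": "secret",
            "suspicious_patterns": "malware/suspicious"}[reason]

def notify(sig: Signals, enabled: dict[str, bool]) -> Optional[tuple]:
    """Return (reason, channel, emit?) using per-channel settings."""
    reason = classify(sig)
    if reason is None:
        return None
    ch = channel(reason, sig)
    return reason, ch, enabled.get(ch, False)
```

A PhishTank hit on a host in the guard list falls through to the other checks, so a noisy tracker domain is reported as `ublock` on the tracker channel rather than as phishing.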

Why This Matters

Without strict labels:

  • Teams cannot triage quickly.
  • False urgency increases alert fatigue.
  • Incidents lose audit value.

With strict labels, blocked traffic remains informative and actionable.