What is Proactive Context?
Context items teach Qevlar how to interpret recurring patterns in your environment. Until now, creating them was entirely manual: an analyst would notice a pattern, decide it was worth saving, and go through the creation flow themselves.
Proactive Context changes this: Qevlar analyses patterns across your team's investigations and automatically identifies context candidates that could improve detection accuracy. These candidates are surfaced to admin users for review, so you stay in control and Qevlar does the legwork.
This feature is available to admin users only. Analysts do not see Proactive Context suggestions.
Where do I find these suggestions?
There are two places:
1/ Inside an investigation. When Qevlar has detected candidates pending your review, a button appears on the right edge of your investigation report. It shows the number of pending candidates (e.g. "New context item · 3"). Clicking it opens a panel where you can review, approve, edit, or dismiss each candidate without leaving the investigation.
This button is only visible to admin users.
2/ In the Organizational Context tab. Navigate to Organizational Context in the left sidebar and open the Qevlar AI context sub-tab. This is your full review queue: all candidates Qevlar has ever surfaced, with their current status.
How do I review a candidate?
When you open the panel from inside an investigation, each candidate is displayed as a card showing:
- The suggested context item (what Qevlar identified)
- The pre-filled observable, verdict, and explanation
- Three actions: Approve, Edit, Dismiss
Approve: If the candidate looks correct as-is, click Approve. The item is saved to your context library and goes through the standard admin validation flow before becoming active.
Edit: If you want to adjust anything before approving (the observable, the explanation, the verdict, or the expiry date), click Edit. A pre-filled form opens within the same panel. Fields populated by Qevlar are marked as pre-filled so you know what was inferred automatically. Make your changes and click Update & approve to save.
Dismiss: If the candidate is not relevant for your environment, click Dismiss. The item is removed from your queue.
What do the status labels mean?
| Status | Meaning |
|---|---|
| Suggested | Qevlar has detected this candidate and it is waiting for your review |
| Active | The candidate was approved and is currently in use during investigations |
| Dismissed | The candidate was dismissed and is no longer surfaced |
Who can see and approve context candidates?
Only admin users can see Proactive Context suggestions, both inside investigations and in the Qevlar AI context tab. Analysts do not see the floating button on investigation reports and do not have access to the candidate review queue.
Once approved, active context items inform all investigations for your workspace regardless of who is running them.
Will Qevlar keep suggesting the same item if I dismiss it?
No. Dismissed items remain visible in the Qevlar AI context tab with a Dismissed status but are not re-surfaced automatically.
How is this different from creating a context item manually?
Manually created context items live in the Team context sub-tab and are always initiated by a user. Qevlar AI context items are initiated by the AI and live in the Qevlar AI context sub-tab. The two are kept separate so you always know the origin of an item.
The approval process is the same for both: all items go through admin validation before becoming active.
Do I get notified about pending candidates?
Yes. If your workspace has pending Qevlar AI context candidates, you receive a weekly email listing them. The email shows each pending item and links directly to the review queue. You can also see the count badge on the Organizational Context tab in the sidebar at any time.
Tips for reviewing candidates effectively
- Check the explanation first. The pre-filled explanation tells you why Qevlar flagged the item. If the reasoning makes sense for your environment, approving without edits is usually the right call.
- Edit the observable if it is too broad. Qevlar may detect a pattern at a general level. If you want to limit it to a specific user, host, or scope, use the Edit flow to narrow it before approving.
- Use the expiry date for time-sensitive patterns. If a candidate is relevant only for a limited period (during an incident response, for example), set an expiry date so it deactivates automatically.
- Dismiss confidently. Dismissing a candidate does not affect Qevlar's ability to detect other patterns. If something is not relevant, dismiss it to keep your queue clean.