Background Investigations
The assistant can run investigations autonomously in the background and notify you of findings.
Background investigations let the assistant proactively monitor your systems without requiring your direct interaction. When enabled, the assistant periodically inspects logs, checks for anomalies, and creates alerts when it finds issues worth your attention.
How background investigations work
Background investigations run as scheduled heartbeats. Every 30 minutes, the system initiates an investigation for each project that has the feature enabled. The assistant:
- Loads context from recent alerts and known issues
- Inspects logs, traces, and infrastructure data
- Correlates signals to identify potential problems
- Creates alerts when it finds evidence of real impact
- Records a completion summary even when no issues are found
Background investigations run in hidden threads that do not appear in your sidebar. You only see the results when the assistant creates an alert.
Enabling background investigations
Background investigations are enabled per project.
- Navigate to project settings: Go to Settings in your project, then select General from the sidebar.
- Enable background investigations: Toggle on Background investigations to enable scheduled monitoring for this project.
- Configure alert delivery: Ensure your alert notification settings are configured so you receive alerts when the assistant finds issues. See Alert notifications below.
Investigation triggers
Background investigations are triggered by:
| Trigger | Description |
|---|---|
| Scheduled heartbeat | Runs every 30 minutes for projects with background investigations enabled |
| Alert lifecycle events | Re-evaluates when related alerts are opened, updated, or resolved |
The assistant uses the same tools available in interactive conversations: log queries, code execution, web searches, and subagent delegation. The key difference is that background investigations operate autonomously and only surface results when they warrant attention.
Alert creation policy
Background investigations create alerts only when they find corroborated evidence of impact. This prevents alert fatigue from false positives.
Alerts are created when:
- User-facing degradation is detected (checkout failures, login errors, payment issues)
- Health checks are failing (readiness probes, liveness checks)
- At least two independent signals indicate a problem (e.g., elevated 5xx errors combined with increased latency)
Alerts are suppressed when:
- The only evidence is silence or missing telemetry without impact signals
- The issue matches expected states (decommissioned services, intentional deletions)
- An open alert already covers the same root cause
The assistant uses root-cause deduplication to avoid creating duplicate alerts for the same underlying issue. It searches open alerts and suppresses new alerts when an existing one already represents the problem.
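The alert creation policy above, sketched as a decision function. This is an added illustration, not the product's implementation. The signal labels, the `Finding` shape, treating "independent" as distinct signal kinds, and checking suppression rules before creation rules are all assumptions of this example.

```python
from dataclasses import dataclass

# Labels below are this example's own names for the signal types in the policy.
DIRECT_IMPACT = {"user_facing_degradation", "health_check_failing"}
SILENCE = {"missing_telemetry"}

@dataclass
class Finding:
    root_cause: str               # normalized key used for deduplication
    signals: list                 # signal kinds observed, e.g. ["5xx_rate", "latency"]
    expected_state: bool = False  # decommissioned service, intentional deletion

def decide(finding, open_root_causes):
    """Return (create_alert, reason) for one finding."""
    # Suppression rules run first (assumed precedence).
    if finding.root_cause in open_root_causes:
        return False, "open_alert_covers_root_cause"
    if finding.expected_state:
        return False, "expected_state"
    evidence = {s for s in finding.signals if s not in SILENCE}
    if not evidence:
        return False, "silence_only"
    if evidence & DIRECT_IMPACT:
        return True, "direct_impact"
    # Repeated readings of one kind collapse in the set, so they do not corroborate.
    if len(evidence) >= 2:
        return True, "corroborated"
    return False, "single_uncorroborated_signal"

def run_heartbeat(findings, open_root_causes):
    """Apply the policy to one run's findings, deduplicating within the run too."""
    open_now = set(open_root_causes)
    results = []
    for f in findings:
        create, reason = decide(f, open_now)
        if create:
            open_now.add(f.root_cause)
        results.append((f.root_cause, create, reason))
    return results

# Constructed sample findings, not real telemetry.
SAMPLE = [
    Finding("db-pool-exhausted", ["5xx_rate", "latency"]),
    Finding("db-pool-exhausted", ["5xx_rate", "health_check_failing"]),
    Finding("cache-evictions", ["latency", "latency"]),
    Finding("legacy-api-quiet", ["missing_telemetry"]),
    Finding("old-worker-gone", ["health_check_failing"], expected_state=True),
    Finding("checkout-errors", ["user_facing_degradation"]),
]
```

Calling `run_heartbeat(SAMPLE, {"tls-cert-expiry"})` creates alerts for the first and last findings only; the second is suppressed because the first already opened an alert for the same root cause.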
Alert notifications
When a background investigation creates an alert, notifications are delivered through your configured channels.
Slack notifications
If your organization has Slack connected, alerts from background investigations are posted to your configured alerts channel. The message includes:
- Alert name and severity
- What happened
- Why it happened (root cause)
- How to fix it
- A link to the investigation thread
Disabling alert notifications
You can disable alert notifications at two levels:
Per project: Go to Settings > Notifications and toggle off alerts for the specific project. Background investigations continue running, but no alerts are created.
Per account: Go to your account settings and disable personal alert notifications. You will not receive alerts, but other team members still can.
Reviewing investigation results
Background investigation threads are hidden by default to keep your sidebar clean. However, when an investigation creates an alert, you can access the full investigation:
- Click the alert in Slack or the alerts list
- The alert links to the thread where it was created
- Expand tool calls to see the full investigation trajectory
This gives you complete visibility into what the assistant found and how it reached its conclusions.
Resource usage
Background investigations consume resources like any other assistant conversation. Each investigation is subject to the following limits:
| Resource | Limit |
|---|---|
| Execution time | Capped to prevent runaway investigations |
| Tool calls | Limited per investigation run |
| Subagent depth | Maximum 2 levels of nested subagent delegation |
These limits ensure background investigations do not consume excessive resources while still allowing thorough analysis.
Policies and controls
Disabling background investigations
To stop background investigations for a project:
- Go to Settings > General in the project
- Toggle off Background investigations
The change takes effect immediately. No new heartbeat runs will be scheduled for that project.
Alert suppression
If background investigations are generating alerts you do not want, you have several options:
- Disable alerts for the project: Investigations continue but do not create alerts. Useful for development or staging projects.
- Disable background investigations entirely: Stops all automated monitoring for the project.
- Resolve recurring false positives: The assistant learns from resolved alerts and uses deduplication to avoid repeating similar alerts.
Best practices
Start with one project: Enable background investigations on your most critical production project first. This helps you calibrate expectations before rolling out more broadly.
Configure Slack: Background investigations are most valuable when alerts reach you quickly. Connect Slack and configure an alerts channel.
Review early alerts: When you first enable background investigations, review the initial alerts carefully. Resolve false positives promptly so the deduplication system learns your preferences.
Check the investigation threads: When you receive an alert, take a moment to expand the investigation thread. Understanding what the assistant checked helps you trust the findings and identify gaps in coverage.
Troubleshooting
No alerts are being created
Check that:
- Background investigations are enabled for the project
- Alert notifications are not disabled at the project or account level
- Your data sources are connected and sending recent data
- The assistant has something to find (quiet systems produce no alerts)
Too many alerts
If you are receiving more alerts than expected:
- Resolve false positives so the deduplication system learns
- Check if multiple similar issues are occurring (each unique root cause generates a separate alert)
- Consider disabling alerts for non-production projects
Cannot find the investigation thread
Background investigations create hidden threads. When an alert is created, the alert includes a link to its thread. If you need to find past investigations:
- Check the alert in your alerts list
- The thread is accessible through the alert detail view