In security operations, which statement best describes alerting?

Enhance your cyber defense skills with the Security Blue Team Level 1 Test. Prepare with flashcards, multiple choice questions, and detailed explanations to ace your exam!

Multiple Choice

In security operations, which statement best describes alerting?

Explanation:
Alerting in security operations is the process of notifying defenders when a detection criterion is met. It turns detected signals into timely alerts that prompt investigation or response, helping defenders act quickly. This is different from collecting logs, which gathers data for analysis but does not by itself generate an alert. It’s also different from blocking access, which is a defensive action taken to prevent or stop an incident after an alert has been raised, and from documenting incident response steps, which records what was done after an incident rather than signaling its occurrence. In practice, alerts are triggered by detection rules or thresholds and are delivered through channels like SIEM dashboards, email, or SOAR integrations. They include essential context such as time, source, affected asset, and severity.

