How to review workflow runs

Workflow runs can be found in the Transaction page in SEON, which is central hub for investigating both individual fraud signals and end-to-end identity verification sessions. The page is divided into two tabs:

• Transactions tab: Displays individual API events (logins, payments, registrations) scored by the Fraud API.
• Workflow runs tab: Displays complete verification sessions orchestrated by your workflows by the IDV SDK.

Use the transactions tab when investigating specific fraud signals on individual events via direct API calls. Use the Workflow runs tab when you need to understand the full verification journey a user completed. This flexibility allows investigators multiple views to review suspicious activity.

The workflow runs list displays all identity verification sessions with key information at a glance: user details, status, date, workflow name, run ID and user ID.

Use the filter controls to narrow down results:

• Search: Find sessions by user name, email or workflow run ID.
• Status filter: Focus on specific outcomes (Pending, Approved, Review, Abandoned, Declined, Retry required).
• Workflow filter: View runs from a specific workflow template.
• Date range: Use presets (Today, 7D, 30D, 3M, 12M) or set a custom range.

Clicking on any workflow run opens the workflow run details page. This page is your primary tool for manual reviews, fraud investigations and understanding identity verification decisions.

Top section:

 Shows the user's basic information, the current status, and key identifiers including the Run ID.

Run steps panel: Shows the workflow steps in order, indicating which path the user took and where they are (or stopped). This is the run timeline showing how the user progressed through your workflow.

Main content area 

The scrollable main panel contains collapsible result sections organized by verification type and according to your nodes in order. Sections only appear if that check was part of the workflow. Common sections include:

• Summary: Run metadata and key identifiers
• Phone information: Phone verification and enrichment results
• Email information: Email verification and enrichment results
• IP information: Geolocation and proxy/VPN detection
• AML information: Sanctions, PEP and adverse media screening
• Document verification: ID document analysis and extracted data
• Selfie verification: Liveness and face match results
• Proof of address: Address document validation

For detailed information about each widget's fields and how to interpret them, see the Transaction Details documentation.

Run steps panel

A visual timeline showing the user's path through the workflow:

• Each node the user passed through is listed in order
• Timestamps show when each step completed

This panel quickly answers "where did verification fail?" or "where did the user drop off?"

Using the activity tab

The Activity tab shows all previous transactions from this user — not just the current workflow run. This context is essential for manual reviews.

Transactions are displayed in a table showing: fraud score, action type, workflow (if applicable), decision state, amount, device hash and country.

Events belonging to the current workflow run are marked with a "CURRENT RUN" badge, making it easy to distinguish the session under review from historical context.

What to look for:

• Is this a first-time user or do they have an established history?
• Have they attempted verification before? What happened?
• Are there patterns of suspicious behavior across runs?
• Have there been sudden changes in device or location?

Network Tab

Shows connections between this user and others based on shared data points (same device, IP, email domain, etc.). Use this to:

• Identify potential fraud rings
• Spot multi-accounting
• Understand relationships between flagged users

Raw Data Tab

Shows the complete technical response in JSON format. Useful for:

• Debugging integration issues
• Sharing details with your development team
• Answering specific technical questions

Analyst Log Tab

Shows all actions taken on this workflow run and lets you add notes. Always add a note when you:

• Investigate a Review case
• Override an automated decision
• Find something noteworthy for future reference

Taking action on workflow runs

From the workflow run details page, you can:

• Change status: Manually approve or decline a Review case using the status dropdown
• Add notes: Document your investigation findings in the Analyst log
• Add to lists: Place the user or their data points on allow/block lists

All manual actions are logged for audit purposes.

What gets logged?

Workflow-related actions are recorded in SEON's audit logs to support compliance and security requirements. The following actions are logged:

• Status change: When someone manually changes a workflow run's status (e.g., approving or declining a Review case)
• Run viewed: When someone opens a workflow run details page

These logs capture who performed the action, when it happened, and relevant details about the workflow run.

Viewing audit logs

To access audit logs, go to Transactions / Workflow runs / Select a workflow run to view / Select the tab Analyst log. You can filter by date range, user, and action type to find specific activity.

For complete information about SEON's logging capabilities, including how to export logs and retention policies, see the Logs documentation.

Every workflow session will end in one of five terminal or transitional states. Understanding these statuses is key to monitoring performance and diagnosing issues.

Changing a workflow run's status / Manual status overrides

An authorized users can manually change a workflow run's status from the details page for any of the following example scenarios:

• Override an automated Decline if the investigation reveals a false positive
• Move a Review to Approved or Declined after investigation
• Reopen an Approved run if new fraud evidence emerges

To change the status:

1. Open the workflow run details
2. Click the status dropdown in the top section
3. Select Approve or Decline
4. Enter a reason explaining your decision
5. Click Confirm

Your action is recorded in the Analyst Log with your name, the timestamp, and your reason.

When to approve

Approve when your investigation confirms the user is legitimate, even if automated checks flagged concerns. Common scenarios:

• Face match score was low but images clearly show the same person
• VPN was detected but user is a known customer with travel history
• AML hit is a false positive (common name, different person)

When to decline

Decline when your investigation reveals fraud or policy violations. Common scenarios:

• Document is clearly fake or tampered
• Selfie is obviously a different person than the ID photo
• User is on a sanctions list (confirmed, not just potential match)
• Multiple failed attempts suggesting fraud learning

When to leave as Review

Sometimes you need more information. You can:

• Add a note describing what's needed
• Reach out to the user through your normal support channels
• Escalate to compliance or management
• Wait for additional verification attempts

All manual status changes are logged in the Analyst Log for audit purposes.

Best practices for investigations

Before making a decision:

• Review all widgets, not just the one that failed
• Check the Activity tab for user history
• Look at the actual images, not just the automated results
• Consider the context (user tier, transaction value, risk tolerance)

Document your reasoning:

• Always add a note explaining non-obvious decisions
• Be specific enough that another analyst could understand your logic
• Note any external verification you performed

Maintain consistency:

• Follow your team's documented procedures
• When in doubt, escalate rather than guess
• Discuss edge cases with your team to establish precedents