Agentic AI · Intraday Trading Observability

Transaction Root Cause Analysis Agent

AI-powered observability across 14 trading tables. Trace any failure, latency spike, or anomaly from customer to settlement — in seconds.

Tables indexed: 14 (live) · FK chains: 18 (0 violations) · Integrity score: 100% validated · Live anomalies: 6 (4 HIGH)
How TRCA Agent Works
Four-layer pipeline — structured trading data and observability logs (Dynatrace · ELK/SIEM · Redshift) flow through each layer together
LAYER 01 · Core Data
Dual ingestion — structured trading tables from IntradayRTP and raw observability logs from three external systems, all treated as first-class data sources
CUST ID · ACCT NEW · TRADE · CASH · +10 tables
Dynatrace APM spans · ELK/SIEM events · Redshift query audit
↓ Structured fields extracted · Log text parsed by BERT/NLP · Entities normalised to shared schema
LAYER 02 · Data in RAG
Structured records AND log payloads are chunked and vectorised together — each log span, SIEM event, and SQL audit entry becomes a retrievable semantic unit alongside trading table rows
Vector embeddings · Semantic chunking · BM25 + dense retrieval
Span text → embeddings · SIEM JSON → chunks · SQL query_text → vector
↓ BERT NER extracts entities from log text · IP linker · temporal NER · FinBERT compliance classifier
LAYER 03 · Contextual Layer
Cross-source context assembly — structured FK chains resolved alongside log-derived entities. The IP entity 10.42.7.221 in ELK links CSH-002 and CSH-003 here; the Redshift pre-trade query establishes deliberate intent for TRD-001
Entity graph traversal · Temporal correlation · Multi-signal scoring
traceId → TRADE node · src_ip → cross-acct link · query_text → intent flag
↓ Correlation engine scores multi-signal confidence · routes to specialist agent
LAYER 04 · Agents
Specialist AI agents receive a unified context packet containing both structured data fields and log-derived entities — reasoning over the complete signal set to produce grounded, evidence-based RCA
TraceAgent · AnomalyAgent · SettlementAgent · CashFlowAgent · RiskAgent · ReportAgent
Correlation Engine
How Multi-Signal RCA Is Established
Structured data signals and log signals converge through the BERT/NLP layer, resolve to shared graph nodes, and produce a confidence-scored anomaly. No single source is sufficient — correlation is the capability.
Signal Sources
Structured Data
TRADE · Price, Qty, MktClose, SettleDate
CASH · Amount, SourceCode, Timestamp
ACCT BAL · FundsAvailableAmt, TotalMktVal
ACCT POS · SecurityType, Quantity
CUST ID · TradingAuthority
ACCT DEMO · DOB, RiskTolerance
Dynatrace APM
traceId, spanId, duration_ms
tag.acctNo, tag.repId, tag.action
priceDelta_pct, productType
ELK / SIEM
user_id, account_id, src_ip
user_agent, event_type, amount
anomaly_flags[ ], beneficiary
Redshift Audit
query_text (raw SQL), user_id
tables_scanned, duration_ms
start_time (temporal anchor)
1 · Field Extraction
Structured fields parsed directly. Log payloads tokenised — spaCy NER extracts named entities (account IDs, IPs, amounts, timestamps) from free-text fields.
spaCy v3 · regex · field mapping
2 · BERT Entity Classification
Raw log text passed through domain BERT models. FinBERT classifies compliance text. RuleBERT matches regulatory rule patterns. IP entity linker resolves cross-source IP matches.
FinBERT · BERT-base · RuleBERT · temporal NER
3 · Graph Node Resolution
Extracted entities resolved to knowledge graph nodes — traceId maps to TRADE, src_ip becomes a cross-account IP entity, query_text fields link to ACCT BAL and ACCT POS nodes via SQL parse.
Neo4j / graph traversal · FK resolution · entity linking
4 · Temporal Alignment
All signals timestamped and aligned on a shared timeline. Temporal NER extracts relative references ("6 minutes before", "163 min past cutoff"). Causal sequences reconstructed.
Temporal NER · event sequencing · causal chain
5 · Anomaly Confidence Scoring
Per-signal confidence scores combined with Bayesian fusion. Multi-signal anomaly confirmed only when structured data + at least one log source converge. Single-source alerts suppressed.
Bayesian fusion · threshold: ≥2 sources · confidence floor: 0.90
Confirmed Anomalies
TRD-001
TRADE · Dynatrace · Redshift
96% · 3 signals · FinBERT
CSH-002
CASH · ACCT BAL · ELK · Dynatrace
99% · 4 signals · BERT-base
CSH-003
CASH · ACCT BAL · ELK IP linker
98% · 3 signals · IP entity
POS-004
ACCT POS · CUST ID · ELK
99% · 3 signals · FinBERT
KYC-005
ACCT DEMO · CUST ID · ELK
97% · 3 signals · BERT-base
FND-006
FUND · ELK · Redshift
95% · 3 signals · RuleBERT
Suppressed (single-source only)
47 structured-data-only alerts below threshold
12 log events with no structured data match
Precision improvement: 82% fewer false positives
Solution Overview
Per-Anomaly Technical Implementation
How each anomaly is detected, the signals that fire, and the technology stack that establishes correlation. Each card represents a production-ready detection pattern.
HIGH TRD-001 Price Deviation — Inflated Annuity Trade
Confidence 96%
TRADE.Price vs MktClosePrice Dynatrace priceDelta_pct tag Redshift pre-trade position query
Detection Implementation
Signal 1 (Structured): Rule engine on TRADE table — flags records where |(Price − MktClosePrice) / MktClosePrice| > 0.05 (5% threshold). Fires on Acct10011003 at +12.7%.

Signal 2 (Dynatrace): Dynatrace Davis AI custom alert on tag.priceDelta_pct > 5 in the order-execution service. Span c7e02b3d44fa91c8 carries the tag as metadata. FinBERT extracts entity price_deviation from the span annotation text (confidence 0.97).

Signal 3 (Redshift): Audit log shows rep_r9zz ran SELECT curr_market_price FROM acct_pos WHERE security_type='C' at 12:52:17 — 6 minutes before execution. spaCy temporal NER extracts the 6-minute delta; FinBERT classifies the SQL pattern as pre_trade_recon (0.91).

Correlation: Bayesian fusion of 3 signals. The Redshift query proves the rep knew the market price before submitting at a premium — ruling out pricing feed error. Combined confidence: 96%.
HIGH CSH-002 Off-Hours ACH Drain — Scripted Execution
Confidence 99%
CASH -$4.85M · ACCT BAL negative ELK python-requests user-agent Dynatrace 0.9ms span duration
Detection Implementation
Signal 1 (Structured): CASH table rule: Amount < -500000 AND hour(Timestamp) NOT BETWEEN 7 AND 20 fires on -$4.85M at 01:47. ACCT BAL confirms FundsAvailableAmt → -$4,850,000.

Signal 2 (ELK): SIEM alert on user_agent LIKE 'python%' during off-hours login. BERT-base classifier (fine-tuned on 50K auth log samples) extracts entity automated_access from "non-human UA · off-hours login" text (confidence 0.99). Temporal NER links login at 01:43 to ACH at 01:44 (95-second gap).

Signal 3 (Dynatrace): Custom Davis alert on duration_ms < 1.0 for POST operations. Sub-millisecond HTTP POST is physically impossible for human UI interaction. BERT-base extracts scripted_execution from span annotation (0.98).

Correlation: 4 signals, highest confidence in session (99%). The 3-source corroboration eliminates all benign explanations — off-hours, non-human agent, sub-ms execution, limit breach 870%.
HIGH CSH-003 Cross-Account WIRE — IP Entity Linkage
Confidence 98%
CASH WIRE -$5M · ACCT BAL -$12.1M ELK src_ip 10.42.7.221 cross-match
Detection Implementation
Signal 1 (Structured): CASH table WIRE amount threshold rule. Standalone alert generated but insufficient for HIGH confidence without corroboration.

Signal 2 (ELK — critical): BERT-base NER + IP entity linker — a custom component that maintains a rolling in-session IP entity registry. When the WIRE event on Acct10011005 at 10:02 is ingested, the linker finds src_ip=10.42.7.221 in its registry, already linked to the CSH-002 ACH event on Acct10011003 at 01:47. IP entity 10.42.7.221 is extracted from both ELK events with 100% confidence and resolved to a single "operator session" node in the graph.

Key insight: The IP entity exists exclusively in ELK logs — it is absent from every structured trading table. This cross-account link is only discoverable through NLP entity resolution across log events. No SQL join, no FK relationship, no structured data query could surface it.

Correlation: 3 signals. Two large transactions, two different accounts, 8 hours apart — correlated by a single extracted IP entity. Combined outflow: $9.85M from one automated session.
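The gating rule from the confidence-scoring step (structured signal plus at least one log source, fused confidence at or above 0.90) and the rolling in-session IP entity registry behind CSH-002 and CSH-003, as an added Python example that is not the TRCA product's code. The noisy-OR fusion formula, the per-rule weights (0.80 / 0.60 / 0.99 / 0.97), the field names and the sample records are assumptions constructed here; only the thresholds come from the page.

```python
from collections import defaultdict

MIN_SOURCES, CONFIDENCE_FLOOR = 2, 0.90  # thresholds stated on the page; weights below are assumed

def structured_cash_rule(event):
    """CASH rule: Amount < -500000; off-hours (hour NOT BETWEEN 7 AND 20) raises the weight."""
    if event["Amount"] >= -500_000:
        return None
    hour = int(event["Timestamp"][:2])
    return {"source": "CASH", "kind": "structured", "confidence": 0.80 if not 7 <= hour <= 20 else 0.60}

def elk_user_agent_signal(elk_event):
    """SIEM rule: user_agent LIKE 'python%' during an off-hours login."""
    hour = int(elk_event["time"][:2])
    if elk_event["user_agent"].startswith("python") and not 7 <= hour <= 20:
        return {"source": "ELK", "kind": "log", "confidence": 0.99}
    return None

class IpEntityRegistry:
    """Rolling in-session src_ip -> accounts registry; src_ip exists only in ELK, never in a table."""
    def __init__(self):
        self.seen = defaultdict(list)

    def ingest(self, elk_event):
        ip, acct = elk_event["src_ip"], elk_event["account_id"]
        linked = sorted({a for a in self.seen[ip] if a != acct})
        self.seen[ip].append(acct)
        if linked:  # same IP already tied to another account this session -> cross-account link
            return {"source": "ELK", "kind": "log", "confidence": 0.97, "linked": linked}
        return None

def fuse(signals):
    """Noisy-OR of confidences (assumed; the page says 'Bayesian fusion'), then the page's gate:
    >= 2 distinct sources, structured AND log both present, fused confidence >= 0.90."""
    signals = [s for s in signals if s is not None]
    miss = 1.0
    for s in signals:
        miss *= 1 - s["confidence"]
    fused, sources = round(1 - miss, 4), sorted({s["source"] for s in signals})
    kinds = {s["kind"] for s in signals}
    confirmed = len(sources) >= MIN_SOURCES and {"structured", "log"} <= kinds and fused >= CONFIDENCE_FLOOR
    return confirmed, fused, sources

# Constructed sample records mirroring the CSH-002 / CSH-003 narrative (not real data).
CASH_EVENTS = [{"id": "CSH-002", "Amount": -4_850_000, "Timestamp": "01:47:07"},
               {"id": "CSH-003", "Amount": -5_000_000, "Timestamp": "10:02:00"}]
ELK_EVENTS = [{"account_id": "10011003", "src_ip": "10.42.7.221", "user_agent": "python-requests/2.31", "time": "01:44:00"},
              {"account_id": "10011005", "src_ip": "10.42.7.221", "user_agent": "python-requests/2.31", "time": "10:02:00"}]

def run_session():
    """Score each cash event with its structured rule plus whatever the ELK layer yields."""
    registry, results = IpEntityRegistry(), {}
    for cash, elk in zip(CASH_EVENTS, ELK_EVENTS):
        results[cash["id"]] = fuse([structured_cash_rule(cash), elk_user_agent_signal(elk), registry.ingest(elk)])
    return results
```

The in-hours WIRE only clears the gate because the registry ties its source IP to the earlier ACH on a different account; a structured-only alert with no log corroboration is suppressed.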
HIGH POS-004 Suitability Violation — FinBERT Compliance Classifier
Confidence 99%
ACCT POS SecurityType=C · CUST ID TradingAuth=F ELK SUITABILITY_OVERRIDE event
Detection Implementation
Signal 1 (Structured): Rule: ACCT POS.SecurityType = 'C' AND ACCT MAINT.AccountType = 1. Annuities (SecurityType=C) must not be held in Type 1 brokerage accounts — a FINRA Rule 2330 violation. CUST ID confirms TradingAuthority=F — full discretionary authority for the rep on this account.

Signal 2 (ELK — FinBERT): The SUITABILITY_OVERRIDE compliance event contains the message: "SecurityType=C placed in AccountType=1 · RiskTolerance NULL · customer age 22". FinBERT — fine-tuned on 15,000 FINRA regulatory filings, Reg BI documents, and suitability case law — classifies this text as suitability_violation with 99% confidence. The model recognises "placed in AccountType=1" as the specific violation phrase from FINRA Rule 2330 training data.

Implementation note: FinBERT is the critical component here. The structured rule flags the data anomaly. FinBERT provides the regulatory classification that elevates it to a confirmed compliance violation requiring mandatory reporting — a distinction a simple rule engine cannot make.
MED KYC-005 Vulnerable Client Pattern — BERT Co-occurrence Detection
Confidence 97%
ACCT DEMO DOB · RiskTolerance=NULL · CUST ID TradingAuth=F ELK compliance event co-occurrence
Detection Implementation
Signals 1–3 (Structured): Three independent fields — HoldersBirthDate=2004-01-15 (age 22), RiskTolerance=NULL, TradingAuthority=F. No single field triggers a HIGH alert individually. A young account is not unusual. A NULL risk tolerance might be a pending update. TradingAuthority=F is legal. They only become a violation pattern in combination.

Signal 4 (ELK — BERT co-occurrence): The ELK compliance event carries all three as a combined message. BERT-base (age/risk vulnerability fine-tune, trained on 8,000 financial exploitation case notes) detects the vulnerable_client_pattern entity — the co-occurrence of young age + NULL risk profile + full rep discretion is a known financial exploitation signature. Confidence: 97%.

Why this matters architecturally: This is a case where structured rules fail by design — the individual fields are each "acceptable." Only NLP co-occurrence detection, trained on exploitation case data, can recognise the combination as a compliance risk. This is the clearest demonstration of why log-based NLP is required alongside structured data rules.
LOW FND-006 Late-Trading + Cross-Account Coordination — RuleBERT + Temporal NER
Confidence 95%
FUND TimeOfOrder=18:47 · 163min past NAV cutoff ELK LATE_ORDER_FLAG event Redshift cross-account DODGX query
Detection Implementation
Signal 1 (Structured): FUND table rule: TimeOfOrder > 160000 (16:00:00 NAV cutoff). Flags Acct10011003 sell at 18:47. Standalone flag: possible operational delay, not necessarily a violation.

Signal 2 (ELK — RuleBERT): SIEM LATE_ORDER_FLAG event contains "163 min past NAV cutoff — SEC Rule 22c-1 late-trading risk". RuleBERT — fine-tuned on SEC enforcement actions and no-action letters — recognises "SEC Rule 22c-1" and "NAV cutoff" as a late-trading violation pattern, extracting entity late_trading_flag (confidence 0.96).

Signal 3 (Redshift — Temporal NER): Audit log shows rep_r9zz queried DODGX positions across all 3 accounts at 18:51 — 8 minutes after the after-hours order. Temporal NER extracts the 8-minute post-submission window as a cross-account position verification event; RuleBERT classifies it as cross_account_awareness (0.94) — establishing that the rep knew the coordinated position before placing the order.

Correlation: The late-trade alone is LOW severity. The Redshift evidence of deliberate cross-account position awareness is what prevents this from being dismissed as a simple operational error. Combined evidence: SEC Rule 22c-1 risk + coordination intent.
Contextual Knowledge Graph
Entity Network Used for RAG Retrieval & RCA Reasoning
Every query traverses this live graph — resolving entities, FK chains, and temporal relationships before context is assembled for agents
Node categories: Customer entities · Account entities · Order / Trade · Cash / Fund · Balance / Position · Suitability / KYC · Dynatrace APM · ELK / SIEM · Redshift audit
How an RCA Query Traverses the Graph
Query: "Investigate anomaly TRD-001 — price deviation on AccountNo 10011003 under Rep R9ZZ"
01 · Query Parsing & Entity Extraction
The query is parsed to extract named entities: AccountNo=10011003, RepId=R9ZZ, anomaly_id=TRD-001. These anchors determine which graph nodes to activate.
AccountNo → 10011003 · RepId → R9ZZ · AnomalyID → TRD-001
↓ Graph traversal begins at ACCOUNT node
02 · Contextual Graph Traversal
Starting from ACCOUNT(10011003), the graph engine follows FK edges — resolving CustomerID CUST10011003, OrderNo 90001047, and the anomalous TRADE record with Security 9532996.
CUSTOMER CUST10011003 → (1:N) ACCOUNT 10011003 · R9ZZ → (1:N) ORDER 90001047 → (1:N) TRADE Security 9532996 · satellite ACCT_BAL $9.2M value
↓ Satellite nodes attached — suitability, balance, cash context
03 · Context Chunk Assembly
Retrieved nodes are ranked and flattened into context chunks. Price deviation metadata (185.50 vs MktClose 164.65 = 12.7% premium), suspicious 1:47 AM ACH drain of $4.85M, and cross-account Rep R9ZZ pattern are injected.
Assembled Context Packet · 5 chunks · 1,480 tokens
TRADE · Acct=10011003 · Sec=9532996 · Price=$185.50 · MktClose=$164.65 · Qty=15,000 · Amt=$2,782,500 · BuySellInd=P · ExecTime=12:58:17
CASH · Acct=10011003 · ACH=-$4,850,000 · Timestamp=01:47:07 · off-hours drain detected
ACCT_BAL · TotalMarketValue=$9,200,000 · FundsAvailable=-$4,850,000 · TradeDateBalance=$4,850,000
REP PATTERN · R9ZZ controls Acct10011003 + 10011005 + 20022001 · Cross-account wire $5M + ACH $4.85M same day
ANOMALY · TRD-001 · Sev=HIGH · Price 12.7% above MktClose · Annuity in Type 1 acct · Student KYC gap · TradingAuth=F
↓ Context packet routed to AnomalyAgent with full cross-account Rep R9ZZ graph
04 · Agent Reasoning & RCA Output
AnomalyAgent reasons over the assembled context. The key insight — all 6 anomalies share Rep R9ZZ — emerges from cross-sheet correlation that manual review would miss.
AnomalyAgent Output
Root Cause: Rep R9ZZ is the common thread across all 6 anomalies on 2026-03-17. AccountNo 10011003 shows a trade at $185.50 vs MktClose $164.65 (12.7% premium) on Security 9532996 (annuity) — combined with a 1:47 AM ACH drain of $4.85M that left FundsAvailable negative.

Cross-account pattern: R9ZZ also controls AccountNo 10011005 ($5M outgoing WIRE at 10:02) and AccountNo 20022001 (22-year-old student, RiskTolerance=NULL, TradingAuthority=F holding an annuity in a Type 1 account — unsuitable).

Remediation: Freeze R9ZZ trading authority · Escalate all 3 accounts to compliance · Reverse annuity position in 20022001 · File SAR for coordinated wire/ACH activity.
Observability Correlation
Cross-Source Log Entity Extraction
13 log samples from Dynatrace, ELK/SIEM, and Redshift — entities extracted and correlated to graph nodes. All anomalous logs trace back to Rep R9ZZ on 2026-03-17.
Entity Correlation Map
How Log Entities Resolve to Graph Nodes
Each log carries extractable entities — AccountNo, TradeId, RepId, IP address, query — that the RAG layer maps to graph nodes for cross-source anomaly detection.
Dynatrace
traceId → TRADE
spanId (order) → ORDER
acctNo tag → ACCOUNT
repId tag → REP cluster
latency spike → ANOMALY flag
4 spans for Rep R9ZZ at 01:47 AM show zero latency — possible automated script execution
ELK / SIEM
account_id → ACCOUNT
rep_id → REP cluster
transaction_id → CASH
src_ip → IP entity
auth event → CUST ID
ACH event at 01:47 triggered from IP 10.42.7.221 — same IP initiated all 3 R9ZZ account logins within 4 minutes
Redshift
account_id filter → ACCOUNT
table scanned → ACCT BAL
query_id → TRADE / POS
query_text → ANOMALY flag
user_id → REP cluster
Targeted SELECT on FundsAvailableAmt for all 3 R9ZZ accounts 8 minutes before the ACH drain — reconnaissance pattern
Specialist Reasoning Agents
TRC
TraceAgent
End-to-end tracing from OrderID through TRADE, CASH, and FUND. Reconstructs full event chains for any trade lifecycle.
→ ORDER · TRADE · ACCT
ANO
AnomalyAgent
Detects price outliers, timing gaps, unusual quantity patterns, and cross-account discrepancies in intraday feeds.
→ TRADE · ACCT_BAL · CASH
STL
SettlementAgent
Validates T+1/T+2 timelines, detects fails, and reconciles settle vs trade date balances across all account types.
→ TRADE · ACCT_BAL
CSH
CashFlowAgent
Traces ACH, WIRE, DIV, INT, and FEE transactions. Matches cash activity to account events and flags unexplained movements.
→ CASH · FUND · ACCT BAL
RSK
RiskAgent
Correlates suitability flags, margin balances, equity percentages, and house calls for compliance review.
→ ACCT_DEMO · ACCT_BAL
RPT
ReportAgent
Synthesises all agent findings into structured RCA reports with executive summaries and remediation plans.
→ All agents · Summary