Skip to main content

Incidents

The Incidents feature helps you track, respond to, and document security incidents within your organization.

Overview

Incident management provides:

  • Centralized tracking of all security incidents
  • Response coordination with assigned responders
  • Timeline documentation for post-incident analysis
  • Automated detection from platform monitoring signals

Incident Lifecycle

Detected → Triaging → Investigating → Containing → Resolved → Closed

Automatic Detection

Some incidents are created automatically based on:

  • Multiple failed login attempts
  • Unusual API activity patterns
  • Policy violations from governance packs
  • SIEM alerts from external integrations

Incident Severity

SeverityDescriptionResponse Time
CriticalActive breach or data lossImmediate
HighPotential breach or major policy violation1 hour
MediumSecurity anomaly requiring investigation4 hours
LowMinor security event24 hours

Feature Availability

FeatureGrowthEnterprise
Incident TrackingYesYes
Automated DetectionYesYes
Response Playbooks--Yes
Integration with SIEM--Yes

Managing Incidents

Access Incidents through the Security Center:

  1. Navigate to Security in the top bar
  2. Click on the Incidents tab
  3. View active and historical incidents

Creating an Incident Manually

  1. Click Create Incident
  2. Enter a title, severity, description, and category (e.g., unauthorized_access)
  3. Assign responders
  4. Save the incident

Working an Incident

  1. Update status as investigation progresses (triaging, investigating, containing)
  2. Add timeline entries to document findings, actions taken, and communications
  3. Resolve the incident with a resolution summary, root cause, and prevention measures

Resolution Fields

FieldDescription
ResolutionWhat was done to fix the issue
Root CauseWhat caused the incident
Prevention MeasuresSteps taken to prevent recurrence

Next: Learn about SIEM Integration for security event export.