Incidents
The Incidents feature helps you track, respond to, and document security incidents within your organization.
Overview
Incident management provides:
- Centralized tracking of all security incidents
- Response coordination with assigned responders
- Timeline documentation for post-incident analysis
- Automated detection from platform monitoring signals
Incident Lifecycle
Detected → Triaging → Investigating → Containing → Resolved → Closed
Automatic Detection
Some incidents are created automatically based on:
- Multiple failed login attempts
- Unusual API activity patterns
- Policy violations from governance packs
- SIEM alerts from external integrations
Incident Severity
| Severity | Description | Response Time |
|---|---|---|
| Critical | Active breach or data loss | Immediate |
| High | Potential breach or major policy violation | 1 hour |
| Medium | Security anomaly requiring investigation | 4 hours |
| Low | Minor security event | 24 hours |
Feature Availability
| Feature | Growth | Enterprise |
|---|---|---|
| Incident Tracking | Yes | Yes |
| Automated Detection | Yes | Yes |
| Response Playbooks | -- | Yes |
| Integration with SIEM | -- | Yes |
Managing Incidents
Access Incidents through the Security Center:
- Navigate to Security in the top bar
- Click on the Incidents tab
- View active and historical incidents
Creating an Incident Manually
- Click Create Incident
- Enter a title, severity, description, and category (e.g., unauthorized_access)
- Assign responders
- Save the incident
Working an Incident
- Update status as investigation progresses (triaging, investigating, containing)
- Add timeline entries to document findings, actions taken, and communications
- Resolve the incident with a resolution summary, root cause, and prevention measures
Resolution Fields
| Field | Description |
|---|---|
| Resolution | What was done to fix the issue |
| Root Cause | What caused the incident |
| Prevention Measures | Steps taken to prevent recurrence |
Next: Learn about SIEM Integration for security event export.