Incidents

The Incidents feature helps you track, respond to, and document security incidents within your organization.

Overview

Incident management provides:

  • Centralized incident tracking
  • Response coordination
  • Timeline documentation
  • Post-incident analysis

Access via Security Center

Incidents are managed through the Security Center:

  1. Navigate to Security in the top bar
  2. Click on the Incidents tab
  3. View and manage security incidents

Incident Lifecycle

Detected → Triaging → Investigating → Containing → Resolved → Closed

Creating Incidents

Automatic Detection

Some incidents are created automatically based on:

  • Multiple failed login attempts
  • Unusual API activity
  • Policy violations
  • SIEM alerts

Manual Creation

  // Open a new incident by hand; the returned object carries the incident id
  // used by the update/timeline/resolve calls below.
  const incident = await client.incidents.create({
    title: 'Suspicious login activity',
    severity: 'high',
    description: 'Multiple failed login attempts detected from unusual IP',
    category: 'unauthorized_access',
    assignees: ['user-security-123']
  });

Managing Incidents

Update Status

  // Move the incident to the next lifecycle stage and record why.
  await client.incidents.update('incident-123', {
    status: 'investigating',
    notes: 'Confirmed suspicious activity, investigating scope'
  });

Add Timeline Entry

  // Append a dated finding to the incident timeline without changing its status.
  await client.incidents.addTimelineEntry('incident-123', {
    content: 'Identified affected accounts',
    type: 'finding'
  });

Resolve Incident

  // Close out the investigation; root cause and prevention measures feed the
  // post-incident analysis.
  await client.incidents.resolve('incident-123', {
    resolution: 'Credentials rotated, no data breach confirmed',
    rootCause: 'Credential stuffing attack',
    preventionMeasures: 'Enabled MFA for all affected accounts'
  });
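The snippets above each show one call in isolation. As an added example (not code from this documentation or its SDK), the block below drives one incident through the whole lifecycle against an in-memory stand-in for `client.incidents`, and adds two guards a responder would want: a check that status changes only move forward through the documented stages, and a response deadline derived from the severity table. Lowercase stage names as status values and a `createdAt` field are assumptions.

```javascript
// Added example (not from the docs): mock `client.incidents` plus lifecycle and
// severity guards. Status strings are ASSUMED to be lowercase stage names.
const LIFECYCLE = ['detected', 'triaging', 'investigating', 'containing', 'resolved', 'closed'];
// Response-time targets from the severity table, in minutes ("Immediate" = 0).
const RESPONSE_MINUTES = { critical: 0, high: 60, medium: 240, low: 1440 };

// Valid only if the status moves forward through the lifecycle; stages may be
// skipped (e.g. investigating -> resolved) but never revisited.
function isValidTransition(from, to) {
  const i = LIFECYCLE.indexOf(from), j = LIFECYCLE.indexOf(to);
  return i !== -1 && j !== -1 && j > i;
}

// Deadline for first response, from creation time and severity.
function responseDeadline(createdAt, severity) {
  const minutes = RESPONSE_MINUTES[severity];
  if (minutes === undefined) throw new Error(`unknown severity: ${severity}`);
  return new Date(createdAt.getTime() + minutes * 60 * 1000);
}

// In-memory stand-in for the real API so the walkthrough runs offline.
class MockIncidents {
  constructor() { this.store = new Map(); this.nextId = 1; }
  async create(fields) {
    const inc = { id: `incident-${this.nextId++}`, status: 'detected', timeline: [], ...fields };
    this.store.set(inc.id, inc);
    return inc;
  }
  async update(id, { status, notes }) {
    const inc = this.store.get(id);
    if (!isValidTransition(inc.status, status)) throw new Error(`bad transition ${inc.status} -> ${status}`);
    inc.status = status;
    inc.timeline.push({ type: 'status', content: notes });
    return inc;
  }
  async addTimelineEntry(id, entry) { this.store.get(id).timeline.push(entry); return this.store.get(id); }
  async resolve(id, fields) {
    const inc = await this.update(id, { status: 'resolved', notes: fields.resolution });
    return Object.assign(inc, fields);
  }
}

// Walk one incident through the calls documented on this page.
async function runWalkthrough() {
  const client = { incidents: new MockIncidents() };
  const { id } = await client.incidents.create({ title: 'Suspicious login activity', severity: 'high', category: 'unauthorized_access' });
  await client.incidents.update(id, { status: 'investigating', notes: 'Confirmed suspicious activity' });
  await client.incidents.addTimelineEntry(id, { content: 'Identified affected accounts', type: 'finding' });
  return client.incidents.resolve(id, { resolution: 'Credentials rotated, no data breach confirmed',
    rootCause: 'Credential stuffing attack', preventionMeasures: 'Enabled MFA for all affected accounts' });
}
```

Swapping `MockIncidents` for the real `client.incidents` keeps the walkthrough unchanged; the transition check is what prevents an incident from silently going from Closed back to Investigating.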

Incident Severity

  Severity   Description                                   Response Time
  Critical   Active breach or data loss                    Immediate
  High       Potential breach or major policy violation    1 hour
  Medium     Security anomaly requiring investigation      4 hours
  Low        Minor security event                          24 hours

Feature Availability

  Feature                 Business   Enterprise
  Incident Tracking       Yes        Yes
  Automated Detection     Yes        Yes
  Response Playbooks      -          Yes
  Integration with SIEM   -          Yes

Next: Learn about SIEM Integration for security event export.