Incidents
The Incidents module manages the full lifecycle of operational incidents — from detection through resolution and post-mortem. Every incident is a structured record that captures what happened, why it happened, and how it was fixed.
When to use incidents
- Alert or event — When an integration or correlation rule creates an incident from alerts, or when you create one manually from the UI (e.g. from a war room or external report).
- RCA and runbooks — When you need root cause analysis and suggested or generated runbooks; attach evidence (metrics, logs, topology) first for best results.
- Resolution and learning — When you close an incident with a resolution summary and root cause category, the platform uses that for future RCA and runbook suggestions. See Alert to resolution for the full flow.
Why the incident record matters
A single incident ties together evidence, RCA, runbook execution, and resolution. That record feeds the learning loop so similar future incidents get better hypotheses and runbook suggestions. List views are paginated when you have many incidents — use filters and pagination to find the right one. See Using the interface and What’s new — lists.
Key Features
- Manual and automatic creation — Create incidents manually or let correlation rules generate them from grouped alerts
- Severity levels — P1 (Critical) through P5 (Informational) with configurable SLA timers per level
- Evidence attachments — Link metrics, logs, traces, alerts, and topology snapshots directly to incidents
- AI-powered RCA — One-click root cause analysis using the reasoning engine
- Runbook integration — Generate and execute remediation runbooks from within the incident
- Timeline view — Chronological record of every action, comment, status change, and automation event
- War room — Collaborative space for major incidents with real-time updates and stakeholder notifications
- Post-mortem templates — Structured post-incident reviews with auto-populated timelines
How to Access
Navigate to RESPOND → Incidents in the left sidebar (or use the command palette — e.g. Cmd+K / Ctrl+K — and type “Incidents”). The default view shows all active incidents sorted by severity and age; the list is paginated when there are many. See Using the interface for navigation.
Basic Usage
- Click New Incident to create an incident manually
- Fill in the title, severity, category, and affected service
- Attach evidence by clicking Add Evidence in the incident detail view
- Click Run RCA to trigger AI-powered root cause analysis
- Review the RCA result and click Generate Runbook for automated remediation
- After resolution, click Resolve and add a resolution summary
- Use Create Post-Mortem to generate a structured review document
See also
- Alert to resolution — End-to-end flow with when/why for each step
- Your first incident — Step-by-step tutorial
- User Guide: War room & major incidents — Declaring major incidents, war room coordination, status updates, and action items
- Using the interface — Command palette and list navigation