Incidents
The Incidents screen at app.igrisecurity.com/incidents surfaces security events that require review. Denials, anomaly detections, and session-level events all flow into a single queue so your team has one place to triage.
Anomaly detections appear here — there is no separate Anomaly dashboard screen. The Anomalies tab on this page is where you find and action them.
Incident categories
| Category | What it represents |
|---|
denial | A tool call or LLM request blocked by a policy rule |
anomaly | A statistical or pattern-based anomaly flagged by the detector |
session | A session-level event (e.g. kill-switch suspension) |
Tabs
Four tabs filter the incident list:
| Tab | Shows |
|---|
| All | Every incident regardless of category, with a total count badge |
| Denials | denial category only |
| Anomalies | anomaly category only |
| Sessions | session category only |
Each tab label shows the count of incidents matching that category in the current result set.
Filters and search
The toolbar below the tabs provides additional scoping:
| Filter | Options |
|---|
| Severity | critical / high / medium / low / info |
| Status | open / investigating / resolved |
| Text search | Matches against title, summary, actor name, and connection slug |
| Group by | severity (default) |
Press Clear to reset all filters.
Incident list
Incidents are sorted by status (open → investigating → resolved), then by severity (critical → high → medium → low → info), then by most-recently-seen. Each row shows:
- Severity badge
- Title and summary
- Category
- Connection slug
- Actor name
- First seen / last seen timestamps
- Current status
Click a row to open the incident detail drawer.
Incident detail drawer
The drawer opens from the right and shows:
- Incident metadata — title, summary, severity, category, status, first/last seen, connection, actor
- Policy — the policy and rule that triggered the incident (if applicable)
- Impact counters — blocked events, allowed events, and redacted events linked to this incident
- 12-hour pulse — hourly bar chart of linked events over the past 12 hours
- Linked audit events — a paginated list of the raw
mcp.tool or llm.call events that were grouped into this incident
Deep-linking is supported: opening https://app.igrisecurity.com/incidents?id=<uuid> loads the drawer directly for that incident.
Triage actions
Three status transitions are available from the drawer:
| Action | Sets status to | Notes |
|---|
| Mark investigating | investigating | Signals the incident is being reviewed |
| Resolve | resolved | Requires a resolution note. Sets resolvedAt timestamp |
| Reopen | open | Clears the resolution note and resolvedAt |
These actions map to PATCH /api/v1/incidents/:id with { status, resolution_note }.
Severity
Severities are assigned automatically by the incident clustering logic. They can be overridden via the API by patching severity. Once a severity is manually set it is locked and will not be overwritten by future clustering.
API
| Method | Path | Purpose |
|---|
GET | /api/v1/incidents | List incidents (filter by category, severity, status, q) |
GET | /api/v1/incidents/:id | Incident detail with impact counters and pulse |
GET | /api/v1/incidents/:id/events | Linked audit events for an incident |
PATCH | /api/v1/incidents/:id | Update status, severity, or resolution note |
GET | /api/v1/incidents/count | Count by status (open, investigating, resolved) |