Skip to main content

Incidents

The Incidents screen at app.igrisecurity.com/incidents surfaces security events that require review. Denials, anomaly detections, and session-level events all flow into a single queue so your team has one place to triage.
Anomaly detections appear here — there is no separate Anomaly dashboard screen. The Anomalies tab on this page is where you find and action them.

Incident categories

CategoryWhat it represents
denialA tool call or LLM request blocked by a policy rule
anomalyA statistical or pattern-based anomaly flagged by the detector
sessionA session-level event (e.g. kill-switch suspension)

Tabs

Four tabs filter the incident list:
TabShows
AllEvery incident regardless of category, with a total count badge
Denialsdenial category only
Anomaliesanomaly category only
Sessionssession category only
Each tab label shows the count of incidents matching that category in the current result set.
The toolbar below the tabs provides additional scoping:
FilterOptions
Severitycritical / high / medium / low / info
Statusopen / investigating / resolved
Text searchMatches against title, summary, actor name, and connection slug
Group byseverity (default)
Press Clear to reset all filters.

Incident list

Incidents are sorted by status (open → investigating → resolved), then by severity (critical → high → medium → low → info), then by most-recently-seen. Each row shows:
  • Severity badge
  • Title and summary
  • Category
  • Connection slug
  • Actor name
  • First seen / last seen timestamps
  • Current status
Click a row to open the incident detail drawer.

Incident detail drawer

The drawer opens from the right and shows:
  • Incident metadata — title, summary, severity, category, status, first/last seen, connection, actor
  • Policy — the policy and rule that triggered the incident (if applicable)
  • Impact counters — blocked events, allowed events, and redacted events linked to this incident
  • 12-hour pulse — hourly bar chart of linked events over the past 12 hours
  • Linked audit events — a paginated list of the raw mcp.tool or llm.call events that were grouped into this incident
Deep-linking is supported: opening https://app.igrisecurity.com/incidents?id=<uuid> loads the drawer directly for that incident.

Triage actions

Three status transitions are available from the drawer:
ActionSets status toNotes
Mark investigatinginvestigatingSignals the incident is being reviewed
ResolveresolvedRequires a resolution note. Sets resolvedAt timestamp
ReopenopenClears the resolution note and resolvedAt
These actions map to PATCH /api/v1/incidents/:id with { status, resolution_note }.

Severity

Severities are assigned automatically by the incident clustering logic. They can be overridden via the API by patching severity. Once a severity is manually set it is locked and will not be overwritten by future clustering.

API

MethodPathPurpose
GET/api/v1/incidentsList incidents (filter by category, severity, status, q)
GET/api/v1/incidents/:idIncident detail with impact counters and pulse
GET/api/v1/incidents/:id/eventsLinked audit events for an incident
PATCH/api/v1/incidents/:idUpdate status, severity, or resolution note
GET/api/v1/incidents/countCount by status (open, investigating, resolved)