> ## Documentation Index
> Fetch the complete documentation index at: https://docs.igrisecurity.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Incidents

> Triage and track security incidents — policy denials, anomalies, and session events — in a unified queue.

# Incidents

The Incidents screen at [app.igrisecurity.com/incidents](https://app.igrisecurity.com/incidents) surfaces security events that require review. Denials, anomaly detections, and session-level events all flow into a single queue so your team has one place to triage.

<Note>
  Anomaly detections appear here — there is no separate Anomaly dashboard screen. The **Anomalies** tab on this page is where you find and action them.
</Note>

***

## Incident categories

| Category  | What it represents                                             |
| --------- | -------------------------------------------------------------- |
| `denial`  | A tool call or LLM request blocked by a policy rule            |
| `anomaly` | A statistical or pattern-based anomaly flagged by the detector |
| `session` | A session-level event (e.g. kill-switch suspension)            |

***

## Tabs

Four tabs filter the incident list:

| Tab           | Shows                                                           |
| ------------- | --------------------------------------------------------------- |
| **All**       | Every incident regardless of category, with a total count badge |
| **Denials**   | `denial` category only                                          |
| **Anomalies** | `anomaly` category only                                         |
| **Sessions**  | `session` category only                                         |

Each tab label shows the count of incidents matching that category in the current result set.

***

## Filters and search

The toolbar below the tabs provides additional scoping:

| Filter          | Options                                                         |
| --------------- | --------------------------------------------------------------- |
| **Severity**    | `critical` / `high` / `medium` / `low` / `info`                 |
| **Status**      | `open` / `investigating` / `resolved`                           |
| **Text search** | Matches against title, summary, actor name, and connection slug |
| **Group by**    | `severity` (default)                                            |

Press **Clear** to reset all filters.

***

## Incident list

Incidents are sorted by status (open → investigating → resolved), then by severity (critical → high → medium → low → info), then by most-recently-seen. Each row shows:

* Severity badge
* Title and summary
* Category
* Connection slug
* Actor name
* First seen / last seen timestamps
* Current status

Click a row to open the **incident detail drawer**.

***

## Incident detail drawer

The drawer opens from the right and shows:

* **Incident metadata** — title, summary, severity, category, status, first/last seen, connection, actor
* **Policy** — the policy and rule that triggered the incident (if applicable)
* **Impact counters** — blocked events, allowed events, and redacted events linked to this incident
* **12-hour pulse** — hourly bar chart of linked events over the past 12 hours
* **Linked audit events** — a paginated list of the raw `mcp.tool` or `llm.call` events that were grouped into this incident

Deep-linking is supported: opening `https://app.igrisecurity.com/incidents?id=<uuid>` loads the drawer directly for that incident.

***

## Triage actions

Three status transitions are available from the drawer:

| Action                 | Sets status to  | Notes                                                   |
| ---------------------- | --------------- | ------------------------------------------------------- |
| **Mark investigating** | `investigating` | Signals the incident is being reviewed                  |
| **Resolve**            | `resolved`      | Requires a resolution note. Sets `resolvedAt` timestamp |
| **Reopen**             | `open`          | Clears the resolution note and `resolvedAt`             |

These actions map to `PATCH /api/v1/incidents/:id` with `{ status, resolution_note }`.

***

## Severity

Severities are assigned automatically by the incident clustering logic. They can be overridden via the API by patching `severity`. Once a severity is manually set it is locked and will not be overwritten by future clustering.

***

## API

| Method  | Path                           | Purpose                                                          |
| ------- | ------------------------------ | ---------------------------------------------------------------- |
| `GET`   | `/api/v1/incidents`            | List incidents (filter by `category`, `severity`, `status`, `q`) |
| `GET`   | `/api/v1/incidents/:id`        | Incident detail with impact counters and pulse                   |
| `GET`   | `/api/v1/incidents/:id/events` | Linked audit events for an incident                              |
| `PATCH` | `/api/v1/incidents/:id`        | Update status, severity, or resolution note                      |
| `GET`   | `/api/v1/incidents/count`      | Count by status (`open`, `investigating`, `resolved`)            |
