Query, manage, and respond to security incidents
Retrieve security incidents with filtering and pagination.
GET /v1/incidents?status=open&severity=high&limit=50
Response:
{
  "incidents": [
    {
      "id": "inc_456",
      "title": "Suspicious Login Attempt",
      "severity": "high",
      "status": "open",
      "created_at": "2025-01-08T09:15:00Z",
      "agent_id": "agent_123"
    }
  ],
  "pagination": {
    "total": 127,
    "page": 1,
    "per_page": 50
  }
}
Retrieve complete incident information including timeline and evidence.
GET /v1/incidents/:id
Response:
{
  "id": "inc_456",
  "title": "Suspicious Login Attempt",
  "description": "Multiple failed login attempts detected",
  "severity": "high",
  "status": "open",
  "timeline": [
    {
      "timestamp": "2025-01-08T09:15:00Z",
      "action": "detected",
      "details": "5 failed attempts from IP 192.168.1.100"
    }
  ]
}
Change incident status and add resolution notes.
PATCH /v1/incidents/:id
Content-Type: application/json
{
  "status": "resolved",
  "resolution": "Blocked IP address and reset user password",
  "assigned_to": "user_789"
}
Query parameters for GET /v1/incidents:
status: open, investigating, resolved, closed
severity: low, medium, high, critical
agent_id: Filter by specific agent
from, to: Date range filters
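The three endpoints above (list with filters and pagination, fetch one incident, change its status) are tied together in the following client, which is an added example and not code shipped with the API. It assumes a base URL of https://api.example.invalid/v1 and a request parameter named page for selecting the next page (the page's sample request shows only limit; the pagination block in the response exposes page and per_page, so page is an assumption). The HTTP layer is injected, and the FakeTransport below is a constructed stand-in that serves 127 synthetic incidents so the pagination loop can be exercised offline. The client also validates enum values and incident ids before they reach the wire, so a caller-supplied id cannot become a path segment like ../users.

```python
import re
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qsl, urlencode

# Allowed enum values, taken from the query-parameter list on this page.
VALID_STATUS = {"open", "investigating", "resolved", "closed"}
VALID_SEVERITY = {"low", "medium", "high", "critical"}

# Incident ids in the examples look like "inc_456". Reject anything else so an
# attacker-controlled id can never rewrite the request path.
_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# A transport takes (method, url, json_body) and returns the decoded JSON response.
Transport = Callable[[str, str, Optional[dict]], dict]


class IncidentClient:
    # base_url is an assumed value; the page does not state a host.
    def __init__(self, transport: Transport, base_url: str = "https://api.example.invalid/v1"):
        self.transport = transport
        self.base_url = base_url.rstrip("/")

    def iter_incidents(self, status=None, severity=None, agent_id=None,
                       from_=None, to=None, limit=50) -> Iterator[dict]:
        """Yield every matching incident, following pagination until 'total' is reached."""
        if status is not None and status not in VALID_STATUS:
            raise ValueError(f"invalid status {status!r}")
        if severity is not None and severity not in VALID_SEVERITY:
            raise ValueError(f"invalid severity {severity!r}")
        page, seen = 1, 0
        while True:
            # "page" as a request parameter is an assumption (see lead-in).
            params = {"status": status, "severity": severity, "agent_id": agent_id,
                      "from": from_, "to": to, "limit": limit, "page": page}
            query = urlencode({k: v for k, v in params.items() if v is not None})
            resp = self.transport("GET", f"{self.base_url}/incidents?{query}", None)
            for inc in resp["incidents"]:
                seen += 1
                yield inc
            # Stop once 'total' is consumed, or on an empty page so a wrong
            # 'total' from the server cannot make this loop forever.
            if seen >= resp["pagination"]["total"] or not resp["incidents"]:
                break
            page += 1

    def get_incident(self, incident_id: str) -> dict:
        if not _ID_RE.match(incident_id):
            raise ValueError(f"malformed incident id {incident_id!r}")
        return self.transport("GET", f"{self.base_url}/incidents/{incident_id}", None)

    def update_incident(self, incident_id: str, status: str,
                        resolution: Optional[str] = None,
                        assigned_to: Optional[str] = None) -> dict:
        if not _ID_RE.match(incident_id):
            raise ValueError(f"malformed incident id {incident_id!r}")
        if status not in VALID_STATUS:
            raise ValueError(f"invalid status {status!r}")
        body: Dict[str, str] = {"status": status}
        if resolution is not None:
            body["resolution"] = resolution
        if assigned_to is not None:
            body["assigned_to"] = assigned_to
        return self.transport("PATCH", f"{self.base_url}/incidents/{incident_id}", body)


class FakeTransport:
    """Constructed stand-in for HTTP: 127 synthetic incidents (inc_400..inc_526),
    served in pages of 'limit' with the same pagination block as the sample response."""
    TOTAL = 127

    def __init__(self):
        self.requests: List[tuple] = []
        self.incidents: Dict[str, dict] = {
            f"inc_{400 + i}": {"id": f"inc_{400 + i}", "title": "Suspicious Login Attempt",
                               "severity": "high", "status": "open",
                               "created_at": "2025-01-08T09:15:00Z", "agent_id": "agent_123"}
            for i in range(self.TOTAL)}

    def __call__(self, method: str, url: str, body: Optional[dict]) -> dict:
        self.requests.append((method, url, body))
        path, _, query = url.partition("?")
        last = path.rsplit("/", 1)[-1]
        if method == "GET" and last == "incidents":
            params = dict(parse_qsl(query))
            limit, page = int(params.get("limit", 50)), int(params.get("page", 1))
            ids = list(self.incidents)[(page - 1) * limit:page * limit]
            return {"incidents": [self.incidents[i] for i in ids],
                    "pagination": {"total": self.TOTAL, "page": page, "per_page": limit}}
        if method == "GET":
            return dict(self.incidents[last])
        if method == "PATCH":
            self.incidents[last].update(body or {})
            return dict(self.incidents[last])
        raise ValueError(f"unsupported method {method}")


if __name__ == "__main__":
    client = IncidentClient(FakeTransport())
    open_high = list(client.iter_incidents(status="open", severity="high"))
    print(len(open_high), "incidents fetched across pages")
    print(client.update_incident("inc_456", "resolved",
                                 resolution="Blocked IP address and reset user password",
                                 assigned_to="user_789"))
```

Swap FakeTransport for a function that performs the real request (for example with urllib.request or requests, sending the API's auth header) and the client code is unchanged. Keeping the enum and id checks client-side is not a substitute for server-side validation; it just turns a bad value into a ValueError before a request is spent on it.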