Incidents
An incident is the central unit of work in HLD Sentinel. Every detection, response action, and analyst note is tied to an incident with a full, immutable timeline.
The incident object
json
{
"id": "inc_01hxyz",
"tenant_id": "ten_01hxyz",
"title": "Ransomware staging detected on ACME-WIN-0042",
"severity": "critical",
"status": "contained",
"type": "ransomware",
"source": "sentinel_autonomous",
"affected_assets": [
{ "type": "device", "id": "dev_01hxyz", "label": "ACME-WIN-0042" },
{ "type": "user", "id": "idn_01hxyz", "label": "[email protected]" }
],
"response_actions_taken": ["isolate_device", "revoke_sessions"],
"response_time_seconds": 38,
"created_at": "2025-06-01T03:14:00Z",
"contained_at": "2025-06-01T03:14:38Z",
"resolved_at": null,
"timeline_entries": 12
}List incidents
bash
GET /v1/sentinel/incidents| Name | Type | Required | Description |
|---|---|---|---|
| filter[tenant_id] | string | No | Scope to a tenant. |
| filter[severity] | string | No | critical | high | medium | low |
| filter[status] | string | No | open | investigating | contained | resolved | false_positive |
| filter[type] | string | No | ransomware | data_exfil | lateral_movement | credential_attack | insider_threat | etc. |
| filter[created_after] | string | No | ISO 8601 timestamp. |
Get an incident
bash
GET /v1/sentinel/incidents/:idGet incident timeline
The timeline is a chronological, immutable log of every event in the incident — detections, actions, analyst notes, and state changes.
bash
GET /v1/sentinel/incidents/:id/timelinejson
{
"incident_id": "inc_01hxyz",
"entries": [
{
"timestamp": "2025-06-01T03:14:00Z",
"type": "detection",
"actor": "sentinel_autonomous",
"description": "Ransomware staging behaviour detected. Confidence: 97%."
},
{
"timestamp": "2025-06-01T03:14:09Z",
"type": "action",
"actor": "sentinel_autonomous",
"description": "Device ACME-WIN-0042 isolated from network."
},
{
"timestamp": "2025-06-01T03:14:38Z",
"type": "action",
"actor": "sentinel_autonomous",
"description": "All sessions for [email protected] revoked."
}
]
}Add analyst note
bash
POST /v1/sentinel/incidents/:id/notes
{
"content": "Confirmed ransomware — LockBit variant. Engaged IR team."
}Resolve an incident
bash
POST /v1/sentinel/incidents/:id/resolve
{
"outcome": "mitigated",
"note": "Threat contained. Device re-imaged. No data exfiltration detected."
}