Incidents

Incidents are correlated groups of related alerts — the attack chains behind individual detections — available at /incidents for the queue and /incidents/:id for a single incident.

What it does

Rather than leaving you to connect alerts by hand, AgentSOC correlates related alerts into a single incident that represents one likely chain of activity. Each incident carries its own severity and a confidence score reflecting how strongly the underlying alerts appear to belong together.

An incident also records why the alerts were grouped — the correlation reasoning and signals such as shared MITRE techniques and tactics — so you can evaluate the system's conclusion instead of taking it on faith.
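To make the pieces of an incident concrete, here is an added toy correlator. It is not AgentSOC's correlation engine (the page does not describe the platform's rules or weights); the grouping rule, the scoring points, the `Alert`/`Incident` types and the sample alerts are all hypothetical. It groups constructed alerts that share a host inside a time window, derives the incident's severity from its alerts, scores a confidence from the signals the alerts share (host, tactic progression, timing), and writes out the reasoning an analyst would review.

```python
"""Toy alert correlator illustrating how alerts become an incident.

Added example, not AgentSOC code: the grouping rule, the scoring weights
and the alerts below are hypothetical, chosen only to show the pieces an
incident carries (severity, confidence, correlation reasoning).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# MITRE ATT&CK Enterprise tactics in kill-chain order.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Alert:
    id: str
    host: str
    ts: datetime
    severity: str
    technique: str  # ATT&CK technique ID, e.g. T1059.001
    tactic: str     # ATT&CK tactic, spelled as in TACTIC_ORDER


@dataclass
class Incident:
    alerts: list
    severity: str
    confidence: float
    reasoning: str


def build_incident(alerts):
    """Score and explain one candidate group (same host, already in time order)."""
    host = alerts[0].host
    span_min = int((alerts[-1].ts - alerts[0].ts).total_seconds() // 60)
    tactics = list(dict.fromkeys(a.tactic for a in alerts))  # distinct, time-ordered
    signals = [f"{len(alerts)} alerts on {host} within {span_min} min (shared host)"]
    points = 40  # hypothetical weights, kept as integer points to avoid float drift
    if len(tactics) > 1:
        points += 30
        signals.append("spans tactics " + " -> ".join(tactics))
        idx = [TACTIC_ORDER.index(a.tactic) for a in alerts]
        if idx == sorted(idx):
            points += 20
            signals.append("tactics appear in kill-chain order")
    else:
        signals.append(f"single tactic ({tactics[0]}); may be unrelated noise")
    if span_min <= 15:
        points += 10
        signals.append("tight timing")
    signals.append("techniques: " + ", ".join(sorted({a.technique for a in alerts})))
    severity = max((a.severity for a in alerts), key=lambda s: SEVERITY_RANK[s])
    return Incident(alerts, severity, min(points, 100) / 100, "; ".join(signals))


def correlate(alerts, window=timedelta(hours=1)):
    """Group alerts per host when each follows the previous one within `window`.

    Returns (incidents, uncorrelated): groups of two or more alerts become
    incidents; a lone alert stays an ordinary alert.
    """
    by_host = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host.setdefault(a.host, []).append(a)
    groups = []
    for host_alerts in by_host.values():
        current = [host_alerts[0]]
        for a in host_alerts[1:]:
            if a.ts - current[-1].ts <= window:
                current.append(a)
            else:
                groups.append(current)
                current = [a]
        groups.append(current)
    incidents = [build_incident(g) for g in groups if len(g) > 1]
    uncorrelated = [g[0] for g in groups if len(g) == 1]
    return incidents, uncorrelated


def at(hour, minute):
    return datetime(2024, 5, 1, hour, minute)


# Constructed sample alerts (not real telemetry).
SAMPLE_ALERTS = [
    Alert("a1", "ws-17", at(10, 0), "medium", "T1566.001", "initial-access"),
    Alert("a2", "ws-17", at(10, 4), "medium", "T1059.001", "execution"),
    Alert("a3", "ws-17", at(10, 22), "high", "T1003.001", "credential-access"),
    Alert("a4", "srv-db-02", at(10, 30), "low", "T1046", "discovery"),
    Alert("a5", "srv-db-02", at(10, 40), "medium", "T1082", "discovery"),
    Alert("a6", "ws-17", at(14, 0), "low", "T1082", "discovery"),
]


if __name__ == "__main__":
    incidents, loose = correlate(SAMPLE_ALERTS)
    for inc in incidents:
        ids = [a.id for a in inc.alerts]
        print(f"{ids} severity={inc.severity} confidence={inc.confidence:.2f}")
        print("  why:", inc.reasoning)
    print("uncorrelated:", [a.id for a in loose])
```

Running it yields two incidents: the ws-17 chain (phishing, then PowerShell, then an LSASS dump, tactics in kill-chain order) scores 0.9 and inherits the highest alert severity, while the two discovery alerts on srv-db-02 share only a host and timing and score 0.5. That second case is the kind of lower-confidence grouping whose reasoning you would read before acting on it, and alert a6 stays uncorrelated because it falls outside the window.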

Key actions

  • Filter the queue. Narrow /incidents by severity and status to focus your attention.
  • Open an incident. Select a row to open /incidents/:id with the full picture: severity, confidence, and the correlation analysis.
  • Review correlated alerts. Walk the alerts that make up the chain and pivot into any one of them for deeper detail.
  • Read the correlation reasoning. Use the stated reason and shared signals to confirm the grouping makes sense.
  • Resolve. Update the incident's status as you work it toward closure.

How incidents relate to alerts and cases

An incident is system-correlated: the platform decides which alerts belong together. When an investigation needs human-driven structure — attaching evidence, recording analysis, and tracking it as a deliberate piece of work — open a Case instead. Incidents tell you what the platform connected; cases capture what you and your team conclude.

Tips

  • Treat confidence as a guide to scrutiny: lower confidence warrants a closer look at the correlation reasoning before you act.
  • Investigate the incident as a whole before resolving its individual alerts, so you do not close part of an active attack chain.