Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.clarion.cantina.xyz/llms.txt

Use this file to discover all available pages before exploring further.

Incidents are the top-level work items for your security team. Each incident groups related alerts, captures investigation context, and tracks the response from first signal to final resolution.

What an incident contains

  • Identifier: Auto-incrementing number (INC-001, INC-002).
  • Status: Active, Resolved, or Closed.
  • Severity: Critical, High, Medium, or Low, inherited from the highest-severity grouped alert.
  • Assignee: The team member responsible for driving the incident to resolution.
  • Description and structured data: Rich context, summary, and metadata about the event.
  • Linked alerts: One or more alerts the incident consolidates.
  • Linked tasks: Follow-up work tracked outside the incident lifecycle.

What you can do

  • Create incidents manually, or let Clarion roll them up from grouped alerts automatically.
  • Assign to a team member and update assignment as ownership changes.
  • Update status as you move through investigation, containment, and closeout.
  • Add notes and attach structured data discovered during the investigation.
  • Link tasks for follow-up work that outlives the incident itself.
  • Close the incident when the threat is contained.
Incidents inherit severity from their grouped alerts but can be overridden manually. If two alerts of different severities are grouped, the incident takes the higher severity.
Learn about Alerts →