Incident
/api/v1/grc/incidents
A security or compliance incident.
list, get, create, update
Schema
| Field | Type | Notes |
|---|---|---|
| id* | uuid | Server-assigned ULID with type prefix (e.g. per_…). |
| tenant_id* | string | Tenant scope — auto-stamped from the caller's JWT. |
| app_id | string | App scope. Stamped ONLY when the caller's JWT was minted for a specific Application (integration API keys). Absent for human-user sessions. Filters reads when present. |
| created_at* | date-time | Server stamp. |
| updated_at* | date-time | Server stamp; updated on every patch. |
| created_by | uuid | Person id from the caller's JWT (sub). |
| updated_by | uuid | Person id from the last writer's JWT (sub). |
| source | string | Provenance tag — defaults to 'edm'. |
| source_type | enum | One of frontend, backend, server, system, api. Where the write originated. Defaults to 'api'. |
| is_deleted | boolean | Soft-delete flag. Excluded from default list queries. |
| deleted_at | date-time | Stamped when soft-deleted; null otherwise. |
| deleted_by | uuid | Person id who soft-deleted; null otherwise. |
| schema_version | number | Document schema version. Bumped on incompatible writes. |
| incident_number | string | Human-readable incident reference number. |
| title | string | Short title of the incident. |
| description | string | Detailed description of the incident. |
| category | string | Classification of the incident type. |
| severity | string | Severity rating of the incident. |
| status | string | Current lifecycle status of the incident. |
| detected_at | date-time | ISO 8601 timestamp when the incident was detected. |
| reported_at | date-time | ISO 8601 timestamp when the incident was formally reported. |
| contained_at | date-time | ISO 8601 timestamp when the incident was contained. |
| closed_at | date-time | ISO 8601 timestamp when the incident was closed. |
| realized_risk_ids | json | IDs of Risk records that were realized by this incident. |
| affected_asset_ids | json | IDs of assets affected by this incident. |
| affected_account_ids | json | IDs of accounts affected by this incident. |
| consolidated_investigation_ids | json | IDs of SOC Investigations rolled up into this incident. |
| triggered_by_alert_ids | json | IDs of SOC Alerts that triggered this incident. |
| owner_id | string | ID of the Person who owns this incident. |
| commander_ids | json | IDs of Persons serving as incident commanders. |
| root_cause | string | Root cause analysis summary. |
| lessons_learned | json | Lessons learned from this incident. |
| corrective_action_ids | json | IDs of follow-up tasks created as corrective actions. |
| reportable_to | json | IDs of regulators to whom this incident must be reported. |
| reported_to_regulators_at | date-time | ISO 8601 timestamp when the incident was reported to regulators. |
| customer_notified_at | date-time | ISO 8601 timestamp when affected customers were notified. |
| financial_impact | number | Estimated financial impact in USD. |
| mttd_minutes | number | Mean time to detect in minutes. |
| mttr_minutes | number | Mean time to recover in minutes. |
| tags | json | Free-form tags for filtering. |
API
client.grc.incidents.*