Incidents

An incident is the unit of investigation in Culprit — a cluster of correlated events with a shared root cause. Incidents are created by the pipeline (events arrive, get tokenised, get embedded, get correlated against the existing open-incident set, attach or open a new one); humans investigate them in the dashboard.

Read-only in v1

This resource is LIST + GET only. Mutating actions — acknowledge, resolve, split, merge, rerun RCA — are first-party-only in v1: they're exposed in the dashboard, not on the public API. The reasoning is that those actions are inherently human in the loop (someone is deciding "this is the same incident as that one") and routing them through an external integration would invite drift between what the API says and what the on-call sees.

If you need to read incident state for an external dashboard or SIEM forwarder, this is the resource. If you need to act on an incident programmatically, the public API doesn't currently support that — write to us.

Notes

  • status values: open, resolved, auto_resolved (closed by the auto-resolve cron after a quiet period), merged (folded into another incident via the dashboard's merge action).
  • last_seen is the timestamp of the most recent attaching event; treat it as the incident's "last activity" marker.
  • RCA detail (summary, call count, last-analysed timestamp) is not exposed in v1 and will land as a sub-resource (/v1/incidents/{id}/rca).
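A worked example of the SIEM-forwarder use case mentioned above, added here and not part of Culprit's own client or SDK: it decodes a LIST response, rejects status values outside the four documented ones instead of silently treating them as open, and emits one record per change across successive polls. Because last_seen only moves when an event attaches, a resolve or merge does not bump it, so the forwarder keys on the (status, last_seen) pair rather than on last_seen alone. Everything about the wire format is assumed: the endpoint path /v1/incidents (inferred from the documented future sub-resource), an "incidents" array in the body, RFC 3339 timestamps, and a hypothetical merged_into field; pagination is not addressed because the page does not describe it. The two poll bodies are constructed sample data.

```python
"""
Added example, not Culprit's code: incremental forwarder over the read-only
incidents LIST endpoint (assumed to be GET /v1/incidents; the page does not
state the path). Each poll body is assumed to be {"incidents": [...]}, with
"id", "status" and "last_seen" per incident; "merged_into" is hypothetical.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

OPEN_STATUSES = {"open"}
CLOSED_STATUSES = {"resolved", "auto_resolved", "merged"}
KNOWN_STATUSES = OPEN_STATUSES | CLOSED_STATUSES  # the v1 values the page lists


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp (assumed format) into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


@dataclass(frozen=True)
class Incident:
    id: str
    status: str
    last_seen: datetime
    merged_into: Optional[str] = None  # hypothetical field, not on the page


def parse_incidents(payload: str) -> list:
    """Decode a LIST body. An unknown status is a schema change we have not
    reviewed, so fail loudly rather than guess at open/closed."""
    body = json.loads(payload)
    out = []
    for raw in body["incidents"]:
        if raw["status"] not in KNOWN_STATUSES:
            raise ValueError(f"incident {raw['id']}: unknown status {raw['status']!r}")
        out.append(Incident(
            id=raw["id"],
            status=raw["status"],
            last_seen=parse_ts(raw["last_seen"]),
            merged_into=raw.get("merged_into"),
        ))
    return out


class Forwarder:
    """Remembers the (status, last_seen) pair already forwarded per incident,
    so each poll emits exactly the incidents whose activity or state changed."""

    def __init__(self) -> None:
        self.seen = {}

    def delta(self, incidents: list) -> list:
        events = []
        for inc in incidents:
            key = (inc.status, inc.last_seen)
            if self.seen.get(inc.id) == key:
                continue  # nothing attached and no state change since last poll
            self.seen[inc.id] = key
            events.append({
                "incident_id": inc.id,
                "state": "open" if inc.status in OPEN_STATUSES else "closed",
                "culprit_status": inc.status,
                "last_activity": inc.last_seen.isoformat(),
                "merged_into": inc.merged_into,
            })
        return events


# Constructed sample polls (not real API output).
POLL_1 = json.dumps({"incidents": [
    {"id": "inc_1", "status": "open", "last_seen": "2024-05-01T10:00:00Z"},
    {"id": "inc_2", "status": "open", "last_seen": "2024-05-01T09:30:00Z"},
]})
POLL_2 = json.dumps({"incidents": [
    # new event attached: last_seen moved
    {"id": "inc_1", "status": "open", "last_seen": "2024-05-01T10:05:00Z"},
    # merged via the dashboard: status changed, last_seen did not
    {"id": "inc_2", "status": "merged", "last_seen": "2024-05-01T09:30:00Z",
     "merged_into": "inc_1"},
    # closed by the auto-resolve cron, first time we see it
    {"id": "inc_3", "status": "auto_resolved", "last_seen": "2024-05-01T08:00:00Z"},
]})


def demo():
    """Run two polls plus a repeat of the second; returns the three deltas."""
    fw = Forwarder()
    first = fw.delta(parse_incidents(POLL_1))
    second = fw.delta(parse_incidents(POLL_2))
    third = fw.delta(parse_incidents(POLL_2))  # identical poll: nothing new
    return first, second, third


if __name__ == "__main__":
    for batch in demo():
        print(json.dumps(batch, indent=2))
```

The merged case is the one to watch: inc_2's last_seen is unchanged between polls, so a forwarder that deduplicates on last_seen alone would never tell the SIEM that the incident was folded into inc_1.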

Endpoints