Events & Incident Response

    Correlate identity, device, and network signals, investigate incidents, and trigger safe responses with immutable evidence.

    Last updated: 2026-01-22

    Overview

    Events capture verification outcomes, policy decisions, anomalies, and enforcement actions. Incidents group related events for triage and response.

    Event types

    • Authentication and step-up verification.
    • Attestation and posture changes.
    • Policy decisions and enforcement outcomes.
    • Anomalies (unexpected lateral movement, integrity drift).

    Triage workflow

    • Confirm identity and asset criticality.
    • Review timeline and correlated signals.
    • Determine blast radius and impacted zones.
    • Choose containment action and verify outcome.

    Response actions

    • Quarantine/isolate a device or zone.
    • Revoke session or require step-up.
    • Block new access paths.
    • Trigger SOAR playbooks or open tickets.

    Evidence pack

    Evidence packs include event timelines, policy versions, decisions, actions, operator identity, and verification results.
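    As an added example that is not part of this page or the platform's own code, the Python below groups correlated identity/device events into an incident (the Overview's "incidents group related events") and wraps it in a hash-chained evidence pack carrying the fields listed above; the event shape, the field names (`policy_version`, `operator`) and the sample events are constructed assumptions, not the platform's schema.

```python
import hashlib
import json

# Constructed sample events (not from any real system): each carries the
# identity and device signals the page says should be correlated.
EVENTS = [
    {"ts": "2026-01-22T10:00:01Z", "type": "auth.step_up", "user": "u42", "device": "d7", "outcome": "fail"},
    {"ts": "2026-01-22T10:00:15Z", "type": "anomaly.lateral", "user": "u42", "device": "d7", "outcome": "seen"},
    {"ts": "2026-01-22T10:00:09Z", "type": "posture.change", "user": "u42", "device": "d7", "outcome": "drift"},
    {"ts": "2026-01-22T10:01:00Z", "type": "auth.success", "user": "u99", "device": "d3", "outcome": "ok"},
]
GENESIS = "0" * 64  # chain start: digest of "nothing before this"

def canonical(obj) -> bytes:
    # Deterministic serialisation so a digest does not depend on key order.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def correlate(events, user, device):
    # Incident = events sharing one identity and device, in time order.
    hits = [e for e in events if e["user"] == user and e["device"] == device]
    return sorted(hits, key=lambda e: e["ts"])

def chain(events):
    # Hash-chain the timeline: each digest commits to the previous one, so
    # editing, dropping or inserting any event changes every later digest.
    digests, prev = [], GENESIS
    for e in events:
        prev = hashlib.sha256(prev.encode() + canonical(e)).hexdigest()
        digests.append(prev)
    return digests

def build_evidence_pack(incident_events, policy_version, decisions, actions, operator):
    pack = {
        "timeline": incident_events,
        "timeline_digests": chain(incident_events),
        "policy_version": policy_version,
        "decisions": decisions,
        "actions": actions,
        "operator": operator,
    }
    pack["pack_digest"] = hashlib.sha256(canonical(pack)).hexdigest()
    return pack

def verify_evidence_pack(pack, anchored_digest) -> bool:
    # anchored_digest comes from outside the pack (write-once log, signed
    # receipt); recomputing everything catches edits made after anchoring.
    body = {k: v for k, v in pack.items() if k != "pack_digest"}
    if hashlib.sha256(canonical(body)).hexdigest() != anchored_digest:
        return False
    return chain(pack["timeline"]) == pack["timeline_digests"]
```

    The pack digest only guarantees immutability once it is stored somewhere the pack's author cannot rewrite; the verify step compares against that external anchor, not against the digest carried inside the pack.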

    SIEM/SOAR integration

    Forward events to SIEM for correlation and to SOAR for automated containment workflows while preserving immutable evidence.