# Incidents API This documentation describes the API endpoints for retrieving and managing incident data. ## List Incidents This endpoint retrieves a list of incidents, which are aggregations of multiple alerts related to an asset. | Method | Path | | ------ | ---------------------------------------------------------- | | `GET` | `https://{telmai_endpoint}/api/backend/{tenant}/incidents` | **Query Parameters (Filters)** The request supports the following query parameters for filtering the incident list: | Parameter | Type | Description | Example | | ------------------ | ---------------------------------- | ------------------------------------------------------------------------ | -------------------------- | | `project_ids` | List of Integers (comma-separated) | Filters by a list of Project IDs. | `0,24` | | `connection_types` | List of Strings (comma-separated) | Filters by asset connection types (e.g., GCS, BIGQUERY). | `GCS,BIGQUERY` | | `alert_policy_ids` | List of Strings (comma-separated) | Filters by Alert Policy IDs. (IDs can be strings for prebuilt policies). | `4,5` | | `severities` | List of Strings (comma-separated) | Filters by severity (LOW, MEDIUM, HIGH). | `HIGH,MEDIUM` | | `impacts` | List of Strings (comma-separated) | Filters by impact (LOW, MEDIUM, HIGH). | `HIGH` | | `connection_ids` | List of Strings (comma-separated) | Filters by Connection IDs. | `conn-123,conn-456` | | `from_time` | String (ISO 8601 Timestamp) | Range start timestamp for filtering. | `2025-07-15T12:14:54.123Z` | | `to_time` | String (ISO 8601 Timestamp) | Range end timestamp for filtering. | `2025-07-15T12:14:54.123Z` | | `text_to_search` | String | A search string applied to policy names and source names. | `test_policy` | Example Request: ``` GET: https://{host:port}/api/backend/{tenant}/incidents?project_ids=0,24 ``` **Response Body (JSON Array)** Returns an array of incident objects. JSON ``` [ { "id": 1311, "project_id": 0, "asset_id": "5x0e34yk1re4", "last_upload_timestamp": "2025-06-30T14:12:51.871Z", "created_time": "2025-06-30T14:12:51.871Z", "severity": "HIGH", "impact": "HIGH", "status": "OPEN", // Can be one of OPEN / CLOSED "ticket_id": 2411, "alert_policy_id": "4", "alert_policy_name": "test_policy", "description": "...", "tags": ["T1", "PROD"] }, ... ] ``` *** ### Get Incident Details Retrieves the detailed information for a specific incident. | Method | Path | | ------ | ----------------------------------------------------------------------- | | `GET` | `https://{telmai_endpoint}/api/backend/{tenant}/incidents/{incidentId}` | **Path Parameter** | Parameter | Type | Description | | ------------ | ------- | ------------------------------ | | `incidentId` | Integer | The unique ID of the incident. | Example Request: ``` GET: https://{telmai_endpoint}/api/backend/{tenant}/incidents/1311 ``` **Response Body (JSON Object)** In addition to the fields in the list response, this endpoint returns detailed metrics and a history of state changes. JSON ``` { "id": 1311, "project_id": 0, "asset_id": "5x0e34yk1re4", "last_upload_timestamp": "2025-06-30T14:12:51.871Z", "severity": "HIGH", "impact": "HIGH", "status": "OPEN", // Can be one of OPEN / CLOSED "ticket_id": 2411, "alert_policy_id": "4", "alert_policy_name": "test_policy", "description": "...", "metrics": [ { "metric_name": "contains_pii", "metric_aggregation": "ratio", "display_metric_name": "PII %", "segment": null, "rule": null, // If populated, it indicates a virtual attribute for a correctness policy "attribute": null }, ... ], "tags": ["T1", "PROD"], "history": [ { "timestamp": "2025-06-30T14:12:51.871Z", "state": "NEW", // Can be one of NEW / ONGOING / RESOLVED / REOPENED "alert_refs": [ {"metric_time":"2025-06-30T14:12:51.871Z", "violation_name":"FEATURE.s132j7ja1"}, ... ] } ] } ``` *** ### Incidents Distribution This endpoint retrieves a day-by-day distribution of incident counts, categorized by severity and impact. | Method | Path | | ------ | ----------------------------------------------------------------------- | | `GET` | `https://{telmai_endpoint}/api/backend/{tenant}/incidents/distribution` | Filters: This endpoint supports the same filter set as the Incidents List endpoint. **Response Body (JSON Object)** JSON ``` { "incidents": [ { "date": "2025-07-22", "counts": { "LOW": 1, "MEDIUM": 4, "HIGH": 6, "": 8 // Incidents without a specified severity/impact }, "counts_by_impact": { "LOW": 1, "MEDIUM": 4, "HIGH": 6 } }, ... ] } ``` *** ### Incidents Summary Retrieves overall summary statistics for incidents. | Method | Path | | ------ | ------------------------------------------------------------ | | `GET` | `https://{host:port}/api/backend/{tenant}/incidents/summary` | **Response Body (JSON Object)** | Field | Type | Description | | ------------------------------- | ------- | ----------------------------------------------------- | | `total` | Integer | Total number of incidents. | | `open` | Integer | Total number of OPEN incidents. | | `closed` | Integer | Total number of CLOSED incidents. | | `mean_time_to_resolve` | Integer | Average time to resolve incidents (in hours). | | `previous_mean_time_to_resolve` | Integer | Previous period's average time to resolve (in hours). | | `open_by_tag` | Object | Count of OPEN incidents grouped by tag. | | `closed_by_tag` | Object | Count of CLOSED incidents grouped by tag. | JSON ``` { "total": 25, "open": 6, "closed": 19, "mean_time_to_resolve": 122, "previous_mean_time_to_resolve": 117, "open_by_tag": { "T1": 3, "prod": 12 }, "closed_by_tag": { "T1": 12, "prod": 67 } } ``` *** ### Retrieving Alerts for an Incident An Incident is an aggregation over time and refers to multiple uploads and alert objects, whereas an Alert refers to a specific upload and violation. To retrieve the individual alerts that compose an incident, you must use the `alert_refs` from the incident's history. #### POST Retrieve Alerts by Filters | Method | Path | | ------ | -------------------------------------------------------------------------- | | `POST` | `https://{host:port}/api/backend/{tenant}/configuration/alerts/by_filters` | **Request Body (JSON Object)** The request body is constructed using data extracted from the incident's `asset_id` and the `alert_refs` array (found within the `history` of the detailed incident response). Example: If an incident has an `asset_id` of `"5x0e34yk1re4"` and the following `alert_refs`: JSON ``` "alert_refs": [ {"metric_time":"2025-06-30T14:12:51.871Z", "violation_name":"FEATURE.s132j7ja1"}, {"metric_time":"2025-06-30T14:13:55.325Z", "violation_name":"DATA.a531"} ] ``` The request body should be: JSON ``` { "sources": ["5x0e34yk1re4"], // The asset_id from the incident "upload_dates": ["2025-06-30T14:12:51.871Z", "2025-06-30T14:13:55.325Z"], // metric_time from alert_refs "violation_names": ["FEATURE.s132j7ja1", "DATA.a531"] // violation_name from alert_refs } ``` **Alert Object Structure** The endpoint returns an array of detailed Alert objects. JSON ``` { "type": "SCHEMA_CHANGE", "source": "SNOWFLAKE.SALES_DB.PUBLIC.CUSTOMER_ORDERS", "attribute": "SHIPPING_ADDRESS", "job_id": "job-f8e2-4a1b-9c3d-5e6f7a8b9c0d", "create_time": "2023-10-27T10:30:00.123Z", "save_time": "2023-10-27T10:30:05.456Z", "violation_data": {}, "violation_name": "Customer Orders Schema Drift", "notification_channels": ["critical-alerts-slack", "data-team-email"], "is_notification_enabled": true, "metric_time": "2023-10-27T10:25:00.000Z", "is_notified": false, "metric_value": 1.0, "policy_name": "Monitor Production Schemas", "segment": "USA", "priority": "HIGH", "description": { "HIGH": [ "The data type for column 'SHIPPING_ADDRESS' was changed from VARCHAR(255) to VARCHAR(512)." ] }, "source_name": "CUSTOMER_ORDERS", "source_type": "SNOWFLAKE", "project_name": "E-commerce Analytics", "tags": ["production", "schema", "customer-data"] } ```