Skip to content

Review incidents

ScrinOps incidents are provider-neutral summaries for an exact project and workspace. The browser receives redacted metadata, not raw provider alerts, credentials, or log content.

Typical time
10–20 minutes
You need
An enabled incident feed in the selected scope
Outcome
A triaged incident with evidence readiness understood

Open ScrinOps, then Incidents. Select Project and Workspace. Every list, cursor, filter, detail request, and diagnosis action stays bound to that authenticated scope.

Use:

  • Search for an incident, service, or owner;
  • Status: All statuses, Open, Investigating, Mitigated, or Resolved;
  • Severity: All severities, Critical, High, Warning, or Info;
  • Provider: AWS or Azure;
  • Refresh for the current page; and
  • Previous, Next, and page size for bounded history navigation.

Incidents 1 of 5 · Screenshot placeholder

Filter incident history

Show synthetic project/workspace filters and provider-neutral incidents with status, severity, occurrence count, evidence count, owner, and update time.

Future capture briefHide real incident titles and IDs, project/workspace names, owners, services, timestamps, provider accounts, and customer metadata.

If Partial connector data appears, incident summaries remain available but evidence or work-item data is degraded. Do not interpret partial data as a full incident record.

Choose the incident title or View details. The right-side incident drawer contains Overview, Timeline, Evidence, and Audit.

Incidents 2 of 5 · Screenshot placeholder

Review incident Overview

Show synthetic status, severity, occurrences, evidence manifests, provider, service, owner, and safe timestamps.

Future capture briefHide incident and correlation IDs, provider resource names, account/subscription IDs, owner identities, and customer incident descriptions.

Timeline lists bounded occurrence summaries with firing or resolved state, severity, source kind, time, and correlation reference. It does not expose the raw CloudWatch or Azure Monitor alert body.

Incidents 3 of 5 · Screenshot placeholder

Read provider-neutral occurrences

Show synthetic firing and resolved occurrences from CloudWatch Alarm or Azure Monitor Alert sources.

Future capture briefReplace timestamps and correlation references. Hide raw payloads, dimensions, metrics, queries, resource IDs, and provider links.

Evidence shows manifest metadata only:

  • source kind;
  • ready, degraded, or unavailable status;
  • record and stored-size counts;
  • redaction and truncation state;
  • collection and expiry time; and
  • a shortened digest.

Only ready, unexpired evidence can make Start diagnosis available.

Incidents 4 of 5 · Screenshot placeholder

Assess evidence readiness

Show synthetic evidence manifests with ready, degraded, unavailable, truncated, redaction, expiry, and digest metadata.

Future capture briefHide raw logs, queries, object-store locations, full digests, evidence IDs, credentials, headers, and customer content.

Audit shows bounded ownership and lifecycle events such as created, assigned, status changed, evidence attached, and diagnosis started.

Incidents 5 of 5 · Screenshot placeholder

Review incident lifecycle audit

Show synthetic action summaries and safe actor labels for an incident.

Future capture briefHide actor identities, user IDs, tenant scope, request IDs, raw metadata, evidence content, and internal service details.

You understand the incident state, severity, occurrence history, evidence freshness, degraded sources, ownership, and whether diagnosis is eligible.

  • No incidents found: change filters, confirm scope, and verify live alert ingestion separately.
  • Partial connector data: continue only with the available evidence and note the gap.
  • Details unavailable: retain the summary and retry; do not infer missing timeline or evidence.
  • Diagnosis unavailable: refresh evidence or wait for a ready, unexpired manifest.
  • Access denied: request the correct project/workspace permission; do not reuse identifiers from another tenant.