Managing Incidents

Incidents allow you to group meetings and workflow executions that occur during operational issues like outages, security events, or maintenance windows. This makes it easy to track incident response activities and generate audit trails for compliance.

What are Incidents?

Incidents are operational events that require coordinated response and documentation. Use incidents to:

• Track incident response - Group all meetings and workflow executions during an incident
• Generate audit trails - Automatically capture all activities for compliance reporting
• Post-incident reviews - Review what happened and when during an incident
• Measure response time - See how long incidents take to resolve
• Link to external systems - Connect to Slack channels, Jira tickets, and documentation

Incidents vs. Meetings

Understanding when to use incidents:

---

Creating an Incident

From the Incidents Page

1. Navigate to Incidents in the sidebar
2. Click the + New Incident button
3. Fill in the incident details:
   • Name: Descriptive title (e.g., "API Gateway Outage - Jan 15")
   • Description: Details about what's happening
   • Severity: Critical, High, Medium, or Low
   • Tags: Keywords for categorization (e.g., "production", "database")
4. Click Create Incident

Your incident is now active and ready to track activities!

From a Workflow

You can also create incidents directly from workflows using the AI: Create Incident node:

1. Add the AI: Create Incident node to your workflow
2. Connect it to a trigger (e.g., Incident Created trigger)
3. Pass context data to let AI generate the incident details
4. The node will create the incident automatically when the workflow runs

Tip: Use workflow triggers to automatically create incidents when monitoring systems detect issues.

---

Working with Incidents

Viewing Incident Details

1. Go to Incidents in the sidebar
2. Click on an incident to view its details

You'll see:

• Overview: Incident name, status, severity, and timeline
• Description: Detailed information about the incident
• Tags: Categories and keywords
• Linked Resources: Meetings and workflow executions
• Timeline: When the incident started and when it was resolved

Understanding Incident Status

Incidents have three statuses:

• Active: Currently in progress, incident response is ongoing
• Resolved: Issue has been fixed, incident is complete
• Cancelled: Incident was resolved without action or created by mistake

Changing Incident Status

To update an incident's status:

1. Open the incident details
2. Click the Status dropdown
3. Select the new status:
   • Resolve - Mark the incident as resolved
   • Cancel - Cancel the incident

When you resolve an incident, the end timestamp is automatically recorded.

---

Linking Meetings to Incidents

Why Link Meetings?

When you link a meeting to an incident:

• All workflows triggered from that meeting are automatically attributed to the incident
• Meeting transcripts become part of the incident audit trail
• You can see which teams were involved in incident response

How to Link a Meeting

Option 1: From the Meeting

1. Open the meeting details page
2. Click Link to Incident
3. Select the incident from the dropdown
4. Click Link

Option 2: From the Incident

1. Open the incident details page
2. Go to the Meetings section
3. Click Link Meeting
4. Select the meeting from the list
5. Click Link

Viewing Linked Meetings

On the incident details page:

1. Scroll to the Meetings section
2. You'll see all meetings linked to this incident
3. Click a meeting to view its details

---

Tracking Workflow Executions

Automatic Attribution

When workflows are triggered from meetings or other activities linked to an incident, they're automatically attributed to that incident. This means:

• Incident-triggered workflows: Workflows that start when an incident is created are automatically linked
• Meeting workflows: Workflows executed during linked meetings are automatically linked
• Manual tracking: Workflow executions can also reference incidents directly

Viewing Workflow Executions

1. Open the incident details page
2. Go to the Workflows section
3. You'll see all workflow executions associated with this incident

Each execution shows:

• Workflow name
• Execution status (Running, Complete, Failed)
• Trigger source (Meeting, Incident Created, etc.)
• Timestamp

Filtering Executions

Use filters to find specific workflows:

• Status: Show only completed, failed, or running workflows
• Source: Filter by how the workflow was triggered

---

Using Incident Triggers in Workflows

Incident Created Trigger

This trigger starts workflows automatically when a new incident is created:

1. Create a new workflow
2. Add an Incident Created trigger node
3. Configure what happens when an incident starts:
   • Send notifications to Slack or email
   • Create tickets in Jira or PagerDuty
   • Update status pages
   • Generate incident reports

Example Workflow:

• Trigger: Incident Created
• Action 1: Send Slack notification to #incidents channel
• Action 2: Create Jira ticket
• Action 3: Update status page

Incident Closed Trigger

This trigger runs when an incident is resolved or cancelled:

1. Add an Incident Closed trigger to your workflow
2. Configure post-incident actions:
   • Send resolution notifications
   • Generate incident reports
   • Schedule post-mortem meetings
   • Archive incident documentation

---

Common Workflows

Production Outage Response

Scenario: Your monitoring system detects an API outage

1. Create incident via workflow automation

   • Trigger: Monitoring alert
   • Action: AI: Create Incident with severity "Critical"

2. Notify team via Slack integration

   • Send alert to #incidents channel
   • Tag on-call engineers

3. Track response meetings

   • Link all incident response meetings to the incident
   • Workflows run during meetings are auto-linked

4. Resolve and document

   • Update incident status to "Resolved"
   • Generate post-mortem report

Security Incident Tracking

Scenario: Security team detects suspicious activity

1. Create security incident manually

   • Name: "Unusual Login Activity - Jan 20"
   • Severity: High
   • Tags: "security", "access-control"

2. Link investigation meetings

   • Link security team meetings
   • Track all investigation workflows

3. Generate audit trail

   • View complete timeline of response
   • Export for compliance reporting

4. Close incident

   • Mark as resolved
   • Archive documentation

Planned Maintenance Windows

Scenario: Scheduled database migration

1. Create maintenance incident

   • Name: "Database Migration - Jan 25"
   • Severity: Medium
   • Tags: "maintenance", "planned"

2. Link coordination meetings

   • Pre-migration planning
   • Migration execution
   • Post-migration verification

3. Track deployment workflows

   • All automated deployments linked to incident
   • Verification checks recorded

4. Complete maintenance

   • Resolve incident when complete
   • Review what was done

---

Tips & Best Practices

Naming Conventions

• Be descriptive: "API Gateway Outage - Jan 15, 2025"
• Include date: Helps when searching for historical incidents
• Add severity prefix (optional): "[CRITICAL] Production Database Down"
• Use consistent format: Makes filtering and reporting easier

Tagging Strategy

Create a consistent tagging system:

• Environment: production, staging, development
• System: api, database, frontend, auth
• Type: outage, security, maintenance, performance
• Team: engineering, ops, security

Example: production, database, outage, ops

Real-Time Updates

• Create incidents immediately when issues are detected
• Link meetings as they happen - don't wait until after resolution
• Update status promptly when incidents are resolved
• Add notes in the description as you learn more

Post-Incident Review

After resolving an incident:

1. Review the timeline - What happened when?
2. Check linked resources - Were all meetings and workflows tracked?
3. Generate reports - Export audit trails if needed
4. Document learnings - Update description with root cause and resolution

---

Understanding Incident Data

What Gets Tracked?

When you create an incident, Tectra automatically tracks:

• Creation time: When the incident was first created
• Resolution time: When the incident was marked as resolved (if applicable)
• Duration: How long the incident lasted
• Meetings: All linked meetings and their participants
• Workflows: All workflow executions triggered during the incident
• Status changes: History of status updates

Audit Trail

The incident details page shows a complete audit trail:

• When the incident was created and by whom
• All linked meetings with timestamps
• All workflow executions with results
• When the incident was resolved or cancelled

This audit trail is useful for:

• Compliance reporting: Demonstrate proper incident response procedures
• Performance metrics: Measure mean time to resolution (MTTR)
• Post-mortems: Review what happened during the incident
• Process improvement: Identify patterns and opportunities

---

Troubleshooting

I can't create an incident

Possible causes:

• You need appropriate permissions in your organization
• Check that you're logged in and have access to the Incidents feature

Meeting workflows aren't showing up in my incident

Solution: Make sure the meeting is linked to the incident BEFORE the workflows are executed. Workflows triggered after linking will be automatically attributed to the incident.

I can't find an old incident

Solution: Use the search bar or filters on the Incidents page:

• Filter by status (Active, Resolved, Cancelled)
• Filter by severity
• Search by name or tags

Workflow execution is linked to the wrong incident

Explanation: Workflow executions are automatically linked based on:

1. The meeting they were triggered from (if meeting is linked to an incident)
2. The incident trigger that started them
3. The active incident context when they were manually triggered

If a workflow is linked to the wrong incident, it means one of these contexts was set incorrectly.

Can I delete an incident?

Answer: Tectra uses soft deletion - incidents can be archived but not permanently deleted. This preserves audit trails for compliance. Contact your organization admin to archive an incident if needed.

---

FAQ

How long can an incident stay active?

There's no time limit. Incidents can stay active for as long as needed. However, we recommend resolving incidents promptly to keep your incident list clean.

Can I link a meeting to multiple incidents?

No, each meeting can only be linked to one incident at a time. This keeps the audit trail clear and prevents confusion.

Do incidents cost extra?

No, incidents are included in all Tectra plans at no additional cost.

Can I edit an incident after it's resolved?

Yes, you can edit the description, tags, and other details of resolved incidents. However, you cannot change the resolution timestamp.

What's the difference between resolved and cancelled?

• Resolved: The incident was addressed and fixed
• Cancelled: The incident was created by mistake or resolved without action

Both move the incident to an inactive state.

Can I export incident data?

Yes, you can export incident details including the full audit trail. This is useful for compliance reporting and post-incident analysis.

How do I measure incident response time?

The incident details page shows the duration from creation to resolution. You can use this to calculate metrics like:

• Mean Time To Resolution (MTTR)
• Incident frequency
• Response time by severity

Are incident triggers automatic?

The Incident Created and Incident Closed triggers automatically start workflows when incidents change status. You configure what the workflows do.

Can workflows create incidents?

Yes! Use the AI: Create Incident node in your workflows to automatically create incidents when certain conditions are met (e.g., monitoring alerts, failed health checks).