# Incidents

An "Incident" in ITOC360 represents an active or past execution of an Escalation Policy. This is where you audit the system's attempts to notify your team, seeing exactly which policy was triggered and the current status of that notification chain.

#### Incident List

This dashboard provides a timeline of your team's response activities.

* **Alert:** The reference to the original triggering event. This links the incident back to the specific raw data received on the **Alerts** page.
* **Escalation:** The name of the specific Escalation Policy that matched the alert rules. This tells you *which* set of notification rules represents this incident (e.g., "Critical DB Policy" vs. "General Warning Policy").
* **Status:** The current state of the notification workflow.
  * *Running/Active:* The system is currently executing the levels (e.g., waiting for a timeout, calling the next person).
  * *Completed/Resolved:* The escalation chain has finished, either because someone acknowledged the alert or all steps were exhausted.
* **Started At:** The exact timestamp when the escalation policy was triggered.
* **Completed At:** The timestamp when the incident workflow ended.
  * *Pro Tip:* The difference between *Started At* and *Completed At* is effectively your MTTA (Mean Time to Acknowledge) for that specific incident.
* **Created At:** The record creation time in the system.

#### Understanding the Lifecycle

Unlike a static log, an Incident is dynamic.

1. **Trigger:** An alert matches a Rule in an Escalation Policy.
2. **Creation:** An Incident record is created, and the Status is set to Active/Running.
3. **Execution:** ITOC360 begins processing "Level 1", then "Level 2", notifying users via their defined Channels.
4. **Completion:** Once a user acknowledges the incident (or the policy runs out of steps), the Status updates to Completed, and the *Completed At* timestamp is stamped.

#### Why use this page?

* **Real-Time Auditing:** If you are wondering, "Is the system currently calling anyone regarding the server outage?", check the rows with Status: Running.
* **Post-Mortem Analysis:** Use the *Started At* and *Completed At* times to analyze how long it typically takes for your policies to find an available responder.