get_incident_timeline
Retrieve a complete forensic timeline for an incident, including state transitions, rule evaluations, and policy snapshots. Use it to audit detection decisions or understand why an incident changed status.
Instructions
Full forensic timeline for an incident.
Returns every recorded state transition for the incident, the rule evaluations that caused each triggering transition, and the policy snapshot in effect at the time.
Use this to explain why an incident was declared/confirmed/resolved, or to audit a past detection decision.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| incident_id | Yes | | |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes | | |