Incident Investigation
An incident in Seliq is the container for everything related to a single security event: the alerts that triggered it, the AI analysis, the evidence your analyst collects, the notes they write, the playbook steps they run, and the final disposition. Every piece of information lives in one place.
Incident lifecycle
Seliq incidents move through the following statuses:
| Status | Meaning |
|---|---|
| New | Incident created, not yet reviewed |
| In Progress | Analyst has opened and is actively investigating |
| Pending | Waiting on a third party, client, or external action |
| Escalated | Handed off to a senior analyst or incident response team |
| Closed | Investigation complete, disposition recorded |
Status transitions are timestamped and recorded in the audit log. SLA timers are calculated from New → Closed (or from New → first response, depending on your SLA configuration).
The investigation view
When you open an incident, you see four panels:
Summary
The AI-generated summary, updated in real time as new alerts are added. You can also write a manual summary that overrides the AI version for the client-facing report.
Timeline
A chronological view of every event in the incident: alert arrivals, analyst actions, note additions, status changes, and entity lookups. The timeline is read-only and forms part of the audit trail.
Evidence
Attach screenshots, log exports, PCAP files, or any other artefact to the incident. Files are stored securely and included in post-incident reports if you choose.
Notes
Free-text notes visible to all analysts in the workspace. Use @username to notify a team member. Notes are included in internal reports but excluded from client-facing reports by default.
Playbooks
Seliq supports lightweight runbooks attached to incident types. When an incident matches a playbook trigger, the playbook checklist appears in the investigation view. Analysts can check off steps as they work through the response.
Closing an incident
When you close an incident, Seliq asks for a disposition:
- True Positive — Contained — Real threat, successfully responded to
- True Positive — Escalated — Real threat, handed to IR team or client
- False Positive — Not a real threat; notes the source and reason
- Benign — Expected behaviour, no action required
The disposition feeds back into Seliq’s suppression and AI models over time, reducing noise for similar alerts in the future.
Incident metrics
Seliq tracks per-incident and aggregate metrics visible in Reports → Metrics:
- Mean time to acknowledge (MTTA)
- Mean time to respond (MTTR)
- False positive rate by source
- Incidents by severity, disposition, and analyst
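As an added illustration (not Seliq's own code or export format) of how the timestamped status transitions from the audit log turn into the SLA timers and metrics described above: MTTA as New → first response, MTTR as New → Closed, and false positive rate per source from the recorded dispositions. The audit-log rows are constructed, and "first response" is assumed here to mean the first transition out of New.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit-log rows (not Seliq's export format): (incident, source,
# status, ISO timestamp, disposition); only the Closed row carries a disposition.
AUDIT_LOG = [
    ("INC-1", "edr", "New", "2024-05-01T08:00", None),
    ("INC-1", "edr", "In Progress", "2024-05-01T08:10", None),
    ("INC-1", "edr", "Closed", "2024-05-01T09:00", "True Positive - Contained"),
    ("INC-2", "email", "New", "2024-05-01T10:00", None),
    ("INC-2", "email", "In Progress", "2024-05-01T10:30", None),
    ("INC-2", "email", "Closed", "2024-05-01T12:00", "False Positive"),
    ("INC-3", "email", "New", "2024-05-01T11:00", None),
    ("INC-3", "email", "In Progress", "2024-05-01T11:05", None),  # still open
]

def _by_incident(log):
    """Group transitions per incident in time order, parsing the timestamps."""
    groups = defaultdict(list)
    for inc, src, status, ts, disp in log:
        groups[inc].append((datetime.fromisoformat(ts), status, src, disp))
    return {inc: sorted(rows, key=lambda r: r[0]) for inc, rows in groups.items()}

def _mean_minutes(log, is_end):
    """Mean New -> first row matching is_end, over incidents that reached it."""
    deltas = []
    for rows in _by_incident(log).values():
        opened = next(t for t, s, _, _ in rows if s == "New")
        end = next((t for t, s, _, _ in rows if is_end(s)), None)
        if end is not None:  # incidents that never got there are excluded, not
            deltas.append((end - opened).total_seconds() / 60)  # clocked to now
    return sum(deltas) / len(deltas) if deltas else None

def mtta_minutes(log):
    """MTTA: New -> first response, assumed here to be the first transition out of New."""
    return _mean_minutes(log, lambda s: s != "New")

def mttr_minutes(log):
    """MTTR: New -> Closed; still-open incidents do not count yet."""
    return _mean_minutes(log, lambda s: s == "Closed")

def false_positive_rate_by_source(log):
    """Per alert source, share of closed incidents dispositioned False Positive."""
    closed, fp = defaultdict(int), defaultdict(int)
    for rows in _by_incident(log).values():
        _, status, src, disp = rows[-1]
        if status == "Closed":
            closed[src] += 1
            fp[src] += disp.startswith("False Positive")
    return {src: fp[src] / n for src, n in closed.items()}
```

Open incidents are left out of MTTR rather than measured against the current time, so report the open count alongside the averages or a growing backlog will go unnoticed.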