Threats are canonical monitored events, not raw event rows.

Threat status values

The internal threat model uses these lifecycle states:
  • active
  • monitoring
  • contained
  • resolved
  • dismissed
  • ended

Severity values

  • critical
  • high
  • medium
  • low
  • negligible

Risk fields

Threats can carry a structured likelihood × impact assessment:
  • likelihood
  • impact_severity
  • risk_score
  • risk_level
  • likelihood_rationale
  • impact_rationale
The API also supports manual risk overrides.

Affected assets

A threat response can include affected_assets, which is a proximity-sorted list of monitored assets impacted by the event. This is derived from:
  • threat coordinates
  • asset coordinates
  • asset monitoring radius
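The two derivations described above (the affected_assets list and the likelihood × impact risk fields with a manual override) as an added worked example in Python. This is not the vendor's code: only the field names likelihood, impact_severity, risk_score, risk_level, likelihood_rationale, impact_rationale and affected_assets come from the page; the haversine distance, the 1..5 ordinal scales, the risk_level thresholds, the Asset attributes, the risk_level_overridden field and the helper names are assumptions made for illustration.

```python
# Added example, not the vendor's code. Field names from the page:
# likelihood, impact_severity, risk_score, risk_level, likelihood_rationale,
# impact_rationale, affected_assets. Everything else (haversine distance,
# the 1..5 scales, the risk_level thresholds, Asset attributes) is assumed.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two lat/lon points (assumed metric)."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass
class Asset:
    asset_id: str
    lat: float
    lon: float
    monitoring_radius_km: float  # assumed unit for "asset monitoring radius"


def affected_assets(threat_lat: float, threat_lon: float, assets: list) -> list:
    """Assets whose monitoring radius covers the threat, nearest first."""
    hits = []
    for asset in assets:
        distance = haversine_km(threat_lat, threat_lon, asset.lat, asset.lon)
        if distance <= asset.monitoring_radius_km:
            hits.append({"asset_id": asset.asset_id,
                         "distance_km": round(distance, 2)})
    return sorted(hits, key=lambda hit: hit["distance_km"])


# Assumed 1..5 ordinal scales; IMPACT reuses the page's severity vocabulary.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}


def risk_level_for(score: int) -> str:
    """Map a 1..25 risk_score onto the severity vocabulary (assumed thresholds)."""
    if score >= 20:
        return "critical"
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    if score >= 3:
        return "low"
    return "negligible"


def assess_risk(likelihood: str, impact_severity: str,
                likelihood_rationale: str = "", impact_rationale: str = "",
                manual_risk_level: Optional[str] = None) -> dict:
    """Build the risk fields. A manual override replaces risk_level only,
    so the computed risk_score stays visible for later review."""
    if manual_risk_level is not None and manual_risk_level not in IMPACT:
        raise ValueError(f"unknown risk level: {manual_risk_level}")
    score = LIKELIHOOD[likelihood] * IMPACT[impact_severity]
    return {
        "likelihood": likelihood,
        "impact_severity": impact_severity,
        "risk_score": score,
        "risk_level": manual_risk_level or risk_level_for(score),
        "risk_level_overridden": manual_risk_level is not None,  # assumed field
        "likelihood_rationale": likelihood_rationale,
        "impact_rationale": impact_rationale,
    }


# Constructed sample data: a threat in central London and four monitored assets.
SAMPLE_THREAT = (51.5074, -0.1278)
SAMPLE_ASSETS = [
    Asset("dc-east", 51.5155, -0.0922, 5.0),       # ~2.6 km away, inside radius
    Asset("hq", 51.5074, -0.1278, 1.0),            # co-located, distance 0
    Asset("paris-office", 48.8566, 2.3522, 10.0),  # hundreds of km away
    Asset("substation", 51.5000, -0.1500, 1.0),    # ~1.7 km away, radius too small
]

if __name__ == "__main__":
    for hit in affected_assets(*SAMPLE_THREAT, SAMPLE_ASSETS):
        print(hit)
    print(assess_risk("likely", "high", "repeat activity this week",
                      "primary site", manual_risk_level="critical"))
```

Keeping the computed risk_score alongside an overridden risk_level is the design choice worth noting: a reviewer can always see what the matrix produced and that an analyst chose to deviate from it.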

Development and version fields

Threats can evolve over time. The API exposes summary counters that mirror the internal event development/version model:
  • development_count
  • latest_development_title
  • version_count
  • last_version_at

Incidents

Use incidents when you need a grouped narrative across related threats. Incidents are especially useful for:
  • operational handoff
  • analyst review
  • report generation
  • timeline views