Status
Five statuses, moved manually as the situation evolves:| Status | When you’re here |
|---|---|
| Open | Just declared. Nobody assigned yet, or work hasn’t started. |
| Investigating | Responders are looking into it. |
| Identified | Root cause is understood; fix is being prepared or rolled out. |
| Monitoring | Fix is live; watching to make sure it sticks. |
| Resolved | Back to normal. Postmortem usually follows. |
Severity
Four severity levels with colour-coded badges:- Critical (sev1) - major customer impact.
- High (sev2) - significant degradation.
- Medium (sev3) - limited impact.
- Low (sev4) - minor.
The incidents list
/incidents shows everything in flight. Toggle between Kanban (columns per status, drag to move) and Table views. Filter by status, severity, service, team, or incident commander. Search across title and description. Admins can bulk-edit status, severity, commander, or delete.
Each row carries the incident identifier (e.g. INC-42), title, severity, status, when it was created, and avatars for the people on it.
The incident detail page
Three tabs:- Overview - title, description, linked alerts, customers affected, action items (tasks), external links, and the Scribe live panel if a call is being recorded.
- Timeline - chronological feed of every status change, responder join, IC handoff, alert link, comment, and SLA notification.
- Post-Mortem - the collaborative document where you write up what happened. See Postmortems.
Creating an incident
Three ways an incident gets created:- Manually. Click Create incident on the list. Fill in title, severity, services, teams, optional commander, and link any alerts you already have.
- From an alert. The Declare Incident button on an alert detail page opens the same dialog with the alert pre-linked and severity pre-filled.
- Automatically. If Auto-create incidents is on, Warrn opens an incident on its own when alert patterns cross a threshold you’ve configured. Auto-created incidents wear an “Auto-created” badge showing why the policy fired.
Roles
- Incident Commander. One per incident. Owns coordination and the decision to resolve. Assigned at creation; transferable to any acknowledged responder.
- Responders. People actively on it. They acknowledge to indicate they’re working it.
- Observers. Watching, not working. Useful for leadership, status-page editors, or adjacent teams.
- Scribe. If a war room is being recorded, the Scribe pulls live transcript and suggested action items onto the Overview tab.
Action items
Track follow-ups as Incident Tasks on the Overview tab: add them, assign, mark done. If Jira is configured for the org, you can push any task out as a Jira issue. Tasks can also be embedded inline in the postmortem document as a live-updating block.Postmortems
Postmortems live on the incident, in their own tab. You start one by clicking Create postmortem (the empty state), optionally from a template defined at/settings/incident-policies. It’s a collaborative editor with version history, AI assist, and Confluence export. Full details: Postmortems.
SLAs and reminders
Closure SLAs are configured per severity at/settings/incident-policies. While an incident is open, the properties panel shows a next update due or update overdue indicator. Warrn sends graduated Slack and email reminders as those deadlines approach, then again past breach.
Communications
- Slack channel. Auto-created per incident (configurable). Name format and archive behaviour live in the incident lifecycle settings.
- Google Meet war room. Create or join from the incident header.
- Status page. Publish updates from the incident detail page; severity maps to status-page state via your policy config.
Linked alerts
The Overview tab lists every alert linked to the incident. Click + Link alert to add more (the picker filters to open, unresolved, not-yet-linked alerts). For auto-created incidents, the alert that triggered the policy is linked automatically and noted in the timeline.Custom attributes
Org admins can define custom fields at/settings/incident-policies (text, boolean, single-select, multi-select). They show up in the properties panel on every incident and are editable by the Incident Commander.
Identifier
Every incident gets a per-org auto-incremented ID:INC-1, INC-2, and so on. It’s the only identifier you need to share - URLs, Slack mentions, postmortem titles all use it.