Using Northbeams
Investigate incidents
Last updated 2026-07-13
Open Activity, then Incidents for the events worth a second look: a blocked prompt, a high-risk paste, a lookup to a risky domain. It is where you go when something needs investigating.

Start with "What happened"
The page opens with an analyst summary: a plain-English narration of the latest incidents, grounded in the events below. You can ask the feed a question ("what got blocked in Sales today?") or draft a written report from the current view, so you get the story before you dig into individual rows.
What each incident shows
- Who, what, when, and which tool.
- The redacted detail of what was involved, so you understand the risk without exposing the sensitive content itself.
- A severity: critical, elevated, or watch.
What you can do
- Filter to the critical ones first, so the loudest signals rise to the top.
- Acknowledge an incident once you have looked at it.
- Turn a repeat offender into a block so it stops happening. Blocks flow straight into your policies.
Every incident is also written to your audit log, so the record is there when an auditor or an investigation asks.