What gets recorded
Three row types are written for every check that flows through detection:- Rule evaluations — one row per rule evaluated against a check result. Captures rule type (
consecutive_failures,response_time, …), region, inputs,outputMatchedflag, and the policy snapshot hash. - State transitions — one row per status edge walked (
WATCHING → TRIGGERED,TRIGGERED → CONFIRMED,CONFIRMED → RESOLVED, …). CarriestriggeringEvaluationIds,checkId,policySnapshotHashHex, andengineVersion. Thereasonfield distinguishes detection-engine causes (trigger,confirm,resolve,auto_clear,reopen) from user-driven actions (manually_resolved). - Policy snapshots — content-addressed by SHA-256 of the policy JSON. The exact policy that was active at evaluation time, even if the monitor has been edited since.
organizationId and the originating checkId, so you can thread a single check execution across both writes.
Endpoints
All endpoints are read-only and live under/api/v1/forensics/:
| Endpoint | Purpose |
|---|---|
GET /forensics/incidents/{id}/timeline | Full timeline for an incident: transitions + triggering evaluations + active policy snapshot |
GET /forensics/traces/{checkId} | Everything recorded for a single check execution |
GET /forensics/policy-snapshots/{hashHex} | Fetch a policy snapshot by its SHA-256 hash |
GET /forensics/monitors/{id}/rule-evaluations | Paginated list of rule evaluations for a monitor (filters: ruleType, region, onlyMatched, from, to) |
GET /forensics/monitors/{id}/transitions | Paginated list of state transitions for a monitor (filters: from, to) |
CLI
--output json|yaml|table and the standard auth flags.
SDKs
MCP tools
The DevHelm MCP server exposes the same read path to AI agents:get_incident_timeline(incident_id)— replay why an incident firedget_check_trace(check_id)— inspect a single check executionget_policy_snapshot(hash_hex)— fetch the exact policy active at a past momentlist_monitor_rule_evaluations(monitor_id, ...)— audit rule firingslist_monitor_transitions(monitor_id, ...)— reconstruct monitor lifecycle
Use cases
- Incident replay: a customer asks “why did we get paged?” — the timeline endpoint returns the check, policy, and rules involved, no log scraping needed.
- Policy change review: before editing a trigger rule, fetch the snapshot hash that fired the last incident and diff it against the new policy.
- False-positive audit: list
rule-evaluations?onlyMatched=truefor a monitor over the last 7 days to spot noisy rules. - Cross-region analysis: filter
rule-evaluations?region=us-eastto see how one region contributed to confirmation.
Retention
| Row type | Retention | Notes |
|---|---|---|
| Rule evaluations | 30 days | High-volume hypertable (~288M rows/day at scale); compressed at 7 days |
| State transitions | 2 years | Low-volume, high audit value |
| Policy snapshots | Indefinite | Content-addressed by SHA-256; deleting would orphan references |
Next steps
Incident Timeline
Human-facing view of an incident’s lifecycle — status changes, updates, and notifications.
Incident Policies
Configure the trigger and recovery rules that forensics record.
MCP Tools Reference
Let an AI agent query the forensic model directly.
API Reference
Full schema for every forensic endpoint.