HLD Sentinel API

The Sentinel API gives you programmatic access to incident data and autonomous response capabilities — so you can integrate HLD's detection-to-containment engine directly into your SOC tooling.

Overview

HLD Sentinel operates as an autonomous incident response engine. When it detects a threat, it opens an incident, takes automated response actions, and builds a full audit trail — all within 45 seconds. The API exposes this entire lifecycle.

Key concepts

  • Incidents — a correlated security event requiring investigation or response. Incidents are created by Sentinel automatically, or manually via the API.
  • Response actions — atomic containment operations (isolate device, disable account, block IP, kill process) taken by Sentinel or triggered via the API.
  • Timeline — a chronological record of every detection, action, and decision in an incident, suitable for audit reports and post-incident review.
  • Playbooks — automated response workflows that chain together multiple response actions based on incident type and severity.
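As an added example (not code from the HLD documentation or SDK), the following Python computes the two figures a post-incident review most wants from a timeline: how long it took from the first detection to the first successful containment action, and how many actions failed along the way. The entry fields (ts, kind, action, status), the timestamp format and the sample incident are all constructed for illustration, since this page does not show the timeline's JSON shape.

```python
"""Detection-to-containment timing from an incident timeline.

Added example; not code from the HLD documentation or SDK. The entry
fields (ts, kind, action, status), the timestamp format and the sample
incident are constructed for illustration.
"""
from datetime import datetime, timezone
from typing import List, Optional

# Containment operations named on the page.
CONTAINMENT_ACTIONS = {"isolate_device", "disable_account", "block_ip", "kill_process"}

# Constructed sample timeline: one detection, one decision, one failed and
# two successful actions. Entries are deliberately out of time order to
# show that the analysis sorts before measuring.
SAMPLE_TIMELINE: List[dict] = [
    {"ts": "2024-05-01T10:00:21Z", "kind": "action", "action": "block_ip", "status": "succeeded"},
    {"ts": "2024-05-01T10:00:00Z", "kind": "detection", "detail": "credential stuffing against VPN"},
    {"ts": "2024-05-01T10:00:04Z", "kind": "decision", "detail": "playbook selected"},
    {"ts": "2024-05-01T10:00:09Z", "kind": "action", "action": "block_ip", "status": "failed"},
    {"ts": "2024-05-01T10:00:30Z", "kind": "action", "action": "disable_account", "status": "succeeded"},
]


def parse_ts(value: str) -> datetime:
    """Parse the assumed UTC 'YYYY-MM-DDTHH:MM:SSZ' timestamp format."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def time_to_containment(timeline: List[dict]) -> Optional[float]:
    """Seconds from the first detection to the first *successful* containment action.

    Returns None if there is no detection, or no successful action after it.
    Failed attempts do not count: a timeline whose only block_ip failed is an
    incident that was not contained, whatever the dashboard says.
    """
    events = sorted(timeline, key=lambda e: parse_ts(e["ts"]))
    detected = next((parse_ts(e["ts"]) for e in events if e["kind"] == "detection"), None)
    if detected is None:
        return None
    for e in events:
        if (e["kind"] == "action"
                and e.get("action") in CONTAINMENT_ACTIONS
                and e.get("status") == "succeeded"
                and parse_ts(e["ts"]) >= detected):
            return (parse_ts(e["ts"]) - detected).total_seconds()
    return None


def audit_summary(timeline: List[dict], target_seconds: float = 45.0) -> dict:
    """Figures a post-incident review would pull from one timeline.

    target_seconds defaults to the 45-second figure quoted in the overview,
    so the summary checks that claim against the record rather than assuming it.
    """
    ttc = time_to_containment(timeline)
    actions = [e for e in timeline if e["kind"] == "action"]
    return {
        "time_to_containment_s": ttc,
        "within_target": ttc is not None and ttc <= target_seconds,
        "actions_attempted": len(actions),
        "actions_failed": sum(1 for e in actions if e.get("status") == "failed"),
        "actions_succeeded": sorted({e["action"] for e in actions if e.get("status") == "succeeded"}),
    }


if __name__ == "__main__":
    for key, val in audit_summary(SAMPLE_TIMELINE).items():
        print(f"{key}: {val}")
```

Counting only the first successful action is a deliberate choice: the failed block_ip at 10:00:09 is still worth reporting (it is in actions_failed), but it must not shorten the measured containment time.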

Required scope

Reading incident data (incidents and their timelines) requires sentinel:read. Triggering response actions requires sentinel:respond. Issue keys with only sentinel:read to integrations that never need to act, such as dashboards, ticketing and reporting: a leaked read-only key can expose incident data, but it cannot isolate a device, disable an account or block traffic.

Warning: Response actions are real operations: they isolate devices, disable accounts, and block network traffic. Test your integration thoroughly in the sandbox environment (keys prefixed hld_test_) before connecting it to production.
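The scope separation and the sandbox warning above, as an added example in Python (not the project's own SDK): a small client wrapper that checks the key's scopes locally before sending anything, and refuses to run a real response action unless the key is an hld_test_ sandbox key or the caller has explicitly opted in. Only the scope names and the hld_test_ prefix come from this page; the base URL, endpoint paths, request body shape, the hld_live_ prefix used in the demo and the assumption that the caller knows which scopes a key was issued with are all illustrative.

```python
"""Scope-separated client wrapper for the HLD Sentinel API.

Added example; not the project's SDK. Only the scope names
(sentinel:read, sentinel:respond) and the hld_test_ sandbox key prefix
come from the documentation. The base URL, endpoint paths, request body
shape and the idea that the caller knows which scopes a key was issued
with are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

SCOPE_READ = "sentinel:read"
SCOPE_RESPOND = "sentinel:respond"
SANDBOX_PREFIX = "hld_test_"                              # documented sandbox key prefix
ASSUMED_BASE_URL = "https://sentinel.example.invalid/v1"  # placeholder, not a real host

# Containment operations named on the page; the paths are assumed.
RESPONSE_ACTION_PATHS = {
    "isolate_device": "/response-actions/isolate-device",
    "disable_account": "/response-actions/disable-account",
    "block_ip": "/response-actions/block-ip",
    "kill_process": "/response-actions/kill-process",
}


class ScopeError(PermissionError):
    """The key was not issued the scope this call needs; nothing is sent."""


class ProductionGuardError(RuntimeError):
    """A real containment action was requested with a non-sandbox key."""


@dataclass
class Request:
    method: str
    url: str
    headers: dict
    json: Optional[dict] = None


def offline_transport(req: Request) -> dict:
    """Default transport: echoes the request instead of sending it, so the
    example runs without network access. Swap in a real HTTP call in use."""
    return {"sent": req}


@dataclass
class SentinelClient:
    api_key: str
    scopes: FrozenSet[str]                  # scopes granted to api_key (assumed known to caller)
    allow_production_actions: bool = False  # explicit opt-in; default is to refuse
    transport: Callable[[Request], dict] = offline_transport

    @property
    def is_sandbox(self) -> bool:
        return self.api_key.startswith(SANDBOX_PREFIX)

    def _require(self, scope: str) -> None:
        # Fail locally and early rather than discovering the missing scope
        # as a 403 half-way through a chain of actions.
        if scope not in self.scopes:
            raise ScopeError(f"key lacks required scope {scope}")

    def _build(self, method: str, path: str, body: Optional[dict] = None) -> Request:
        headers = {"Authorization": f"Bearer {self.api_key}"}
        return Request(method, ASSUMED_BASE_URL + path, headers, body)

    # Read side: needs sentinel:read only.
    def get_incident(self, incident_id: str) -> dict:
        self._require(SCOPE_READ)
        return self.transport(self._build("GET", f"/incidents/{incident_id}"))

    def get_timeline(self, incident_id: str) -> dict:
        self._require(SCOPE_READ)
        return self.transport(self._build("GET", f"/incidents/{incident_id}/timeline"))

    # Respond side: needs sentinel:respond, and a sandbox key unless opted in.
    def respond(self, incident_id: str, action: str, target: str) -> dict:
        if action not in RESPONSE_ACTION_PATHS:
            raise ValueError(f"unknown response action {action!r}")
        self._require(SCOPE_RESPOND)
        if not self.is_sandbox and not self.allow_production_actions:
            raise ProductionGuardError(
                "refusing a real containment action with a non-sandbox key; "
                "set allow_production_actions=True only after sandbox testing")
        body = {"incident_id": incident_id, "target": target}
        return self.transport(self._build("POST", RESPONSE_ACTION_PATHS[action], body))


def read_only_client(api_key: str) -> SentinelClient:
    """For dashboards, ticketing and reporting: a key that can never contain anything."""
    return SentinelClient(api_key, frozenset({SCOPE_READ}))


def action_outcome(client: SentinelClient, incident_id: str, action: str, target: str) -> str:
    """Run a response action and classify the result for the integration's own log."""
    try:
        client.respond(incident_id, action, target)
        return "sent"
    except ScopeError:
        return "scope_denied"
    except ProductionGuardError:
        return "production_blocked"


if __name__ == "__main__":
    ro = read_only_client("hld_test_readonly_key")
    print(ro.get_incident("inc_123")["sent"].url)
    print(action_outcome(ro, "inc_123", "isolate_device", "host-42"))
    ops = SentinelClient("hld_test_ops_key", frozenset({SCOPE_READ, SCOPE_RESPOND}))
    print(action_outcome(ops, "inc_123", "isolate_device", "host-42"))
    prod = SentinelClient("hld_live_ops_key", frozenset({SCOPE_READ, SCOPE_RESPOND}))  # assumed prefix
    print(action_outcome(prod, "inc_123", "isolate_device", "host-42"))
```

The local scope check does not replace server-side enforcement; it makes a misconfigured integration fail at startup instead of mid-playbook. The production guard is the part to keep: a key that is not prefixed hld_test_ only contains something when the code says, in one visible place, that it is meant to.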