
Overview

IncidentFox connects to your existing observability and data platforms to investigate incidents. This section covers how to configure each data source.

Supported Data Sources

Observability Platforms

Platform | Status | Capabilities
Coralogix | Supported | Log search, metrics, alerts, Olly integration
Datadog | Supported | Metrics, logs, APM traces
Grafana | Supported | Prometheus queries, dashboards, alerts
New Relic | Supported | NRQL queries, APM summary
Elasticsearch | Supported | Log search, aggregations

Cloud Providers

Platform | Status | Capabilities
AWS | Supported | CloudWatch, EC2, Lambda, RDS, ECS, CodePipeline
GCP | Roadmap | Cloud Logging, GKE, Cloud Run
Azure | Roadmap | Monitor, AKS, Functions

Infrastructure

Platform | Status | Capabilities
Kubernetes | Supported | Pod logs, events, deployments, metrics
Docker | Supported | Container logs, exec, compose

Data & CI/CD

Platform | Status | Capabilities
Snowflake | Supported | SQL queries, data enrichment
GitHub | Supported | Code search, PRs, Actions, webhooks
Confluence | Supported | Documentation search
Google Docs | Supported | Runbook search

Data Source Architecture

Credential Management

All credentials should be stored securely using vault references:
{
  "tools": {
    "coralogix": {
      "api_key": "vault://secrets/coralogix-api-key"
    }
  }
}
Never store credentials in plain text in configuration files.

Vault Reference Format

vault://path/to/secret
IncidentFox supports:
  • AWS Secrets Manager
  • HashiCorp Vault
  • Environment variables (for development)
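
A pre-commit or CI check can enforce the vault-reference rule from Credential Management before a configuration reaches IncidentFox. The following is an added example, not IncidentFox code: the credential key names other than `api_key`, the exact reference grammar, and the sample config (beyond the coralogix entry) are assumptions made for illustration. It accepts only the `vault://` form, so a development setup that uses environment variables would need its own allowance.

```python
import json
import re

# Assumption: key names treated as credential fields. The page shows only "api_key";
# the other names are hypothetical additions for illustration.
SECRET_KEY_RE = re.compile(r"(api_key|app_key|token|password|secret)", re.IGNORECASE)
# Assumption: a reference is "vault://" plus one or more non-empty path segments,
# modelled on the page's vault://path/to/secret.
VAULT_REF_RE = re.compile(r"^vault://[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)*$")


def find_plaintext_credentials(node, path=""):
    """Return (path, reason) for credential fields that are not vault references."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, (dict, list)):
                findings += find_plaintext_credentials(value, child)
            elif SECRET_KEY_RE.search(key):
                if not isinstance(value, str) or not value.strip():
                    findings.append((child, "empty or non-string value"))
                elif not VAULT_REF_RE.match(value):
                    # Never echo the value itself: it may be a live secret.
                    reason = ("malformed vault reference" if value.startswith("vault://")
                              else "plaintext value")
                    findings.append((child, reason))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings += find_plaintext_credentials(item, f"{path}[{i}]")
    return findings


# Constructed sample config; only the coralogix entry mirrors the page.
SAMPLE_CONFIG = json.loads("""
{
  "tools": {
    "coralogix": {"api_key": "vault://secrets/coralogix-api-key"},
    "datadog": {"api_key": "vault://secrets/datadog-api-key", "app_key": "dd-app-EXAMPLE-not-a-real-key"},
    "github": {"token": "vault://"}
  }
}
""")

if __name__ == "__main__":
    for location, reason in find_plaintext_credentials(SAMPLE_CONFIG):
        print(f"{location}: {reason}")
```

The findings report only the field path and the reason, so the check's own output never copies a leaked secret into CI logs.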

Quick Setup

  1. Choose Your Data Sources: Identify which platforms you want IncidentFox to access
  2. Create API Keys: Generate read-only API keys for each platform
  3. Store in Vault: Add credentials to your secrets manager
  4. Configure in Web UI: Add data source configuration in Team Console
  5. Test Connection: Verify IncidentFox can access each data source

Required Permissions

Each data source requires specific permissions. Generally, IncidentFox needs read-only access for investigation.
Data Source | Required Permissions
Coralogix | API key with read access
AWS | CloudWatch read, EC2 describe, RDS read
Kubernetes | Pod logs, events, describe resources
GitHub | Repo read, issues read, PRs read
Snowflake | SELECT on relevant tables
Datadog | API key + App key with read access
Principle of least privilege: Only grant permissions that are necessary for investigation. IncidentFox doesn’t need write access unless you enable auto-remediation.

Data Flow

When IncidentFox investigates an incident:
  1. Agent determines which data sources are relevant
  2. Tools are invoked to query each data source
  3. Data is retrieved and processed locally
  4. Results are correlated across sources
  5. Findings are reported back to the user
Data is:
  • Retrieved on-demand (not continuously polled)
  • Processed in-memory (not stored long-term)
  • Filtered by time range (typically last 1-24 hours)
