An incident manager application (IM) for responding to data security incidents in enterprise networks is disclosed. An IM tracks the incidents in an enterprise network by storing incident objects and incident artifact (IA) metadata created for the incidents, where the incident objects and IAs include information concerning the incidents. Incident response team (IRT) personnel of the enterprise networks can define action conditions within the IM that are associated with the incident objects. When the information within the incident objects and/or IAs meets the defined action conditions, the IM includes the objects that cause the action conditions to be satisfied in messages. Devices such as user account databases and configuration servers within the enterprise network can then download the messages and execute actions that reference the objects extracted from the downloaded messages to implement a response to the incidents.