Each trigger is a set of one or more indicators that have been correlated based on certain relationships. A trigger can also be the result of a manual action. Triggers are grouped into incidents. One or more correlated indicators constitute a detection, which may act as a trigger.
Relationships between indicators that constitute a basis for correlation include:
Time (indicators occurring at approximately the same time)
Metric type (e.g. RTT increase, drop increase, bandwidth exceeds 85%)
For example: “30 indicators are identified for slower-than-expected RTT for application Acme for 10 different endpoints at location: Vancouver”. The trigger contains all 30 indicators because they share the relationships “application” and “location”.
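The grouping described above can be sketched as follows. This is an added example, not the product's own code: it correlates indicators that share metric type, application and location and that occur close together in time. The field names, the metric labels, the 5-minute window and the rule of chaining each indicator to the previous one are assumptions, and the sample data is constructed to mirror the Acme/Vancouver case.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Indicator:          # hypothetical record layout
    ts: datetime
    metric: str
    application: str
    location: str
    endpoint: str

WINDOW = timedelta(minutes=5)  # assumed meaning of "approximately the same time"

def correlate(indicators, window=WINDOW):
    """Return (key, members) triggers: same metric, application and location,
    with each member no more than `window` after the previous one."""
    by_key = defaultdict(list)
    for ind in indicators:
        by_key[(ind.metric, ind.application, ind.location)].append(ind)
    triggers = []
    for key, group in by_key.items():
        group.sort(key=lambda i: i.ts)
        current = [group[0]]
        for ind in group[1:]:
            if ind.ts - current[-1].ts <= window:
                current.append(ind)
            else:                       # time gap too large: start a new trigger
                triggers.append((key, current))
                current = [ind]
        triggers.append((key, current))
    return triggers

def sample_indicators():
    """Constructed data: 30 RTT indicators over 10 endpoints, plus unrelated ones."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    data = [Indicator(t0 + timedelta(seconds=5 * n), "rtt_increase", "Acme",
                      "Vancouver", f"ep-{n % 10}") for n in range(30)]
    data.append(Indicator(t0, "drop_increase", "Acme", "Vancouver", "ep-0"))  # other metric
    data.append(Indicator(t0, "rtt_increase", "Acme", "Toronto", "ep-20"))    # other location
    data.append(Indicator(t0 + timedelta(hours=2), "rtt_increase", "Acme",
                          "Vancouver", "ep-1"))                               # outside window
    return data

if __name__ == "__main__":
    for key, members in correlate(sample_indicators()):
        endpoints = {m.endpoint for m in members}
        print(key, len(members), "indicators,", len(endpoints), "endpoints")
```

The indicator with a different metric, the one at a different location and the one two hours later each end up in their own single-indicator trigger instead of joining the 30.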