Incident Lifecycle

The incident lifecycle is the sequence of states and events that an incident goes through from creation to closure. (An incident is a collection of one or more related triggers. Relationships that cause triggers to be combined into incidents include application, location, operating system, or a trigger by itself.) Understanding the lifecycle helps you triage incidents, see what changed and when, and use lifecycle events to drive automation (for example, lifecycle runbooks that notify external systems).

You see lifecycle information on the Incident Details page (state, timestamps, Activity Log) and on the incident timeline. For how an incident report is structured and where lifecycle data appears in it, see Incidents.

Creating an incident

When Riverbed Console creates an incident from a new detection (one or more indicators that are correlated and may act as a trigger for incident creation or runbook execution), the incident starts in the New state. The analytics pipeline (Ingest & Analytics and Correlation) populates the following areas:

  • Priority: Default is Low (the runbook can update it later).

  • Description: From the primary indicator.

  • State: New.

  • Start Timestamp: When the platform created the incident.

  • Ongoing: Indicates the incident has not yet ended.

  • Primary Indicator: The anomaly Correlation chose as the main cause.

  • Correlated Indicators: Any additional indicators grouped with the primary.

  • Trigger Summary: Comes from Correlation and is used to select the runbook.

State changes

Users control incident status (the current state of an incident or runbook, indicating its progress through investigation and resolution workflows). You can change state as you work the incident:

  • Investigating: The incident is under active investigation.

  • Closed: The incident is closed.

State changes appear in the Activity Log on the Incident Details page.

Lifecycle events

Over an incident's life, various events occur. Each event reflects a change to the incident (for example, runbook completed, indicators updated, or note added). The same events can be used to trigger lifecycle runbooks for integration with messaging or service management tools.

The table below summarizes the lifecycle events. Details follow.

| Event | Description |
| --- | --- |
| Impact Analysis Ready | Runbook has executed and impact assessment is complete. |
| Incident Indicators Updated | Pipeline identified a recurrence of indicators tied to this incident. |
| Incident Note Added | A user added a note to the incident. |
| Incident Note Updated | A user updated a note on the incident. |
| Ongoing Incident Changed | The incident has ended. End Timestamp is set and the incident is no longer Ongoing. |
| Incident Status Changed | A user changed the incident status (e.g. to Investigating or Closed). |

Impact analysis ready

The runbook has finished and impact assessment is complete. The runbook populates or updates the following areas:

  • Priority, Impacts (Users, Locations, Applications), Prioritization Factors

  • Runbook history, execution status, execution disposition

  • Runbook visualizations (tables, charts, and similar)

Incident indicators updated

The analytics pipeline (Ingest & Analytics and Correlation) has identified a recurrence of indicators related to this incident. (An indicator is an observed change in a specific metric stream that is recognized as being outside of an expected model. Indicators are correlated into triggers, and one or more triggers are grouped into incidents.) The platform updates Primary Indicator and Correlated Indicators (for example, recurrence count or correlation start).

Incident note added and incident note updated

A user added or edited a note on the incident. Notes appear in the Management and lifecycle area of the Incident Details page.

Ongoing incident changed

The incident has ended. The platform records an End Timestamp and the incident is no longer Ongoing. The incident ends when:

  • Performance-based incidents: No recurrence of associated indicators for a period of time (e.g. one hour).

  • State-based incidents: A period of time has passed after the last indicator entered the expected state.

Incident status changed

A user changed the incident status (for example, from New to Investigating, or to Closed). Status changes appear in the Activity Log.
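
The lifecycle described above can be replayed on the receiving side of an integration to rebuild incident state and measure time to triage. This is an added example, not Riverbed code: the event dict layout, its field names, the "High" priority value and the timestamps are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

STATUSES = ("New", "Investigating", "Closed")
COUNTED = ("Incident Indicators Updated", "Incident Note Added", "Incident Note Updated")

@dataclass
class Incident:
    start: datetime
    status: str = "New"                    # every incident starts in New
    priority: str = "Low"                  # default until the runbook updates it
    end: Optional[datetime] = None         # None while the incident is Ongoing
    counts: Counter = field(default_factory=Counter)
    activity: list = field(default_factory=list)  # (ts, old, new) status changes

def apply(inc, ev):  # fold one lifecycle event into the incident state
    ts, kind = datetime.fromisoformat(ev["ts"]), ev["event"]
    if kind == "Impact Analysis Ready":
        inc.priority = ev.get("priority", inc.priority)
    elif kind in COUNTED:
        inc.counts[kind] += 1
    elif kind == "Ongoing Incident Changed":
        inc.end = ts                       # End Timestamp set, no longer Ongoing
    elif kind == "Incident Status Changed" and ev.get("status") in STATUSES:
        inc.activity.append((ts, inc.status, ev["status"]))
        inc.status = ev["status"]
    else:
        raise ValueError(f"unexpected event or status: {ev}")

def replay(start, events):
    inc = Incident(datetime.fromisoformat(start))
    for ev in sorted(events, key=lambda e: e["ts"]):  # delivery order may differ
        apply(inc, ev)
    return inc

def seconds_to_investigate(inc):
    hit = next((ts for ts, _, new in inc.activity if new == "Investigating"), None)
    return (hit - inc.start).total_seconds() if hit else None

SAMPLE = [  # constructed events in a hypothetical layout, deliberately out of order
    {"ts": "2024-05-01T10:02:00", "event": "Impact Analysis Ready", "priority": "High"},
    {"ts": "2024-05-01T10:20:00", "event": "Incident Indicators Updated"},
    {"ts": "2024-05-01T10:05:00", "event": "Incident Status Changed", "status": "Investigating"},
    {"ts": "2024-05-01T10:06:00", "event": "Incident Note Added"},
    {"ts": "2024-05-01T11:20:00", "event": "Ongoing Incident Changed"},
    {"ts": "2024-05-01T11:30:00", "event": "Incident Status Changed", "status": "Closed"},
]
```

Calling `replay("2024-05-01T10:00:00", SAMPLE)` returns the rebuilt incident; an event name or status outside the ones listed on this page raises `ValueError` rather than being silently ignored.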