Incidents
Riverbed Console surfaces anomalous events (represented by a detection) in an incident report. A detection is one or more indicators that are correlated and may act as a trigger for incident creation or runbook execution. An incident is a collection of one or more related triggers. Relationships that cause triggers to be combined into incidents include application, location, operating system, or a trigger by itself.
For new events, Riverbed Console generates a new incident to contain the event information gathered so far (i.e. the detection). So, an incident contains Primary Indicator information, and Correlated Indicators information (if any exist). Whenever a new incident is created, the platform automatically executes an associated runbook and its output is associated with the incident (in the Runbook Analysis section). A runbook is an automated workflow that executes a series of steps or tasks in response to a triggered event, such as the detection of anomalous behavior generating an incident, a lifecycle event, or a manually executed runbook.
For recurring events, Riverbed Console matches the recurrent detection to an existing active incident. The platform does not automatically execute runbooks for recurrences.
Each incident is a combination of the information gathered throughout the Analytics Pipeline (i.e. detection, Primary Indicator, and Correlated Indicators), and the result of the runbook execution (i.e. Impacts, Prioritization, Prioritization Factors, and Runbook Analysis).
Basic anatomy of an incident
An incident report combines information from the analytics pipeline (the detection, primary indicator, and any correlated indicators) with the result of runbook execution (impact, prioritization, and runbook analysis). Runbook-generated content can differ each time a runbook runs. The Incident Details page is organized into the following areas.
The table below summarizes each area, its source, and what it shows. Details follow in the sections below.
| Section | Source | Description |
|---|---|---|
| Header (summary) | Pipeline + Runbook | Priority and description |
| Management and lifecycle | Pipeline + User | State, timestamps, Notes, Activity Log, Share |
| Impact Summary | Runbook | Users, locations, and applications potentially impacted |
| Prioritization Factors | Runbook | Information used to set incident priority |
| Incident Source | Pipeline | Primary indicator and correlated indicators (the detection) |
| Runbook Analysis | Runbook | Trigger summary, execution history, status, and visualizations |
Header (summary)
Top-level summary for the incident.
- Priority: Default is Low when the incident is created. The runbook can update it. Runbook logic determines the final priority.
- Description: Taken from the primary indicator (e.g. "MS Teams at Boston shows an increase in % Retrans Packets").
Management and lifecycle
Information and tools for the incident lifecycle.
- State: New when created. You can change it to Investigating or Closed.
- Start Timestamp: When the platform created the incident.
- End Timestamp / Ongoing: When the incident ended, or Ongoing if it has not ended.
- Notes: Add and view comments on the incident.
- Activity Log: List of actions (e.g. Runbook status changed to Completed) with timestamps.
- Share: Copy the incident URL to share it.
Impact Summary
Runbook-generated assessment of potential business impact.
- Impacts: Users: Users potentially impacted (from runbook execution).
- Impacts: Locations: Locations potentially impacted.
- Impacts: Applications: Applications potentially impacted.
Prioritization Factors
Information the runbook used to set the incident priority.
Incident Source
Shows the detection from Correlation: the Primary Indicator (the anomaly Correlation chose as the main cause) and any Correlated Indicators. Each includes a short summary (entity, metric, location, timestamp) and a timeline chart. The charts show annotations (e.g. when the indicator fired, incident start, runbook execution, incident end, and for correlated indicators, when correlation started) and controls to move the time window (rewind, fast-forward, home in six-hour steps).
For where to find this on the page and how to read the timeline, see Incident Details page and Incident timeline.
Runbook Analysis
Shows which runbook ran, its execution status, and the outputs (tables, charts, cards, and similar) produced by that run. Execution starts with the detection/trigger from Correlation and then runs through the runbook nodes (a trigger is a set of one or more indicators that have been correlated based on certain relationships, such as time, metric type, application affected, location, or network device). Visualization nodes surface their output here.
- Trigger Summary: Comes from Correlation, is based on the primary indicator entity type, and is used to select the runbook.
- Runbook history: List of runs for this incident (usually one, or more if you rerun). Each entry shows priority, runbook name, and timestamp.
- Execution status: Icon that opens a window with errors, warnings, and variables. Completed vs. Completed with errors.
- Ellipses menu: Rerun Runbook (new execution and analysis), Open Runbook (read-only view; an Edit link opens the Runbook Editor).
- Per-run output: Tables, pie/bar/timeseries/bubble/correlation charts, cards, gauges, connection graphs, and text from runbook visualization nodes.
For more on the Incident Details page and Runbook Analysis output, see Incident Details page.
Incident lifecycle
Incident Lifecycle describes how incidents are created, how their state changes, and what events can occur over their life.