During alert correlation, BigPanda assigns correlated events an incident identifier. This identifier is used throughout the BigPanda system to recognize whether two events are related to each other, and it is critical for ensuring that BigPanda incidents can be resolved. Incident identifiers are created from the tags and event data sent to BigPanda for each event.

By default, the incident identifier is a combination of the correlating events’ primary and secondary properties.

The incident_identifier may also be called the incident_key. The value of the incident_key can be overridden by explicitly setting a property in an alert payload, such as "incident_identifier": "${field1}${field2}".

Reserved Word

incident_identifier is a reserved system word within BigPanda and cannot be changed or redefined for use in custom enrichment. When sending incident_identifier fields to BigPanda, ensure that the key name is lowercase only.
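The two points above, the ${field} override of the incident key and the lowercase-only reserved word, are easy to get wrong in an integration before the payload ever reaches BigPanda. The following added example (not BigPanda's code) checks an outgoing alert payload for a mis-cased reserved key and previews the key the override would produce; the placeholder expansion is an assumption for illustration only, and the field names and values in the sample alert are constructed.

```python
import re
from typing import Any, Dict, List, Optional

PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)\}")
RESERVED = "incident_identifier"


def check_reserved_key(payload: Dict[str, Any]) -> List[str]:
    """Flag any case variant of the reserved key (e.g. Incident_Identifier).

    BigPanda expects the reserved word in lowercase only, so a mis-cased key
    would be treated as an ordinary tag rather than as the override.
    """
    return [
        f"key {key!r} must be lowercase {RESERVED!r}"
        for key in payload
        if key.lower() == RESERVED and key != RESERVED
    ]


def preview_incident_key(payload: Dict[str, Any]) -> Optional[str]:
    """Expand ${field} placeholders locally to show the resulting key.

    Assumption: each ${field} is replaced by the value of that field in the
    same payload. A placeholder that names a missing field is an error here,
    because a key built from missing data will not correlate as intended.
    """
    template = payload.get(RESERVED)
    if template is None:
        return None  # no override; BigPanda builds the key from primary/secondary properties
    missing = [f for f in PLACEHOLDER.findall(template) if f not in payload]
    if missing:
        raise KeyError(f"override references fields absent from payload: {missing}")
    return PLACEHOLDER.sub(lambda m: str(payload[m.group(1)]), template)


# Constructed sample alert payload; values are made up for illustration.
SAMPLE_ALERT = {
    "app_key": "<your-app-key>",
    "status": "critical",
    "host": "db-01.example.internal",
    "check": "disk_free",
    "description": "disk usage above 95%",
    "incident_identifier": "${host}${check}",
}

if __name__ == "__main__":
    print(check_reserved_key(SAMPLE_ALERT))    # []
    print(preview_incident_key(SAMPLE_ALERT))  # db-01.example.internaldisk_free
```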