
Incident Correlation

Use BigPanda to automatically cluster related incidents based on shared attributes, infrastructure dependencies, and behaviors. You can run cluster analysis for specific time periods or view live correlation analysis for active incidents. This accelerates root cause identification and provides a clearer look at what’s happening in your environments.

This feature leverages the IT Knowledge Graph and AI to detect patterns across high-volume alert streams—identifying when multiple seemingly separate alerts are actually part of the same larger incident.

Assistance required

Enabling Incident Correlation requires close coordination with the BigPanda team. Contact your BigPanda account manager if you’d like to enable this feature.

Key features

  • AI-powered analysis: BigPanda uses generative AI to analyze data from multiple data sources and infrastructure points to provide you with a comprehensive look at your incident history.

  • Accelerated root cause identification: Incident clusters make it easier to identify root cause and recurring issues.

  • Visualize downstream effects: Get a clearer picture of incident impact using interactive topology maps.

How to use incident correlation

Incident correlation generates incident clusters based on AI analysis of both live and historical incidents. These clusters show the relationships between similar incidents, suggest root causes, and categorize incidents based on their type. They can be generated for both live and past incidents.

To generate a cluster for a live incident, use the Cluster tab in the incident details pane. This cluster will only cover incidents that are correlated to that specific incident at the time that you open the tab. This cluster will be cached for several hours, so if you want to update the cluster, you will need to click Rerun analysis. This will generate a new analysis of the incident and may return different results based on new data.

Processing time for live incidents

Depending on how many incidents need to be correlated, it may take several minutes to finish generating an incident cluster. Partial results will be available within a few seconds, and results will be auto-updated until the analysis is successfully completed.

To run correlation analysis for all incidents in a specified time period, use the Incident Correlation tab in the incident console and create a new report. This will correlate all incidents during that time period into clusters that can then be analyzed individually.

Incident relationships

There are six different relationships that may occur between incidents:

  • Source Caused Target: The source incident is assessed as an upstream cause of the target.

  • Target Caused Source: The target incident is assessed as an upstream cause of the source.

  • Bidirectional Cause: Mutual causality/feedback loop, represented with links in both directions.

  • Common External Cause: Incidents share the same upstream external factor (non-directional).

  • Recurrence: The same or highly similar incident repeating at a different time; for recurrence-only clusters, the oldest occurrence is chosen as the primary by default.

  • General: Strongly related incidents (semantic/topological similarity) without asserted causality or recurrence.

Analyze correlated incident clusters

When you click on the Cluster tab inside a specific incident or open a cluster from a historical incident correlation report, you will see a graph that maps the relationships between correlated incidents, as well as a side panel that provides additional details.

Primary incident

The cluster centers on a primary incident, which is usually the suspected root cause. If a cluster has no causality relationships, however, the primary incident will be the oldest incident in the cluster.

If you want to set a different incident as the primary, you can do so by clicking on the incident within the graph and choosing Set as Primary from the right-hand panel.

Cluster analysis


Field

Description

1 - Cluster Overview

At-a-glance view of the key information for this cluster. Includes four sections:

  • High-level overview with the number of incidents and relationships, average confidence score, and affected service categories.

  • AI summary explaining why BigPanda correlated these incidents into a cluster. Use the Cluster Feedback field to send your BigPanda team feedback about the accuracy and usefulness of the AI summary.

  • A tally of the different relationship types in this cluster.

  • A list of the incidents in the cluster, including a direct link to each incident.

2 - Layout

Change the data visualization style.

Circular - View incidents on a radial graph centered around the primary incident.

Hierarchical - View incidents based on the degree of connection to the primary incident.

Layered - View incidents based on their incident type.

In all layouts, you can click an incident and drag it to reposition it on the graph.

3 - Graph Controls

Filter incidents based on relationship type and AI confidence score.

Note that changing relationship and confidence filters will only hide the connection lines between incidents, not the incidents themselves. If you wish to remove incidents from the view, select Only connected incidents.

4 - Types Legend

A legend explaining the types and subtypes of incidents and the associated icons.

Incident details

Click on any incident in the graph to see more details about that particular incident and the incidents connected to it.


Field

Description

1 - Incident overview

An overview of the incident, including a link to the incident page. Click Add feedback to send your BigPanda team feedback about the accuracy and usefulness of the incident summary.

If the incident you select is not the primary incident, you will have the option to Set as primary.

2 - Connected incidents

Overview of all the incidents directly connected to this incident, including a link to the incident page.

3 - Relationships

A breakdown of the different relationships between this incident and those it’s connected to.

Historical incident correlation reports

To create a new incident correlation analysis and view existing reports, navigate to the Incident Correlation tab in your BigPanda instance.

On this page, generate a new analysis by clicking + New Analysis Request or click the dropdown to view previous analysis periods.

Create a new incident correlation report

Create a new cluster analysis by navigating to Incident Correlation > + New Analysis Request, then define the time period you want to analyze.


Field

Description

1 - End date and time

The end of the analysis period.

2 - Look back period

The amount of time before the end date that you want to analyze. You can set a custom time range or choose from:

  • 30 minutes

  • 1 hour

  • 2 hours

  • 4 hours

  • 8 hours

  • 24 hours

3 - Minutes

If you selected a custom look back period, define the amount of time in minutes that you want BigPanda to analyze. (For example, if you wanted to analyze three days, you would input 4320 minutes.)

To optimize data accessibility and accuracy, we recommend that you cover no more than 1-2 days in one report.

4 - Selected analysis period

A confirmation of the days and times you set as your start and end dates. Note that the date and time default to the UTC time zone.

5 - Custom label

The name that will appear next to the analysis period in the results dropdown.

6 - Advanced edit

A customizable JSON script where you can view advanced settings for clustering. This should only be configured by your BigPanda account team. Coordinate with your team to explore customization options.

Processing time

Once you create a request, it could take anywhere from 15 minutes to a few hours for the analysis to be available. This is affected by several factors, such as the amount of data customers have, the configuration of the algorithm, and the lookback period.

View cluster analysis results

Generated cluster analyses can be viewed in the Incident Correlation tab. Select the desired analysis from the dropdown. The title of each analysis shows both the custom label and time period.


Each analysis lists a table of all the clusters generated during the selected time period. Select one of the following columns to sort the results by that metric.

  • Importance: An AI-generated score calculated from the priorities of the correlated incidents.

  • Incidents: The number of incidents included in this cluster.

  • Edges: The number of relationships between incidents.

  • Causation Edges: The number of causal relationships in a single cluster.

  • General Edges: The number of uncategorized relationships between incidents.

This table also provides an AI-generated summary of the correlation analysis. You can easily copy and paste this into another program by clicking the copy icon on the right side of the column.
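The relationship types, the primary-incident rule, and the edge columns described above can be modeled over a small cluster, as in this added example (not BigPanda code or a BigPanda API). The `Edge` record shape, the incident IDs and timestamps, and the rule that a suspected root cause is an incident that causes others but is caused by none are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Relationship names as listed under "Incident relationships" on this page.
CAUSAL = {"Source Caused Target", "Target Caused Source", "Bidirectional Cause"}

@dataclass(frozen=True)
class Edge:  # hypothetical record shape, not a BigPanda schema
    source: str
    target: str
    relationship: str

def causal_pairs(edge):
    """Normalize one edge into (cause, effect) pairs; non-causal types give none."""
    s, t = edge.source, edge.target
    return {"Source Caused Target": [(s, t)],
            "Target Caused Source": [(t, s)],
            "Bidirectional Cause": [(s, t), (t, s)]}.get(edge.relationship, [])

def pick_primary(started, edges):
    """started maps incident id -> start time; ties go to the older incident."""
    oldest_first = sorted(started, key=started.get)
    pairs = [p for e in edges for p in causal_pairs(e)]
    if not pairs:  # no causality relationships: the oldest incident is primary
        return oldest_first[0]
    causes = {c for c, _ in pairs}
    effects = {x for _, x in pairs}
    # Assumption: suspected root cause = causes something, caused by nothing.
    roots = [i for i in oldest_first if i in causes and i not in effects]
    return (roots or [i for i in oldest_first if i in causes])[0]

def cluster_row(started, edges):
    """Counts for the Incidents, Edges, Causation Edges and General Edges columns.
    Assumption: each relationship record is counted once."""
    return {"incidents": len(started), "edges": len(edges),
            "causation_edges": sum(e.relationship in CAUSAL for e in edges),
            "general_edges": sum(e.relationship == "General" for e in edges),
            "primary": pick_primary(started, edges)}

def at(hhmm):  # constructed timestamps, UTC
    return datetime(2025, 1, 10, *map(int, hhmm.split(":")), tzinfo=timezone.utc)

# Constructed sample cluster: INC-D is the oldest, but INC-A is the causal root.
STARTED = {"INC-A": at("09:00"), "INC-B": at("09:05"),
           "INC-C": at("09:07"), "INC-D": at("08:30")}
EDGES = [Edge("INC-A", "INC-B", "Source Caused Target"),
         Edge("INC-C", "INC-A", "Target Caused Source"),
         Edge("INC-B", "INC-C", "General"),
         Edge("INC-D", "INC-A", "Recurrence")]

if __name__ == "__main__":
    print(cluster_row(STARTED, EDGES))
```

In the sample, the oldest incident is not the primary because causal edges exist; with only Recurrence or General edges, the oldest incident is selected instead.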