Terms like ‘incident’ play an important role in understanding IT and OT operations. There is usually an abundance of interpretations and definitions. You will also find different naming conventions with each vendor of tools for monitoring and service management. So, let’s dive in. How is an incident defined?
ITIL (v2) defines incidents as follows: “An event which is not part of the standard operation of a service and which causes or may cause disruption to or a reduction in the quality of services and Customer productivity.”
In ITIL v3 it is defined as “An unplanned interruption to an IT Service or a reduction in the Quality of an IT Service. Failure of a Configuration Item that has not yet impacted Service is also an Incident. For example, Failure of one disk from a mirror set.”
It says “event”, not “alert”. This is a bit confusing, because we somewhat agreed on the sequence event->alert->incident. Not all alerts are incidents, nor is there necessarily a 1:1 relation between alerts and incidents. Incidents can be linked to alerts, i.e. certain alerts indicate an incident. In many scenarios, alerts of a certain severity are automatically transferred to a service management system and are the basis for the creation of an incident ticket.
Just for completeness – here is another definition which is probably too limited:
“An incident is a human-caused, malicious event that leads to (or may lead to) a significant disruption of business.” Source: danielmiessner.com
Why should an incident only be caused by humans? If a manufacturing robot fails, this IS an incident. And it is not caused by humans (unless you wish to blame it on the designer of that machine).
How SIGNL4 relates to an incident
SIGNL4 does not necessarily differentiate alerts from incidents. But SIGNL4 can easily be configured to tag alerts as incidents, i.e. to automatically qualify certain alerts as incidents based on scope and payload. Using rule-based logic, such incidents can then be distributed to different teams in different ways, and they can be signaled visually and acoustically in a particular manner (e.g. using mute override).
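The alert-to-incident relation and the rule-based qualification described above, as an added Python example (it is not SIGNL4 configuration and not code from the original article). The alert fields (`ci`, `scope`, `severity`, `redundancy_lost`), the rule list and the team names are assumptions made for illustration, and the sample alerts are constructed.

```python
from dataclasses import dataclass, field

SEVERITY = {"info": 0, "warning": 1, "critical": 2}

@dataclass
class Incident:
    ci: str                 # configuration item the incident is about
    team: str               # team the incident is routed to
    mute_override: bool     # notify even if the recipient's device is muted
    alerts: list = field(default_factory=list)

# Hypothetical rules: (predicate on alert, fixed team or None, mute override). First match wins.
RULES = [
    # ITIL v3: failure of a CI that has not yet impacted service is still an incident.
    (lambda a: a.get("redundancy_lost", False), "storage", False),
    # Alerts of a certain severity become incidents, routed by the alert's own scope.
    (lambda a: SEVERITY[a["severity"]] >= SEVERITY["critical"], None, True),
]

def qualify(alerts, default_team="it-ops"):
    """Group alerts into incidents; return (incidents, alerts that stay plain alerts)."""
    incidents, plain = {}, []
    for alert in alerts:
        rule = next((r for r in RULES if r[0](alert)), None)
        if rule is None:
            plain.append(alert)            # not every alert is an incident
            continue
        _, team, override = rule
        inc = incidents.get(alert["ci"])
        if inc is None:
            inc = Incident(alert["ci"], team or alert.get("scope", default_team), override)
            incidents[alert["ci"]] = inc
        inc.mute_override = inc.mute_override or override
        inc.alerts.append(alert)           # several alerts can belong to one incident
    return list(incidents.values()), plain

# Constructed sample alerts (not real monitoring output).
SAMPLE_ALERTS = [
    {"ci": "robot-7", "scope": "ot-maintenance", "severity": "critical", "text": "arm axis fault"},
    {"ci": "robot-7", "scope": "ot-maintenance", "severity": "critical", "text": "line stopped"},
    {"ci": "san-01", "scope": "it-ops", "severity": "warning", "redundancy_lost": True, "text": "disk 1 of mirror set failed"},
    {"ci": "web-03", "scope": "it-ops", "severity": "warning", "text": "CPU at 85%"},
]

if __name__ == "__main__":
    incidents, plain = qualify(SAMPLE_ALERTS)
    for inc in incidents:
        print(inc.ci, inc.team, "mute_override" if inc.mute_override else "normal", len(inc.alerts))
    print("plain alerts:", [a["ci"] for a in plain])
```

Four alerts yield two incidents and one plain alert: the two robot alerts collapse into one incident, and the mirror-disk failure qualifies even though its severity is only a warning.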