
User Journey: From Data to Incident

This journey is for platform and observability teams who want to go from raw data to incidents without manual creation. It covers connecting sources, discovery, correlation, and how incidents are created automatically.

Overview

Data sources → Discovery (optional) → Events/Alerts → Correlation rules → Incident

Step 1: Connect data sources

What to connect:

  • Metrics: Prometheus, Datadog, cloud metrics (e.g. AWS CloudWatch), or metrics from the Edge Agent.
  • Logs: Datadog, Splunk, Elastic, or log collectors (e.g. Edge Agent).
  • Traces: OpenTelemetry, Jaeger, or APM integrations.
  • Alerts/events: PagerDuty, ServiceNow, Jira, or webhooks that send alert payloads.

Where: CONFIGURE → Integrations or Data Sources (or Discovery) in the sidebar.

How to use:

  1. Choose the integration (e.g. Prometheus, Datadog).
  2. Enter endpoint URL and credentials (API key, OAuth, etc.).
  3. Configure what to pull (e.g. scrape targets, log indexes).
  4. Save and verify: check that metrics or logs appear in the platform (e.g. in a dashboard or log explorer).

Outcome: Telemetry and/or alert events are flowing into AtlasAI.


Step 2: Discovery (optional)

Discovery turns raw data into entities and relationships (services, hosts, dependencies). That improves correlation and RCA.

Where: Discovery is often under Data Sources, Discovery, or Topology.

How to use:

  1. Create or run a discovery job (e.g. Kubernetes cluster, cloud account, or CMDB sync).
  2. Discovery runs on a schedule or on demand; it populates the dependency graph and CMDB.
  3. Check Topology or CMDB to see discovered services and relationships.

Outcome: You have a graph of services and dependencies; correlation and RCA can use it.


Step 3: Events and alerts in the system

How events get in:

  • Integrations: Prometheus Alertmanager, Datadog monitors, PagerDuty, ServiceNow — each can send events or webhooks.
  • Internal rules: Threshold or anomaly rules on ingested metrics/logs can generate events.
  • Edge Agent: Alert rules in the agent can push events to the control plane.

Where to see them: Event stream or Correlation view (depending on your deployment). Alerts may also show in Command Center or Incidents if they’re already correlated.

Outcome: Events are in the platform; the next step is to turn them into incidents via correlation.


Step 4: Configure correlation rules

Correlation rules group related events and create (or attach to) an incident.

Where: Correlation (sidebar or under Modules).

How to use:

  1. Create a correlation rule:
    • Name and description
    • Conditions: e.g. same service, same time window, same alert type, or same topology subtree
    • Action: Create new incident, or attach to existing incident (e.g. same service)
  2. Set default severity and category for the created incident if needed.
  3. Save and enable the rule.

Examples:

  • “All alerts for service X in a 5-minute window → one incident.”
  • “Any P1 from PagerDuty → create incident and set P1.”
  • “Events with same host or pod → attach to same incident.”

Outcome: When matching events arrive, the platform creates or updates an incident automatically.
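
The first example rule above, sketched in Python as an added illustration (not AtlasAI code or its rule engine): events for the same service within a 5-minute window attach to one incident, and a later event opens a new one. The event fields, the P4 to P1 severity ordering, and anchoring the window at the incident's first event are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)              # the "5-minute window" in the first rule
SEVERITY_ORDER = ["P4", "P3", "P2", "P1"]  # assumed scale, lowest to highest

@dataclass
class Incident:
    service: str
    severity: str
    opened: datetime
    evidence: list = field(default_factory=list)  # the correlated events

def correlate(events, window=WINDOW):
    """Attach each event to its service's latest incident if it falls within
    `window` of that incident's first event; otherwise create a new incident."""
    incidents, current = [], {}  # current: service -> latest incident
    for ev in sorted(events, key=lambda e: e["ts"]):
        inc = current.get(ev["service"])
        if inc is None or ev["ts"] - inc.opened > window:
            inc = Incident(ev["service"], ev["severity"], ev["ts"])
            incidents.append(inc)
            current[ev["service"]] = inc
        inc.evidence.append(ev)
        # The incident takes the highest severity seen among its events.
        if SEVERITY_ORDER.index(ev["severity"]) > SEVERITY_ORDER.index(inc.severity):
            inc.severity = ev["severity"]
    return incidents

# Constructed sample events (not real platform output).
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE_EVENTS = [
    {"service": "checkout", "severity": "P3", "ts": T0},
    {"service": "checkout", "severity": "P1", "ts": T0 + timedelta(minutes=2)},
    {"service": "payments", "severity": "P2", "ts": T0 + timedelta(minutes=3)},
    {"service": "checkout", "severity": "P3", "ts": T0 + timedelta(minutes=9)},
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc.service, inc.severity, inc.opened.time(), len(inc.evidence))
```

With a window anchored at the first event, a long alert storm splits into several incidents; a window that slides with each new event would instead keep one incident open for as long as alerts keep arriving.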


Step 5: Incidents created automatically

Once correlation rules are in place:

  • Incoming events that match a rule create (or update) an incident.
  • The incident appears in Command Center and Incidents with:
    • Title (e.g. from rule or first alert)
    • Severity and category
    • Linked evidence (the events that were correlated)

What you do next: Follow the Alert to resolution journey: add evidence, run RCA, runbook, execute, resolve.


Summary: where to go in the UI

Step | Where in AtlasAI
Connect data | CONFIGURE → Integrations, Data Sources, or Discovery
Run discovery | Discovery, OBSERVE → Topology (Service Map)
See events | Event stream, Correlation view
Define grouping | Correlation → rules
See resulting incidents | Command Center, Incidents

See also