diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index ebd93545ab90f..8fd879640b87e 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -2033,26 +2033,31 @@ menu: parent: service_management_heading identifier: incidents weight: 20000 + - name: Declare an Incident + url: service_management/incident_management/declare + parent: incidents + identifier: incident_declare + weight: 1 - name: Incident Details url: service_management/incident_management/incident_details parent: incidents identifier: incident_details - weight: 1 + weight: 2 - name: Incident Settings url: service_management/incident_management/incident_settings parent: incidents identifier: incidents_settings - weight: 2 + weight: 3 - name: Incident Analytics url: service_management/incident_management/analytics parent: incidents identifier: analytics - weight: 3 + weight: 4 - name: Datadog Clipboard url: service_management/incident_management/datadog_clipboard parent: incidents identifier: incidents_clipboard - weight: 4 + weight: 5 - name: Guides url: service_management/incident_management/guides parent: incidents diff --git a/content/en/security/threats/security_signals.md b/content/en/security/threats/security_signals.md index 7f9a0ad400078..f5c7e78af4b90 100644 --- a/content/en/security/threats/security_signals.md +++ b/content/en/security/threats/security_signals.md 
@@ -55,8 +55,9 @@ Use [Case Management][6] to track, triage, and investigate security signals. Use [Incident Management][5] to create an incident for a security signal. 1. On the [Signals Explorer][4], select a security signal. -2. On the signal side panel, click the **Escalate Investigation** dropdown menu and select **Declare incident**. Alternatively, select **Add to incident** to add the signal to an existing incident. -3. On the incident creation modal, configure the incident by specifying details such as the severity level and incident commander. +1. On the signal side panel under *Next Steps*, click the **Show all actions** dropdown menu and select **Declare incident**. +1. Alternatively, select **Add to incident** to add the signal to an existing incident. +1. On the incident creation modal, configure the incident by specifying details such as the severity level and incident commander. 4. Click **Declare Incident**. ## Run a workflow diff --git a/content/en/service_management/incident_management/_index.md b/content/en/service_management/incident_management/_index.md index 06ba8d5cb043b..bc05053990ab8 100644 --- a/content/en/service_management/incident_management/_index.md +++ b/content/en/service_management/incident_management/_index.md 
@@ -32,80 +32,24 @@ Any event that may lead to a disruption in your organization's services can be d Incidents live in Datadog alongside the metrics, traces, and logs you are collecting. You can view and filter incidents that are relevant to you. -In the Datadog paradigm, any of the following are appropriate situations for declaring an incident: +## Get Started -* An issue is or may be impacting customers or services. -* You do not know whether you should call an incident. Notify other people and increase severity appropriately. +Incident Management requires no installation. Get started by taking a Learning Center course, reading our guided walkthrough, or declaring an incident. -## Usage +{{< whatsnext desc="Learn more about Incident Management:">}} + {{< nextlink href="https://learn.datadoghq.com/courses/intro-to-incident-management" >}}Learn about Datadog Incident Management by working through a hands-on examples{{< /nextlink >}} + {{< nextlink href="https://docs.datadoghq.com/getting_started/incident_management/" >}}Guided walkthrough of an Incident workflow{{< /nextlink >}} + {{< nextlink href="/service_management/incident_management/declare" >}}Declare an incident{{< /nextlink >}} +{{< /whatsnext >}} -Incident Management requires no installation. To view your incidents, go to the [Incidents][1] page to see a feed of all ongoing incidents. You can configure additional fields that appear for all incidents in [Incident Settings][2]. +## View your incidents +To view your incidents, go to the [Incidents][1] page to see a feed of all ongoing incidents. +- Filter your incidents through the properties listed on the left, including Status, Severity, and Time To Repair (hours). +- Use the Search field to enter tag attributes or keywords. +- Export your search results with the Export button at the top of the incident list. +- Configure additional fields that appear for all incidents in [Incident Settings][2]. 
-**Note**: View your Incidents list from your mobile device home screen and manage/create incidents by downloading the [Datadog Mobile App][3], available on the [Apple App Store][4] and [Google Play Store][5]. - -{{< img src="service_management/incidents/incidents-list-mobile.png" style="width:100%; background:none; border:none; box-shadow:none;" alt="Incidents on Mobile App">}} - -### Creating an incident - -#### From a graph - -You can declare an incident directly from a graph by clicking the export button on the graph and then clicking **Declare incident**. The incident creation modal appears, and the graph is added to the incident as a signal. - -{{< img src="service_management/incidents/from-a-graph.png" alt="Create in incident from a graph" style="width:80%;">}} - -#### From the Clipboard - -Use the Datadog Clipboard to gather multiple monitors and graphs and to generate an incident. To add a dashboard to the Clipboard, copy any graph, and then select **Open Clipboard**. Add all of the relevant graphs and monitors to the Clipboard and then click **Add to New Incident**. Everything on the Clipboard is added to the incident as a signal. - -{{< img src="service_management/incidents/from-clipboard.png" alt="Add a dashboard to the clipboard" style="width:80%;">}} - -{{< img src="service_management/incidents/clipboard.png" alt="Create in incident from the clipboard" style="width:80%;">}} - -**Note**: In addition to exporting from an incident, data on the Clipboard can be exported to a new dashboard or a notebook. - -#### From a monitor - -You can declare an incident directly from a monitor by clicking **Declare incident**. The incident creation modal appears, and the monitor is added into the incident as a signal. - -{{< img src="service_management/incidents/incident-from-monitor.png" alt="Create an incident from a monitor" style="width:80%;">}} - -You can also add a monitor to an existing incident. 
- -{{< img src="service_management/incidents/existing.png" alt="Add a monitor to an existing incident" style="width:80%;">}} - -#### From a Security Signal - -Declare an incident directly from a Cloud SIEM or Cloud Security Management Threats signal by clicking the kebab button on the top right of the side panel, and clicking **Declare incident**. - -Declare an incident from an Application Security Management signal by selecting the export button on the top right of the side panel, and clicking **Export to incident**. - -{{< img src="service_management/incidents/security-signal-incidents.png" alt="Create an incident from a security signal" style="width:80%;">}} - -#### From the Incidents page - -In the [Datadog UI][1], click **Declare Incident** to create an incident. - -{{< img src="/service_management/incidents/declare_incident_make_private.png" alt="Incident Declaration Modal" style="width:80%;">}} - -The incident creation modal provides responders with a collapsible side panel that contains helper text and descriptions for the severities and statuses used by your organization. The helper text and descriptions are customizable in the [Incident Settings][6]. You also have the option to make the incident private to limit access to only responders. - -#### From Slack - -Once you have the [Datadog integration enabled on Slack][7], from any Slack channel you can use the slash command `/datadog incident` to declare a new incident. - -In the creation modal, you add a descriptive title, select whether customers were impacted (yes, no, or unknown) and select a severity level (1-5, unknown). - -If the user declaring the incident has connected their Slack to their Datadog account, then by default that user becomes the Incident Commander (IC). If the person declaring an incident is not a member of a Datadog account, then the IC is unassigned. You can change the IC on the [incidents page][1] later if necessary. 
- -After you declare an incident from Slack, it generates an incident channel. - -{{< img src="service_management/incidents/from-slack.png" alt="Create in incident from Slack" style="width:60%;">}} - -Read more about using the Datadog Slack App [here][8]. - -{{< site-region region="eu" >}} -For {{< region-param key="dd_site_name" >}} customers who use Slack, stay informed about the Slack app by filing a ticket at https://help.datadoghq.com/. -{{< /site-region >}} +You can also view your Incidents list from your mobile device home screen and manage/create incidents by downloading the [Datadog Mobile App][3], available on the [Apple App Store][4] and [Google Play Store][5]. ## Describing the incident diff --git a/content/en/service_management/incident_management/declare.md b/content/en/service_management/incident_management/declare.md new file mode 100644 index 0000000000000..04b53391d97b9 --- /dev/null +++ b/content/en/service_management/incident_management/declare.md 
@@ -0,0 +1,73 @@ +--- +title: Declare an Incident +--- + +## Overview + +In the Datadog paradigm, any of the following are appropriate situations for declaring an incident: +- An issue is or may be impacting customers. +- You believe an issue (including an internal one) needs to be addressed as an emergency. +- You don't know if you should call an incident - notify other people and increase severity appropriately. + +You can declare an incident from multiple places within the Datadog platform, such as a graph widget on a dashboard, the Incidents UI, or any alert reporting into Datadog. + +## From the Incident page + +In the [Datadog UI][1], click **Declare Incident** to create an incident. + +The *Declare Incident* modal displays a collapsible side panel that contains helper text and descriptions for the severities and statuses used by your organization. The helper text and descriptions are customizable in [Incident Settings][2]. + +## From a monitor + +You can declare an incident directly from a monitor from the Actions dropdown. Select **Declare incident** to open an incident creation modal, and the monitor is added into the incident as a signal. You can also add a monitor to an existing incident. + +{{< img src="service_management/incidents/declare/declare_monitor.png" alt="Actions dropdown menu on monitors where you can select the Declare incident option" style="width:50%;" >}} + +## From a Security Signal + +Declare an incident directly from a Cloud SIEM or Cloud Security Management Threats signal side panel, by clicking **Declare incident** or **Escalate Investigation**. For more information, see [Investigate Security Signals][3] for Cloud Security Management. + +Declare an incident from an Application Security Management signal through the actions listed in the signal side panel. Click **Show all actions** and click **Declare Incident**. +For more information, see [Investigate Security Signals][4] for Application Security Management. 
+ +{{< img src="/service_management/incidents/declare/declare_asm.png" alt="Your image description" style="width:90%;" >}} + +## From a case + +Declare an incident from [Case Management][5]. From the individual case detail page, click **Declare incident** to escalate a case to an incident. + +{{< img src="service_management/incidents/declare/declare_case_management.png" alt="An example case page highlighting the Declare Incident button at the top of the page" style="width:90%;" >}} + +## From a graph +You can declare an incident directly from a graph by clicking the export button on the graph and then clicking **Declare incident**. The incident creation modal appears, and the graph is added to the incident as a signal. + +{{< img src="service_management/incidents/from-a-graph.png" alt="Create in incident from a graph" style="width:80%;">}} + +## From the Datadog Clipboard +Use the [Datadog Clipboard][6] to gather multiple monitors and graphs and to generate an incident. To declare an incident from the Clipboard, copy a graph you want to investigate and open the Clipboard with the command `Cmd/Ctrl + Shift + K`. Click **Declare Incident** or the export icon to add to the incident as a signal. + +{{< img src="service_management/incidents/declare/declare_clipboard.png" alt="Declare an incident from the Datadog Clipboard" style="width:90%;" >}} + +## From Slack + +If you have the [Datadog integration enabled on Slack][7], you can declare a new incident with the slash command `/datadog incident` from any Slack channel. + +If the user declaring the incident connected their Slack to their Datadog account, by default, that user is listed as the Incident Commander. The Incident Commander (IC) can be changed later in-app if necessary. If the user declaring an incident is not a member of a Datadog account, then the IC is assigned to a generic `Slack app user` and can be assigned to another IC in-app. 
+ +{{< img src="service_management/incidents/from-slack.png" alt="Create in incident from Slack" style="width:60%;">}} + +After you declare an incident from Slack, it generates an incident channel. + +## What's next + +{{< whatsnext desc="Add helpful information to your incident and give context to everyone that is involved in the investigation.">}} + {{< nextlink href="/service_management/incident_management/#describing-the-incident" >}}Describe the Incident: Add context and details{{< /nextlink >}} +{{< /whatsnext >}} + +[1]: https://app.datadoghq.com/incidents +[2]: /service_management/incident_management/incident_settings#information +[3]: /security/threats/security_signals/#declare-an-incident +[4]:/security/application_security/threats/security_signals/#declare-an-incident +[5]: /service_management/case_management/view_and_manage +[6]: /service_management/incident_management/datadog_clipboard +[7]: /integrations/slack/?tab=slackapplicationbeta#using-the-slack-app diff --git a/content/en/service_management/incident_management/incident_details.md b/content/en/service_management/incident_management/incident_details.md index 5b642c7aa7d0b..2775eaefcef3b 100644 --- a/content/en/service_management/incident_management/incident_details.md +++ b/content/en/service_management/incident_management/incident_details.md 
@@ -13,7 +13,7 @@ further_reading: {{< img src="/service_management/incidents/incident_details/incident_overview_page.png" alt="Incident details page of an Active SEV-4 incident." style="width:100%;">}} -Every incident in Datadog has its own Incident Details page where you can manage your incident's property fields, signals, tasks, documents, responders, and notifications. An Incident Details page is available after you [create a new incident][1]. The Incident Details page contains a global header for quick access to key actions, while the remaining body of the page is divided into different sections using tabs to group related incident data together. The first of these sections is the Overview. +Every incident in Datadog has its own Incident Details page where you can manage your incident's property fields, signals, tasks, documents, responders, and notifications. An Incident Details page is available after you [create a new incident][1]. The Incident Details page contains a global header for quick access to key actions, while the remaining body of the page is divided into different sections using tabs to group related incident data together. The first of these sections is the Overview tab. ## Global header @@ -21,9 +21,9 @@ The global header provides access to the [Status and Severity][2] selectors, and After you've moved an incident to the resolved status, an option appears in the header to generate a postmortem Notebook using a [postmortem template][5]. Configure your postmortem templates in the [Incident Settings][6] page to predefine the structure and content of your postmortems. -## Incident details overview section +## Incident details overview tab -Use the Overview section to specify an incident's properties and define customer impact. +Use the Overview tab to specify an incident's properties and define customer impact. By default, all incidents have the following properties: 
@@ -49,7 +49,7 @@ If your incident is customer-facing, specify the details in the Impact section: 4. Describe the nature of the impact on customers in `Scope of impact`. 5. Click **Save**. -In addition to housing your property fields, the Overview section also provides the following at-a-glance summary modules: +In addition to housing your property fields, the Overview tab also provides the following at-a-glance summary modules: 1. *Condensed Timeline*: Displays the times when the incident changes state as well as when impact started and ended for a high-level view of the incident's lifecycle. 2. *Latest Notifications*: Displays the most recent notification sent for the incident, with quick access to the full list of notifications in the [Notification section](#notifications-section). @@ -150,7 +150,7 @@ Work through an example workflow in the [Getting Started with Incident Managemen {{< partial name="whats-next/whats-next.html" >}} -[1]: /service_management/incident_management/#creating-an-incident +[1]: /service_management/incident_management/declare [2]: /service_management/incident_management/#describing-the-incident [3]: /service_management/incident_management/#integrations [4]: /service_management/incident_management/incident_settings#integrations diff --git a/content/en/service_management/incident_management/incident_settings.md b/content/en/service_management/incident_management/incident_settings.md index ebc4f07a3f219..1e97bb7a169fa 100644 --- a/content/en/service_management/incident_management/incident_settings.md +++ b/content/en/service_management/incident_management/incident_settings.md 
@@ -62,7 +62,7 @@ The `Teams` property field automatically populates from the [teams][6] defined i You can add more property fields to your settings by selecting one of your existing `key:value` pair [metric tags][7]. When you do this, the key of your property field is the start case of your metric tag's key (each word is capitalized and separated by spaces), and the values for the property field are equal to the values reported by the metric tag. -Property fields are organized into three tables that correspond to where the fields appear in the [Overview section][8] of the Incident Details page: +Property fields are organized into three tables that correspond to where the fields appear in the [Overview tab][8] of the Incident Details page: 1. `What Happened` 2. `Why It Happened` diff --git a/static/images/service_management/incidents/declare/declare_asm.png b/static/images/service_management/incidents/declare/declare_asm.png new file mode 100644 index 0000000000000..667a1a64fa55c Binary files /dev/null and b/static/images/service_management/incidents/declare/declare_asm.png differ diff --git a/static/images/service_management/incidents/declare/declare_case_management.png b/static/images/service_management/incidents/declare/declare_case_management.png new file mode 100644 index 0000000000000..0456e972c7421 Binary files /dev/null and b/static/images/service_management/incidents/declare/declare_case_management.png differ diff --git a/static/images/service_management/incidents/declare/declare_clipboard.png b/static/images/service_management/incidents/declare/declare_clipboard.png new file mode 100644 index 0000000000000..a5d5e679c75fd Binary files /dev/null and b/static/images/service_management/incidents/declare/declare_clipboard.png differ 
diff --git a/static/images/service_management/incidents/declare/declare_monitor.png b/static/images/service_management/incidents/declare/declare_monitor.png new file mode 100644 index 0000000000000..e55a4941b62b7 Binary files /dev/null and b/static/images/service_management/incidents/declare/declare_monitor.png differ
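Review bot: In `content/en/security/threats/security_signals.md` (hunk `@@ -55,8 +55,9 @@`), the rewritten steps use `1.` numbering but the unchanged last step still reads `4. Click **Declare Incident**.`, so the source list mixes two numbering styles; renumber that line to `1.` as well. Splitting "Alternatively, select **Add to incident**" into its own numbered step also makes an either/or choice read as a sequential step that comes before the incident creation modal; keep it in the same step as **Declare incident** or nest it as a sub-bullet under that step.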
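Review bot: In `content/en/service_management/incident_management/_index.md` (hunk `@@ -32,80 +32,24 @@`), the removed "From Slack" section carried a `{{< site-region region="eu" >}}` note that the new "From Slack" section in `declare.md` does not reproduce; carry it over or confirm it is obsolete. In the added lines, the first `nextlink` text reads "working through a hands-on examples" (drop "a" or use "example"), and the walkthrough link uses an absolute `https://docs.datadoghq.com/...` URL where the third link is site-relative. The removed lines were the visible uses of `[6]`, `[7]` and `[8]`, so check whether those reference definitions are still needed on this page.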
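Review bot: In the new `declare.md`, the "From a Security Signal" section tells Cloud SIEM and Cloud Security Management Threats users to click **Declare incident** or **Escalate Investigation**, but the `security_signals.md` hunk in this same patch replaces the **Escalate Investigation** dropdown with **Show all actions** under *Next Steps*, and `[3]` links to that page; align the two descriptions. The `declare_asm.png` image still has the placeholder `alt="Your image description"`, and the `[4]:/security/...` definition is missing the space after the colon that the other reference definitions have. The button label also alternates between **Declare incident** and **Declare Incident** within the file; use whichever matches the UI.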
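Review bot: In `incident_details.md` (hunk `@@ -21,9 +21,9 @@`), renaming the heading `## Incident details overview section` to `## Incident details overview tab` changes the anchor generated for it, while the `incident_settings.md` hunk updates only the link text of `[Overview tab][8]` and not the `[8]` definition; if `[8]` targets the old heading anchor, update it in this patch. The context line in hunk `@@ -49,7 +49,7 @@` still reads `[Notification section](#notifications-section)`, so decide whether the section-to-tab rename should apply there as well.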