Incident XML reference

Use the following response hierarchies as a reference to XML returned in response to any requests you send to incident data API.

Hierarchy

<incidents>
 <incident>
 <startTime> ... </startTime>
 <endTime> ... </endTime>
 <age> ... </age>
 <detectionTrace> ... </detectionTrace>
 <abnormality> ... </abnormality>
 <urgency> ... </urgency>
 <signalHighlights> ... </signalHighlights>
 <source>
   <signalName>
     <watchpoint>
       <name> ... </name>
     </watchpoint>
   </signalName>
 </source>
 </alert>
 <symptoms>
   <symptom>
     <metric>
       <name> ... </name>
     </metric>
     <symptomElements>
       <elements>
         <element> ... </element>
       </elements>
     </symptomElements>
   </symptom>
 </symptoms>
 </incident>
 <timezone>
   <offset> ... </offset>
 </timezone>
</incidents>

<incidents>

The <incidents> element is the container for multiple incidents.

<incidents> child elements

<incidents> attributes

<incident>

The <incident> element includes the following information about a single incident:

  • The time when the incident started and ended
  • How old the incident is
  • What triggered the incident
  • The incident abnormality rating
  • The number of user sessions that the incident affected
  • The incident urgency rating
  • Important values identified during the incident
  • The Watchpoint and Incident detection rule associated with the incident.
  • Any alerting settings configured for the incident
  • (for some requests) Information about elements that changed significantly during the incident (symptoms).

<incident> child elements

<incident> attributes

<abnormality>

The <abnormality> element indicates how abnormal an incident was.

The system calculates abnormality by counting the number of standard deviations away from the baseline your traffic behavior was during the incident.

The system represents abnormality as an index value from 1 to 4.

Measuring abnormality

<abnormality> attributes

<age>

The <age> element indicates how old the incident is, measured from the start time, expressed in weeks, days, hours, and minutes.

<age> attributes

<affectedSessions>

The <affectedSessions> element contains the number of user sessions the incident affected.

<affectedSessions> attributes

<detectionTrace>

The <detectionTrace> element contains Information about how the system detected the incident.

<detectionTrace> attributes

<urgency>

The <urgency> element contains the urgency rating for the incident.

To calculate urgency, the system takes into account the duration of the incident, the number of user sessions it affected, and how abnormal it was.

<urgency> attributes

<signalHighlights>

The <signalHighlights> element indicates the highest and lowest boundary values the system calculated for the duration of the incident, and the highest and lowest values it observed during the incident.

<signalHighlights> attributes

<source>

The <source> element identifies the incident detection rule that generated the incident.

<source> child elements

<source> attributes

<signalName>

The <signalName> element contains the name of the incident detection rule that generated the incident and identifies the Watchpoint associated with the rule.

<signalName> child elements

<watchpoint>

The <watchpoint> element identifies the Watchpoint associated with the incident detection rule that generated the incident.

<watchpoint> child elements

<symptoms>

The <symptoms> element is the container for all traffic properties (symptoms) the system measures change for during an incident.

<symptoms> child elements

<symptom>

The <symptom> element contains information about how values for a single traffic property, such as URI stem or Error code, changed during the incident.

<symptom> child elements

<metric>

The <metric> element identifies the traffic property the system observed changed values for.

Examples of traffic properties include:

  • URI host
  • Browser Name
  • URI stem
  • Server ID
  • Web Server ID

<metric> child elements

<metric> attributes

<symptomElements>

The <symptomElements> element is the container element for a list of values that changed significantly for the traffic property during the incident.

<symptomElements> child elements

<symptomElements> attributes

<elements>

The <elements> element contains a list of elements which changed significantly during the incident for the traffic property. For example, for the URI stem traffic property, this details a list of URI stem for which the system observed a significant change in traffic during the incident.

<elements> child elements

<element>

The <element> element defines a single element which changed significantly during the incident for the traffic property.

<element> attributes

<timezone>

The <timezone> element identifies the timezone you want to view the data in.

<timezone> child elements

back to top

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*