This page provides details on insights in Incident Response and Management (IRM).

IRM insights help you accelerate your incident investigation process and ultimately reduce your incident mitigation and resolution time.

Insights point you to the potential triggers and contributing factors for an alert, steering your investigation in an appropriate direction and enabling you to address the root-cause issues.

Viewing insights

Where available for a given alert, insights are shown in the Alert Details view in an Insights panel under the alerting metric chart. For example, your alert might contain metric correlation insights:


"No insights to display" indicates that IRM currently has no insights for this alert. In some cases, insights might be discovered later and will be displayed automatically.

Types of insights

The following section lists the types of insights available in IRM. These insights, if available for an alert, are generated automatically; you don't need to configure them.

Metric correlation

Metric correlation insights identify a metric that is strongly correlated (positively or negatively) with the time series that triggered the alert. The correlated metric might indicate a cause of the problem, or possibly a secondary effect that didn't trigger an alert.

A predetermined set of metrics is used for the correlation.

Anomalous behavior

Anomalous behavior insights identify any Google Cloud services that exhibited anomalous behavior near the time the alerting policy was triggered. These insights indicate that the problem might have been caused by an issue in the Google Cloud service.

For instance, an anomalous behavior insight might include the following type of statement:

"The service at us-east1 experienced recent anomalous behavior in the google.longrunning.Operations.GetOperation method for the request_latency_50 health metric."

Alerting policy modified

Alerting policy modified insights report whether the alerting policy that triggered the alert was recently modified. These insights indicate that the policy might have been misconfigured, thereby triggering a false positive alert, or that the condition was pre-existing.

For instance, an alerting policy modified insight might include a similar statement:

"The alerting policy was modified 2 mins prior to this alert firing."

What's next

Use insights to investigate an alert; for details, go to Investigating an alert.