Step 4: Set Up Incident Response
10 min · Connect your incident platform and create a response plan. When incidents arrive, your agent automatically investigates and generates detailed execution plans.
What you'll accomplish
By the end of this step, your agent will:
- Receive incidents from Azure Monitor, PagerDuty, or ServiceNow
- Automatically investigate matching incidents
- Generate AI execution plans from your instructions
- Collect evidence and provide recommendations
Prerequisites
| Requirement | Details |
|---|---|
| Agent created | Complete Step 1 first |
| Incident platform | Azure Monitor (default), PagerDuty, or ServiceNow |
While not required, completing Step 2: Add Knowledge and Step 3: Connect Source Code significantly enhances incident response. Your agent will reference YOUR runbooks and correlate issues to specific code changes—turning generic investigations into team-specific root cause analysis.
Step 1: Connect your incident platform
Azure Monitor (default)
Azure Monitor is connected automatically when you create your agent. No additional configuration needed.
PagerDuty or ServiceNow
- Click Settings in the left sidebar.
- Select Incident platform.
- Choose your platform from the dropdown:
- PagerDuty — Enter your REST API access key
- ServiceNow — Enter instance URL and credentials
- Click Save.
Your agent now receives incidents from your platform.
Step 2: Create a response plan
The recommended way to create response plans is from the Subagent builder canvas, where you can visualize which triggers route to which subagents.
- Click Builder in the left sidebar.
- Select Subagent builder.
- Find the subagent you want to handle incidents and click the + button on its left side.
- Select Add incident trigger.
- Configure the trigger: set a name, select severity levels (e.g., P1 + P2), choose the impacted service, and optionally add a title keyword filter.
- Choose the autonomy level (Review recommended to start).
- Preview matching incidents, then click Create.
Your trigger appears as a node connected to the subagent on the canvas.
When you first connect an incident platform, a default quickstart response plan may be created automatically. If you're setting up your own triggers through the Subagent builder, delete the default plan from Builder → Incident response plans to avoid conflicts — two overlapping plans can cause incidents to be handled by the wrong subagent or duplicated.
For the full step-by-step guide with screenshots, see the Set up an incident trigger tutorial.
What happens when an incident arrives
When an incident matches your plan, the agent handles it automatically:
- Retrieves incident details from your platform
- Searches memory for similar past incidents and relevant docs
- Executes the plan — running commands, collecting evidence
- Summarizes findings with timestamps and recommendations
Example findings
From a real container app incident:
Summary:
- Container restarted around 01:27Z with memory dropping sharply
- Current config: 2Gi memory, 1 CPU, minReplicas=2, maxReplicas=4
Likely cause: Transient container restart (OOM or deployment)
Recommended actions:
- Increase minReplicas to 3-4 to reduce restart impact
- Review container health probes
Your agent provides actionable recommendations based on evidence—not generic advice.
What you unlocked
✅ Your agent now:
- Receives incidents from your platform automatically
- Investigates using memory and past incident context
- Executes response plans without manual intervention
- Collects evidence and provides actionable recommendations
Next step
�→ Step 5: Automate and Extend
Learn more
- Incident response — Full capability details
- Incident response plans — Advanced filtering and configuration
- Tutorial: Set up response plans — Step-by-step guide with screenshots
- Tutorial: Scheduled health checks — Proactive monitoring