Behavioral Incidents

Detect, investigate, and resolve community anomalies

What is an Incident?

An incident is a detected behavioral anomaly—a deviation from your server's established patterns that is significant enough to warrant attention. BIE automatically detects incidents and alerts you based on their severity.

Incident Characteristics

  • Measurable Deviation

    Clear statistical deviation from baseline (typically >15% change)

  • Time-Bounded

    Occurs within a specific hour/day, not a gradual trend

  • Categorized Type

    Classified into specific anomaly types for easier identification

  • Severity Assessed

    Assigned a severity level (critical, high, medium, low)

  • Correlated Events

    Linked to related incidents or events for context

Not All Anomalies Are Bad

An incident simply indicates an unusual pattern, not necessarily a problem. Positive anomalies (engagement spikes during events) are detected too. Context matters.

Incident Types

BIE categorizes incidents by their behavioral pattern. Understanding the type helps you respond appropriately.

Activity Drop

Sudden significant decrease in overall server activity (messages, voice, events) compared to baseline.

When It Happens

Often indicates member exodus, server outage, or scheduled quiet period

Suggested Action

Check server status, investigate member retention, post engagement content

Activity Spike

Unusual surge in messages, voice activity, or member joins beyond expected patterns.

When It Happens

May indicate an external event, a viral content moment, or raiding/spam activity

Suggested Action

Verify legitimacy, investigate source, check for coordinated activity

Engagement Cliff

Rapid decline in member interactions (reactions, replies, participation) despite ongoing activity.

When It Happens

Suggests loss of community interest, controversial content, or moderation action

Suggested Action

Review recent discussions, assess content quality, gather member feedback

Mass Membership Change

Unusual number of members joining or leaving within a short timeframe.

When It Happens

Can indicate successful recruitment drive, external raid, or mass removal

Suggested Action

Verify member legitimacy, review recent invites, assess quality of new members

Pattern Deviation

Activity occurring at unusual times or from unusual channels, breaking established patterns.

When It Happens

May indicate bot activity, timezone changes, or unusual behavior from regular members

Suggested Action

Investigate source, check automation settings, verify member status

Voice Anomaly

Unusual voice channel activity, duration, or participant patterns.

When It Happens

Could indicate scheduled event, gaming marathon, or unusual gathering

Suggested Action

Check channel history, verify participants, assess legitimacy

Incident Severity Levels

Each incident is assigned a severity level that indicates urgency and potential community impact.

CRITICAL

Severe deviation (>50% change)

Significant community impact requiring immediate review. Examples: 70% activity drop, mass member exodus, repeated spike incidents.

HIGH

Major deviation (30-50% change)

Notable impact on community metrics. Close monitoring recommended. Examples: 40% activity increase, sudden engagement cliff, moderate mass joins.

MEDIUM

Moderate deviation (15-30% change)

Noteworthy but not emergency-level. Worth investigating. Examples: 25% spike, channel-specific changes, isolated pattern deviation.

LOW

Minor deviation (<15% change)

Typical daily fluctuations or minor anomalies. Usually not actionable alone. Examples: slight time-of-day variations, single-channel blips.

Severity is Not Judgment

High severity doesn't mean the incident is bad—just that it's significant. A 60% spike in engagement during a successful event is critical severity but positive. Use severity as urgency level, not valence.

Investigating Incidents

When you receive an incident alert, follow these steps to understand what happened and determine appropriate action.

1. Review Incident Details

Open the incident from your alerts or incident dashboard. Review:

  • Type and severity classification
  • Specific metrics that changed
  • Comparison to baseline values
  • Exact time window of the anomaly
  • Affected channels or metrics

2. Check Activity Heatmaps

Navigate to the Activity Heatmaps section and:

  • Verify if the time window is an expected peak or trough
  • Check if the pattern matches established day/hour norms
  • Compare to previous weeks for recurring patterns
  • Identify if other activity types show similar anomalies

3. Review Channel History

Go to relevant channels and review activity during the incident window:

  • Look for announcements, controversial discussions, or moderation actions
  • Check pinned messages or recent thread activity
  • Verify if bot activity might have influenced metrics
  • Note any major community events or scheduled activities

4. Investigate Member Activity

For membership-related incidents:

  • Review recent member joins/leaves in member management
  • Check for invite links shared externally
  • Verify roles and permissions of new/departing members
  • Look for patterns suggesting organized activity

5. Consider External Context

Think about factors outside your server:

  • Marketing campaigns or content going viral
  • Scheduled events or live streams
  • External community news or drama
  • Timezone-specific events or holidays
  • Planned server downtime or maintenance

Create an Investigation Template

Keep notes on frequent incident types. Over time, you'll recognize patterns and be able to respond faster without detailed investigation.

Correlating Incidents

BIE automatically identifies relationships between incidents that appear causally connected. Understanding correlations helps you see the full picture.

Common Correlation Examples

Mass Join → Activity Spike

New members joining causes an increase in messages and activity as they introduce themselves and explore.

Announcement → Engagement Spike

Major announcement triggers reactions and discussions, showing community engagement with important news.

Moderation Action → Activity Drop

Deletion of spammy messages or removal of disruptive members immediately reduces anomalous activity.

Event Scheduling → Voice Spike

Organized gaming event or hangout causes burst of voice channel usage at scheduled time.

Pattern Deviation → Health Drop

Persistent unusual patterns across multiple incident types cause the overall health score to decline.

Bidirectional Relationships

Some incidents are cause and effect while others are simply co-occurring. An activity spike might cause an engagement cliff if the new activity is low-quality or off-topic. Review both directions.

Resolving Incidents

After investigating an incident, you can mark it with a resolution status and optional notes. This helps BIE learn your community's patterns and improves future detection.

Resolution Actions

Resolved - Expected

The incident was expected/planned (scheduled event, announced change). Helps BIE distinguish between anomalies and planned activities.

Resolved - Addressed

You took action to address the incident (removed spam, posted announcement, etc.). Mark when the problem is fixed.

Dismissed - False Positive

The incident was a false alarm or normal fluctuation. Mark incorrect detections to improve algorithm accuracy.

Dismissed - Benign

The incident is harmless (e.g., normal weekly pattern variation). Helps BIE learn your server's baseline.

Escalated - Needs Review

Flag serious incidents for leadership review or external investigation. Creates a review queue for moderation team.

Resolution Workflow

1. Acknowledge

Note the incident in your incident dashboard. Read the full details and severity assessment.

2. Investigate

Review correlated events, check channel activity, examine member behavior, look for external factors.

3. Context

Determine if the incident is expected (scheduled events, external collaborations) or concerning.

4. Action

Take appropriate action if needed (post announcement, investigate members, check settings).

5. Close

Mark incident as resolved, dismissed, or escalated. Provide optional notes for future reference.

Add Notes to Incidents

When resolving incidents, add contextual notes (e.g., "Scheduled bot maintenance," "External raid attempt," "New community event"). This helps leadership understand patterns and improves future analysis.

Incident Alert Notifications

BIE can notify you about detected incidents through various channels. Configure alerts to match your monitoring preferences.

Notification Channels

Discord Direct Message

Receive DM alerts directly for critical/high incidents in real-time

Dedicated Alerts Channel

Post incident alerts to a specific channel (e.g., #incidents or #mod-alerts)

Webhook Integration

Send alerts to external services (Slack, custom integrations) for multi-tool monitoring

Dashboard Notifications

View all incidents in the BIE dashboard with persistent history

Alert Customization

Severity Filtering

Choose which severity levels trigger alerts (only critical, critical+high, all levels)

Type-Specific Alerts

Configure different alert settings for different incident types

Quiet Hours

Set time windows to suppress non-critical alerts (e.g., night hours)

Threshold Adjustment

Fine-tune detection sensitivity based on your community's normal behavior

Alert Fatigue

Too many alerts can lead to ignoring them. Configure alerts conservatively—focus on critical incidents that actually need response. You can always check the dashboard for lower-severity incidents.
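
The severity bands and the alert customization options above, worked through as an added example (not BIE's own code or API): one hour's count is compared with a baseline, mapped to a severity, then passed through severity filtering and quiet hours. All function names, the mean-of-prior-weeks baseline, the band-edge handling and the sample numbers are assumptions made for illustration.

```python
from datetime import datetime, time
from statistics import mean

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

def severity_for(pct_change):
    """Map a percent change onto the severity bands listed on this page."""
    magnitude = abs(pct_change)  # drops and spikes are ranked alike
    if magnitude > 50:
        return "critical"
    if magnitude >= 30:  # assumption: a shared band edge counts as the higher band
        return "high"
    if magnitude >= 15:
        return "medium"
    return "low"

def assess(history, observed):
    """Compare one hour's count with the mean of the same hour in prior weeks."""
    baseline = mean(history)
    if baseline == 0:
        return None  # no usable baseline, so a percent change is undefined
    pct = (observed - baseline) / baseline * 100
    direction = "spike" if pct > 0 else "drop" if pct < 0 else "flat"
    return {"pct_change": round(pct, 1), "direction": direction,
            "severity": severity_for(pct)}

def should_alert(incident, when, min_severity="high",
                 quiet=(time(23, 0), time(7, 0))):
    """Severity filter first, then quiet hours that only critical alerts pass."""
    rank = SEVERITY_ORDER.index(incident["severity"])
    if rank < SEVERITY_ORDER.index(min_severity):
        return False
    start, end = quiet
    now = when.time()
    # A window such as 23:00-07:00 wraps past midnight.
    in_quiet = (start <= now or now < end) if start > end else (start <= now < end)
    return incident["severity"] == "critical" or not in_quiet

# Constructed sample: message counts for the same weekday hour in four prior weeks.
SAMPLE_HISTORY = [400, 420, 380, 400]

if __name__ == "__main__":
    night = datetime(2024, 1, 9, 2, 30)  # constructed timestamp inside quiet hours
    for observed in (120, 560, 500, 430):
        incident = assess(SAMPLE_HISTORY, observed)
        print(observed, incident, "alert:", should_alert(incident, night))
```

With these constructed counts, only the 70% drop alerts at 02:30; the 40% spike is held back by quiet hours and would alert during the day.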

Frequently Asked Questions

What exactly is an incident in BIE?
An incident is a detected anomaly in your server's behavioral patterns that deviates significantly from established baselines. Incidents are categorized by type (drop, spike, cliff, etc.) and severity (critical, high, medium, low).
Why did I get an alert for a specific incident?
You receive alerts based on your notification settings. Critical and high-severity incidents trigger notifications by default. You can customize thresholds and notification channels in your BIE settings.
How long does it take for BIE to detect an incident?
Detection is near-instantaneous for real-time events (mass joins, sudden spikes), though analysis may take a few minutes to compile. Historical anomalies are detected during scheduled analysis runs (typically hourly).
Can I manually mark an incident as resolved?
Yes. You can mark incidents as resolved, dismissed, or escalated. This helps BIE learn your community's normal fluctuations and improves future anomaly detection accuracy.
What does it mean when incidents are correlated?
Correlated incidents are linked events that appear to have a causal relationship. For example, an activity spike might be correlated with a mass join event, suggesting the spike was caused by new members' activity.
Should I respond to every incident?
Not necessarily. Low-severity incidents are often normal fluctuations. Focus on critical and high-severity incidents that indicate significant community changes. Use context to determine if action is needed.
How can I reduce false positive incident alerts?
Configure exclusions for scheduled bot activity, mark routine incidents as expected, and adjust severity thresholds based on your community's typical patterns. BIE learns from your feedback.