Alert process flow

Alert action rules and alert correlation rules run on the Alert [em_alert] table.

Alert process flow

Actions are taken on alerts according to this process flow:

  • Match the alert action rule to an alert.
    • If the source of the event matches the source specified in an existing rule, the rule is matched. Conditions are not limited to the source: you can define any kind of condition on the source of the alert, on any other field, or on a combination of fields.
    • If multiple alert action rules are defined for the same type of alert, use the rule Order to determine the order of rule application.
  • Match the alert correlation rule to an alert.
Figure 1. Alert process flow

Task/Incident fields that are populated from the alert by default

  • alert.description is copied to incident.short_description and incident.description
  • alert.cmdb_ci is copied to incident.cmdb_ci
  • alert.severity is transformed into incident.urgency

For automatically opened incidents:

  • The value Alert is copied to incident.contact_type
  • The sys_user value is copied to incident.caller_id
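The rule matching and default field population described above, as an added example in plain JavaScript that is not ServiceNow's own implementation. The sample rules and alert are constructed, and the severity-to-urgency table is an assumption, since the page only says severity is transformed.

```javascript
// Added example (not ServiceNow code): match alert action rules by Order and
// populate the default incident fields from a matched alert.

// Constructed sample rules. Each condition is a field name with a required
// value; every condition in a rule must hold (a combination of fields).
const alertActionRules = [
  { name: 'Catch-all',       order: 300, conditions: {} },
  { name: 'DB critical',     order: 100, conditions: { source: 'Oracle', severity: 1 } },
  { name: 'DB any severity', order: 200, conditions: { source: 'Oracle' } },
];

// Constructed sample record from the Alert [em_alert] table.
const sampleAlert = {
  source: 'Oracle',
  severity: 1,
  description: 'Listener down on prod-db-01',
  cmdb_ci: 'prod-db-01',
};

// Assumed transform: alert severity 1-5 to incident urgency 1-3.
const SEVERITY_TO_URGENCY = { 1: 1, 2: 2, 3: 2, 4: 3, 5: 3 };

// A rule matches when all of its conditions hold on the alert.
function ruleMatches(rule, alert) {
  return Object.entries(rule.conditions)
    .every(([field, value]) => alert[field] === value);
}

// All matching rules, sorted by Order so the lowest Order is applied first.
function matchRules(rules, alert) {
  return rules
    .filter((rule) => ruleMatches(rule, alert))
    .sort((a, b) => a.order - b.order);
}

// Default field population for an incident automatically opened from an alert.
// callerSysId stands for the sys_user value copied to caller_id.
function incidentFromAlert(alert, callerSysId) {
  return {
    short_description: alert.description,
    description: alert.description,
    cmdb_ci: alert.cmdb_ci,
    urgency: SEVERITY_TO_URGENCY[alert.severity],
    contact_type: 'Alert',
    caller_id: callerSysId,
  };
}
```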

Business Rules/Jobs that perform the alert processing actions

Action                          Name of Business Rule/Job                                    Type
Apply alert template            Apply overwrite rule and validate                            Business rule
Open incident                   Event Management - create/resolved incidents by alerts       Scheduled job
Fill KB                         Event Management - create/resolved incidents by alerts       Scheduled job
Acknowledge                     Event Management - create/resolved incidents by alerts       Scheduled job
Remediation                     Run automatic remediation actions                            Business rule
Reopen incident                 Reopen associated closed incident                            Business rule
Close Alert by closed incident  Event Management - create/resolved incidents by alerts       Scheduled job
Close incident by closed Alert  Close associated incident                                    Business rule