Alert First Response Overview

Provides information about the definitions of policy modes as well as the usage of various settings.

Introduction

An alert correlation policy defines user settings (described below) that OpsRamp applies in taking first response actions on alerts.

Policy modes

The following policy modes are supported:

- Off
- Observed
- Recommend
- On

Off

In this mode, the policy is inactive and has no effect on your alerts. You can use this mode to review a newly defined policy before changing to one of the other modes.

Observed

This mode allows you to simulate the effect of a policy without impacting your alerts.

In this mode, the policy creates an observed alert, which simulates the original alert. The observed alert shows the actions that would have been taken on the original alert if the policy were in On mode. The observed alert includes a link to the original alert.

Recommend

In this mode, the policy creates a recommendation for actions that you should take on the alert. Recommendations are based on OpsRamp's learning from historical alerts. The recommendation includes a link to take the action.

On

In this mode, the policy takes automated actions on your alerts.

Filter criteria setting

This setting helps select alerts to which the policy applies.

Alert Pattern Actions

Suppress seasonal alerts setting

With this setting, the system suppresses alerts that occur regularly, at around the same time. For example, a high CPU utilization alert occurs nightly at around 1:00 AM due to a scheduled backup job on a server and usually goes back to the OK state by 1:30 AM.

Alert Attribute Actions

Suppress alerts

With this setting, you can create suppression conditions to suppress alerts that have certain alert attributes.

User-defined configuration

The following are the user-defined suppression conditions. These suppression conditions are applicable to the alerts filtered using the Native and Custom attributes in Filter Criteria.

- Do not suppress: Never suppresses an alert.
- Suppress Always: Suppresses an alert every time it occurs.
- Suppress for a specific duration: Suppresses an alert for a specific duration. After the duration is over, the system un-suppresses the alert.

Learned configuration

Train the system to suppress alerts using a training file or through continuous learning of the historical data (machine-learning).

Continuous Learning

Train the system to learn the alert patterns from historical data and suppress accordingly. The continuous learning option instructs the system to continuously update its learning models from recent data.

Training file

Train the system to detect and suppress alerts with specific characteristics added to a training file.

Run processes

With this setting, a process definition runs on alerts that are expected. For example, assigning an alert as a user task to an assignee.

User-defined configuration

Add the required process definition ID(s) to the policy.

Learned Configuration

Train the system to run process definitions for specific alerts.

Continuous Learning

The system can learn and run process definitions on specific alerts by analyzing the historical data.

Note: The continuous learning option instructs the system to continuously update its learning models from recent data.

Training file

In addition to continuous learning, train the system to run specific process definitions on known alerts. The training data can be provided using a training file. Specify the list of processes to run for certain types of alerts. At runtime, the corresponding processes are invoked using the alert as the input.

Key Considerations

- If the data is not accurate in the training file, the system uses the learned historical data (Continuous Learning).
- If the alert is suppressed, the run process is not applied. The run process is applied later only when the alert is unsuppressed.
- Higher priority is given to a policy that is in Enabled mode and contains the user-defined conditions.
- An action can have one or more policies. The priority rule is applied only when one action qualifies for multiple policies. For multiple policies, during the run time, the system initially checks the policy mode and gives higher priority to the policy having the ON mode. If the policy contains user-defined conditions (Suppress for a specific duration), then the alert is suppressed accordingly.

The system provides the following order of priority for the execution of a policy:

- Policy modes: ON -> Recommend -> Observed
- First response conditions: User-defined setting -> Training file -> Machine-learning

What to do next

- Review Event Management in the Concept Guide as background on this topic.
- Review Training File.
- See Managing First Response Policy.
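The priority order under Key Considerations can be checked offline before a policy is switched to On, which helps confirm that a learned suppression will not hide an alert you meant to keep visible. The following is an added example, not OpsRamp code: the `Policy` model, its field names, the sample policies, and the reading that mode is compared before condition source are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Lower rank wins, in the order this page states. Off is inactive, so unranked.
MODE_RANK = {"On": 0, "Recommend": 1, "Observed": 2}
SOURCE_RANK = {"user-defined": 0, "training-file": 1, "machine-learning": 2}

@dataclass(frozen=True)
class Policy:            # hypothetical model, not an OpsRamp API object
    name: str
    mode: str            # Off | Observed | Recommend | On
    source: str          # key of SOURCE_RANK
    action: str          # "suppress" or "run-process"
    suppresses: bool = True   # False models a user-defined "Do not suppress"

def winner(policies, action):
    """Policy that governs `action` when several match the same alert."""
    active = [p for p in policies if p.action == action and p.mode in MODE_RANK]
    return min(active, key=lambda p: (MODE_RANK[p.mode], SOURCE_RANK[p.source]),
               default=None)

def first_response(policies):
    """Resolve one alert: who decides suppression, and whether the run process waits."""
    sup = winner(policies, "suppress")
    run = winner(policies, "run-process")
    # Only On mode acts on the real alert; Observed and Recommend leave it alone.
    suppressed = sup is not None and sup.mode == "On" and sup.suppresses
    return {
        "suppress_policy": sup.name if sup else None,
        "suppressed": suppressed,
        "run_policy": run.name if run else None,
        # A suppressed alert gets its run process only after it is unsuppressed.
        "run_deferred": suppressed and run is not None,
    }

# Constructed sample: four policies that all match one alert.
SAMPLE = [
    Policy("ml-suppress", "On", "machine-learning", "suppress"),
    Policy("keep-visible", "On", "user-defined", "suppress", suppresses=False),
    Policy("draft", "Off", "user-defined", "suppress"),
    Policy("assign-task", "On", "training-file", "run-process"),
]

if __name__ == "__main__":
    print(first_response(SAMPLE))
```
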