An alert correlation policy defines user settings, described below, that are applied when taking first response actions on alerts.

View First Response Policies

  1. Ensure that you have selected a client from the ALL Clients list.
  2. Go to Setup > Alerts > First Response.
  3. You can select the number of first response policies to display per page.
Alert Correlation Policies

Each first response policy contains the following information:

First Response Policy NameName of the first response policy.
Last Updated ByName of the user who last modified the policy.
Last Updated TimeTime the policy was last modified.
Number of SuppressionsIndicates the number of suppressed alerts.
Number of RunProcessesIndicates the number of alerts on which the processes has been executed.
ML StatusIndicates the Machine Learning status.
ModeYou can select supported policy modes from the drop-down list.

Policy modes

The following policy modes are supported:

Policy ModeDescription
ONThe policy drives automated actions on alerts.
OFFThe policy is inactive and does not affect alerts. You can use this mode to review a newly defined policy before choosing one of the other modes.
RecommendThe policy creates a recommendation for actions that you should take on the alert. Recommendations are based on learned patterns in historical alerts. The recommendation includes a link to take the action.
ObservedThis mode permits you to simulate a policy without affecting alerts.
The policy creates an observed alert, which simulates the original alert. The observed alert shows the actions that would be taken on the original alert if the policy were in On mode. The observed alert includes a link to the original alert.
Recommend and Observed modes apply to incident actions.

Filter criteria setting

This setting helps select alerts to which the policy applies.

Alert Pattern Actions

There is one alert pattern action available.

Suppress seasonal alerts setting

With this setting, the system suppresses alerts that occur regularly, at around the same time. For example, a high CPU utilization alert that occurs nightly at around 1:00 AM due to a scheduled backup job on a server that usually goes back to the OK state by 1:30 AM.

Alert Attribute Actions

There are two alert attribute actions.

Suppress alerts

With this setting, you can create suppression conditions to suppress alerts that have certain alert attributes.

User-defined configurationThe following are the user-defined suppression conditions. These suppression conditions are applicable to the alerts filtered using the Native and Custom attributes in Filter Criteria.
  • Do not suppress: Never suppress an alert.
  • Suppress Always: Suppress an alert every time it occurs.
  • Suppress for a specific duration: Suppress an alert for a specific duration. After the duration is over, the system does not suppress the alert.
Learned configurationTrain the system to suppress alerts using a training file or through continuous learning of the historical data (machine-learning).
Continuous LearningTrain the system to learn the alert patterns from historical data and suppress them accordingly. The continuous learning option instructs the system to continuously update its learning models, from recent data.
Training fileTrain the system to detect and suppress alerts with specific characteristics added to a training file.

Note that if the alert payload has a source time that is older than the suppression time, the First Response recommendation or suppression is not applied.

Run processes

With this setting, a process definition runs on alerts that are expected. For example, assigning an alert as a user task to an assignee.

User-defined configurationAdd the required process definition IDs to the policy.
Learned ConfigurationTrain the system to run process definitions for specific alerts.
Continuous LearningThe system can learn and run process definitions on specific alerts by analyzing the historical data.
The continuous learning option instructs the system to continuously update its learning models, from recent data.
Training fileIn addition to continuous learning, train the system to run specific process definitions on known alerts. The training data can be provided using a training file. Specify the list of processes to run for certain types of alerts. In the runtime, the corresponding processes are invoked using the alert as the input.

Key Considerations

First response considerations:

  • If the data is not accurate in the training file, the system uses the learned historical data (Continuous Learning).
  • If the alert is suppressed, the run process is not applied. The run process is applied later only when the alert is unsuppressed.
  • Higher priority is given to a policy that is in enabled mode and includes the user-defined conditions.

An action can have one or more policies. The priority rule is applied only when one action qualifies for multiple policies. For multiple policies, during the run time, the system initially checks the policy mode and gives higher priority to the policy with the ON mode. If the policy has user-defined conditions (Suppress for a specific duration), the alert is suppressed accordingly.

The system provides the following order of priority for the execution of a policy:

  • Policy modes: ON > Recommend > Observed
  • First response conditions: User-defined setting > Training file > Machine learning

Next steps