A first response policy automatically suppresses non-significant alerts as a first response.

Prerequisites

You must have OpsQ View and OpsQ Manage permissions to manage first response and alert escalation policies.

A training file is required to suppress or snooze specific alerts. The training file includes examples of alerts to be suppressed. See Alert Management Training File for more information.

Step 1: Policy name, scope, and mode

Define the policy name, scope, and mode.

  1. Go to Setup > Alerts > First Response.

  2. Select a client.

  3. Click Create New or + Add, depending on whether you have any existing policies.

  4. Enter a Name for the policy.

  5. Ensure the Policy Scope is CLIENT.

  6. Ensure you have the correct Client selected.

  7. From the Mode list, select a policy mode.

    | Policy Mode | Description |
    |-------------|-------------|
    | ON | The policy drives automated actions on alerts. |
    | OFF | The policy is inactive and does not affect alerts. You can use this mode to review a newly defined policy before choosing one of the other modes. |
    | Recommend | The policy creates a recommendation for actions that you should take on the alert. Recommendations are based on learned patterns in historical alerts. The recommendation includes a link to take the action. |
    | Observed | This mode permits you to simulate a policy without affecting alerts. The policy creates an observed alert, which simulates the original alert. The observed alert shows the actions that would be taken on the original alert if the policy were in ON mode. The observed alert includes a link to the original alert. |

    Recommend and Observed modes apply to incident actions.

Step 2: Filter criteria

Select the filter criteria for the alerts.

  1. Select Filter Criteria.

  2. Choose whether Any or All of the defined conditions must match for the filter to apply to an alert.

  3. Select one of the following attribute types:

    • Native Attributes are the predefined attributes.
    • Resource Custom Attributes are user-defined attributes.
  4. Select the required attribute, logical operator, and enter the value.

  5. Click + to add multiple filter conditions.

Step 3: Policy definition

The Continuous Learning option is available only for client-level policies. Continuous Learning is enabled by default and suppresses alerts using historical data; ensure it is enabled to apply first-response actions using machine learning. If you do not want machine-learning suppression, disable the toggle button.

Note that if the alert payload has a source time that is older than the suppression time, the First Response recommendation or suppression is not applied.

Alert pattern actions

Train the system to suppress alerts that have a common pattern:

  1. Select the Suppress alerts that happen regularly, at around the same time option.
  2. Specify the Seasonality Timeframe.
  3. Click Save.

Alert attribute actions

Assign the first-response actions or train the system to apply the selected first-response actions on the alerts with specific characteristics:

  • Suppress Alerts: To manually suppress alerts, from the Suppress Alerts drop-down, select the required suppress action, and click Save.
  • Run Processes: To manually add a process definition, from the Run Processes section, click Add, select the required process definition and click Save.
  • Learned Configuration: Trains the system to run first-response actions on the alerts. This option applies to both the Suppress Alerts and Run Processes options.

Use a training file or machine learning

Use a training file for machine learning.

  1. Select Learned Configuration.

  2. To add a training file, click Drop the training data file here, or browse to upload a training file.

    One client can upload only one training file. Changing the training file affects all the learned policies of the client.

  3. Select the file from your local folder. When the file is loaded, Input and Output columns are displayed.

  4. Verify the Input and Output columns.

  5. Click Continue to Model Training.

  6. Click Train Model. The accuracy of the trained first-response policy is displayed in the Summary section.

  7. Click Review.

  8. Click Save.

The first response policy is created and is displayed on the First Response Policies page. Click the Number of suppressions to view detailed information.
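
The mode, filter, and suppress semantics from Steps 1 to 3 can be modelled locally to check what a filter would catch before the policy is switched to ON. This is an added example, not the product's own code: the operator names, alert attribute names, and sample alerts are constructed assumptions.

```python
from dataclasses import dataclass, field

# Operator names are assumptions; the page only says "logical operator".
OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "not_equals": lambda actual, expected: actual != expected,
    "contains": lambda actual, expected: expected in actual,
}
# What a matching alert experiences in each policy mode (Step 1).
MODE_OUTCOME = {"ON": "suppressed", "OFF": "untouched",
                "Recommend": "recommendation", "Observed": "observed alert"}

@dataclass
class Policy:
    name: str
    mode: str                      # one of the MODE_OUTCOME keys
    match: str                     # "any" or "all" (Step 2)
    conditions: list = field(default_factory=list)  # (attribute, operator, value)

def matches(policy, alert):
    """Any/All filter. Missing attributes and empty filters never match,
    so an incomplete policy cannot suppress everything."""
    results = [attr in alert and OPERATORS[op](str(alert[attr]), value)
               for attr, op, value in policy.conditions]
    if not results:
        return False
    return any(results) if policy.match == "any" else all(results)

def dry_run(policy, alerts):
    """Map alert id -> outcome, without modifying any alert."""
    hit = MODE_OUTCOME[policy.mode]          # KeyError on an unknown mode
    return {a["id"]: hit if matches(policy, a) else "untouched" for a in alerts}

def significant_matches(policy, alerts, significant=("Critical",)):
    """Alerts the filter would catch although their state marks them significant."""
    return [a["id"] for a in alerts
            if matches(policy, a) and a.get("state") in significant]

# Constructed sample alerts; attribute names are illustrative only.
ALERTS = [
    {"id": 1, "metric": "backup.job.duration", "state": "Warning"},
    {"id": 2, "metric": "backup.job.failed", "state": "Critical"},
    {"id": 3, "metric": "cpu.utilization", "state": "Warning"},
    {"id": 4, "state": "Warning"},   # no metric attribute
]
BROAD = Policy("nightly-backup-noise", "Observed", "any",
               [("metric", "contains", "backup"), ("state", "equals", "Info")])
NARROW = Policy("nightly-backup-noise", "ON", "all",
                [("metric", "contains", "backup"), ("state", "not_equals", "Critical")])
```

Here `significant_matches(BROAD, ALERTS)` flags the critical backup failure that the Any filter would catch, while the All filter in `NARROW` leaves it untouched.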