A first response policy lets you automatically suppress non-significant alerts as a first response.
You must have OpsQ View and OpsQ Manage permissions to manage first response and alert escalation policies.
A training file is required to suppress or snooze specific alerts. The training file includes examples of alerts to be suppressed. See Alert Management Training File for more information.
Step 1: Define policy name, scope, and mode
Go to Setup > Alerts > First Response.
Specify Client Select but do not select a client.
Click Create New or + Add, depending on whether you have any existing policies.
Enter a Name for the policy.
Verify that the Policy Scope is PARTNER.
For Client, choose Include All Clients or Include Clients.
If you selected Include Clients, click Add Clients and select the clients to include.
From the Mode list, select a policy mode.
| Policy Mode | Description |
| --- | --- |
| ON | The policy drives automated actions on alerts. |
| OFF | The policy is inactive and does not affect alerts. You can use this mode to review a newly defined policy before choosing one of the other modes. |
| Recommend | The policy creates a recommendation for actions that you should take on the alert. Recommendations are based on learned patterns in historical alerts. The recommendation includes a link to take the action. |
| Observed | This mode permits you to simulate a policy without affecting alerts. The policy creates an observed alert, which simulates the original alert. The observed alert shows the actions that would be taken on the original alert if the policy were in ON mode. The observed alert includes a link to the original alert. |
Recommend and Observed modes apply to incident actions.
Step 2: Select filter criteria
Select Filter Criteria.
Choose whether Any or All of the defined conditions must match for the filter to apply to an alert.
Select one of the following attribute types:
- Native Attributes are the predefined attributes.
- Resource Custom Attributes are user-defined attributes.
Select the required attribute, logical operator, and enter the value.
Click + to add multiple filter conditions.
The continuous learning option is only available for client-level policies.
Step 3: Suppress Alerts
Select the first response suppression setting.
Select the Suppress Alerts value:
- Do Not Suppress
- Suppress Always
- Suppress for (minutes or hours)
The First Response Policies page shows the newly created First Response policy. Click Number of suppressions to view more detailed information.
Note that if the alert payload has a source time that is older than the suppression time, the First Response recommendation or suppression is not applied.
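The decision flow of Steps 1 to 3 and the source-time note, modeled as an added Python sketch (not OpsRamp code) that can be used to reason about what a policy would suppress before it is switched to ON. The operator names, the dictionary layout, the sample alerts, and the reading that a timed suppression window is counted from the alert's source time are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Filter operators; these two names are assumptions for this sketch.
OPS = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in str(actual),
}

def matches(policy, alert):
    """Step 2: Any or All of the defined conditions must hold."""
    hits = [OPS[op](alert.get(attr), val) for attr, op, val in policy["conditions"]]
    return any(hits) if policy["match"] == "Any" else all(hits)

def first_response(policy, alert, now):
    """Return (action, suppress_until) for one alert under one policy."""
    setting = policy["suppress"]  # "never", "always", or a timedelta (Step 3)
    if policy["mode"] == "OFF" or setting == "never" or not matches(policy, alert):
        return ("none", None)
    until = None
    if isinstance(setting, timedelta):
        # Assumed reading of the source-time note: the window is counted from
        # the alert's source time, so a stale payload gets no first response.
        until = alert["source_time"] + setting
        if until <= now:
            return ("none", None)
    # ON acts on the alert; Recommend and Observed only report the action.
    action = {"ON": "suppress", "Recommend": "recommend", "Observed": "observe"}
    return (action[policy["mode"]], until)

# Constructed sample data: attribute names and values are illustrative only.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
POLICY = {
    "mode": "Observed", "match": "All", "suppress": timedelta(minutes=30),
    "conditions": [("metric", "equals", "disk.util"), ("subject", "contains", "test")],
}
ALERTS = [
    {"metric": "disk.util", "subject": "test-db01 disk", "source_time": NOW - timedelta(minutes=5)},
    {"metric": "disk.util", "subject": "test-db02 disk", "source_time": NOW - timedelta(hours=2)},
    {"metric": "disk.util", "subject": "prod-db01 disk", "source_time": NOW - timedelta(minutes=5)},
]

def dry_run(policy=POLICY, alerts=ALERTS, now=NOW):
    """Evaluate every sample alert and return the list of actions."""
    return [first_response(policy, a, now)[0] for a in alerts]

if __name__ == "__main__":
    print(dry_run())
```

Switching the sample policy from All to Any widens the match to the production alert, which is the kind of over-broad suppression a run in Observed mode is meant to surface.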