A first response policy defines user settings, described below, that the system applies when it takes first response actions on alerts.
View First Response Policies
- Ensure that you have selected a client from the ALL Clients list.
- Go to Setup > Alerts > First Response.
- You can select the number of first response policies to display per page.
Each first response policy contains the following information:
Attribute | Description |
---|---|
First Response Policy Name | Name of the first response policy. |
Last Updated By | Name of the user who last modified the policy. |
Last Updated Time | Time the policy was last modified. |
Number of Suppressions | Indicates the number of suppressed alerts. |
Number of RunProcesses | Indicates the number of alerts on which process definitions have been executed. |
ML Status | Indicates the Machine Learning status. |
Mode | The current policy mode. Select one of the supported modes, described below, from the drop-down list. |
Policy modes
The following policy modes are supported:
Policy Mode | Description |
---|---|
ON | The policy drives automated actions on alerts. |
OFF | The policy is inactive and does not affect alerts. You can use this mode to review a newly defined policy before choosing one of the other modes. |
Recommend | The policy creates a recommendation for actions that you should take on the alert. Recommendations are based on learned patterns in historical alerts. The recommendation includes a link to take the action. |
Observed | This mode permits you to simulate a policy without affecting alerts. The policy creates an observed alert, which simulates the original alert. The observed alert shows the actions that would be taken on the original alert if the policy were in On mode. The observed alert includes a link to the original alert. |
Recommend and Observed modes apply to incident actions.
Filter criteria setting
This setting helps select alerts to which the policy applies.
Alert Pattern Actions
There is one alert pattern action available.
Suppress seasonal alerts setting
With this setting, the system suppresses alerts that recur regularly at around the same time. For example, a high CPU utilization alert that fires nightly at around 1:00 AM because of a scheduled backup job on a server, and that usually returns to the OK state by 1:30 AM.
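The following is an added example, not code from the product this page documents. It models the idea behind seasonal suppression: from a constructed alert history for one host and metric, it learns whether the alert recurs at about the same time of day and usually clears quickly, then decides whether a new alert falls inside that learned window. The data layout, the thresholds (minimum occurrences, permitted jitter, maximum duration) and the two-pass centring are assumptions chosen for illustration.

```python
"""Toy seasonal-alert detector.

Added example, not code from the product this page documents: it models the
"suppress seasonal alerts" idea (an alert that recurs at about the same time of
day and usually clears quickly) over a constructed alert history. The data
layout and every threshold below are assumptions chosen for illustration.
"""
import math
from datetime import datetime
from statistics import median

MINUTES_PER_DAY = 1440

# Constructed history for one alert key (host + metric): (opened, cleared) timestamps.
# Seven nightly high-CPU alerts around 01:00 from a backup job, plus one genuine
# daytime incident at 14:00 that lasted three hours.
SAMPLE_HISTORY = [
    ("2024-03-01T01:02:00", "2024-03-01T01:28:00"),
    ("2024-03-02T00:58:00", "2024-03-02T01:28:00"),
    ("2024-03-03T01:05:00", "2024-03-03T01:30:00"),
    ("2024-03-04T00:55:00", "2024-03-04T01:23:00"),
    ("2024-03-05T01:10:00", "2024-03-05T01:37:00"),
    ("2024-03-06T01:01:00", "2024-03-06T01:32:00"),
    ("2024-03-07T00:59:00", "2024-03-07T01:23:00"),
    ("2024-03-07T14:00:00", "2024-03-07T17:00:00"),
]


def minutes_of_day(ts):
    return ts.hour * 60 + ts.minute + ts.second / 60


def circular_mean(values):
    """Mean time of day on a circle, so 23:50 and 00:10 average to 00:00, not 12:00."""
    xs = sum(math.cos(2 * math.pi * v / MINUTES_PER_DAY) for v in values)
    ys = sum(math.sin(2 * math.pi * v / MINUTES_PER_DAY) for v in values)
    return (math.atan2(ys, xs) * MINUTES_PER_DAY / (2 * math.pi)) % MINUTES_PER_DAY


def circular_distance(a, b):
    d = abs(a - b) % MINUTES_PER_DAY
    return min(d, MINUTES_PER_DAY - d)


def learn_seasonal_window(history, min_occurrences=5, max_jitter=30,
                          min_fraction=0.8, max_duration=60):
    """Return a profile dict when the history looks seasonal, otherwise None."""
    opened = [datetime.fromisoformat(o) for o, _ in history]
    cleared = [datetime.fromisoformat(c) for _, c in history]
    starts = [minutes_of_day(t) for t in opened]
    durations = [(c - o).total_seconds() / 60 for o, c in zip(opened, cleared)]
    if len(starts) < min_occurrences:
        return None
    # Pass 1: provisional centre from every alert. Pass 2: recentre on the inliers,
    # so one out-of-pattern incident does not drag the learned window around.
    centre = circular_mean(starts)
    inliers = [i for i, s in enumerate(starts) if circular_distance(s, centre) <= max_jitter]
    if len(inliers) < min_occurrences or len(inliers) / len(starts) < min_fraction:
        return None
    centre = circular_mean([starts[i] for i in inliers])
    typical_duration = median([durations[i] for i in inliers])
    if typical_duration > max_duration:
        return None  # recurs on schedule but does not clear quickly: do not hide it
    return {"centre_minutes": centre, "jitter_minutes": max_jitter,
            "typical_duration_minutes": typical_duration, "occurrences": len(inliers)}


def is_seasonal(profile, opened_at):
    """True when a new alert opens inside the learned daily window."""
    if profile is None:
        return False
    start = minutes_of_day(datetime.fromisoformat(opened_at))
    return circular_distance(start, profile["centre_minutes"]) <= profile["jitter_minutes"]


if __name__ == "__main__":
    profile = learn_seasonal_window(SAMPLE_HISTORY)
    print(profile)
    print(is_seasonal(profile, "2024-03-08T01:07:00"))  # inside the nightly backup window
    print(is_seasonal(profile, "2024-03-08T09:12:00"))  # a daytime spike: keep it visible
```

The duration check matters in practice: an alert that recurs on schedule but does not clear within the usual window is exactly the one you do not want hidden, so the detector refuses to learn a window for it.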
Alert Attribute Actions
There are two alert attribute actions.
Suppress alerts
With this setting, you can create suppression conditions to suppress alerts that have certain alert attributes.
Attribute | Description |
---|---|
User-defined configuration | Suppression conditions that you define. These conditions apply to the alerts selected by the Native and Custom attributes in Filter Criteria. |
Learned configuration | Train the system to suppress alerts using a training file or through continuous learning of the historical data (machine-learning). |
Continuous Learning | Train the system to learn the alert patterns from historical data and suppress them accordingly. The continuous learning option instructs the system to continuously update its learning models, from recent data. |
Training file | Train the system to detect and suppress alerts with specific characteristics added to a training file. |
Note that if the alert payload carries a source time that is older than the suppression time, the First Response recommendation or suppression is not applied to that alert.
Run processes
With this setting, a process definition runs on the alerts that the policy selects; for example, a process that assigns the alert to a user as a task.
Attribute | Description |
---|---|
User-defined configuration | Add the required process definition IDs to the policy. |
Learned Configuration | Train the system to run process definitions for specific alerts. |
Continuous Learning | The system learns which process definitions to run on specific alerts by analyzing the historical data. The continuous learning option instructs the system to continuously update its learning models from recent data. |
Training file | In addition to continuous learning, train the system to run specific process definitions on known alerts. Provide the training data in a training file that lists the processes to run for certain types of alerts. At run time, the corresponding processes are invoked with the alert as the input. |
Key Considerations
First response considerations:
- If the data in the training file is not accurate, the system falls back to the learned historical data (Continuous Learning).
- If the alert is suppressed, the run process action is not applied. It is applied later, only when the alert is unsuppressed.
- Higher priority is given to a policy that is in ON mode and includes user-defined conditions.
An action can have one or more policies. The priority rule is applied only when one action qualifies for multiple policies. At run time, the system first checks the policy mode and gives higher priority to the policy in ON mode. If that policy has user-defined conditions (for example, suppress for a specific duration), the alert is suppressed accordingly.
The system provides the following order of priority for the execution of a policy:
- Policy modes: ON > Recommend > Observed
- First response conditions: User-defined setting > Training file > Machine learning
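The following is an added example, not code from the product this page documents. It models the precedence rules stated above over constructed policies and alerts: mode ON beats Recommend beats Observed; at equal mode, user-defined conditions beat a training file, which beats machine learning; a suppressed alert defers its run-process action; and an alert whose source time predates the suppression time is not suppressed. The dictionary layout, the field names and the `suppress_from` timestamp are assumptions chosen for illustration.

```python
"""Toy first-response precedence evaluator.

Added example, not code from the product this page documents: it models the
precedence rules stated on this page (policy mode ON > Recommend > Observed;
condition source user-defined > training file > machine learning; a suppressed
alert defers run-process actions; an alert whose source time predates the
suppression time is not suppressed) over constructed policies and alerts. The
dictionary layout, the field names and "suppress_from" are assumptions.
"""
from datetime import datetime

MODE_RANK = {"ON": 0, "Recommend": 1, "Observed": 2}   # lower wins; OFF never takes part
SOURCE_RANK = {"user_defined": 0, "training_file": 1, "machine_learning": 2}


def select_policy(candidates):
    """Winner under mode precedence first, then condition-source precedence."""
    active = [p for p in candidates if p["mode"] in MODE_RANK]
    if not active:
        return None
    return min(active, key=lambda p: (MODE_RANK[p["mode"]], SOURCE_RANK[p["source"]], p["name"]))


def matches(policy, alert):
    """Filter criteria: every attribute in the policy filter must match the alert."""
    return all(alert.get(k) == v for k, v in policy["filter"].items())


def apply_first_response(alert, policies):
    result = {"suppressed_by": None, "processes_run": [], "deferred": [],
              "recommendations": [], "observed": []}
    qualifying = [p for p in policies if matches(p, alert)]

    # 1. Suppression. "suppress_from" (assumed field) is when the suppression condition
    #    took effect; an alert whose source time is older than that is left alone.
    sup = select_policy([p for p in qualifying if p["action"] == "suppress"])
    if sup and alert["source_time"] >= sup["suppress_from"]:
        if sup["mode"] == "ON":
            result["suppressed_by"] = sup["name"]
        elif sup["mode"] == "Recommend":
            result["recommendations"].append(("suppress", sup["name"]))
        else:
            result["observed"].append(("suppress", sup["name"]))

    # 2. Run process. Not applied while the alert is suppressed; deferred instead.
    run = select_policy([p for p in qualifying if p["action"] == "run_process"])
    if run:
        if result["suppressed_by"]:
            result["deferred"].extend(run["process_ids"])
        elif run["mode"] == "ON":
            result["processes_run"].extend(run["process_ids"])
        elif run["mode"] == "Recommend":
            result["recommendations"].append(("run_process", run["name"]))
        else:
            result["observed"].append(("run_process", run["name"]))
    return result


T0 = datetime(2024, 3, 1)  # constructed: when the suppression conditions below took effect

SAMPLE_POLICIES = [
    {"name": "ml-suppress", "action": "suppress", "mode": "ON", "source": "machine_learning",
     "filter": {"metric": "cpu"}, "suppress_from": T0},
    {"name": "ops-suppress", "action": "suppress", "mode": "ON", "source": "user_defined",
     "filter": {"metric": "cpu", "host": "db01"}, "suppress_from": T0},
    {"name": "tf-suppress", "action": "suppress", "mode": "Recommend", "source": "training_file",
     "filter": {"metric": "cpu"}, "suppress_from": T0},
    {"name": "assign-oncall", "action": "run_process", "mode": "ON", "source": "user_defined",
     "filter": {}, "process_ids": ["proc-assign-oncall"]},
    {"name": "draft-notify", "action": "run_process", "mode": "OFF", "source": "user_defined",
     "filter": {}, "process_ids": ["proc-notify"]},
]

# Constructed alerts.
ALERT_BACKUP = {"host": "db01", "metric": "cpu", "source_time": datetime(2024, 3, 2, 1, 5)}
ALERT_WEB = {"host": "web01", "metric": "cpu", "source_time": datetime(2024, 3, 2, 1, 5)}
ALERT_STALE = {"host": "db01", "metric": "cpu", "source_time": datetime(2024, 2, 20, 1, 5)}
ALERT_MEM = {"host": "db01", "metric": "memory", "source_time": datetime(2024, 3, 2, 1, 5)}

if __name__ == "__main__":
    for a in (ALERT_BACKUP, ALERT_WEB, ALERT_STALE, ALERT_MEM):
        print(a["host"], a["metric"], apply_first_response(a, SAMPLE_POLICIES))
```

Two outcomes are worth checking by hand: the web alert is suppressed by the machine-learning policy in ON mode even though the training-file policy outranks it on condition source, because mode is compared first; and the stale alert is never suppressed, so its run-process action executes immediately instead of being deferred.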
Next steps
- Review Training File.
- See Managing First Response Policy.