Incident Response Automation
Automation contains response rules: conditional triggers that execute response actions automatically, based on the contents of the alert.
An alert is created in Incident Response when a third-party monitoring tool reports an event. Use response rules to automatically assign and respond to those alerts. Response rules are routing logic that adapts your response to specific conditions. Each rule combines a set of filters with an outcome, which usually sets the assignee or the priority, or creates an email, a Slack channel, or a Zoom meeting.
View the response rules by navigating to the Automation module from your Home page.
Rules run on an alert when it is imported, updated, or reopened:
- If an alert is imported and rule 1 is the only rule, rule 1 runs only once on that alert.
- If you add rules 2 and 3 after that alert was imported, they do not run on it unless the alert is updated, because those rules were never run on the alert to begin with.
- If you close and reopen the alert, all three rules run on it.
Order matters for alert rules because lower-order rules run first, and what they do can affect whether the conditions of higher-order rules are met, or whether those rules run at all: a lower-order rule can change field values or even stop processing.
You can sort and filter the list of rules with these options:
- Order: the order the rules are in, ascending (default).
- Order: the order the rules are in, descending.
- Last Modified: most recent first.
- Last Modified: oldest first.
- System Generated Rules: displays only rules that were created automatically when your account was provisioned.
- My Team's Rules: displays only the rules your team created.
- Rules I created: displays only the rules you created.
- Active: displays only active alerts.
- Inactive: displays only inactive alerts.
Name & Description shows the rule's name and description.
Scope shows who or what the rule affects: Global, or a specific team or service.
Stop after run shows a pause icon if processing stops after that rule runs.
Only administrators can activate or deactivate any rule, including global rules.
Alert rule examples
For detailed information on alert rules and alert actions, see Create a response rule.
- If an alert description contains 'critical' or 'outage', set the Priority group to 1.
- If the Metric Name field value in an alert is not empty, send an email to the Assignment team's manager.
If an alert is P1-Critical and you want to create a Zoom meeting for it:
Note: This rule requires the Zoom application integration.
If an alert is P1-Critical and you want to create an incident for it:
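The following is an added example, not code from Incident Response itself, that models the rule-processing behaviour described above (ascending order, lower-order rules changing fields that later rules read, Stop after run, and rules running again only on update or reopen) using the example rules from this page. The Alert fields, rule names, action labels and sample alerts are constructed for the illustration, and it assumes that Stop after run halts processing only when the rule's filters matched.

```python
"""Toy model of ordered response rules: an added illustration of the rule-processing
behaviour described on the page, not the product's own code. Alert fields, rule names
and action labels are constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Alert:
    description: str
    metric_name: str = ""            # the 'Metric Name' field sent by the monitoring tool
    priority: Optional[int] = None   # priority group; 1 stands for P1-Critical
    actions: list = field(default_factory=list)   # outcomes produced so far
    rules_run: set = field(default_factory=set)   # names of rules already evaluated


@dataclass
class Rule:
    name: str
    condition: Callable[[Alert], bool]   # the rule's filters
    action: Callable[[Alert], str]       # the outcome; returns a label for the action log
    stop_after_run: bool = False         # the 'Stop after run' pause icon
    active: bool = True


def apply_rules(alert: Alert, rules: list) -> Alert:
    """Evaluate every active rule not yet run on the alert, in list order.
    Lower-order rules run first and may change fields that later rules read; a
    matching rule with stop_after_run halts processing of the remaining rules
    (assumption: the stop applies only when the rule's filters matched)."""
    for rule in rules:
        if not rule.active or rule.name in alert.rules_run:
            continue
        alert.rules_run.add(rule.name)
        if rule.condition(alert):
            alert.actions.append(rule.action(alert))
            if rule.stop_after_run:
                break
    return alert


def update_alert(alert: Alert, rules: list, **changes) -> Alert:
    """An update re-triggers processing; rules that already ran on the alert are skipped."""
    for name, value in changes.items():
        setattr(alert, name, value)
    return apply_rules(alert, rules)


def reopen_alert(alert: Alert, rules: list) -> Alert:
    """Close and reopen: every rule runs on the alert again."""
    alert.rules_run.clear()
    return apply_rules(alert, rules)


def set_priority_1(alert: Alert) -> str:
    alert.priority = 1
    return "priority=1"


# The example rules from the page, in ascending order (the default).
RULES = [
    Rule("P1 on critical/outage",
         lambda a: any(w in a.description.lower() for w in ("critical", "outage")),
         set_priority_1),
    Rule("Email manager when Metric Name present",
         lambda a: a.metric_name != "",
         lambda a: "email:assignment-team-manager"),
    Rule("Zoom meeting for P1-Critical",
         lambda a: a.priority == 1,
         lambda a: "zoom:create-meeting",
         stop_after_run=True),
    Rule("Create incident",
         lambda a: True,
         lambda a: "incident:create"),
]


def demo_ordering() -> tuple:
    """Ascending: rule 1 sets priority 1, so rule 3 matches in the same pass and stops
    processing; rule 4 never runs. Descending: rule 4 fires first and the Zoom rule
    sees no priority yet, so no meeting is created."""
    asc = apply_rules(Alert("Database outage in eu-west"), RULES)        # constructed alert
    desc = apply_rules(Alert("Database outage in eu-west"), RULES[::-1])
    return asc.actions, desc.actions


def demo_late_rules() -> dict:
    """Rules added after import run on an existing alert only on update or reopen."""
    alert = apply_rules(Alert("disk usage high"), RULES[:1])   # only rule 1 existed at import
    states = {"import": (list(alert.actions), len(alert.rules_run))}
    update_alert(alert, RULES, metric_name="disk.used_pct")    # rules 2-4 are now evaluated
    states["update"] = (list(alert.actions), len(alert.rules_run))
    reopen_alert(alert, RULES)                                  # all four rules run again
    states["reopen"] = (list(alert.actions), len(alert.rules_run))
    return states


if __name__ == "__main__":
    print(demo_ordering())
    print(demo_late_rules())
```

Running the block shows why order is the first thing to check when a higher-order rule does not fire: in ascending order the P1 rule sets the priority that the Zoom rule's filter needs, and the Zoom rule's Stop after run keeps the incident rule from running; reversed, the incident is created but no meeting is. The second demo shows that rules created after an alert was imported do nothing to that alert until it is updated or reopened.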