Alerts in Incident Response

From creation to resolution, Incident Response enables you to manage your alerts through the entire alert life cycle.

Create alerts within Incident Response using different sources, such as:

Alerts are automatically grouped during ingestion and before Response rules are run. See Incident Response Automation.

The Assigned to and Responder list fields on an alert specify who should be notified. When a team is selected as a responder, team rules are checked to determine which schedule to use for the notifications. An alert can be assigned to multiple teams.

The Assigned to field is cleared when the Assigned-team or Service field is updated on an alert. Escalation policies run on newly assigned teams. The field remains cleared until a user on the new team acknowledges an escalation notification.
Note:

If the Service is changed and the new Service does not have an assigned team, no changes occur.

When a Service is deleted, its integrations, alerts, incidents, and automation rules are removed. This is not a recoverable action so consider deactivating the service instead.

Responders and above are notified for updates to alerts based on their notification preferences. If you made the update, you won't be notified. See Profile management. Stakeholders do not have notifications preferences, so they are sent an email, by default.

For more information on the areas and fields available in an alert, see Alert workspace.

You can export your alert data to a comma-separated values (CSV) file. See Export alert information to a CSV file for more information.
Note: The export contains all alert data that matches your filtered list including any related alerts that match, whether their primary alert matches or not.
Respond to an alert in the following ways:

If there have been no updates, open alerts are automatically closed after 7 days. Closed alerts are automatically deleted after 90 days.