Alert workspace

The alert workspace contains various areas containing alert details and possible actions.

The base state of an alert in a configured system is open and unacknowledged, with the team assigned automatically. Only an acknowledged alert can be promoted to an incident.

For information on Response rules which can automate some aspects of an alert, see Incident Response Automation.

The top header contains the standard buttons and list menu item to:
  • Acknowledge or unacknowledge the alert.
  • Promote the alert to an incident.
  • Close the alert record.
  • Save the alert record. The Save becomes available once you have made a change.
Note: Managers or responders can assign individual alerts to someone without acknowledging the alert. The assigned responder is notified and can choose to acknowledge or reassign them.
The header also contains editable descriptions including tags, acknowledgment information, and priority.
Note: Tags are imported from third-party integrations, such as Datadog, and attached to alerts. However, you can also create tags to categorize data and drive system logic in response or grouping rules or using the tag icon Tag icon. For more information on creating and viewing tags, see Manually create Incident Response tags.
Alert header


This section contains four content panels: Alert, Compose, Activity, and Attachments
Note: When an editable field is updated, notifications are sent based on user notification preferences.
Table 1. Alert
Field Description
Service Imported service associated with the alert, if available. You can edit this field from a list menu.
Note: When you set a service, and that service has an assigned team, the assigned team of that service is automatically assigned to the incident.
Priority Imported priority on the alert. You can edit this field.
Choices are:
  • P1- Critical
  • P2 - High
  • P3 - Moderate
  • P4 - Low
  • P5 - Informational
Assigned team Team of the alert assignee. You can edit this field.
Status Alert state. See Incident Response alert states for more information.
Assigned to Individual assigned to the alert. This assignee can be the person who acknowledged it or the one reassigned to it. You can edit this field.
Parent alert The alert this alert is related to, if it is a related alert.
Incident Incident identifier if there is one. You can select one from a list menu.
Source Imported source of the alert. If a source URL is provided that is used, otherwise the text field for source is used.
Resource Imported node resource (process or service) associated with the alert.
Node Imported name of the node (FQDN, IP address or MAC address) associated with the alert.
Metric Name Imported name of the metric associated with the alert.
Message key Identifier for multiple events related to the same alert.
Note: If this value is empty on import, then it is generated from the Source, Node, Type, Resource, and Metric Name field values.
Additional information Imported request payload that generated the alert.
Related Alerts tab

This tab contains any alerts associated with this alert.

In addition to the incident header information, a grouped, related alert contains a Grouped by field. This field indicates how the related alert was grouped.

  • Manual - Group created manually.
  • Automated - Group created automatically during import.
  • Grouping rule - Group created by a rule with a link to that rule.

Each record contains the following fields: (You can filter and refresh the list.)

Note: All field values are imported from the related alert record.
Field Description
Number & Description Related alert identifier and short description.
Service Service related to the related alert.
Priority Priority of the related alert.
Status Related alert state.

Whether the alert has been acknowledged or not. Values are true or false.

Clicking the Acknowledged state opens the related alert.

Team Assigned team for the related alert.
Assigned to Responder assigned to the related alert.
Source Source of the related alert.
Remove alert button This button becomes available when you choose the alert by clicking the check box next to it. If you had more than one alert to remove from the alert group, this option lets you choose multiple alerts and remove them all at once.
Response rules
This tab contains the response rules, actions taken, and status messages.
Field Description
Name & Description ID and short description of the response rule that ran on this alert.
Action Action icon that the alert rule specified.
Status Icon shows whether the action executed successfully or not.
Log Message Error messages. Empty if the action succeeded.
Execution date & time Date and time the action was taken.

Work notes: Add work notes and Post work notes (Private) to the Incident timeline. Visible to responders and above. Notifications are sent for all updates based on user notification preferences.

Alert timeline

Activity stream that contains all the system activity, comments, and work notes. You can filter, sort, expand or collapse all posts using the header icons.

Incident timeline header icons


The Attachments panel is hidden until you click the attachment icon attachment icon.

On the Attachments panel, you can initially Browse your local hard drive for files.

Once you have added attachments, you can:
  • Search for an attachment based on its name or extension
    Note: You must have two or more attachments to search.

    Search attachments
  • Upload a new attachment using the (add icon) icon
  • Download an existing attachment using the More actions icon (More actions icon) to the right of the attachment.
  • Remove an existing attachment using the More actions icon to the right of the attachment.
  • Rename an existing attachment using the More actions icon to the right of the attachment.

    Attachments menu

Displays available Zoom meeting or Slack channel to start or join.Collaboration panel

To start or join a Zoom meeting:
Note: The Zoom integration and recognized IDs must be active in your instance. If you see a Setup Zoom meeting button on your alert, and you do not have Zoom administrator account credentials, contact your administrator. See Zoom integration with Incident Response for more information.
  1. Click Start Zoom.
    • A meeting pop-up appears.
    • Add participants.
    • Click Create Meeting.
    • The meeting is created, invitations are sent, and you join the meeting.
  2. Click Join Meeting
    • Sign in to your Zoom account.
    • You join the Zoom meeting.
Start or join a Slack channel:
Note: The Slack integration and recognized IDs must be active in your instance. If you see a Setup Slack channel button on your alert, and you and do not have Slack admin account credentials, contact your admin. See Slack integration with Incident Response for more information.
  1. Click Start Slack.
    • Add participants in the Create a Slack channel pop-up.
    • Click Create. You are redirected to the Slack application.
    • Back in the Collaboration column, the Join Slack button is activated.
  2. Click Join Channel in the Slack application window.
    • Sign into your Slack account.

      You are taken to the Slack channel.

Note: When a Zoom meeting or Slack channel is created, details for the meeting or channel are posted as work notes to the timeline.

Responders tab

Add responders from the list menu and click the Add iconAdd icon. Responders are notified based on their notification preferences.