Create a response rule

Create a response rule to automatically triage alerts according to selected criteria.

Before you begin

New rules only run on alerts ingested after the rule is created. Open alerts that have already been evaluated are not seen by new rules or by changes to existing rules.

If you change an existing rule, an existing alert that the changed rule would capture is not captured. The changed criteria or actions are not applied unless the existing alert is closed and reopened; at that point, the changed rule actions take place.

The order that response rules run in is important because lower-order rules run first. A lower-order rule can adjust field values or even stop processing, which can determine whether the conditions of higher-order rules are met or whether those rules run at all.
Note: Set the order for your rule using the Rules Order icon in the Response rules list view. See Incident Response Automation for more information on response rule order.
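The effect of rule order and of the stop-processing property, as an added example that is not part of this documentation or the product's code: a hypothetical minimal evaluator (the ResponseRule class, run_rules and the sample rules are all constructed here, not product defaults) that runs rules lower-order first, applies a matching rule's field changes before the next rule is evaluated, and honours "No, stop processing rules after this rule". The same alert run through the same three rules in two different orders ends up assigned to a different team.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Alert = Dict[str, str]


@dataclass
class ResponseRule:
    """Hypothetical model of one response rule: its condition filters, the
    field values it modifies, and the 'continue processing' filter property."""
    name: str
    condition: Callable[[Alert], bool]
    set_fields: Dict[str, str] = field(default_factory=dict)
    # True  = "Yes, continue processing rules ordered after this rule"
    # False = "No, stop processing rules after this rule"
    continue_processing: bool = True


def run_rules(alert: Alert, rules: List[ResponseRule]) -> List[str]:
    """Evaluate rules in list order (lower order first). Each matching rule's
    field changes are applied before the next rule is evaluated, so a later
    rule sees the modified alert. Returns the names of the rules that captured it."""
    captured: List[str] = []
    for rule in rules:
        if not rule.condition(alert):
            continue
        captured.append(rule.name)
        alert.update(rule.set_fields)
        if not rule.continue_processing:
            break
    return captured


# Constructed rules: names, fields and values are illustrative only.
raise_priority = ResponseRule(
    "raise-payments-priority",
    lambda a: a.get("service") == "payments",
    {"priority": "P1"},
)
assign_sre = ResponseRule(
    "assign-p1-to-sre",
    lambda a: a.get("priority") == "P1",
    {"assignment_team": "SRE"},
    continue_processing=False,
)
default_triage = ResponseRule(
    "default-triage",
    lambda a: True,
    {"assignment_team": "Triage"},
)


def new_alert() -> Alert:
    # Constructed alert, as it would look when freshly ingested.
    return {"number": "ALERT0001", "service": "payments", "priority": "P3"}


def evaluate(order: List[ResponseRule]) -> Tuple[List[str], Alert]:
    """Run a fresh copy of the alert through the rules in the given order."""
    alert = new_alert()
    return run_rules(alert, order), alert


if __name__ == "__main__":
    # Priority is raised first, so the P1 rule matches and stops processing.
    print(evaluate([raise_priority, assign_sre, default_triage]))
    # The P1 rule runs before priority is raised, never matches, and the alert
    # falls through to the default triage team: same rules, different outcome.
    print(evaluate([assign_sre, raise_priority, default_triage]))
```

Running the block shows why the note above says to test rules as you add them: moving the P1 assignment rule above the rule that sets priority silently changes which team receives the alert.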

Role required: Manager, Administrator, or Responder

Procedure

  1. Log in to Incident Response.
  2. In the left navigation pane, click Automation.
  3. Click Create new rule.
  4. In the form, fill in the fields.

    The administrator view of this form contains an Apply rule to all teams and services check box, which is not available to managers or responders.

    Teams or Services are not required for the admin.

    Table 1. Response rule setup form
    Rule name: Name of the rule.
    Description: Text description of the rule.
    Global (check box): (Only visible to Administrators) Sets the rule to run for all teams and all services. This field is useful for rules that make team assignments or that should be run for all teams or services.
    Teams: Select your team. You can select multiple teams, if available.
    Service: Select one or more services associated with this alert.
    Condition filters: Creates filter criteria, chosen from list menus, that identify the alerts to capture.
    Filter properties: Sets criteria for when to run the filter and for how long. Choices are:
    • Yes, continue processing rules ordered after this rule.
    • No, stop processing rules after this rule.
  5. Click Save and Continue.
  6. On the Response rule actions form, select an action. You can choose any or all actions.

    The Set actions initial page screenshot shows authorized Slack channel and Zoom meeting actions.

    Note: If you choose multiple actions, the forms for each appear on the same screen in succession. You can save once and be done.

    A default message is provided in the Preview/customize message text box for Email, Webhook, Slack, and Zoom.

    Choices are:

    Modify field values

    Choose the fields, operators, and values you want to modify when an alert is captured by this rule.

    When you choose the Tags field, the tag you enter is created when the rule runs and the other criteria are met. It is also added to the list of available tags going forward.

    Send an email

    Configure an email message to send. Enter a subject, choose recipients, and preview/customize your message with alert information. You can choose from the Add fields menu to add variables to your message.

    For Custom recipients, you can add an email address for anyone you think might be interested.

    Create a Slack channel

    If the Create a Slack channel action is available (not grayed out), it creates a channel for this alert. By default, the channel name is ${number} (the alert number) and is not editable.

    If Create a Slack channel is not available, see Integrations in Incident Response for the appropriate integration topic you want to use.

    Select participants. Choices are:
    • Primary On-Call
    • Assignment team
    • Responder list
    • Custom
    • Back-up On-Call
    • Assignment team's manager

    Customize your initial Slack message by entering whatever text you like in the Preview /customize message text box. You can choose from the Add fields menu to add variables to your message.

    Once you save the rule, Slack creates a channel for any alert meeting the rule criteria, with the specified participants, and posts your message.
    Note: If Slack in your workspace is configured to send email notifications to the participants, it does so; otherwise, this action does not send email.

    For Custom recipients, you can add an email address for anyone you think might be interested.

    If a Slack channel already exists, the rule does not create another one, because the alert has already been evaluated. However, if the alert is updated, or closed and reopened, the rule adds the specified participants and any other updates to the existing channel and posts your message.

    Create a Zoom meeting

    If the Create a Zoom meeting action is available (not grayed out), it creates a Zoom meeting for this alert. By default, the meeting name is ${number} (the alert number) and is not editable.

    If Create a Zoom meeting is not available, see Integrations in Incident Response for the appropriate integration topic you want to use.

    Enter a Zoom meeting host.
    Note: The Zoom meeting host must have a valid Zoom ID and is added as a participant in the meeting. Because anyone can be the host, select someone you are sure will attend or will reassign host functions within Zoom.
    Select recipients. Choices are:
    • Primary On-Call
    • Assignment team
    • Responder list
    • Custom: (Choose from a list menu)
    • Back-up On-Call
    • Assignment team's manager

    Customize your email message by entering whatever text you like. You can choose from the fields listed in the right column to add variables to your message.

    Zoom sends an email to the host and invitees. It contains this message in the Description section of the email. So, you might want to include any relevant information you have in preparation for the meeting.
    Note: The meeting time in the message is in the UTC time zone and not local time.

    For Custom recipients, you can add an email address for anyone you think might be interested.

    API/Webhook
    Note: This action requires JSON payload expertise.
    Enter the URL for your destination site and the JSON payload to POST to that destination. You can choose from the Add fields menu to add variables to your payload.
    Note: The URL must use https:// and not http://.

    Test the code before saving; you receive a STATUS CODE along with the Response Payload. Any status code in the 400–500 range indicates an error. Any lower code indicates that the call passed; however, the response payload could still contain other errors.

    Create an incident

    Choose the incident fields, operators, and values you want to set when an incident is created by this rule. Fields from the alert are copied over to the incident unless the rule sets them. These filters are for values you want to set on the incident; they take precedence over whatever is on the alert.

    The incident is linked to the current alert. Fields from the alert are copied over to the incident.

    If multiple alerts are grouped, only one incident is created, as the parent. Duplicates are not created.

    This action runs last, so that any rules that change field values on the alert are propagated to the incident.

    Note: For some examples of different types of actions, see Response rule examples.
  7. Click Save Actions.
    You are returned to the Automation landing page.

    The rule takes effect for any alerts that arrive after it is created. It does not reevaluate existing alerts unless they are closed and reopened.

    Note: As you add rules, remember that the order that they are listed in is the order they are processed. Order can change the outcome. So, be sure to test them out as you create new rules.
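A way to prepare and sanity-check an API/Webhook action payload offline, as an added example that is not the product's code and does not use its API: it uses the same ${field} placeholder style that the page shows for ${number}, rejects destinations that are not https://, JSON-escapes alert field values so quotes in alert text cannot break the payload, and interprets the STATUS CODE of a test POST by the rule given in the API/Webhook section. The template, the alert values, the hostname and the function names are all constructed for this example.

```python
import json
import urllib.error
import urllib.request
from string import Template
from urllib.parse import urlsplit

# Constructed payload template: ${field} placeholders in the same style as the
# ${number} variable used for Slack channel and Zoom meeting names. A literal
# "$" in the template must be written as "$$", as string.Template reserves "$".
TEMPLATE = ('{"text": "Alert ${number} on ${service}: ${short_description}", '
            '"priority": "${priority}"}')

# Constructed alert; stands in for the alert fields the rule would supply.
ALERT = {
    "number": "ALERT0001",
    "service": "payments",
    "short_description": 'Disk "full" on db-01',
    "priority": "P1",
}


def json_escape(value) -> str:
    """JSON-escape a field value so quotes, backslashes or newlines in alert
    text cannot break out of the string literal that holds the placeholder."""
    return json.dumps(str(value))[1:-1]


def render_payload(template_text: str, alert: dict) -> str:
    """Substitute alert fields into the template and verify the result is
    well-formed JSON before it is ever POSTed. A missing field raises KeyError."""
    rendered = Template(template_text).substitute(
        {key: json_escape(val) for key, val in alert.items()})
    json.loads(rendered)  # raises ValueError if the template produced bad JSON
    return rendered


def rendered_fields(template_text: str, alert: dict) -> dict:
    """Rendered payload parsed back into a dict, for inspection or testing."""
    return json.loads(render_payload(template_text, alert))


def check_destination(url: str) -> bool:
    """Enforce the requirement that the destination URL uses https://."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def classify_status(status: int) -> str:
    """Interpret the STATUS CODE from the test call: 400 and above is an
    error; a lower code passed, but the response payload may still carry
    application-level errors and should be read."""
    return "error" if status >= 400 else "passed"


def post_test(url: str, payload: str, timeout: float = 10.0):
    """POST the rendered payload and return (status code, response payload),
    including the body of an HTTP error response. Needs network; not run here."""
    if not check_destination(url):
        raise ValueError("destination must use https://")
    req = urllib.request.Request(
        url, data=payload.encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    print(render_payload(TEMPLATE, ALERT))
    print(check_destination("https://hooks.example.invalid/endpoint"))  # constructed
    print(check_destination("http://hooks.example.invalid/endpoint"))   # rejected
    print(classify_status(202), classify_status(404))
```

Escaping the substituted values is the point of the example: a short description containing a double quote would otherwise turn a valid template into a malformed payload (or into unintended JSON structure), which is exactly the kind of error the test call's status code alone does not reveal.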