Create a response rule

Create a response rule to automatically triage alerts according to selected criteria.

Before you begin

New rules only run on alerts ingested after the rule is created. Open alerts that have already been evaluated are not reprocessed by new rules or by changes to existing rules.
Note: Response rules do not run on incidents.

If you change an existing rule so that it would now capture an existing alert, that alert is not captured. The changed criteria or actions are not applied to the existing alert unless it is closed and reopened; only then do the changed rule actions take place.

The order that response rules run in is important because the lower-order rules run first. This can affect whether the conditions of higher-order rules are met, or whether those rules run at all: lower-order rules can adjust field values or even stop processing.
Note: Set the order for your rule using the Rules Order icon in the Response rules list view. See Incident Response Automation for more information on response rule order.
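The effect of rule order described above, as an added example that is not part of the original page or of Lightstep Incident Response: a small simulation in which rules run lowest order first, one rule's Modify field values action changes what a later rule's condition sees, and the "No, stop processing rules after this rule" choice ends evaluation. The rule names, conditions, and alert field names are constructed for the illustration.

```python
"""Simulate response-rule ordering: rules run in list order (lowest order first),
an earlier rule may change alert fields or stop processing, and both affect
whether later rules' conditions are met. Constructed example, not product code."""

from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]   # checked against the alert's current field values
    set_fields: dict = field(default_factory=dict)  # the "Modify field values" action
    continue_processing: bool = True    # "Yes, continue processing rules ordered after this rule"


def run_rules(alert: dict, rules: list) -> tuple:
    """Apply rules in order; return the modified alert and the names of the rules that fired."""
    alert = dict(alert)                 # work on a copy so the caller's alert is untouched
    fired = []
    for rule in rules:
        if not rule.condition(alert):
            continue
        alert.update(rule.set_fields)   # later rules see the updated values
        fired.append(rule.name)
        if not rule.continue_processing:
            break                       # "No, stop processing rules after this rule"
    return alert, fired


# Constructed rules. A raises severity on database alerts; B matches only critical alerts,
# so it fires only because A ran first. C stops processing, so D never runs after it.
RULES = [
    Rule("A: escalate database alerts",
         lambda a: a.get("source") == "database",
         set_fields={"severity": "critical"}),
    Rule("B: page on critical",
         lambda a: a.get("severity") == "critical",
         set_fields={"tags": "paged"}),
    Rule("C: suppress during maintenance",
         lambda a: a.get("maintenance") is True,
         set_fields={"state": "suppressed"},
         continue_processing=False),
    Rule("D: assign default team",
         lambda a: "assignment_team" not in a,
         set_fields={"assignment_team": "sre"}),
]

DB_ALERT = {"number": "ALERT0001", "source": "database", "severity": "low"}       # constructed
MAINT_ALERT = {"number": "ALERT0002", "source": "web", "maintenance": True}       # constructed


def demo_escalation() -> tuple:
    """A then B: B's condition is met only because A changed severity first."""
    return run_rules(DB_ALERT, RULES)


def demo_reordered() -> tuple:
    """B moved before A: same alert, same rules, but B no longer fires."""
    return run_rules(DB_ALERT, [RULES[1], RULES[0], RULES[2], RULES[3]])


def demo_stop() -> tuple:
    """C fires and stops processing, so D never assigns a team."""
    return run_rules(MAINT_ALERT, RULES)


if __name__ == "__main__":
    for demo in (demo_escalation, demo_reordered, demo_stop):
        alert, fired = demo()
        print(demo.__name__, fired, alert)
```

Running the three demos side by side shows why the page asks you to test rules as you add them: the same alert and the same rules produce different field values depending only on their order.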


Role required: Manager, Administrator, or Responder

Procedure

  1. Log in to Lightstep Incident Response.
  2. In the left navigation pane, select Automation.
    The Response rules tab is selected by default.
  3. Select Create new rule.
  4. In the form, fill in the fields.

    The administrator view of this form contains an All teams and services choice in the list menu that is not available to managers or responders.

    Teams or Services are not required for the administrator.

    Table 1. Response rule setup form

    Rule name: Name of the rule.
    Description: Text description of the rule.
    This rule applies to: Select Services (default) or Teams. (Only visible to Administrators.) Select All teams and services to run the rule for all teams and all services. This choice is useful for rules that make team assignments or that should run for all teams or services.
    Teams or Services this rule applies to: You can select multiple teams or services.
    Condition filters: Creates filter criteria, from list menus, that identify the alerts to capture.
    Filter properties: Sets criteria for when to run the filter and for how long. Choices are:
    • Yes, continue processing rules ordered after this rule.
    • No, stop processing rules after this rule.
  5. Select Save and Continue.
  6. On the Response rule actions form, select an action. You can choose any or all actions.
    Note:

    If you choose multiple actions, the forms for each appear on the same screen successively. You can save once and be done.

    A default message is provided in the Preview/customize message text box for Email, Webhook, Zoom, Microsoft Teams, and Slack.

    Choices are:

    Option Description
    Modify field values
    Choose the fields, operators, and values you want to modify when an alert is captured by this rule.

    When you choose the Tags field, the tag you enter is created when the rule runs and the other criteria are met. It is also added to the list of available tags going forward.

    Send an email Configure an email message to send. Enter a subject, choose recipients, and preview/customize your message with alert information. You can choose from the Add fields menu to add variables to your message.

    For Custom recipients, you can add an email address for anyone you think might be interested.

    Create a Slack channel

    If the Create a Slack channel action is available (not grayed out), it creates a channel for this alert. By default, the channel name is ${number} and is not editable.

    If Create a Slack channel is not available, see Slack integration with Incident Response to authorize the application.

    Select participants. Choices are:
    • Primary On-Call
    • Assignment team
    • Responder list
    • Custom
    • Back-up On-Call
    • Assignment team's manager

    Customize your initial Slack message by entering whatever text you like in the Preview/customize message text box. You can choose from the Add fields menu to add variables to your message.

    Once you save the rule, Slack creates a channel for any alert meeting the rule criteria, with the specified participants, and posts your message.
    Note: Participants receive email notifications only if Slack is configured in your workspace to send them; this action does not send email itself.

    For Custom recipients, you can add an email address for anyone you think might be interested.

    If a Slack channel already exists for the alert, the rule does not create another one, because the alert has already been evaluated. However, if the alert is updated, or closed and reopened, the rule adds the specified participants and any other updates to the existing channel and posts your message.

    Create a Microsoft Teams channel

    If the Create a Microsoft Teams channel action is available (not grayed out), it creates a channel for this alert.

    If Create a Microsoft Teams channel is not available, see Microsoft Teams integration with Incident Response to authorize the application.

    Customize your initial Microsoft Teams message by entering whatever text you like in the Preview/customize message text box. You can choose from the Add fields menu to add variables to your message.

    Once you save the rule, Microsoft Teams creates a channel for any alert meeting the rule criteria and posts your message.
    Note: Participants receive notifications only if Microsoft Teams is configured in your Incident Response workspace to send them; this action does not send notifications itself.

    If a Microsoft Teams channel already exists for the alert, the rule does not create another one, because the alert has already been evaluated. However, if the alert is updated, or closed and reopened, the rule posts your message and any updates to the existing channel.

    Create a Zoom meeting

    If the Create a Zoom meeting action is available (not grayed out), it creates a Zoom meeting for this alert. By default, the meeting name is ${number} (the alert number) and is not editable.

    If Create a Zoom meeting is not available, see Zoom integration with Incident Response to authorize the application.

    Enter a Zoom meeting host.
    Note: The Zoom meeting host must have a valid Zoom ID and is added as a participant to the meeting. Because anyone can be the host, select someone you are sure will attend or will reassign host functions within Zoom.
    Select recipients. Choices are:
    • Primary On-Call
    • Assignment team
    • Responder list
    • Custom: (Choose from a list menu)
    • Back-up On-Call
    • Assignment team's manager

    Customize your email message by entering whatever text you like. You can choose from the fields listed in the right column to add variables to your message.

    Zoom sends an email to the host and invitees that contains this message in the Description section, so include any information recipients need to prepare for the meeting.
    Note: The meeting time in the message is in the UTC time zone and not local time.

    For Custom recipients, you can add an email address for anyone you think might be interested.

    API/Webhook
    Note: This action requires JSON Payload expertise.
    Enter the URL for your destination site and enter the JSON payload to POST to that destination. You can choose from the Add fields menu to add variables to your payload.
    Note: The URL must use https:// and not http://.


    JSON is the default POST payload format. If you want to change the payload format or pass alternative headers with the request, define custom key/value header pairs in the Headers tab, for example to specify a different content type.

    Test the request before saving; the test returns a status code along with the response payload. Any status code in the 400–500 range indicates an error. Any lower code indicates that the request passed, although the response payload may still contain errors.

    Create an incident

    Choose the incident fields, operators, and values you want to set when an incident is created by this rule. Fields from the alert are copied over to the incident; the values you set here are applied to the incident and take precedence over whatever is on the alert.

    The incident is linked to the current alert. Fields from the alert are copied over to the incident.

    If multiple alerts are grouped, only one incident is created, as the parent. Duplicates are not created.

    This action runs last, so that any rules that change field values on the alert are propagated to the incident.

    Note: For some examples of different types of actions, see Response rule examples.
  7. Select Save Actions.
    You are returned to the Automation landing page.

    The rule takes effect for any alerts that arrive after it is created. It does not reevaluate existing alerts unless they are closed and reopened.

    Note: As you add rules, remember that the order that they are listed in is the order they are processed. Order can change the outcome. So, be sure to test them out as you create new rules.
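The pre-save checks the API/Webhook action in step 6 calls for (an https:// destination, a JSON payload, custom headers, and a status code where 400 and above means an error), as an added example that is not part of the original page or of Lightstep Incident Response. The ${field} variable syntax is assumed from the ${number} variable the Slack and Zoom actions show; the alert, payload template, and hostname are constructed.

```python
"""Pre-save checks for an API/Webhook action: https-only destination, header sanity,
${field} substitution into a JSON payload, and status-code interpretation.
Constructed example, not product code; the ${field} syntax is an assumption."""

import json
import re
from string import Template
from typing import Optional
from urllib.parse import urlparse

VARIABLE = re.compile(r"\$\{(\w+)\}")   # assumed variable syntax, e.g. ${number}


def check_destination(url: str) -> list:
    """The destination must use https:// and not http://, and must name a host."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("URL must use https:// and not http://")
    if not parsed.netloc:
        problems.append("URL has no host")
    return problems


def check_headers(headers: dict) -> list:
    """Custom key/value header pairs: names must be non-empty, and neither name nor
    value may contain a line break, which would corrupt the request framing."""
    problems = []
    for name, value in headers.items():
        if not name.strip():
            problems.append("header with empty name")
        if any(ch in name or ch in str(value) for ch in "\r\n"):
            problems.append(f"header {name!r} contains a line break")
    return problems


def render_payload(template: str, alert: dict) -> str:
    """Fill ${field} variables with alert values, escaped so quotes and backslashes
    in alert text cannot break the surrounding JSON string."""
    escaped = {k: json.dumps(str(v))[1:-1] for k, v in alert.items()}
    return Template(template).safe_substitute(escaped)


def check_payload(template: str, alert: dict) -> tuple:
    """Return (parsed payload or None, problems): unknown variables and output that is
    not valid JSON after substitution are both reported."""
    problems = []
    unknown = sorted(set(VARIABLE.findall(template)) - set(alert))
    if unknown:
        problems.append("unknown variables: " + ", ".join(unknown))
    rendered = render_payload(template, alert)
    try:
        return json.loads(rendered), problems
    except json.JSONDecodeError as exc:
        problems.append(f"payload is not valid JSON after substitution: {exc.msg} at position {exc.pos}")
        return None, problems


def classify_status(code: int) -> str:
    """400 and above (the page's 400-500 range) is an error; a lower code means the
    request passed, though the response payload may still describe errors."""
    return "error" if code >= 400 else "passed"


def validate_webhook_action(url: str, template: str, headers: dict, alert: dict) -> list:
    """All pre-save checks together; an empty list means the action is ready to test."""
    return check_destination(url) + check_headers(headers) + check_payload(template, alert)[1]


# Constructed sample alert and payload templates (not real data).
SAMPLE_ALERT = {"number": "ALERT0001", "severity": "critical", "description": 'Disk "full" on db-01'}
GOOD_TEMPLATE = '{"alert": "${number}", "severity": "${severity}", "text": "${description}"}'
BAD_TEMPLATE = '{"alert": ${number}}'   # missing quotes: renders to {"alert": ALERT0001}

if __name__ == "__main__":
    print(validate_webhook_action("https://hooks.example.invalid/alert", GOOD_TEMPLATE,
                                  {"Content-Type": "application/json"}, SAMPLE_ALERT))
    print(validate_webhook_action("http://hooks.example.invalid/alert", BAD_TEMPLATE, {}, SAMPLE_ALERT))
```

The escaping in render_payload matters because alert descriptions are free text: a description containing a double quote would otherwise produce a payload the destination rejects, which the test step would surface as an error status only after the rule had been built.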