A first response policy automatically suppresses non-significant alerts as a first response.
You must have OpsQ View and OpsQ Manage permissions to manage first response and alert escalation policies.
A training file is required to suppress specific alerts or snooze specific alerts. The training file includes examples of alerts to be suppressed. See Alert Management Training File for more information.
Step 1: Policy name, scope, and mode
Define the policy name, scope, and mode.
Go to Setup > Alerts > First Response.
Select a client.
Click Create New or + Add, depending on whether you have any existing policies.
Enter a Name for the policy.
Ensure the Policy Scope is CLIENT.
Ensure you have the correct Client selected.
From the Mode list, select a policy mode.
| Policy Mode | Description |
|---|---|
| ON | The policy drives automated actions on alerts. |
| OFF | The policy is inactive and does not affect alerts. You can use this mode to review a newly defined policy before choosing one of the other modes. |
| Recommend | The policy creates a recommendation for actions that you should take on the alert. Recommendations are based on learned patterns in historical alerts. The recommendation includes a link to take the action. |
| Observed | This mode permits you to simulate a policy without affecting alerts. The policy creates an observed alert, which simulates the original alert. The observed alert shows the actions that would be taken on the original alert if the policy were in ON mode. The observed alert includes a link to the original alert. |
Recommend and Observed modes apply to incident actions.
Step 2: Filter criteria
Select the filter criteria for the alerts.
Select Filter Criteria.
Choose from Any or All of the defined conditions to apply a filter for the alerts.
Select one of the following attribute types:
- Native Attributes are the predefined attributes.
- Resource Custom Attributes are user-defined attributes.
Select the required attribute, logical operator, and enter the value.
Not Contains: Filters only the alerts that do not contain the input string provided in the field.
Not Equals: Filters only the alerts that are not equal to the input provided in the field.
Not Contains/Not Equals: If the selected property is not present in the alert, the alert is considered a match.
Example: Property value is “ABC”.
Resource “A” belongs to two resource groups - ABCDEF AND XYZ. In this case, there is No Match.
Resource “B” belongs to resource group - PQRS. There is Match.
Resource “C” belongs to no resource group. There is Match.
Click + to add multiple filter conditions.
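The following added example (not code from the product or its documentation) models the Not Contains / Not Equals rules and the Any / All choice from this step, and lists the alerts that fall in scope only because the attribute is missing. The function names and the `resourceGroup` attribute key are hypothetical, and applying the operator to every value of a multi-valued property is an assumption drawn from the Resource “A” case.

```python
# Added illustration, not product code. Attribute and function names are hypothetical.
NEGATIVE_OPS = {
    "Not Contains": lambda needle, v: needle not in v,
    "Not Equals": lambda needle, v: needle != v,
}

def evaluate(alert, condition):
    """Return (matched, absent) for one (attribute, operator, value) condition."""
    attribute, operator, value = condition
    present = alert.get(attribute) or []
    if not present:
        # Property not in the alert: negative operators count this as matched.
        return True, True
    test = NEGATIVE_OPS[operator]
    # Assumption: with several values, every one must pass (Resource A on the page).
    return all(test(value, v) for v in present), False

def policy_matches(alert, conditions, combine="All"):
    """Combine condition results with the Any / All choice from Step 2."""
    results = [evaluate(alert, c)[0] for c in conditions]
    return all(results) if combine == "All" else any(results)

def matched_with_absent_attribute(alerts, conditions, combine="All"):
    """Names of in-scope alerts where a condition passed only because the attribute was missing."""
    flagged = []
    for alert in alerts:
        if policy_matches(alert, conditions, combine) and any(
            evaluate(alert, c)[1] for c in conditions
        ):
            flagged.append(alert["name"])
    return flagged

# Constructed sample data mirroring Resources A, B and C from the example above.
ALERTS = [
    {"name": "A", "resourceGroup": ["ABCDEF", "XYZ"]},
    {"name": "B", "resourceGroup": ["PQRS"]},
    {"name": "C"},  # belongs to no resource group
]
CONDITIONS = [("resourceGroup", "Not Contains", "ABC")]

if __name__ == "__main__":
    for alert in ALERTS:
        print(alert["name"], "Match" if policy_matches(alert, CONDITIONS) else "No Match")
    print("Matched via missing attribute:", matched_with_absent_attribute(ALERTS, CONDITIONS))
```

Reviewing the last list before switching a suppression policy to ON shows which alerts a negative filter would include only because they lack the attribute.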
Step 3: Policy definition
The continuous learning option is only available for client-level policies. To apply first-response actions using machine learning, ensure Continuous Learning is enabled; it is enabled by default and suppresses alerts using historical data. If you do not want machine-learning suppression, disable the toggle button.
Note that if the alert payload has a source time that is older than the suppression time, the First Response recommendation or suppression is not applied.
Alert pattern actions
Train the system to suppress alerts that have a common pattern:
- Select “Suppress alerts that happen regularly, at around the same time” to suppress alerts that recur at around the same time.
- Specify the Seasonality Timeframe.
- Click Save.
Alert attribute actions
Assign the first-response actions or train the system to apply the selected first-response actions on the alerts with specific characteristics:
- Suppress Alerts: To manually suppress alerts, from the Suppress Alerts drop-down, select the required suppress action, and click Save.
- Run Processes: To manually add a process definition, from the Run Processes section, click Add, select the required process definition and click Save.
- Learned Configuration: To train the system to run first-response actions on the alerts. This option applies to both the Suppress Alerts and Run Processes options.
Use a training file or machine learning
Use a training file for machine learning.
Select Learned Configuration.
To add a training file, click Drop the training data file here, or browse to upload a training file.
One client can upload only one training file. Changing the training file affects all the learned policies of the client.
Select the file from your local folder. When the file is loaded, Input and Output columns are displayed.
Verify the Input and Output columns:
Click Continue to Model Training.
Click Train Model. The accuracy of the trained first-response policy is displayed in the Summary section.
The first response policy is created and is displayed on the First Response Policies page. Click the Number of suppressions to view detailed information.