A first response policy lets you automatically suppress non-significant alerts as a first response.

Prerequisites

You must have OpsQ View and OpsQ Manage permissions to manage first response and alert escalation policies.

A training file is required to suppress or snooze specific alerts. The training file includes examples of alerts to be suppressed. See Alert Management Training File for more information.

Step 1: Define policy name, scope, and mode

  1. Go to Setup > Alerts > First Response.

  2. Specify Client Select but do not select a client.

  3. Click Create New or + Add, depending on whether you have any existing policies.

    New First Response Policy - Partner
  4. Enter a Name for the policy.

  5. Verify that the Policy Scope is PARTNER.

  6. For Client, choose Include All Clients or Include Clients.

  7. If you selected Include Clients, click Add Clients and select the clients to include.

  8. From the Mode list, select a policy mode.

    Policy Mode | Description
    ON | The policy drives automated actions on alerts.
    OFF | The policy is inactive and does not affect alerts. You can use this mode to review a newly defined policy before choosing one of the other modes.
    Recommend | The policy creates a recommendation for actions that you should take on the alert. Recommendations are based on learned patterns in historical alerts. The recommendation includes a link to take the action.
    Observed | This mode permits you to simulate a policy without affecting alerts. The policy creates an observed alert, which simulates the original alert. The observed alert shows the actions that would be taken on the original alert if the policy were in On mode. The observed alert includes a link to the original alert.

    Recommend and Observed modes apply to incident actions.

Step 2: Select filter criteria

  1. Select Filter Criteria.

    Filter criteria

  2. Choose whether Any or All of the defined conditions must match for the filter to apply to an alert.

  3. Select one of the following attribute types:

    • Native Attributes are the predefined attributes.
    • Resource Custom Attributes are user-defined attributes.

  4. Select the required attribute and logical operator, then enter the value.

    Not Contains: Filters only the alerts that do not contain the input string provided in the field.

    Not Equals: Filters only the alerts that are not equal to the input provided in the field.

    Not Contains/Not Equals: If the selected property is not present in the alert, the condition is considered matched.

    Example: Property value is “ABC”.

    Resource “A” belongs to two resource groups, ABCDEF and XYZ. In this case, there is no match.
    Resource “B” belongs to resource group PQRS. There is a match.
    Resource “C” belongs to no resource group. There is a match.

  5. Click + to add multiple filter conditions.

The continuous learning option is only available for client-level policies.
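
The following added example (not product code) models the Not Contains/Not Equals behavior described in step 4, so you can see which alerts a negative filter sweeps in only because the property is missing. The alert dictionary layout, the attribute names `resourceGroup` and `site`, case-sensitive comparison, and the handling of Not Equals on multi-valued attributes are assumptions; the page's A/B/C example is read here as the Not Contains case.

```python
# Model of the Step 2 negative-operator semantics (added example, not vendor code).
# Assumptions: alerts are dicts, multi-valued attributes are lists, comparison is
# case-sensitive, and Not Equals treats multi-valued attributes like Not Contains.

NEGATIVE_OPS = {
    "Not Contains": lambda value, text: text in value,
    "Not Equals": lambda value, text: value == text,
}

def attribute_values(alert, attribute):
    """Return the attribute's values as a list; empty when the property is absent."""
    value = alert.get(attribute)
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]

def condition_matches(alert, attribute, operator, text):
    """True when no value of the attribute contains/equals text (absent => True)."""
    hit = NEGATIVE_OPS[operator]
    return not any(hit(v, text) for v in attribute_values(alert, attribute))

def policy_matches(alert, conditions, combine="All"):
    """Combine conditions the way the Any/All selector does."""
    results = [condition_matches(alert, *c) for c in conditions]
    return all(results) if combine == "All" else any(results)

def matched_by_absence(alerts, conditions, combine="All"):
    """Names of alerts that match while lacking at least one filtered attribute."""
    flagged = []
    for alert in alerts:
        missing = [a for a, _, _ in conditions if not attribute_values(alert, a)]
        if missing and policy_matches(alert, conditions, combine):
            flagged.append(alert["resource"])
    return flagged

# Constructed sample alerts mirroring resources A, B and C from the page.
ALERTS = [
    {"resource": "A", "resourceGroup": ["ABCDEF", "XYZ"]},
    {"resource": "B", "resourceGroup": ["PQRS"]},
    {"resource": "C"},  # belongs to no resource group
]
CONDITIONS = [("resourceGroup", "Not Contains", "ABC")]

if __name__ == "__main__":
    for alert in ALERTS:
        print(alert["resource"], policy_matches(alert, CONDITIONS))
    print("matched with a filtered property absent:",
          matched_by_absence(ALERTS, CONDITIONS))
```

Reviewing the `matched_by_absence` output before switching a policy to ON shows which alerts would be suppressed without ever carrying the filtered property.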

Step 3: Suppress Alerts

  1. Select the first response suppression setting.

  2. Select the Suppress Alerts value:

    • Do Not Suppress
    • Suppress Always
    • Suppress for (minutes or hours)

  3. Click Save.

The First Response Policies page shows the newly created First Response policy. Click Number of suppressions to view more detailed information.

Note that if the alert payload has a source time that is older than the suppression time, the First Response recommendation or suppression is not applied.