Event Management: Incident auto-assigned to previous engineer instead of only assignment group
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2 hours ago
Hi Team,
We are observing unexpected assignment behavior when incidents are created from Azure Monitor alerts via Event Management.
🔹 Scenario
Alert Source: Azure Monitor
Alert creates incident via Alert Management Rule + Flow Designer subflow
Assignment group is set correctly
Incident is also auto-assigned to the engineer who handled a previous incident for the same CI
🔹 Expected Behavior
Incident should be assigned only to the assignment group, allowing the team to take ownership.
🔹 Actual Behavior
Incident is created with:
Assignment group → correct
Assigned to → previous engineer (system set at creation)
This gives the impression that the ticket bypassed the group.
🔹 What we verified
✔ Alert Management Rule does NOT set Assigned To
✔ Flow Designer subflow sets only Assignment Group
✔ CI has no owner or assigned user
✔ Alert record does not contain Assigned To
✔ Assignment is set by “System” at creation
🔹 Question
What mechanism in Event Management can cause the incident to inherit the previous engineer?
Can this be due to:
Incident Assignment Rules?
Event Management correlation behavior?
Historical CI routing logic?
What is the recommended approach to ensure incidents are assigned only to the group?
🔹 Environment
ServiceNow Event Management
Azure Monitor integration
Incident created via Alert Management Rule + Flow Designer
🔹 Goal
Prevent auto-assignment to a specific engineer and route incidents to the assignment group only.
what needs to here - please help us - where we need to check -
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
16m ago
hey @nameisnani
Based on your validation:
Alert rule does not set Assigned To
Flow sets only Assignment Group
CI has no owner
Alert record does not contain Assigned To
Field is populated by System at insert
This strongly indicates that the assignment is happening at the platform level during incident creation.
Possible Causes
Incident Assignment Rules
Active assignment rules on the Incident table may contain conditions or script logic that:
Look up previous incidents for the same CI
Copy the last assigned engineer
Apply routing logic beyond just Assignment Group
Assignment rules execute during record insert and can populate Assigned To even if Flow does not.
Before Insert Business Rules
Custom business rules on Incident (Before Insert) may query the most recent incident for the same CI and set assigned_to programmatically.
Predictive Intelligence or Advanced Work Assignment
If enabled, Predictive Intelligence may auto-assign incidents based on historical patterns. This often appears as if the system is inheriting the previous engineer.
Incident Reuse or Correlation
If the alert is reopening or correlating to an existing incident rather than creating a brand-new record, Assigned To may persist from the original incident.
Solution for this case:
Option 1
Update assignment rules to exclude incidents where Source = Event Management (or Contact Type = Alert).
Option 2
Add logic in Flow Designer after incident creation to explicitly clear Assigned To.
Option 3
Create a defensive Before Insert business rule:
If source = Event Management
Then set assigned_to = empty
******************************************************************************************************
If this response helps, please mark it as Accept as Solution and Helpful.
Doing so helps others in the community and encourages me to keep contributing.
Regards
Vaishali Singh
