Alert configuration
3 hours ago
I have 20 alerts with different descriptions for the same node. I created one alert rule and, in the alert filter, I added those descriptions using OR conditions (a-description OR b-description OR c-description) for that node. Is this the correct configuration? If not, what is the correct approach? Please let me know the best practice.
3 hours ago
Hi @umar5
Your configuration will work, but it is not considered best practice, especially when you already have many alerts and the list may grow or change over time.
Using multiple OR conditions on the description field is fragile because descriptions are free text and can change with tool updates or minor wording differences.
Recommended best practice in ServiceNow Event Management:
- Avoid filtering by description when possible
  Try to base the alert rule on stable attributes such as source, node, metric name, event type, resource, object, class, or severity. These fields are far less likely to change than description text.
- Use patterns instead of many OR conditions
  If the alerts share a common keyword or structure, use contains, starts with, or regex rather than listing every description individually.
- Normalize alerts at ingestion
  A better long-term approach is to normalize the alerts when they are ingested, for example by mapping them to a derived field like alert category or signature. Then your alert rule can filter on that normalized field.
- Split rules only when behavior differs
  Use separate rules only if the alerts require different actions such as different routing, severity, priority, or remediation. If the behavior is the same, keep one rule and improve the filter logic.
Rule of thumb
If the only difference between the alerts is the description, normalize or pattern match.
If the alerts require different handling, create separate rules.
Hope this helps.
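The contrast the answer draws between an OR list of descriptions and a normalized category field, as an added example in plain JavaScript that is not from the thread and does not use ServiceNow's own API (the alert objects, field names, descriptions and pattern table are constructed assumptions):

```javascript
// Constructed sample alerts for one node. The last one is the same condition
// as the first, but the monitoring tool changed its wording after an update.
const sampleAlerts = [
  { node: "db01", source: "Nagios", type: "disk", description: "Disk usage on /data above 90%" },
  { node: "db01", source: "Nagios", type: "cpu",  description: "CPU load high on db01" },
  { node: "db01", source: "Nagios", type: "disk", description: "Disk usage on /var above 90%" },
  { node: "db01", source: "Nagios", type: "disk", description: "Disk utilisation on /data exceeds 90 %" },
];

// Approach 1: the original rule, one OR clause per known description.
// Any wording change in the tool silently drops the alert from the rule.
const knownDescriptions = [
  "Disk usage on /data above 90%",
  "CPU load high on db01",
  "Disk usage on /var above 90%",
];
function matchByOrList(alert) {
  return alert.node === "db01" && knownDescriptions.includes(alert.description);
}

// Approach 2: normalize at ingestion. A small pattern table derives a stable
// category (and the affected resource) from the free-text description; the
// rule then filters on the derived field instead of the text itself.
const categoryPatterns = [
  { category: "disk_space", regex: /disk (usage|utili[sz]ation) on (\S+)/i },
  { category: "cpu_load",   regex: /cpu load/i },
];
function normalize(alert) {
  for (const { category, regex } of categoryPatterns) {
    const m = regex.exec(alert.description);
    if (m) return { ...alert, category, resource: m[2] || alert.node };
  }
  // Unmatched descriptions are flagged rather than dropped, so a new
  // wording shows up for review instead of vanishing.
  return { ...alert, category: "unclassified", resource: alert.node };
}
function matchByCategory(alert) {
  const n = normalize(alert);
  return n.node === "db01" && ["disk_space", "cpu_load"].includes(n.category);
}

// Side-by-side result for each alert: which approach still matches it.
function compare(alerts) {
  return alerts.map((a) => ({
    description: a.description,
    orList: matchByOrList(a),
    normalized: matchByCategory(a),
  }));
}
```

Running `compare(sampleAlerts)` shows the reworded fourth alert is missed by the OR list but still matched through its normalized category.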
2 hours ago
If I use source, node, metric name, and event type, will it create incidents for secondary alerts as well? Is it recommended to create incidents for secondary alerts?
Secondary alerts also have different descriptions. So far, in the alert filter, I have added descriptions only for primary alerts. We are newly integrating monitoring tools with ServiceNow.
