Looking to the community to get ideas on how you achieve alert correlation by location. For example: If a site loses network connectivity, we currently get alerts for the network equipment, ESX hosts and all the VMS that are down. This equates to about 15 to 20 alerts some of which are correlated through CMDB grouping which usually boils it down to 9ish alert groupings that the NOC would be creating incidents for. The grouping does not work the same every time in all locations and it still generates a few CMDB groups. Is there a clean way to correlate all the alerts in a single location within a time frame? I was looking at the tag based alert correlation engine as well as creating my own correlation rules but not sure how to get the rules to work off of a CI Location. 

Thanks in advance for sharing ideas.