Is it possible to auto-close an Alert but then also auto-open an Incident using only an Alert Rule?

joelnbtx · ‎02-09-2017

I have a use case where a customer only wants to work on incidents instead of both alerts and incidents. They want the alert to close automatically. The alert rule is already opening incidents by setting the 'Auto open' checkbox with type=Incident. I was able to auto-close the alert by creating an overwrite template in the alert rule and setting the 'alert state' to closed. However, when i close the alert via the template, then the alert rule will not auto-open the incident. So, it seems like I can either auto-close the alert or auto-open an Incident, but i can't do both using the templates.

Have I missed any Alert Rule functionality that would allow this use case?

Tony Branton · ‎02-13-2017

Rather than messing around with script includes, another approach would be to use a Remediation Task that would invoke a workflow. The advantage of this approach is that you can control the order of execution.

Here are the high-level steps:

Create a workflow that uses the em_remediation_task table
Add a workflow Create Task (or Run Script) activity to create an Incident. Although you can use a Task Template in a Create Task activity, you'll likely need to use a script to populate some of the Task fields (e.g. Alert Description -> Incident Short Description)
Add a workflow Set Value activity to change the Alert State field to Closed (use the Alert related fields)
Using the existing Alert Rule, clear the Overwrite alert template field and uncheck the Auto-open checkbox on the Actions tab.
In the Remediation tab, check the Enable remediation checkbox, set Execution to Automatic and and select the Orchestration workflow you created.

Hope this helps with your use case.

View solution in original post

sndangibbard · ‎02-11-2017

Hi Joe!

The Script Include that generates a new Incident (if auto-open is checked for your rule) is: EvtMgmtIncidentHandler

Open the Script Include and find the method submiteTask (line 87)

At the end of this method, just before the final return true statement (line 154) add the line:

alert.state='Closed'

After your Incident has been generated the Alert will now be closed.

NOTE: You should not modify any baseline Script Includes. You should create a duplicate of the relevant Script Include, mark the original as active=false and make any required changes in the duplicate.

Please let me know if this helps!

Dan

joelnbtx · ‎02-13-2017

Thanks for the info about the EvtMgmtIncidentHandler. However, our use case is for a fringe condition. Most of our other internal customers are working from the Alert and Incident layers. We were hoping to be able to address this scenario with standard alert rule processing since we wouldn't want to make a global change just for this outlier.

ellenxiang · ‎01-24-2018

Hi Joe,

I tried to configure alert action rule to close alert by using the Overwrite alert template in which set the State Closed. Actually, after creating an alert, it failed to change to Closed. Do you have any clue why and how to resolve? Thank you. Do you know how to trouble shoot if the alert rule was triggered or not?

Thank you.

Tony Branton · ‎01-24-2018

You can see if an Alert Action Rule has been applied to an Alert by clicking on the History tabbed section in the Alert form and seeing the Work Notes.

I tested closing an Alert with an Alert Action Rule and Alert template and it worked fine (on Kingston). Be sure to set the Order field in the Alert Action Rule to a number (e.g. 50) to ensure it's processed before other Alert Action Rules that may have similar filter conditions.