Alert automation in Service Operations Workspace for ITOM

  • Release version: Australia
  • Updated March 12, 2026
  • 3 minutes to read

    Alert automation is crucial as organizations deal with an increasing number of alerts and complex IT infrastructures. Manual alert handling is slow, error-prone, and inefficient, underscoring the need for automated systems. Automation can improve the mean time to resolve alerts, improve service reliability, and better scale staff resources.

    Alert automations also support both centralized administrator and distributed team roles. This enables qualified teams to self-serve and create their own alert automations. For example, you may consider granting access to site reliability engineers (SREs). Members of teams can manage automations for their own team and their own alerts without impacting other teams.

    For users familiar with our classic experience, alert automation offers an easier user interface and better team support for event rules, tag-based clustering definitions and alert management rules. Some advanced features are currently only available to admins in the classic experience. These two experiences use the same backend tables. You can use whichever experience is most convenient, and changes in one will also update the other.

    Alert automation types

    Currently, Service Operations Workspace for ITOM provides the following types of automation:

    1. Ignore automation: Reduce irrelevant or false-positive alerts, efficiently manage alert fatigue by filtering out noisy notifications, and allow teams to focus on critical issues.
    2. Enrich automation: Enhance raw alerts with contextual information to make them more informative and actionable. In simple terms, this involves taking the raw events generated by monitoring tools and transforming them into a common and standard format to aid automated grouping and response.
    3. Group automation: Group multiple related alerts into a single primary alert to reduce alert noise and identify the root cause.
    4. Respond automation: Respond to alerts automatically by notifying appropriate stakeholders, escalating the alerts as needed, or running remediation actions. Determine how and when alerts are escalated based on severity or type. Integrate with third-party systems to create cases or notifications, or to run remediation actions.

    Alert automation process flow

    You may start by sending alerts or events from monitoring systems to ServiceNow using the Integrations Launchpad. This is where administrators establish connections between ServiceNow and monitoring tools. These integrations enable the collection of monitored data, generating events from third-party sources.

    When alerts are received by ServiceNow, alert automations run in the order shown on the page. First, we ignore alerts to reduce noise. Next, we enrich alerts with extra context, then group the alerts using the added context. Finally, we respond to alerts by escalating or running remediations. There can be several automations for each type. Each automation runs based on specific trigger conditions and executes specific actions. Alerts are only automated when they are received; we do not apply automations to past alerts.

    In the alert enrichment phase, administrators add or extract necessary fields from alerts to provide essential information for swift resolution. This ensures that alerts contain all relevant details required for effective incident response. Administrators add context to alerts by modifying and normalizing them. This enhances the correlation of alerts, making it easier to identify patterns and potential threats.

    The enriched and composed alerts are then grouped based on predefined criteria, consolidating related alerts. This reduces alert fatigue and facilitates efficient remediation. Finally, escalated alerts trigger notifications to stakeholders through various channels, ensuring timely communication and response to critical alerts.

    The following diagram illustrates this process flow.
    Figure 1. Alert automation: Reducing noise and improving resolution time
    The diagram illustrates the reduction in alerts

    This comprehensive alert automation process can reduce alert noise, improve mean time to resolution (MTTR), enhance service reliability, and boost staff productivity.
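
The ignore, enrich, group, respond order from the process flow above, modeled in Python as an added example (it is not ServiceNow code and does not use the ServiceNow API). The alerts, field names, severity scale and owner lookup are constructed assumptions; the last function shows why enrichment has to run before grouping.

```python
from collections import defaultdict

SEVERITY_RANK = {"critical": 1, "major": 2, "minor": 3, "info": 5}  # assumed scale, lower is worse
OWNERS = {"db01": "database-sre", "web07": "web-sre"}               # constructed owner lookup

# Constructed alerts from three hypothetical tools, each naming the host differently.
ALERTS = [
    {"id": 1, "source": "tool-a", "host": "DB01.example.com", "severity": "major", "msg": "disk 91%"},
    {"id": 2, "source": "tool-b", "node": "db01", "severity": "critical", "msg": "replication lag"},
    {"id": 3, "source": "tool-c", "hostname": "db01.example.com", "severity": "minor", "msg": "slow query"},
    {"id": 4, "source": "tool-a", "host": "web07", "severity": "info", "msg": "heartbeat ok"},
    {"id": 5, "source": "tool-b", "node": "WEB07", "severity": "minor", "msg": "5xx rate 1%"},
]

def raw_host(alert):
    """Whatever host-like field the sending tool happened to use."""
    return alert.get("host") or alert.get("node") or alert.get("hostname") or ""

def ignore(alert):
    """Ignore stage: True for noise that should never reach later stages."""
    return alert["severity"] == "info"

def enrich(alert):
    """Enrich stage: normalize the host into one field and attach the owning team."""
    host = raw_host(alert).lower().split(".")[0]  # FQDN and short name collapse to one key
    out = {k: v for k, v in alert.items() if k not in ("node", "hostname")}
    return {**out, "host": host, "team": OWNERS.get(host, "unassigned")}

def group(alerts):
    """Group stage: one group per host value; the most severe alert becomes the primary."""
    clusters = defaultdict(list)
    for a in alerts:
        clusters[raw_host(a)].append(a)
    return [{"primary": min(m, key=lambda a: (SEVERITY_RANK[a["severity"]], a["id"])),
             "members": [a["id"] for a in m]} for m in clusters.values()]

def respond(groups):
    """Respond stage: escalate only groups whose primary alert is critical."""
    return [(g["primary"]["team"], g["primary"]["id"]) for g in groups
            if g["primary"]["severity"] == "critical"]

def run_pipeline(alerts):
    """Stages run in the documented order, on incoming alerts only."""
    groups = group([enrich(a) for a in alerts if not ignore(a)])
    return groups, respond(groups)

def group_without_enrichment(alerts):
    """Same grouping on raw alerts, to show what skipping the enrich stage costs."""
    return group([a for a in alerts if not ignore(a)])
```

With enrichment the four remaining alerts collapse into two groups and one escalation; grouped raw, the same alerts stay in four separate groups because each tool spells the host differently.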