Alert automation in Service Operations Workspace for ITOM
Alert automation is crucial as organizations deal with an increasing number of alerts and increasingly complex IT infrastructures. Manual alert handling is slow, error-prone and inefficient, which is why automated systems are needed. Automation can improve the mean time to resolve alerts, improve service reliability and make better use of staff resources.
Alert automations also support both centralized administrator and distributed team roles. This enables qualified teams to self-serve and create their own alert automations; for example, you may consider granting access to site reliability engineers (SREs). Members of a team can manage automations for their own team and their own alerts without impacting other teams.
For users familiar with our classic experience, alert automation offers an easier user interface and better team support for event rules, tag-based clustering definitions and alert management rules. Some advanced features are currently only available to admins in the classic experience. The two experiences use the same backend tables, so you can use whichever is most convenient, and changes made in one also appear in the other.
Alert automation types
Currently, Service Operations Workspace ITOM provides the following types of automation.
- Ignore automation: Reduce irrelevant or false-positive alerts, efficiently manage alert fatigue by filtering out noisy notifications, and allow teams to focus on critical issues.
- Enrich automation: Enhance raw alerts with contextual information to make them more informative and actionable. In simple terms, this involves taking the raw events generated by monitoring tools and transforming them into a common and standard format to aid automated grouping and response.
- Group automation: Group multiple related alerts into a single primary alert to reduce alert noise and identify the root cause.
- Respond automation: Respond to alerts automatically by notifying appropriate stakeholders, escalating them as needed or running remediation actions. Determine how and when alerts are escalated based on severity or type. Integrate with third-party systems to create cases, send notifications or run remediation actions.
Alert automation process flow
You may start by sending alerts or events from monitoring systems to ServiceNow using the Integrations Launchpad, where administrators establish connections between ServiceNow and monitoring tools. These integrations collect monitored data and generate events from third-party sources.
When alerts are received by ServiceNow, alert automations run in the order shown on the page: first, ignore automations filter alerts to reduce noise; next, enrich automations add extra context; then group automations group the alerts using that added context; finally, respond automations escalate alerts or run remediations. There can be several automations of each type. Each automation runs based on specific trigger conditions and executes specific actions. Alerts are automated only when they are received; automations are not applied to past alerts.
In the alert enrichment phase, administrators add or extract necessary fields from alerts to provide essential information for swift resolution. This ensures that alerts contain all relevant details required for effective incident response. Administrators add context to alerts by modifying and normalizing them. This enhances the correlation of alerts, making it easier to identify patterns and potential threats.
The enriched and composed alerts are then grouped based on predefined criteria, consolidating related alerts. This reduces alert fatigue and facilitates efficient remediation. Finally, escalated alerts trigger notifications to stakeholders through various channels, ensuring timely communication and response to critical alerts.
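As an added example (not ServiceNow code and not part of this page), the following standalone JavaScript models the four-phase sequence described above on a handful of constructed alerts: ignore rules drop noise, enrich rules normalize severity and attach a configuration item, a group rule consolidates alerts by that configuration item, and respond rules escalate the resulting primary alert. The alert fields, the CI lookup table, the severity ranking and every rule definition are assumptions chosen for illustration; the platform's own event rules, alert tables and APIs are not used.

```javascript
// Added example: a self-contained model of the ignore -> enrich -> group -> respond
// sequence. Not ServiceNow code; all field names, rules and lookups are assumptions.

// Constructed sample alerts, as a monitoring integration might deliver them.
const sampleAlerts = [
  { id: 'A1', source: 'monitorX', node: 'db01',  metric: 'cpu',       severity: 'Critical', message: 'CPU 98%' },
  { id: 'A2', source: 'monitorX', node: 'db01',  metric: 'memory',    severity: 'Major',    message: 'Mem 92%' },
  { id: 'A3', source: 'monitorY', node: 'web01', metric: 'heartbeat', severity: 'info',     message: 'test alert' },
  { id: 'A4', source: 'monitorX', node: 'db01',  metric: 'cpu',       severity: 'critical', message: 'CPU 99%' },
  { id: 'A5', source: 'monitorY', node: 'web02', metric: 'disk',      severity: 'Minor',    message: 'Disk 85%' },
];

// Assumed CMDB-style mapping from monitored node to configuration item (CI).
const CI_LOOKUP = { db01: 'ci-database-prod', web02: 'ci-web-prod' };
// Assumed ranking used to pick the primary alert of a group.
const SEVERITY_RANK = { critical: 4, major: 3, minor: 2, warning: 1, info: 0, unknown: -1 };

// Normalize the free-form severity strings different tools send into one canonical set.
function normalizeSeverity(raw) {
  const value = String(raw).toLowerCase();
  return SEVERITY_RANK[value] !== undefined ? value : 'unknown';
}

// Automations of one type run in definition order; each has a trigger condition and an action.
const automations = {
  ignore: [
    { name: 'drop-heartbeats', condition: a => a.metric === 'heartbeat' },
  ],
  enrich: [
    { name: 'normalize-severity', condition: () => true,
      action: a => ({ ...a, severity: normalizeSeverity(a.severity) }) },
    { name: 'attach-ci', condition: a => CI_LOOKUP[a.node] !== undefined,
      action: a => ({ ...a, ci: CI_LOOKUP[a.node] }) },
  ],
  group: [
    // Key on the ci field that the enrich phase added.
    { name: 'group-by-ci', condition: a => a.ci !== undefined, key: a => a.ci },
  ],
  respond: [
    { name: 'page-oncall', condition: g => g.severity === 'critical',
      action: g => ({ type: 'page', target: 'db-oncall', alert: g.primary }) },
    { name: 'open-ticket', condition: g => g.severity !== 'critical',
      action: g => ({ type: 'ticket', alert: g.primary }) },
  ],
};

// Ignore: an alert matched by any ignore rule is dropped before anything else sees it.
function runIgnore(alerts, rules) {
  return alerts.filter(a => !rules.some(r => r.condition(a)));
}

// Enrich: every matching rule transforms the alert in turn, without mutating the input.
function runEnrich(alerts, rules) {
  return alerts.map(a => rules.reduce((acc, r) => (r.condition(acc) ? r.action(acc) : acc), a));
}

// Group: alerts sharing a key become one group whose primary is its highest-severity member.
// Alerts no rule matches become single-member groups so respond can treat all groups alike.
function runGroup(alerts, rules) {
  const groups = new Map();
  for (const a of alerts) {
    const rule = rules.find(r => r.condition(a));
    const key = rule ? rule.key(a) : a.id;
    if (!groups.has(key)) groups.set(key, { key, primary: a, members: [], severity: a.severity });
    const g = groups.get(key);
    g.members.push(a);
    if (SEVERITY_RANK[a.severity] > SEVERITY_RANK[g.severity]) { g.severity = a.severity; g.primary = a; }
  }
  return [...groups.values()];
}

// Respond: each group triggers the actions of every respond rule whose condition it meets.
function runRespond(groups, rules) {
  const actions = [];
  for (const g of groups) for (const r of rules) if (r.condition(g)) actions.push(r.action(g));
  return actions;
}

// Only the alerts handed in (i.e. newly received ones) pass through the pipeline.
function processNewAlerts(alerts, defs) {
  const kept = runIgnore(alerts, defs.ignore);
  const enriched = runEnrich(kept, defs.enrich);
  const groups = runGroup(enriched, defs.group);
  const actions = runRespond(groups, defs.respond);
  return { kept, enriched, groups, actions };
}

const result = processNewAlerts(sampleAlerts, automations);
console.log(JSON.stringify(result.actions, null, 2));
```

Running the block shows why the phases are ordered as they are: the group rule keys on the ci field that enrichment adds, so grouping the alerts before enriching them leaves every alert as its own group, while in the correct order the three db01 alerts collapse into one critical primary alert that is paged once. The top-level call processes only the alerts passed to it, which mirrors the page's note that automations apply to newly received alerts rather than to past ones.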
This comprehensive alert automation process can reduce alert noise, improve mean time to resolution (MTTR), enhance service reliability, and boost staff productivity.