Alert management rules for resolving alerts

  • Release version: Zurich
  • Updated July 31, 2025

You can configure Event Management to respond to alerts automatically. An alert management rule determines the required response to an alert, such as opening an incident, opening a knowledge base article, opening a task, or launching a remediation action.

Alert management rules are provided with the base system as a store application (Alert Rules Management [sn_em_arm]) to help you respond to alerts. You can create filters that specify conditions for the rule, so that the remedial action specified in the rule takes effect only when the conditions are met. For example, a rule can launch the required subflow or open an incident based on an alert. The alert's execution history is automatically updated to indicate which actions were invoked.

    Users with the evt_mgmt_admin role can use the alert management rule designer to create and customize alert management rules to act on specified alerts. Define rules with filters to determine which alerts the rule applies to. You can create rules to launch applications, URLs, subflows, remediation actions, or take other actions, such as to open an incident. For more information, see Create an alert management rule.

    Users with the evt_mgmt_operator role can manually run alert management rules.

    Alert management rule flow

The flow to create and run an alert management rule is shown in the following diagram:

[Figure: Alert Management workflow]

Table 1. Alert management rule components

    Component      Description
    Alert Info     Configure a name and general information for the rule.
    Alert Filter   Specify a filter to determine which alerts the rule applies to. You can also specify related list conditions.
                   Note: The fields that are not supported for alert filtering are: Overall Event Count, Priority, Priority Group, Priority Breakdown, Tags, and Impacted Services.
    Actions        Specify the response to the alert, such as running a subflow, performing a remediation action, launching an application, or launching a URL in a browser.

    How rules are applied to updated alerts

    Alert management rules run on all updated open alerts. Rules don’t run on closed alerts, even if they’ve been updated. The filters determine whether the rule's actions apply to the alert. For example, if a rule's condition indicates that an email message is sent when the alert severity changes to Major, the rule applies to an alert updated by a severity change from Warning to Major.

    Use of filters and other actions

    Filters ensure that the rule is invoked only when the configured condition occurs, and not for every update of the alert. For example, you can configure a rule so that updates that aren’t relevant (such as a Work notes field update) don’t cause the rule to run. As another example, a filter condition can specify that the alert management rule runs only when the alert severity is critical.

    You can perform the following actions:

    • Specify a filter that determines which alerts the rule applies to.
    • In the Related List Conditions section of the form, configure additional conditions, for example, with an Alert > Parent relationship, to filter for any alerts that were received today.
    • Respond to alerts. For example, by using subflows and workflows, create incidents for primary alerts with critical severity, or open a search engine in a browser to search for data according to the description field of the alert.
    • Apply remediation. Remediation is based on Orchestration workflows that can be scripted to perform remediation tasks such as gathering system information or rebooting a server.
      Note:
      For enhanced performance of Event Management - Evaluate Scoped Alert Rules Management scheduled jobs, use subflows instead of workflows.

    Scheduled jobs that check alert management rules

Alert management rules are checked every 11 seconds by the default Event Management - Evaluate Scoped Alert Rules Management0 scheduled job. The job then executes the required actions. For large-scale environments, you can add more than one job; to do so, contact Customer Service and Support.
    Note:
Only new installations starting with the Vancouver release get two scheduled jobs: Event Management - Evaluate Scoped Alert Rules Management0 and Event Management - Evaluate Scoped Alert Rules Management1. Instances upgraded from earlier family releases keep the single scheduled job Event Management - Evaluate Scoped Alert Rules Management0.

    Don’t modify the sn_em_arm.alert_management.num_of_jobs property.

    By default, the alert grouping job (Service Analytics group alerts using RCA/Alert Aggregation) and the alert management (Event Management - Evaluate Scoped Alert Rules Management0) jobs run independently of each other. For more information about coordinating the alert response and the automated alert grouping, see Synchronizing alert response with automated alert grouping.

    Migrate existing alert action rules

    Existing alert action rules from an earlier release can be migrated to become alert management rules. You can modify an alert action rule only after migrating it to an alert management rule. For more information, see Migrate an alert action rule to an alert management rule.