Event Management subflows in the base system

  • Release version: Australia
  • Updated March 12, 2026

    The subflows provided with the base system appear in the Remediation Subflows area of alert management rules.

    Accessing the subflows

    Navigate to Event Management > Rules > Alert Management Rules and click New. Click the Actions tab. In the Remediation Subflows area, double-click the Insert a new row field.

    Specify subflow

    Click the search icon to add subflows. The list of subflows that are provided with the base system appears.

    Table 1. Subflows in the base system

    Name: Acknowledge Alert
    Description: Subflow to mark the alert as being Acknowledged. Acknowledge an alert to show that further attention is required.

    Name: Attach Knowledge Article (legacy)
    Description: Subflow to attach a knowledge article to the alert. This subflow is provided for instances that are migrated from legacy releases (prior to the London release).
    Note: Add the Knowledge article column to the Alert Management Rules [em_alert_management_rule] table, and select an article to attach to an alert when the rule executes.

    Name: Change Alert to Maintenance Mode
    Description: Subflow to mark the alert as being in Maintenance.

    Name: Close Alert
    Description: Subflow to mark the alert as being Closed.

    Name: Create Incident
    Description: Subflow to create an incident. Fields from the alert are used to populate the matching fields in the incident that is created.
    Note:
    • If there is an existing incident that is attached to the alert, this subflow is not activated.
    • If the alert is in Maintenance, an incident is not created.
    • The alert management job runs even if the alert grouping job is not complete, if a specified time frame has passed. When this occurs, you can enable the Avoid INTs on secondary alerts rule to prevent incidents from being created for secondary alerts (when the evt_mgmt.avoid_int_enabled property is enabled), since an incident already exists for the primary alert.

    Name: Create Major Incident Candidate
    Description: Subflow to create a major incident candidate. Fields from the alert populate the matching fields in the major incident candidate that is created. A major incident candidate can be upgraded to become a major incident.
    Note:
    • If there is an existing incident that is attached to the alert, this subflow is not activated.
    • If the alert is in Maintenance, a major incident candidate is not created.
    • If the Role in group is Secondary, the major incident candidate is not created.

    Name: Create Major Incident from Alert
    Description: Subflow to create a major incident from alert. Fields from the alert are used to populate the matching fields in the major incident that is created.
    Note:
    • If there is an existing incident that is attached to the alert, this subflow is not activated.
    • If the alert is in Maintenance, an incident is not created.
    • If the Role in group is Secondary, the major incident candidate is not created.

    Name: Create Major Incident with Impact
    Description: Subflow to create a major incident from an alert in which the Impact field is also taken as input. Fields from the alert are used to populate the matching fields in the major incident that is created.
    Note:
    • If there is an existing incident that is attached to the alert, this subflow is not activated.
    • If the alert is in Maintenance, an incident is not created.
    • If the Role in group is Secondary, the major incident candidate is not created.

    Name: Create Major Incident Candidate with Impact
    Description: Subflow to create a major incident candidate in which the Impact field is also taken as input. Fields from the alert populate the matching fields in the major incident candidate that is created. A major incident candidate can be upgraded to become a major incident.
    Note:
    • If there is an existing incident that is attached to the alert, this subflow is not activated.
    • If the alert is in Maintenance, a major incident candidate is not created.
    • If the Role in group is Secondary, the major incident candidate is not created.

    Name: Create Task (legacy)
    Description: This subflow uses a task template, if provided, or the EventMgmtCustomIncidentPopulator script for instances migrated from legacy releases (prior to the London release). If configured, apply the task template.
    Note: Add the Task template column to the Alert Management Rules [em_alert_management_rule] table, and select a task template and task to apply when the rule executes.

    Name: Overwrite Alert Template (legacy)
    Description: This subflow applies the alert template. This subflow is provided for instances that are migrated from legacy releases (prior to the London release).
    Note: Add the Task type column to the Alert Management Rules [em_alert_management_rule] table, and select an alert template to apply when the rule executes.

    1. Select the subflow that you need.
    2. To customize a subflow, see Create a custom subflow for alerts. This topic also describes the input parameters in a subflow.
    3. To specify when the workflow must be executed, double-click the cell under Execution.

      Figure: Subflow execution

    To automate alert responses with an easier interface, you can also create a respond automation in Service Operations Workspace. For more information, see Create Respond automation.