Subflows in the base system

Zurich IT Operations Management

Release

zurich

ft:locale

en-US

ft:publication_title

Zurich IT Operations Management

ft:clusterId

itom

bundleId

itom

workflow

Technology

Event Management subflows in the base system

Release version: Zurich

Updated July 31, 2025

3 minutes to read

Summarize

Summarized using AI

Summary of Event Management subflows in the base system

Event Management in ServiceNow provides a set of predefined subflows that can be incorporated into alert management rules to automate the handling and remediation of alerts. These subflows appear in the Remediation Subflows area of alert management rules and enable customers to streamline alert processing and incident creation based on specific criteria.

Show full answer Show less

Accessing and Using Subflows

Navigate to Event Management > Rules > Alert Management Rules and create or edit a rule.
Under the Actions tab, add subflows in the Remediation Subflows section by inserting a new row and selecting from the base system’s available subflows.
These subflows allow customers to define automated actions that execute when alerts meet specified conditions.

Key Subflows Provided in the Base System

Acknowledge Alert: Marks an alert as acknowledged to indicate further attention is required.
Attach Knowledge Article (legacy): Attaches a knowledge article to alerts for legacy migrated instances.
Change Alert to Maintenance Mode: Sets the alert status to Maintenance.
Close Alert: Closes the alert.
Create Incident: Automatically creates an incident from alert details unless an incident already exists or the alert is in Maintenance mode. It respects grouping logic to avoid duplicate incidents on secondary alerts.
Create Major Incident Candidate: Creates a major incident candidate from an alert, which can be upgraded to a major incident. This does not run if an incident exists, the alert is in Maintenance, or the alert role is secondary.
Create Major Incident from Alert: Creates a major incident using alert data with similar restrictions as above.
Create Major Incident with Impact: Similar to the above but also considers the Impact field from the alert.
Create Major Incident Candidate with Impact: Creates a major incident candidate including Impact data, subject to the same restrictions.
Create Task (legacy): Uses task templates or legacy scripts to create tasks, applicable for migrated instances.
Overwrite Alert Template (legacy): Applies an alert template, intended for legacy migrated instances.

Important Considerations

Legacy subflows are provided primarily for instances migrated from releases prior to London and require additional configuration such as adding columns to the Alert Management Rules table.
Subflows respect alert states like Maintenance mode and existing incidents to prevent redundant actions.
To customize behavior, customers can create their own subflows tailored to their unique remediation requirements.
Execution timing for these subflows can be configured within alert management rules.

Practical Benefits for ServiceNow Customers

By leveraging these base system subflows, customers can automate routine alert handling tasks, reduce manual effort, ensure consistent incident creation, and improve operational responsiveness. The ability to customize or extend these subflows further enables alignment with specific business processes and escalation policies.

The subflows provided with the base system appear in the Remediation Subflows area of alert management rules.

Accessing the subflows

Navigate to Event Management > Rules > Alert Management Rules and click New. Click the Actions tab. In the Remediation Subflows area, double-click the Insert a new row field.

Specify subflow

Click the search icon to add subflows. The list of subflows that are provided with the base system appears.

Table 1. Subflows in the base system
Name	Description
Acknowledge Alert	Subflow to mark the alert as being Acknowledged. Acknowledge an alert to show that further attention is required.
Attach Knowledge Article (legacy)	Subflow to attach a knowledge article to the alert. This subflow is provided for instances that are migrated from legacy releases (prior to the London release). Note: Add the Knowledge article column to the Alert Management Rules [em_alert_management_rule] table, and select an article to attach to an alert when the rule executes.
Change Alert to Maintenance Mode	Subflow to mark the alert as being in Maintenance.
Close Alert	Subflow to mark the alert as being Closed.
Create Incident	Subflow to create an incident. Fields from the alert are used to populate the matching fields in the incident that is created. Note: If there is an existing incident that is attached to the alert, this subflow is not activated. If the alert is in Maintenance, an incident is not created. The alert management job runs even if the alert grouping job is not complete, if a specified time frame has passed. When this occurs, you can enable the Avoid INTs on secondary alerts rule to prevent incidents from being created for secondary alerts (when the evt_mgmt.avoid_int_enabled property is enabled), since an incident already exists for the primary alert.
Create Major Incident Candidate	Subflow to create a major incident candidate. Fields from the alert populate the matching fields in the major incident candidate that is created. A major incident candidate can be upgraded to become a major incident. Note: If there is an existing incident that is attached to the alert, this subflow is not activated. If the alert is in Maintenance, a major incident candidate is not created. If the Role in group is Secondary, the major incident candidate is not created.
Create Major Incident from Alert	Subflow to create a major incident from alert. Fields from the alert are used to populate the matching fields in the major incident that is created. Note: If there is an existing incident that is attached to the alert, this subflow is not activated. If the alert is in Maintenance, an incident is not created. If the Role in group is Secondary, the major incident candidate is not created.
Create Major Incident with Impact	Subflow to create a major incident from an alert in which the Impact field is also taken as input. Fields from the alert are used to populate the matching fields in the major incident that is created. Note: If there is an existing incident that is attached to the alert, this subflow is not activated. If the alert is in Maintenance, an incident is not created. If the Role in group is Secondary, the major incident candidate is not created.
Create Major Incident Candidate with Impact	Subflow to create a major incident candidate in which the Impact field is also taken as input. Fields from the alert populate the matching fields in the major incident candidate that is created. A major incident candidate can be upgraded to become a major incident. Note: If there is an existing incident that is attached to the alert, this subflow is not activated. If the alert is in Maintenance, a major incident candidate is not created. If the Role in group is Secondary, the major incident candidate is not created.
Create Task (legacy)	This subflow uses a task template, if provided, or the EventMgmtCustomIncidentPopulator script for instances migrated from legacy releases (prior to the London release). If configured, apply the task template. Note: Add the Task template column to the Alert Management Rules [em_alert_management_rule] table, and select a task template and task to apply when the rule executes.
Overwrite Alert Template (legacy)	This subflow applies the alert template. This subflow is provided for instances that are migrated from legacy releases (prior to the London release). Note: Add the Task type column to the Alert Management Rules [em_alert_management_rule] table, and select an alert template to apply when the rule executes.

Select the subflow that you need.
To customize a subflow, see Create a custom subflow for alerts. This topic also describes the input parameters in a subflow.
To specify when the workflow must be executed, double-click the cell under Execution.
.