Alert automation in Service Operations Workspace for ITOM

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Alert automation in Service Operations Workspace for ITOM

    Alert automation in Service Operations Workspace for ITOM addresses the challenges of managing a growing volume of alerts and complex IT infrastructures. Manual alert handling is inefficient and prone to errors, whereas automation enhances the speed and accuracy of alert resolution, improves service reliability, and optimizes staff resource allocation. This capability supports both centralized administrators and distributed teams, allowing qualified groups such as site reliability engineers (SREs) to create and manage alert automations independently without affecting other teams.

    Show full answer Show less

    Key Features

    • Multiple Automation Types:
      • Ignore Automation: Filters out irrelevant or false-positive alerts to reduce alert noise and fatigue.
      • Enrich Automation: Adds contextual information to raw alerts, transforming them into a standardized format for better grouping and actionability.
      • Group Automation: Consolidates related alerts into a single primary alert to simplify identification of root causes and reduce noise.
      • Respond Automation: Automatically notifies stakeholders, escalates alerts based on severity or type, and triggers remediation actions, including integration with third-party systems for case creation and notifications.
    • Seamless Integration: Connects with monitoring tools via the Integrations Launchpad to ingest alerts and events efficiently.
    • Flexible User Interface: Offers an improved UI over the classic experience with better team support, while maintaining compatibility with the classic backend tables and features.

    Alert Automation Process

    The automation workflow follows a structured sequence:

    1. Ignore: Filters out noisy alerts upon receipt to prevent alert fatigue.
    2. Enrich: Adds or extracts essential fields to provide context and normalize alert data for better correlation.
    3. Group: Combines enriched alerts based on defined criteria, reducing noise and simplifying root cause analysis.
    4. Respond: Escalates alerts, notifies stakeholders, and triggers remediation or integration actions as appropriate.

    Each automation executes based on specific triggers and actions, applying only to incoming alerts. This process improves mean time to resolution (MTTR), reduces noise, enhances service reliability, and increases productivity.

    Alert automation is crucial as organizations deal with increasing number of alerts and complex IT infrastructures. Manual alert handling is slow, error-prone and inefficient, underscoring the need for automated systems. Automation can improve the mean time to resolve alerts, improve service reliability and better scale staff resources.

    Alert automations also support both centralized administrator and distributed team roles. This enables qualified teams to self-serve and create their own alert automations. For example, you may consider granting access to site reliability engineers (SREs). Members of teams can manage automations for their own team and their own alerts without impacting other teams.

    For users familiar with our classic experience, alert automation offers an easier user interface and better team support for event rules, tag-based clustering definitions and alert management rules. Some advanced features are currently only available to admins in the classic experience. These two experiences use the same backend tables. You can use whichever experience is most convenient, and changes in one will also update the other.

    Alert automation types

    Currently, Service Operations Workspace ITOM provides the following types of automation.

    1. Ignore automation: Reduce irrelevant or false-positive alerts, efficiently manage alert fatigue by filtering out noisy notifications, and allow teams to focus on critical issues.
    2. Enrich automation: Enhance raw alerts with contextual information to make them more informative and actionable. In simple terms, this involves taking the raw events generated by monitoring tools and transforming them into a common and standard format to aid automated grouping and response.
    3. Group automation: Group multiple related alerts into a single primary alert to reduce alert noise and identify the root cause.
    4. Respond automation: Respond to alerts automatically by notifying appropriate stakeholders, escalate them as needed or run remediation actions. Determine how and when alerts are escalated based on severity or type. Integrate with third party systems to create cases, notifications or run remediation actions.

    Alert automation process flow

    You may start by sending alerts or events from monitoring systems to ServiceNow using the Integrations Launchpad. This is where administrators establish connections between ServiceNow and monitoring tools. These integrations enable the collection of monitored data, generating events from third-party sources.

    When alerts are received by ServiceNow, alert automations run in the order shown on the page. First, we ignore alerts to reduce noise. Next, we enrich alerts with extra context, then group the alerts using the added context. Finally, we respond to alerts by escalating or running remediations. There can be several automations for each type. Each automation runs based on specific trigger conditions and executes specific actions. Alerts are only automated when they are received; we do not apply automations to past alerts.

    In the alert enrichment phase, administrators add or extract necessary fields from alerts to provide essential information for swift resolution. This ensures that alerts contain all relevant details required for effective incident response. Administrators add context to alerts by modifying and normalizing them. This enhances the correlation of alerts, making it easier to identify patterns and potential threats.

    The enriched and composed alerts are then grouped based on predefined criteria, consolidating related alerts. This reduces alert fatigue and facilitates efficient remediation. Finally, escalated alerts trigger notifications to stakeholders through various channels, ensuring timely communication and response to critical alerts.

    The following diagram illustrates this process flow.
    Figure 1. Alert automation: Reducing noise and improving resolution time
    The diagram illustrates the reduction in alerts

    This comprehensive alert automation process can reduce alert noise, improve mean time to resolution (MTTR), enhance service reliability, and boost staff productivity.