Alert management rules for resolving alerts
You can configure Event Management to respond to alerts automatically. An alert management rule determines the required alert response, such as opening an incident, a knowledge base article, or a task, or launching a remediation action.
Alert management rules are provided with the base system as a store application (Alert Rules Management [sn_em_arm]) to help you respond to alerts. You can create filters to specify conditions for the rule so that the remedial action specified in the rule takes effect only when the conditions are met. For example, a rule can launch the required subflow or open an incident based on an alert. The alert's execution history is automatically updated to indicate the actions that were invoked.
Users with the evt_mgmt_admin role can use the alert management rule designer to create and customize alert management rules to act on specified alerts. Define rules with filters to determine which alerts the rule applies to. You can create rules to launch applications, URLs, subflows, remediation actions, or take other actions, such as to open an incident. For more information, see Create an alert management rule.
Users with the evt_mgmt_operator role can manually run alert management rules.
To automate alert responses with an easier interface, you can also create a respond automation in Service Operations Workspace. For more information, see Create Respond automation.
Alert management rule flow
The flow to create and run an alert management rule is:

| Component | Description |
|---|---|
| Alert Info | Configure a name and general information for the rule. |
| Alert Filter | Specify a filter to determine which alerts the rule applies to. You can also specify related list conditions. Note: The fields that are not supported for alert filtering are: Overall Event Count, Priority, Priority Group, Priority Breakdown, Tags, and Impacted Services. |
| Actions | Specify the response to the alert, such as to run a subflow, perform a remediation action, launch an application, or launch a URL in a browser. |
How rules are applied to updated alerts
Alert management rules run on all updated open alerts. Rules don’t run on closed alerts, even if they’ve been updated. The filters determine whether the rule's actions apply to the alert. For example, if a rule's condition indicates that an email message is sent when the alert severity changes to Major, the rule applies to an alert updated by a severity change from Warning to Major.
Use of filters and other actions
Filters ensure that the rule is invoked only when the configured condition occurs, and not for every update of the alert. For example, you can configure a rule so that updates that aren’t relevant (such as a Work notes field update) don’t cause the rule to run. As another example, a filter condition can specify that the alert management rule runs only when the alert severity is critical.
You can perform the following actions:
- Specify a filter that determines which alerts the rule applies to.
- In the Related List Conditions section of the form, configure additional conditions, for example, with an Alert > Parent relationship, to filter for any alerts that were received today.
- Respond to alerts. For example, by using subflows and workflows, create incidents for primary alerts with critical severity, or open a search engine in a browser to search for data according to the description field of the alert.
- Apply remediation. Remediation is based on Orchestration workflows that can be scripted to perform remediation tasks such as gathering system information or rebooting a server.
Note: For enhanced performance of the Event Management - Evaluate Scoped Alert Rules Management scheduled jobs, use subflows instead of workflows.
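The following is an added illustrative model of the rule evaluation described above; it is not ServiceNow's code or API. It assumes simplified field names, an alert `state` of `Closed` for closed alerts, and two filter operators (`is` and `changes_to`) to show why a filter on a change, rather than on a current value, keeps irrelevant updates such as Work notes edits from re-triggering a rule.

```javascript
// Added illustrative model (not ServiceNow code or its API) of how an alert
// management rule's filter is applied to an updated alert, per the text above:
// rules run on updated open alerts, never on closed ones, and the filter decides
// whether the actions apply. Field names, states and operators are assumptions.
const UNSUPPORTED_FILTER_FIELDS = new Set([  // fields the page says cannot be filtered on
  'overall_event_count', 'priority', 'priority_group',
  'priority_breakdown', 'tags', 'impacted_services',
]);
// Return the filter conditions that reference unsupported fields.
function unsupportedConditions(conditions) {
  return conditions.filter(c => UNSUPPORTED_FILTER_FIELDS.has(c.field));
}

// Evaluate one condition against an update (previous vs current record).
// 'is' matches the current value on every update; 'changes_to' matches only the
// update in which the field takes that value, so a later Work notes edit on the
// same alert does not re-trigger the rule.
function conditionMatches(cond, prev, curr) {
  switch (cond.op) {
    case 'is':
      return curr[cond.field] === cond.value;
    case 'changes_to':
      return curr[cond.field] === cond.value && prev[cond.field] !== cond.value;
    default:
      throw new Error('unsupported operator: ' + cond.op);
  }
}

// Decide whether a rule's actions apply to this alert update.
function ruleApplies(rule, prev, curr) {
  const bad = unsupportedConditions(rule.conditions);
  if (bad.length) throw new Error('unsupported filter field: ' + bad[0].field);
  if (curr.state === 'Closed') return false;  // closed alerts never match
  return rule.conditions.every(c => conditionMatches(c, prev, curr));
}

// Names of the rules whose actions run for this update, i.e. what the alert's
// execution history would record.
function rulesToRun(rules, prev, curr) {
  return rules.filter(r => ruleApplies(r, prev, curr)).map(r => r.name);
}
// Constructed sample rule and alert updates.
const emailOnMajor = {
  name: 'Email when severity changes to Major',
  conditions: [{ field: 'severity', op: 'changes_to', value: 'Major' }],
};
const before = { state: 'Open', severity: 'Warning', work_notes: '' };
const escalated = { ...before, severity: 'Major' };
const noteAdded = { ...escalated, work_notes: 'looking into it' };
```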
Scheduled jobs that check alert management rules
Alert management rules are checked every 11 seconds by the default Event Management - Evaluate Scoped Alert Rules Management0 scheduled job. The job then executes the required actions. For large-scale environments, you can add more than one job. Please contact Customer Service and Support. Don’t modify the sn_em_arm.alert_management.num_of_jobs property.
By default, the alert grouping job (Service Analytics group alerts using RCA/Alert Aggregation) and the alert management (Event Management - Evaluate Scoped Alert Rules Management0) jobs run independently of each other. For more information about coordinating the alert response and the automated alert grouping, see Synchronizing alert response with automated alert grouping.