Alert correlation rule form

  • Release version: Xanadu
  • Updated August 12, 2024

    Manage the fields that define how alerts are correlated and grouped.

    Table 1. Alert correlation rule form

    Name
      Name of the correlation rule.

    Order
      The evaluation priority for the rule. Rules with lower numerical values are given higher priority. An alert is evaluated against each alert correlation rule until a match is found.

      For example, if you have two alert correlation rules with Order values 10 and 20, respectively, the rule with Order 10 is evaluated first. If an alert matches the criteria of the rule with Order 10, no further rules are checked. If it does not match, the alert is then evaluated against the rule with Order 20.

    Active
      Option to activate or deactivate the rule.

    Advanced
      Option to switch to advanced mode, which lets you use custom scripts to define your own logic. The sample correlation rule, Alert correlation rule SAMPLE, is provided out-of-the-box for reference. You can use its script as a guide.

      Note: The Filter condition specifies which alerts the rule applies to. Make sure the advanced script uses the same condition to identify the alerts to be included in the group.

    Description
      Description of the rule.

    Primary Alert
      The filter condition that identifies the primary alert, that is, the most important alert in a set of related alerts.

      This field does not appear when Advanced is selected.

    Secondary Alert
      The filter condition that identifies an alert that is related to the primary alert but of lesser importance.

      This field does not appear when Advanced is selected.

    Filter
      The filter condition that identifies the alert on which the script is run.

      Filter is available only when Advanced is selected.

      Filter parameters are case sensitive by default. To disable case sensitivity, set the sa_analytics.correlation_case_sensitive parameter to false.

    Relationship Type
      Specify the type of relationship between the primary and secondary alert:
      • No Relationship: Ignore the relationship when looking for a match.
      • Same CI or Node: Relate both alerts with the same CI. If the CI field is blank, the alerts must have the same Node value.
      • Primary is Parent: Relate the alerts where the primary alert is the parent in a parent-child relationship, as defined in the CI Relationships table [cmdb_rel_ci].
      • Primary is Child: Relate the alerts where the primary alert is the child in a parent-child relationship, as defined in the CI Relationships table [cmdb_rel_ci].

      This field does not appear when Advanced is selected.

    Time Difference in Minutes
      The maximum number of minutes between the primary and secondary event for them to match this rule. The default value is 60 minutes.

      Note: The value for this entry cannot exceed 1440 minutes (one day).

      This field does not appear when Advanced is selected.

    Script
      Custom script that you can modify to return a JSON string that specifies the primary and secondary alerts.

      Select Advanced to display the script field.

    /* The function needs to return a JSON string of the form {correlationType: [correlatedAlerts]}.
       For example: if your filter matches the alert, set the alert as the primary alert and set alerts 1, 2 and 3 each as secondary alerts.

       You can use both multiple primary alerts and multiple secondary alerts.
       The correlationType can be PRIMARY or SECONDARY, and the alert IDs must be in an array.
       currentAlert is the GlideRecord of the current alert on which the rule runs.
       The system supports only one primary per alert, so:
         Do not correlate more than one alert under the PRIMARY array.
         Do not correlate alerts that already have a primary under the SECONDARY array.
       The system supports open alerts only, so do not correlate alerts that have been closed under either one of the arrays.
    */

    (function findCorrelatedAlerts(currentAlert) {

        var result = {};   // Insert your code here
        result = {'SECONDARY': ['alertID1', 'alertID2', 'alertID3']};
        return JSON.stringify(result);   // the rule consumes the returned JSON string

    })(currentAlert);

    Relationship
      Description of the CI relationship between the primary and secondary alert, for example, Allocated from::Allocated to or Allocated to::Allocated from.

      This field displays only if either Primary is Parent or Primary is Child is selected for the Relationship Type.

      This field does not appear when Advanced is selected.
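The constraints listed in the sample script's comment, worked through as an added example that is not ServiceNow's own code: a findCorrelatedAlerts body that proposes only open alerts without an existing primary, on the same CI (or the same Node when the CI is blank), within the Time Difference window, plus a check that a returned JSON string names at most one primary. It runs offline against plain objects standing in for GlideRecords; the field names cmdb_ci, node, state, parent and sys_created_on, and the sample alerts, are assumptions constructed here.

```javascript
// Added example (not ServiceNow's sample): candidate alerts are plain objects standing in
// for alert GlideRecords; the field names and sample values below are assumptions.
var CURRENT_ALERT = { sys_id: 'a1', cmdb_ci: 'ci-web01', node: '', state: 'Open', parent: '', sys_created_on: '2024-08-12T10:00:00Z' };
var SAMPLE_ALERTS = [ // constructed test data
  { sys_id: 'a2', cmdb_ci: 'ci-web01', node: '', state: 'Open', parent: '', sys_created_on: '2024-08-12T10:20:00Z' },   // match
  { sys_id: 'a3', cmdb_ci: 'ci-web01', node: '', state: 'Open', parent: '', sys_created_on: '2024-08-12T09:30:00Z' },   // match
  { sys_id: 'a4', cmdb_ci: 'ci-web01', node: '', state: 'Closed', parent: '', sys_created_on: '2024-08-12T10:05:00Z' }, // closed
  { sys_id: 'a5', cmdb_ci: 'ci-web01', node: '', state: 'Open', parent: 'a9', sys_created_on: '2024-08-12T10:10:00Z' }, // already has a primary
  { sys_id: 'a6', cmdb_ci: 'ci-db01', node: '', state: 'Open', parent: '', sys_created_on: '2024-08-12T10:15:00Z' },    // other CI
  { sys_id: 'a7', cmdb_ci: 'ci-web01', node: '', state: 'Open', parent: '', sys_created_on: '2024-08-12T12:00:00Z' }    // outside a 60-minute window
];

function isOpen(a) { return a.state !== 'Closed'; }
function hasPrimary(a) { return !!a.parent; }            // already a secondary of some primary
function sameCiOrNode(a, b) {                             // "Same CI or Node" relationship type
  if (a.cmdb_ci) { return a.cmdb_ci === b.cmdb_ci; }
  return !!a.node && a.node === b.node;                   // CI blank: fall back to the Node value
}
function withinWindow(a, b, minutes) {                    // "Time Difference in Minutes"
  var diffMs = Math.abs(Date.parse(a.sys_created_on) - Date.parse(b.sys_created_on));
  return diffMs <= minutes * 60 * 1000;
}

// Returns the JSON string the Script field expects: the current alert becomes the primary
// and every candidate that passes all checks is listed under SECONDARY.
function findCorrelatedAlerts(currentAlert, candidates, windowMinutes) {
  var result = {};
  // A closed alert, or one that already has a primary, must not become a primary itself.
  if (!isOpen(currentAlert) || hasPrimary(currentAlert)) { return JSON.stringify(result); }
  var secondary = [];
  for (var i = 0; i < candidates.length; i++) {
    var c = candidates[i];
    if (c.sys_id === currentAlert.sys_id) { continue; }
    if (!isOpen(c) || hasPrimary(c)) { continue; }        // open alerts only; one primary per alert
    if (!sameCiOrNode(currentAlert, c)) { continue; }
    if (!withinWindow(currentAlert, c, windowMinutes)) { continue; }
    secondary.push(c.sys_id);
  }
  if (secondary.length > 0) { result.SECONDARY = secondary; }
  return JSON.stringify(result);
}

// Guard for scripts that also return PRIMARY: at most one primary, and no id in both arrays.
function isValidResult(jsonString) {
  var r = JSON.parse(jsonString);
  var primary = r.PRIMARY || [], secondary = r.SECONDARY || [];
  if (primary.length > 1) { return false; }
  return primary.every(function (id) { return secondary.indexOf(id) === -1; });
}
```

With the constructed data and a 60-minute window, only a2 and a3 end up under SECONDARY; widening the window to 180 minutes also admits a7.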