
Create and configure incident policies

Use incident policies to organize incidents depending on the impacted environmental component, for example, your web application service or checkout service. Begin by creating an incident policy. Then, route alerts to the incident policy. Next, specify which alerts create an incident and how alerts are grouped into incidents. Finally, create incident workflows with escalating steps to determine who is notified to respond when a new incident is triggered.

Create an incident policy

  1. In Incident Intelligence, select Incident Management.

  2. Select Incident policies > Create incident policy.

  3. Give your incident policy a unique name and a description.

  4. Select Create incident policy.

After you create your incident policy, you are directed to configure which alerts are routed to your incident policy.

Configure the alerts that are routed to your incident policy

Use alert routing to associate alerts with an incident policy. If an alert matches your alert filter conditions, it is routed to the incident policy. To set up your alert routing for the incident policy, follow these steps:

Note

The rank order of your incident policy also determines where alerts are routed. Alerts are only routed to one incident policy even if they match multiple policies. The incident policy that alerts are routed to is based on your policy's alert routing conditions and incident policy rank order. See Rank your incident policies to ensure alerts are appropriately routed.

  1. In Incident Intelligence, select Incident Management.

  2. Select Incident policies and then the incident policy you want to add alert routing conditions to.

  3. Select the Alert Routing tab to see the list of alerts that are currently routed to the incident policy.

  4. To filter the alerts routed to the incident policy, select Add Filters.
    1. Select a filter field. Use source to route alerts based on a detector name.

    2. Select the = (equal to) or != (not equal to) operator.

    3. Select a filter value.

    4. Select Enter to save your condition.

  5. Repeat these steps for any additional alert routing conditions that you want to set up. By default, multiple conditions are joined by an OR operator. To switch an OR operator to AND, select the OR operator and select AND.

  6. Review the list of alerts that are currently routed to the incident policy to confirm your filter conditions are correct.

  7. Select Save alert routing when you are finished setting up your alert routing conditions.

After you configure which alerts are routed to your incident policy, configure how alerts are grouped into incidents.

Configure how alerts are grouped

Use alert grouping to manage which alerts create an incident and how alerts are grouped into incidents. Alert grouping is specific to each incident policy and you can customize it to create the workflow that works for you. You can use alert severity to determine if an incident is created and also group alerts by time period. To configure alert grouping, follow these steps:

  1. In Incident Intelligence, select Incident Management.

  2. Select Incident policies and then the incident policy you want to add alert grouping conditions to. Each incident policy can have one alert grouping rule.

  3. On the Alert grouping tab, select the minimum severity level you want to require for an incident to be triggered in the drop-down list next to Trigger an incident when alerts reach severity level.

  4. If you want to group alerts into incidents, select Group alerts from the same time period into incidents, and then select a time period between 10 minutes and 24 hours from the drop-down list next to Create a new incident if there is a pause in alerts for.

  5. Select Save alert grouping.
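
The interaction of the two grouping settings above, as an added Python model that is not the product's own code. It assumes the severity names and their order, that alerts below the minimum severity are ignored entirely, and that a gap equal to the full pause period starts a new incident; the sample alerts are constructed.

```python
from datetime import datetime, timedelta

# Assumption: severity names, ordered lowest to highest.
SEVERITIES = ["Info", "Warning", "Minor", "Major", "Critical"]
# The page allows a pause period between 10 minutes and 24 hours.
MIN_PAUSE, MAX_PAUSE = timedelta(minutes=10), timedelta(hours=24)


def group_alerts(alerts, min_severity, pause=None):
    """Group (timestamp, severity, source) alerts into incidents.

    pause=None models the grouping checkbox left unselected, in which
    case every qualifying alert becomes its own incident (assumption).
    """
    if pause is not None and not (MIN_PAUSE <= pause <= MAX_PAUSE):
        raise ValueError("pause must be between 10 minutes and 24 hours")
    floor = SEVERITIES.index(min_severity)
    # Assumption: alerts below the minimum severity play no part at all.
    qualifying = sorted(a for a in alerts if SEVERITIES.index(a[1]) >= floor)

    incidents, last_seen = [], None
    for alert in qualifying:
        within_window = (pause is not None and last_seen is not None
                         and alert[0] - last_seen < pause)
        if within_window:
            incidents[-1].append(alert)   # continue the open incident
        else:
            incidents.append([alert])     # pause elapsed: new incident
        last_seen = alert[0]
    return incidents


# Constructed sample alerts for one incident policy.
T0 = datetime(2024, 1, 1, 9, 0)
ALERTS = [
    (T0, "Critical", "checkout-latency"),
    (T0 + timedelta(minutes=5), "Warning", "checkout-latency"),
    (T0 + timedelta(minutes=8), "Major", "checkout-errors"),
    (T0 + timedelta(minutes=45), "Critical", "checkout-latency"),
]

if __name__ == "__main__":
    for incident in group_alerts(ALERTS, "Major", timedelta(minutes=10)):
        print([f"{t:%H:%M} {sev} {src}" for t, sev, src in incident])
```

A short pause period splits a slow-burning problem into several incidents, each of which starts its own workflow; a long one folds unrelated alerts into a single incident.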

After you manage which alerts create an incident and how alerts are grouped into incidents, configure incident workflows for your incident policy.

Configure incident workflows for your incident policy

Use incident workflows to determine who is notified when a new incident is triggered. To create an automatic incident workflow, add escalating steps to notify responders of the incident. To add an incident workflow, follow these steps:

  1. In Incident Intelligence, select Incident Management.

  2. Select Incident policies and then the incident policy where you want to create an incident workflow.

  3. Select the Incident workflows tab.

  4. To add responders, select Configure invite under Immediately.

  5. In the Configure invite window, add responders by name or by schedule. If you don't have an on-call schedule, see Create and manage on-call schedules.

    Add responder option: Add responders by name
    Steps: Enter user names in the Search people field and select the user when they appear.

    Add responder option: Add responders by schedule
    Steps: Enter a schedule name in the Search schedules field and select the schedule when it appears. Adding a schedule to a workflow step notifies the user that is on call when that workflow step is triggered.

  6. Repeat these steps until you have all the responders you want to invite to incidents for this step in the workflow.

  7. Select Add responders.

  8. Select Add New Step to add additional escalating steps with additional responders to your incident workflow.

  9. Select an elapsed time period in the drop-down list next to If unacknowledged after.

  10. Select Configure invite to add responders.

  11. Repeat these steps until you have a complete incident workflow for the incident policy.

Rank your incident policies to ensure alerts are appropriately routed

If you have more than one incident policy, organize them in the order of their importance (top to bottom) to your infrastructure. Alerts are only routed to one incident policy even if they match multiple policies. The incident policy that alerts are routed to is based on your policy's alert routing conditions and incident policy rank order. To rank your incident policies, go to Incident Management > Incident policies > Incident policy ranking.
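
How alert routing conditions and rank order combine, as an added Python model that is not the product's own code. It assumes the highest-ranked matching policy receives the alert and that each policy uses a single OR/AND join; the policy names, the environment field and the sample alerts are constructed.

```python
from dataclasses import dataclass


@dataclass
class Condition:
    field: str   # "source" routes on a detector name, per the page
    op: str      # "=" or "!=", the two operators the filter offers
    value: str

    def matches(self, alert: dict) -> bool:
        equal = alert.get(self.field) == self.value
        return equal if self.op == "=" else not equal


@dataclass
class Policy:
    name: str
    conditions: list
    join: str = "OR"   # OR is the default join; assumption: one join per policy

    def matches(self, alert: dict) -> bool:
        results = [c.matches(alert) for c in self.conditions]
        return all(results) if self.join == "AND" else any(results)


def route(alert, ranked_policies):
    """Name of the highest-ranked policy that matches, or None."""
    for policy in ranked_policies:   # list order is rank order, top first
        if policy.matches(alert):
            return policy.name
    return None


def shadowed(ranked_policies, sample_alerts):
    """Policies that match some sample alert but never receive one."""
    received = {route(a, ranked_policies) for a in sample_alerts}
    return [p.name for p in ranked_policies
            if p.name not in received
            and any(p.matches(a) for a in sample_alerts)]


# Constructed policies and alerts.
BROAD = Policy("all-prod", [Condition("environment", "=", "prod")])
CHECKOUT = Policy("checkout", [Condition("source", "=", "checkout-latency"),
                               Condition("environment", "=", "prod")], join="AND")
ALERTS = [
    {"source": "checkout-latency", "environment": "prod"},
    {"source": "web-5xx", "environment": "prod"},
    {"source": "checkout-latency", "environment": "staging"},
]
```

Ranking the broad policy first means the checkout policy never receives an alert, so its workflow never notifies anyone; `shadowed` reports that case, and swapping the rank order clears it.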

Mute notifications using incident policy maintenance

Use incident policy maintenance to mute notifications while you are making changes to the incident policy.

To put your incident policy in maintenance, select the Actions menu on the incident policy you want to put in maintenance and select Maintenance. The incident policy status will show as Maintenance.

All incidents that are associated with the incident policy that are triggered while the incident policy is in maintenance are created in a muted state. No responders are notified when a muted incident is triggered. Muted incidents don't show in your incident list by default. To see your muted incidents, select the Incidents tab in Incident Intelligence and add a Status = Muted filter. Muted incidents are read-only and can't be acknowledged, resolved, or rejected.

Take an incident policy out of maintenance

To take an incident policy out of maintenance and resume triggering incidents, select the Actions menu on the incident policy you want to take out of maintenance and select Enable. The incident policy status shows as Enabled. This resumes triggering incidents associated with the incident policy.

Next step

If you are setting up Incident Intelligence for the first time, next you need to create an on-call schedule. See Create and manage on-call schedules.