Alert Strategies¶
When monitors detect anomalies, they automatically create incident records. By associating monitors with alert strategies, you can ensure that relevant alert notifications are sent to designated targets in a timely manner.
The configuration of alert strategies not only provides basic functions such as name, description, time zone, and action permissions, but also supports flexible definition of notification methods from two dimensions: alert levels and notification targets. In addition, you can configure escalation notification functionality for alert strategies to handle emergencies. At the same time, alert strategies allow you to customize the time when notifications are sent to meet the needs of different scenarios.
For continuously occurring incidents or specific alert conditions, you can set up repeat alert rules to control notification frequency flexibly. When sending notifications, you can also choose whether to aggregate notification content, thereby more efficiently and concisely conveying information to recipients.
Start Creating¶
- Define the name of the current alert strategy;
- Input the description for this strategy as needed;
- Select the associated monitors;
- Choose the notification time zone;
- Choose whether this strategy triggers notifications based on level or based on members;
- Choose the time range for repeat alerts (previous alert silencing);
- Choose the alert aggregation mode as needed, determining the final aggregation form of the alert notifications;
- Add action permissions for the strategy rules as needed;
- Save to successfully create.
Association¶
On the configuration page, you can click to select monitors, SLOs, and security checks associated with the current alert strategy.
Here, you can quickly create a new monitor to adapt to new scenarios as needed.
Notification Rule Configuration¶
Configuration Notes
- Recovery Notifications: When previously sent abnormal alert events recover, the system sends recovery notifications to the corresponding notification targets. For example: a critical notification related to an event was sent to a group; when this state begins to recover, a recovery notification will be sent to the same group.
- Notification Delay: Alert notifications are not sent immediately after generation; there may be up to a 1-minute delay due to data storage latency.
Currently supports two types of notification configurations: based on level and based on members.
The former involves selecting an event level and setting notification targets for that type of anomaly event. If filter conditions are set, the scope of event data under a certain level is further restricted, and notifications are finally sent to the targets.
The latter involves first selecting members or teams, defining the scope of events they need to focus on or take responsibility for, and then delineating the event levels and corresponding notification targets within this data set, achieving strong associations between events and targets.
Notification Configuration Based on Levels¶
Define notification targets for each level.
- Select event levels.
  - One event level can be selected multiple times;
  - Based on the selected event level, you can link alert aggregation.
- Select the notification targets for events at this level.
| Type | Description |
|---|---|
| Workspace Members | Email notifications; viewable under Management > Member Management. |
| Teams | Email notifications; a team can add multiple workspace members, viewable under Management > Member Management > Team Management. |
| Email Groups | Email notifications; an email group can add multiple teams, viewable under Monitoring > Notification Targets Management. |
| DingTalk/WeCom/Lark Bots | Group notifications; viewable under Monitoring > Notification Targets Management. |
| Webhook Custom | User-defined; viewable under Monitoring > Notification Targets Management. |
| SMS | SMS notifications; an SMS group can add multiple workspace members, viewable under Monitoring > Notification Targets Management. Free Plan does not support SMS notifications. Other versions charge 0.1 USD per message, billed daily, with no free quota. |
| Custom External Emails | Enter an email address and press Enter; supported only by Commercial Plan and Deployment Plan users. |
Notification Configuration Based on Members¶
Configure notification rules based on members to achieve precise point-to-point alert notifications. At the same time, in one alert rule, you can configure different notification scopes, levels, and methods for multiple groups of members, and customize notification time ranges for multiple groups of members.
- Define the name of the notification rule;
- Select the members and teams that need to be notified;
- Add filter conditions to achieve label matching;
- For the filtered event data, you can set corresponding notification targets for different event levels;
- Enable the custom notification time range configuration as needed.
Configuration Notes
If you configure multiple custom notification time ranges, the system will match them in order from top to bottom and only use the notification rules within the first matched time range to send alerts.
Adding Filter Conditions¶
Whether configuring notifications by level or by member, adding specific filter conditions can:
- For notifications based on levels, further refine the data scope of specific level events;
- For notifications based on members, limit members or teams to only focus on events that match specific labels.
After adding filters, only events that meet both the level requirements and filter conditions will trigger notifications.
After clicking the filter button, the system will automatically retrieve the fields of the current workspace and set filter conditions in the form of `key:value`. You can choose the following matching methods: equals, does not equal, wildcard, inverse wildcard, and regular expression matching. Multiple filtering conditions for the same `key` field have an OR relationship, while filtering conditions for different `key` fields have an AND relationship.
You can configure filter conditions in the following two ways:
- Directly select fields on the page and set conditions.
- Write regular expressions to implement more complex screening logic, meeting the needs of fine-grained configuration.
Configuration Notes
Each alert rule can only add one group of filter conditions, and one group of conditions can contain one or more filter rules. The system will combine all rules for condition filtering.
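The filter semantics described above (OR within a key, AND across keys, and level plus filters both required before a level-based rule notifies), written out as an added example; this is not Guance's own code, and the matching-method names, the `(key, method, value)` rule shape, the `status` field and the sample events are assumptions.

```python
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# Constructed illustration (not Guance's code) of the documented filter semantics:
# rules on the same key are OR'd, rules on different keys are AND'd, and a
# level-based rule notifies only when level AND filters both match. Operator
# names, the (key, method, value) rule shape and the sample events are assumptions.
Rule = Tuple[str, str, str]

def _match(method: str, actual: str, expected: str) -> bool:
    """Apply one of the five documented matching methods to a field value."""
    if method == "equals":
        return actual == expected
    if method == "not_equals":
        return actual != expected
    if method == "wildcard":
        return fnmatchcase(actual, expected)
    if method == "inverse_wildcard":
        return not fnmatchcase(actual, expected)
    if method == "regex":
        return re.search(expected, actual) is not None
    raise ValueError(f"unknown matching method: {method}")

def filters_match(event: Dict[str, str], rules: List[Rule]) -> bool:
    """OR within a key, AND across keys. A key absent from the event fails its
    group (simplifying assumption; the page does not define this case)."""
    groups: Dict[str, List[Tuple[str, str]]] = {}
    for key, method, value in rules:
        groups.setdefault(key, []).append((method, value))
    for key, conds in groups.items():
        actual = event.get(key)
        if actual is None or not any(_match(m, actual, v) for m, v in conds):
            return False
    return True

def should_notify(event: Dict[str, str], level: str, rules: List[Rule]) -> bool:
    """Level-based notification: event level must equal the selected level."""
    return event.get("status") == level and filters_match(event, rules)

# Constructed sample events and a rule set: (host == web-01 OR host == web-02) AND service matches api-*
SAMPLE_EVENTS = [
    {"status": "critical", "host": "web-01", "service": "api-gateway"},
    {"status": "critical", "host": "web-02", "service": "api-auth"},
    {"status": "critical", "host": "web-03", "service": "api-auth"},   # host not listed
    {"status": "warning", "host": "web-01", "service": "api-gateway"},  # different level
    {"status": "critical", "host": "web-01", "service": "batch-job"},   # service mismatch
]
SAMPLE_RULES: List[Rule] = [("host", "equals", "web-01"), ("host", "equals", "web-02"),
                            ("service", "wildcard", "api-*")]

def notified_hosts(level: str = "critical") -> List[str]:
    """Hosts whose sample events would trigger a notification at the given level."""
    return [e["host"] for e in SAMPLE_EVENTS if should_notify(e, level, SAMPLE_RULES)]
```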
Escalation Notifications¶
If a monitor frequently detects anomalies of the same level within a short period, it may indicate a persistent issue. In such cases, other notification targets may be required to resolve these issues, and you can adopt the method of adding escalation notification rules. Thus, when anomalies persist, the system will automatically escalate them to critical notifications and send them to designated receivers to ensure timely attention and handling of the problem.
If a notification rule is configured with two escalation notifications:
- When alerts of the same level continue to occur, the system will check the time intervals to determine whether to send the first escalation notification;
- After sending the first escalation notification, the system will judge whether to send the second escalation notification based on the time interval specified in the second escalation notification configuration.
Configuration Notes
- Each notification rule supports configuring up to two escalation notifications;
- Each escalation notification is triggered only once, avoiding repeated alerts.
Custom Notification Time¶
The above-discussed scenarios mainly focus on the immediacy of automatically triggering notifications upon detecting anomalies. However, you can also manually set the specific time for sending notifications as needed.
- Modify the configuration name as needed;
- Divide the event periods based on four dimensions: day, week, month, and custom;
  - If you choose custom, upload a CSV file. The system will automatically fill in the dates based on the entries in the file. The date format in the file must be `YYYY/MM/DD` (Year/Month/Day); the number of dates in the file cannot exceed 365.
- Limit the time of event generation on the day according to the cycle, and send notifications according to the selected time range. For example, if you select `09:00 - 10:00`, any abnormal events generated within this hour while the policy is in effect will match this custom configuration;
- Complete the cycle and time-related configurations, and then select the alert level and notification targets.
Configuration Notes
- In a single custom notification configuration of the same alert strategy, if multiple rules are configured, abnormal events will be matched in order from top to bottom, and alert notifications will be sent according to the first matching custom configuration. If no rule matches, no notification will be sent;
- When a monitor is configured with multiple alert strategies, the abnormal events it generates after it is enabled will be matched against each selected alert strategy separately.
Repeat Alerts¶
After setting repeat alert notifications, within a certain time range, event data will continue to be generated, but no more alert notifications will be sent. The generated data records will be stored in the event explorer.
Configuration Notes
If you choose the "Permanent" repeat alert option, the system will only send the initial alert notification and will not resend it subsequently.
Alert Aggregation¶
No Aggregation: Default configuration; in this mode, alert events will be merged every 20 seconds and sent to the corresponding notification targets;
Rule-Based Aggregation: In this mode, you can choose the following four aggregation rules and send alert notifications based on the aggregation cycle:
| Aggregation Rules | Description |
|---|---|
| All | Generates corresponding alert notifications within the selected aggregation cycle based on the level dimension configured in the alert strategy. |
| Monitors/Intelligent Inspections/SLOs | Generates corresponding alert notifications based on the unique ID of the monitor, intelligent inspection rule, or SLO, linked with the aggregation cycle. |
| Detection Dimensions | Generates corresponding alert notifications based on detection dimensions linked with the aggregation cycle, such as `host`. |
| Tags | Multi-select; can link global tags with monitors to generate corresponding alert notifications based on the aggregation cycle. |
Intelligent Aggregation: In this mode, events generated within the aggregation cycle are grouped by clustering on the selected `title` or `content`, and each group generates one alert notification.
AI Aggregation: Uses Guance's large model to merge monitoring alerts, reducing redundancy and avoiding a large number of duplicate alerts within a short time.
Aggregation Cycle¶
In the rule-based aggregation and intelligent aggregation modes, you can manually set a time range (1-30 minutes).
Within this time period, newly added events will be aggregated into one alert notification. If the aggregation cycle is exceeded, newly occurred events will be aggregated into the next new alert notification.
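The aggregation cycle and the rule-based aggregation keys described above, simulated on a constructed burst of events as an added example; this is not Guance's own code, and the `Event` fields, the mode names and the sample timestamps are assumptions (the "No Aggregation" 20-second merge is modelled as a 20-second window).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed illustration (not Guance's code) of the aggregation cycle: per
# aggregation key a window opens at its first event and absorbs later events
# until the cycle is exceeded; the next event then opens a new notification.
# The Event fields, mode names and sample timestamps are assumptions.
@dataclass
class Event:
    ts: int          # seconds since the strategy took effect (constructed)
    monitor_id: str
    host: str

def aggregate(events: List[Event], key_fn: Callable[[Event], str],
              cycle_seconds: int) -> List[dict]:
    """One dict per alert notification: {"key", "start", "events"}."""
    open_windows: Dict[str, dict] = {}  # key -> notification still absorbing events
    notifications: List[dict] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        k = key_fn(e)
        win = open_windows.get(k)
        if win is None or e.ts >= win["start"] + cycle_seconds:
            win = {"key": k, "start": e.ts, "events": []}
            notifications.append(win)
            open_windows[k] = win
        win["events"].append(e)
    return notifications

# Constructed burst: one monitor, two hosts, six events over ~7 minutes.
SAMPLE = [Event(0, "cpu-high", "web-01"), Event(60, "cpu-high", "web-02"),
          Event(120, "cpu-high", "web-01"), Event(240, "cpu-high", "web-01"),
          Event(330, "cpu-high", "web-02"), Event(400, "cpu-high", "web-01")]

def notification_count(mode: str, cycle_minutes: int = 5) -> int:
    """Notifications sent for SAMPLE under each aggregation mode (1-30 min cycle)."""
    if not 1 <= cycle_minutes <= 30:
        raise ValueError("aggregation cycle must be 1-30 minutes")
    cycle = cycle_minutes * 60
    if mode == "none":       # No Aggregation: fixed 20-second merge window
        return len(aggregate(SAMPLE, lambda e: "all", 20))
    if mode == "all":        # rule "All": one stream per cycle
        return len(aggregate(SAMPLE, lambda e: "all", cycle))
    if mode == "monitor":    # rule "Monitors": keyed by the monitor's unique ID
        return len(aggregate(SAMPLE, lambda e: e.monitor_id, cycle))
    if mode == "dimension":  # rule "Detection Dimensions": keyed by host
        return len(aggregate(SAMPLE, lambda e: e.host, cycle))
    raise ValueError(f"unknown mode: {mode}")
```

With a 5-minute cycle the same six events produce 6 notifications unaggregated, 2 under "All", and 3 when keyed by host, which is the trade-off to weigh when choosing a rule.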
Action Permissions¶
After setting the operation permissions for alert strategies, roles, team members, and workspace users in your current workspace will perform corresponding operations on the alert strategies according to assigned permissions. This ensures that different users operate according to their roles and permission levels.
- Not enabling this configuration: Follows the default permissions for "Alert Strategy Configuration Management";
- Enabling this configuration and selecting custom permission objects: Only the creator and objects granted permissions can enable/disable, edit, and delete the rules set for this alert strategy;
- Enabling this configuration but not selecting custom permission objects: Only the creator has the permission to enable/disable, edit, and delete this alert strategy.
Configuration Notes
The Owner role in the current workspace is not affected by the operation permission configuration here.