Introduction › Alert Lifecycle

Alert Lifecycle

All alert data that is collected from connectors initially become events, but the lifecycle of an alert can vary. The following process summarizes the typical lifecycle of a message that is retrieved from a connector data source:

1. Connectors convert all types of messages (informational events, error messages, high-level alarms, and so on) from their domain manager to use USM alert properties.
2. Connectors store each USM alert entity as an event in the Event Store on the connector system.

   Note: A record of each raw event with pre-normalized properties is also retained in the Event Store.

3. Event Management evaluates each event against defined policies. If the event matches policy criteria before the event becomes an alert, one of the following actions could happen:
   • The event could be discarded as part of a filter policy and prevented from becoming an alert.
   • The event could be enriched with additional information as part of an enrichment policy.
   • The event could be manually normalized to USM alert properties as part of a normalization policy.
4. Events with a severity greater than Normal that pass through Event Management processing without being discarded become alerts in the Operations Console that are associated with the affected CI.

   Note: Events with a severity of Informational or Normal are automatically prevented from becoming alerts.

5. Alerts that are associated with a service are evaluated for the service impact. If the alert directly affects the service health, it becomes a root cause alert.
6. Alerts are evaluated against alert queue and escalation policies. If a match occurs, one of the following actions could happen:
   • The alert becomes a part of any alert queue with matching criteria.
   • If the alert matches escalation policy criteria, the associated escalation action occurs.
7. Alerts update based on user actions such as assignment, annotations, acknowledgment, and manual escalation.
8. An alert is cleared when one of the following actions occurs:
   • An operator manually clears the alert in the Operations Console.
   • A corresponding Normal alert occurs on the CI.
9. The alert disappears from the main Operations Console views and remains stored as a cleared alert for historical analysis.