
MARS Red (High) Incidents email alert

andrew
Level 1

Hello, is there a way to configure MARS to send an email alert whenever there is a Red (High) Incident?

4 Replies

andrew
Level 1

FYI for anyone else trying to do this - This is what TAC said:

Currently it's not possible to have MARS send an alert for RED incidents for all rules. At the moment you can set an alert to a specific rule, not to any rule with one severity.

This limitation is currently being addressed through enhancement request CSCse89349 (Receive email notification for All Red Severity Incidents).

Until it is enhanced, here is one possible option that will get you close to what you want:

Create a scheduled report to run every hour.

qry format = "matched incident ranking". Make sure "use only firing events" is checked. Click on the events column in the query and change "Restrict to Severity" to "RED". Change the time to last 1 hour.

This report should only contain severity red incidents. Of course it's only hourly, but it gets you closer.

I created a rule that will send out an email alert anytime it sees the severity as RED - all other fields left at 'any'. It sends out a link via email every time a high alert event is triggered. I defined the action to email me.

I believe the problem is that this doesn't tie directly to an incident. I think the OP wants 1 notification per red incident.
