The training file not only defines the alert input patterns but also specifies the outcome actions to be taken when a match is found. These outcome fields are known as output columns.
The output columns vary depending on whether you’re configuring an Alert Escalation or a First Response policy.
Output Columns for Alert Escalation
The following output columns are supported in an Alert Escalation training file. These determine how the incident will be routed and prioritized when an alert matches a defined pattern.
| Output Column | Description |
|---|---|
incident.assigneeGroup.name | Assigns the incident to a specific support group. |
incident.category.name | Sets the incident category. |
incident.subCategory.name | Sets the subcategory of the incident. |
incident.priority | Sets the priority level for the incident. |
incident.cc | Adds specified users or teams to the incident CC list. |
incident.businessImpact.name | Specifies the business impact level. |
incident.urgency.name | Specifies how urgent the incident is. |
incident.knowledgeArticleIds | Links knowledge articles to the incident. |
incident.notifyRoster.uniqueId | Notifies the specified escalation roster. |
These fields influence how the alert is converted into an incident and how it is routed within your organization.
Output Columns for First Response
In a First Response policy, output columns control alert suppression or automated delay actions.
| Output Column | Description |
|---|---|
suppressed | Suppresses the alert from appearing in the active alert console. |
snoozeDuration | Temporarily suppresses the alert for a specified duration (in minutes). |
processIds | Initiates predefined automation processes (by Process ID). |
These fields help reduce alert noise and automate common first-level responses, improving efficiency and reducing manual intervention.