M365 Services - Incident Message Alert Rule (Informational)

M365SSVC.Service.IncidentMessages.Informational.AlertRule (Rule)

This will raise an alert for new incident messages.

Knowledge Base article:

Summary

Alerts on new service status messages.

Resolutions

Additional

The condition detection filters let the user determine which types of messages are collected/reported, based on Classification and MessageType. Previously processed messages are cached in XML files, which may be found in the following locations (listed in order of likelihood, though this depends on your environment):
C:\Windows\Temp\M365SSM\Services\ServiceMessages_<workloadName>.xml
C:\Users\<username>\AppData\Local\Temp\M365SSM\Services\ServiceMessages_<workloadName>.xml

If you wish to re-alert on all known/current messages, simply delete the related .xml file(s). 

Use the corresponding agent task to test the service functionality.

M365 Supplemental - Get Service Incident Data

External

https://MonitoringGuys.com

Overridable Parameters

CD_ClassificationRegex
Description: Regex value for which a match will trigger the condition detection. Options: Advisory, Incident
Default Value: Incident|Advisory

CD_MessageTypeRegex
Description: Regex value for which a match will trigger the condition detection. Options: quick, regular
Default Value: quick|regular

CD_StatusRegex
Description: Regex value for which a match will trigger the condition detection. Options: quick, regular
Default Value: ^mitigatedExternal$|^mitigated$|^resolvedExternal$|^resolved$|^postIncidentReviewPublished$|^serviceOperational$|^serviceRestored$|^falsePositive$|^confirmed$

EventIDFilter
Description: This can be used to filter which EventIDs get written by the workflow to the Operations Manager and Application event log. This is only relevant when logging is enabled. See 'WriteToEventLog'. Typically this is for customer support engineer use only.

IntervalSeconds
Description: IntervalSeconds for the workflow is designed to be controlled by the target object property under normal circumstances. This override should only be modified for temporary troubleshooting or testing.

PoshLibraryPath
Description: For customer support engineer use only.

ProbeActionTimeoutSeconds
Description: If the workflow module does not exit gracefully by this time limit, the module will be forced to terminate.
Default Value: 180

SyncTime
Description: This can be set to force a workflow to synchronize its Interval to a specific start time. If no SyncTime value is provided to the workflow, the workflow will be initiated at the agent's earliest opportunity after receiving a configuration change or restarting. Typically no SyncTime is preferred. Format is 00:00. Example for 5:36pm: 17:36. Example for 2:15am: 02:15.

WorkflowName
Description: This value gets passed into the datasource script and becomes noted in logged events (if logging is enabled). The value provided for this parameter gets appended to the ProbeAction/WriteAction name used for the datasource. If the datasource is used by more than one workflow an override value for this parameter could break cookdown. This could be used to differentiate/identify a specific instance of the scripted datasource. Typically this is for customer support engineer use only.

WriteToEventLog
Description: This will enable/disable script logging to the Operations Manager event log.
Default Value: false

Element properties:

Target: M365SSVC.Services.Service
Category: Alert
Enabled: True
Alert Generate: True
Alert Severity: Information
Alert Priority: Normal
Remotable: False
Alert Message
M365 Services - Incident Message Alert Rule (Informational)

Service: {0}
Status: {1}
Title: {2}
ImpactDescription: {3}
PublishedTime: {4}
PublishedTimeLocal: {5}
Classification: {6}
ID: {7}

{8}

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource M365SSVC.ServiceMessages.DS Default
WA WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="M365SSVC.Service.IncidentMessages.Informational.AlertRule" Target="M365SSVC.Services.Service" Enabled="true" ConfirmDelivery="false" Remotable="false" Priority="Normal" DiscardLevel="100">
  <Category>Alert</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="M365SSVC.ServiceMessages.DS">
      <CD_ClassificationRegex>Incident|Advisory</CD_ClassificationRegex>
      <CD_MessageTypeRegex>quick|regular</CD_MessageTypeRegex>
      <CD_StatusRegex>FalsePositive|mitigated|resolved|ServiceOperational|ServiceRestored</CD_StatusRegex>
      <MgmtApiTokenScopeURL>$Target/Host/Property[Type="M365SSVC.Services.Role"]/MgmtApiTokenScopeURL$</MgmtApiTokenScopeURL>
      <MgmtApiTokenURL>$Target/Host/Property[Type="M365SSVC.Services.Role"]/MgmtApiTokenURL$</MgmtApiTokenURL>
      <MgmtApiURL>$Target/Host/Property[Type="M365SSVC.Services.Role"]/MgmtApiURL$</MgmtApiURL>
      <M365_AccountName>$Target/Property[Type="M365SL!M365SL.M365ServiceComponent"]/M365_AccountName$</M365_AccountName>
      <M365_AccountPassword>$Target/Property[Type="M365SL!M365SL.M365ServiceComponent"]/M365_AccountPassword$</M365_AccountPassword>
      <M365_ClientID>$Target/Property[Type="M365SL!M365SL.M365ServiceComponent"]/M365_ClientID$</M365_ClientID>
      <M365_ClientSecret>$Target/Property[Type="M365SL!M365SL.M365ServiceComponent"]/M365_ClientSecret$</M365_ClientSecret>
      <EventIDFilter/>
      <IntervalSeconds>$Target/Property[Type="M365SL!M365SL.M365ServiceComponent"]/IntervalSeconds$</IntervalSeconds>
      <PoshLibraryPath/>
      <ProbeActionTimeoutSeconds>180</ProbeActionTimeoutSeconds>
      <ServiceID>$Target/Property[Type="M365SSVC.Services.Service"]/ID$</ServiceID>
      <ServiceDisplayName>$Target/Property[Type="System!System.Entity"]/DisplayName$</ServiceDisplayName>
      <SyncTime/>
      <TenantName>$Target/Property[Type="M365SL!M365SL.M365ServiceComponent"]/TenantName$</TenantName>
      <TLSVersion>$Target/Host/Host/Property[Type="M365SL!M365SL.WatcherNode"]/TLSVersion$</TLSVersion>
      <WorkflowName/>
      <WriteToEventLog>false</WriteToEventLog>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WA" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>0</Severity>
      <AlertMessageId>$MPElement[Name="M365SSVC.Service.IncidentMessages.Informational.AlertRule.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/Property[@Name='Service']$</AlertParameter1>
        <AlertParameter2>$Data/Property[@Name='Status']$</AlertParameter2>
        <AlertParameter3>$Data/Property[@Name='Title']$</AlertParameter3>
        <AlertParameter4>$Data/Property[@Name='ImpactDescription']$</AlertParameter4>
        <AlertParameter5>$Data/Property[@Name='PublishedTime']$</AlertParameter5>
        <AlertParameter6>$Data/Property[@Name='PublishedTimeLocal']$</AlertParameter6>
        <AlertParameter7>$Data/Property[@Name='Classification']$</AlertParameter7>
        <AlertParameter8>$Data/Property[@Name='ID']$</AlertParameter8>
        <AlertParameter9>$Data/Property[@Name='MoreDetails']$</AlertParameter9>
      </AlertParameters>
    </WriteAction>
  </WriteActions>
</Rule>
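
The page gives two values for CD_StatusRegex: an anchored default in the overridable parameters and an unanchored one in the rule source. The PowerShell below is an added example, not part of the management pack, that compares which status values each pattern selects before you set an override. The status list is a constructed sample, `Compare-StatusFilter` is a hypothetical helper name, and because the page does not say whether the module matches case-sensitively, both modes are shown.

```powershell
# Added example: compare the two CD_StatusRegex values shown on this page.
# Both patterns are copied from the page; nothing here calls the management pack.
$anchored   = '^mitigatedExternal$|^mitigated$|^resolvedExternal$|^resolved$|^postIncidentReviewPublished$|^serviceOperational$|^serviceRestored$|^falsePositive$|^confirmed$'
$unanchored = 'FalsePositive|mitigated|resolved|ServiceOperational|ServiceRestored'

# Constructed sample: the nine statuses named in the anchored pattern, plus
# four other statuses (assumed values) that neither pattern names.
$statuses = @(
    'mitigatedExternal', 'mitigated', 'resolvedExternal', 'resolved',
    'postIncidentReviewPublished', 'serviceOperational', 'serviceRestored',
    'falsePositive', 'confirmed',
    'investigating', 'serviceDegradation', 'restoringService', 'extendedRecovery'
)

# Hypothetical helper: evaluates every status against both patterns.
# [regex]::IsMatch is case-sensitive unless IgnoreCase is passed.
function Compare-StatusFilter {
    param(
        [string[]]$Status,
        [string]$AnchoredPattern,
        [string]$UnanchoredPattern
    )
    foreach ($s in $Status) {
        [pscustomobject]@{
            Status               = $s
            Anchored             = [regex]::IsMatch($s, $AnchoredPattern)
            UnanchoredExactCase  = [regex]::IsMatch($s, $UnanchoredPattern)
            UnanchoredIgnoreCase = [regex]::IsMatch($s, $UnanchoredPattern, 'IgnoreCase')
        }
    }
}

$report = Compare-StatusFilter -Status $statuses `
    -AnchoredPattern $anchored -UnanchoredPattern $unanchored

# Full comparison table.
$report | Format-Table -AutoSize

# Only the statuses on which the two patterns disagree in at least one mode;
# these are the messages that would alert under one value but not the other.
$report |
    Where-Object {
        $_.Anchored -ne $_.UnanchoredExactCase -or
        $_.Anchored -ne $_.UnanchoredIgnoreCase
    } |
    Format-Table -AutoSize
```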