Office 365 Incidents alerting rule

Microsoft.SystemCenter.O365.Rules.IncidentsAlertingRule (Rule)

This rule processes the list of Active and Resolved Incidents for the Subscription via the Office 365 API and generates or updates the corresponding Alerts in Operations Manager.

Knowledge Base article:

Summary

The rule calls the Office 365 Management API to get the list of incidents for the Subscription.

The rule generates an Alert targeted to the Subscription in Operations Manager for each Active or Resolved Incident.

Alerts are suppressed using a unique Incident ID. The rule updates the Alert payload and context if the data provided by the API for the Incident changes.

See the list of Active and Resolved Incidents in the Office 365 Admin Center.

Element properties:

Target: Microsoft.SystemCenter.O365.Subscription
Category: Alert
Enabled: True
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Remotable: True
Alert Message:
Office 365 Incident
{3} Incident {0}: {1} for {2}

Member Modules:

ID         Module Type         TypeId                                               RunAs
DS         DataSource          Microsoft.SystemCenter.O365.DataSource.EventsAlerts  Default
Detection  ConditionDetection  System.ExpressionFilter                              Default
Alert      WriteAction         System.Health.GenerateAlert                          Default

Source Code:

<Rule ID="Microsoft.SystemCenter.O365.Rules.IncidentsAlertingRule" Enabled="true" Target="Microsoft.SystemCenter.O365.Subscription" ConfirmDelivery="true" Remotable="true" Priority="Normal">
  <Category>Alert</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Microsoft.SystemCenter.O365.DataSource.EventsAlerts">
      <TimeOut>300</TimeOut>
      <IntervalSeconds>900</IntervalSeconds>
      <SyncTime/>
    </DataSource>
  </DataSources>
  <ConditionDetection ID="Detection" TypeID="System!System.ExpressionFilter">
    <Expression>
      <SimpleExpression>
        <ValueExpression>
          <XPathQuery Type="String">Property[@Name='EventType']</XPathQuery>
        </ValueExpression>
        <Operator>Equal</Operator>
        <ValueExpression>
          <Value Type="String">Incident</Value>
        </ValueExpression>
      </SimpleExpression>
    </Expression>
  </ConditionDetection>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertOwner/>
      <AlertMessageId>$MPElement[Name="Microsoft.SystemCenter.O365.Incident.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/Property[@Name='Title']$</AlertParameter1>
        <AlertParameter2>$Data/Property[@Name='IncidentStatus']$</AlertParameter2>
        <AlertParameter3>$Data/Property[@Name='ServicesAffected']$</AlertParameter3>
        <AlertParameter4>$Data/Property[@Name='IncidentState']$</AlertParameter4>
      </AlertParameters>
      <Suppression>
        <SuppressionValue>$Data/Property[@Name='IncidentId']$</SuppressionValue>
      </Suppression>
      <Custom1>$Data/Property[@Name='EventType']$</Custom1>
      <Custom2>$Data/Property[@Name='IncidentState']$</Custom2>
      <Custom3>$Data/Property[@Name='IncidentStatus']$</Custom3>
      <Custom4>$Data/Property[@Name='IncidentId']$</Custom4>
      <Custom5>$Data/Property[@Name='Title']$</Custom5>
      <Custom6>$Data/Property[@Name='ServicesAffected']$</Custom6>
      <Custom7>$Data/Property[@Name='ServiceFeaturesAffected']$</Custom7>
      <Custom8>$Data/Property[@Name='View this incident in Office 365 service health dashboard']$</Custom8>
    </WriteAction>
  </WriteActions>
</Rule>