Office 365 Incidents alerting rule

Microsoft.SystemCenter.O365.Rules.IncidentsAlertingRule (Rule)

This rule processes the list of Active and Resolved Incidents for the Subscription via the Office 365 API and generates or updates the corresponding Alerts in Operations Manager.

Knowledge Base article:

Summary

The rule calls the Office 365 Management API to get the list of incidents for the Subscription.

An incident (and the corresponding alert) is considered to be active and displayed in Active Incidents list if any of the affected services has one of the following states:

If all affected services for the incident are in other states, then the incident (and the alert) is considered to be resolved.

The rule generates an Alert targeted to the Subscription in Operations Manager for each Active or Resolved Incident.

Alerts are suppressed on the unique Incident ID. The rule updates the Alert payload and context if the data the API provides for the Incident changes.

Use 'Include Resolved Incidents' and 'Reopen Closed Alerts' to customize the rule behavior.

See the list of Active and Resolved Incidents in the Office 365 Admin Center.

Element properties:

Target: Microsoft.SystemCenter.O365.Subscription
Category: Alert
Enabled: True
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Remotable: True
Alert Message:
Office 365 Incident
{3} Incident {0}: {1} for {2}

Member Modules:

ID         Module Type         TypeId                                                RunAs
DS         DataSource          Microsoft.SystemCenter.O365.DataSource.EventsAlerts   Default
Detection  ConditionDetection  System.ExpressionFilter                               Default
Alert      WriteAction         System.Health.GenerateAlert                           Default

Source Code:

<Rule ID="Microsoft.SystemCenter.O365.Rules.IncidentsAlertingRule" Enabled="true" Target="Microsoft.SystemCenter.O365.Subscription" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>Alert</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Microsoft.SystemCenter.O365.DataSource.EventsAlerts">
      <TimeOut>300</TimeOut>
      <IntervalSeconds>900</IntervalSeconds>
      <SyncTime/>
      <SubscriptionId>$Target/Property[Type="Microsoft.SystemCenter.O365.Subscription"]/SubscriptionId$</SubscriptionId>
      <IncludeResolvedIncidents>true</IncludeResolvedIncidents>
      <ReopenClosedAlerts>false</ReopenClosedAlerts>
      <AuthorityUri>$Target/Property[Type="Microsoft.SystemCenter.O365.Subscription"]/AuthorityUri$</AuthorityUri>
      <OfficeResourceUri>$Target/Property[Type="Microsoft.SystemCenter.O365.Subscription"]/OfficeResourceUri$</OfficeResourceUri>
      <ManagementServiceUri>$Target/Property[Type="Microsoft.SystemCenter.O365.Subscription"]/ManagementServiceUri$</ManagementServiceUri>
      <TenantId>$Target/Property[Type="Microsoft.SystemCenter.O365.Subscription"]/TenantId$</TenantId>
    </DataSource>
  </DataSources>
  <ConditionDetection ID="Detection" TypeID="System!System.ExpressionFilter">
    <Expression>
      <SimpleExpression>
        <ValueExpression>
          <XPathQuery Type="String">Property[@Name='EventType']</XPathQuery>
        </ValueExpression>
        <Operator>Equal</Operator>
        <ValueExpression>
          <Value Type="String">Incident</Value>
        </ValueExpression>
      </SimpleExpression>
    </Expression>
  </ConditionDetection>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertOwner/>
      <AlertMessageId>$MPElement[Name="Microsoft.SystemCenter.O365.Incident.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/Property[@Name='Title']$</AlertParameter1>
        <AlertParameter2>$Data/Property[@Name='IncidentStatus']$</AlertParameter2>
        <AlertParameter3>$Data/Property[@Name='ServicesAffected']$</AlertParameter3>
        <AlertParameter4>$Data/Property[@Name='IncidentState']$</AlertParameter4>
      </AlertParameters>
      <Suppression>
        <SuppressionValue>$Data/Property[@Name='IncidentId']$</SuppressionValue>
      </Suppression>
      <Custom1>$Data/Property[@Name='EventType']$</Custom1>
      <Custom2>$Data/Property[@Name='IncidentState']$</Custom2>
      <Custom3>$Data/Property[@Name='IncidentStatus']$</Custom3>
      <Custom4>$Data/Property[@Name='IncidentId']$</Custom4>
      <Custom5>$Data/Property[@Name='Title']$</Custom5>
      <Custom6>$Data/Property[@Name='ServicesAffected']$</Custom6>
      <Custom7>$Data/Property[@Name='ServiceFeaturesAffected']$</Custom7>
      <Custom8>$Data/Property[@Name='View this incident in Office 365 service health dashboard']$</Custom8>
    </WriteAction>
  </WriteActions>
</Rule>