The rule is used to process the list of Active and Resolved Incidents for the Subscription via Office 365 API, and to generate or update corresponding Alerts in the Operations Manager.
The rule calls Office 365 Management API to get the list of incidents for the Subscription.
An incident (and the corresponding alert) is considered to be active and displayed in Active Incidents list if any of the affected services has one of the following states:
Information Unavailable
Investigating
Service Interruption
Service Degradation
Restoring Service
Extended Recovery
If all affected services for the incident are in other states, then the incident (and the alert) is considered to be resolved.
The rule generates an Alert targeted to the Subscription in the Operations Manager for each Active or Resolved Incident.
Alerts are suppressed by means of a unique Incident ID. The rule updates Alert payload and context if data provided by API for Incident changes.
Use 'Include Resolved Incidents' and 'Reopen Closed Alerts' to customize the rule behavior.
See the list of Active and Resovled Incidents in Office 365 Admin Center
Target | Microsoft.SystemCenter.O365.Subscription | ||
Category | Alert | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Error | ||
Alert Priority | Normal | ||
Remotable | True | ||
Alert Message |
|
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.SystemCenter.O365.DataSource.EventsAlerts | Default |
Detection | ConditionDetection | System.ExpressionFilter | Default |
Alert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.SystemCenter.O365.Rules.IncidentsAlertingRule" Enabled="true" Target="Microsoft.SystemCenter.O365.Subscription" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>Alert</Category>
<DataSources>
<DataSource ID="DS" TypeID="Microsoft.SystemCenter.O365.DataSource.EventsAlerts">
<TimeOut>300</TimeOut>
<IntervalSeconds>900</IntervalSeconds>
<SyncTime/>
<SubscriptionId>$Target/Property[Type="Microsoft.SystemCenter.O365.Subscription"]/SubscriptionId$</SubscriptionId>
<IncludeResolvedIncidents>true</IncludeResolvedIncidents>
<ReopenClosedAlerts>false</ReopenClosedAlerts>
<AuthorityUri>$Target/Property[Type="Microsoft.SystemCenter.O365.Subscription"]/AuthorityUri$</AuthorityUri>
<OfficeResourceUri>$Target/Property[Type="Microsoft.SystemCenter.O365.Subscription"]/OfficeResourceUri$</OfficeResourceUri>
<ManagementServiceUri>$Target/Property[Type="Microsoft.SystemCenter.O365.Subscription"]/ManagementServiceUri$</ManagementServiceUri>
<TenantId>$Target/Property[Type="Microsoft.SystemCenter.O365.Subscription"]/TenantId$</TenantId>
</DataSource>
</DataSources>
<ConditionDetection ID="Detection" TypeID="System!System.ExpressionFilter">
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='EventType']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Incident</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</ConditionDetection>
<WriteActions>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>2</Severity>
<AlertOwner/>
<AlertMessageId>$MPElement[Name="Microsoft.SystemCenter.O365.Incident.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/Property[@Name='Title']$</AlertParameter1>
<AlertParameter2>$Data/Property[@Name='IncidentStatus']$</AlertParameter2>
<AlertParameter3>$Data/Property[@Name='ServicesAffected']$</AlertParameter3>
<AlertParameter4>$Data/Property[@Name='IncidentState']$</AlertParameter4>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/Property[@Name='IncidentId']$</SuppressionValue>
</Suppression>
<Custom1>$Data/Property[@Name='EventType']$</Custom1>
<Custom2>$Data/Property[@Name='IncidentState']$</Custom2>
<Custom3>$Data/Property[@Name='IncidentStatus']$</Custom3>
<Custom4>$Data/Property[@Name='IncidentId']$</Custom4>
<Custom5>$Data/Property[@Name='Title']$</Custom5>
<Custom6>$Data/Property[@Name='ServicesAffected']$</Custom6>
<Custom7>$Data/Property[@Name='ServiceFeaturesAffected']$</Custom7>
<Custom8>$Data/Property[@Name='View this incident in Office 365 service health dashboard']$</Custom8>
</WriteAction>
</WriteActions>
</Rule>