Monitor Alert Automation

Alert Automations let you build complex routing policies for your Sysdig Monitor alerts in a single visual if-then flow, removing the need to create multiple alert-channel pairs.

Alert Automations let you define automated workflows that run when an alert fires in Sysdig Monitor. Automations are linked directly to individual alerts from within the alert configuration — the automation itself does not define which alerts activate it. You can use branching conditions to route notifications to the right channels based on alert properties such as type, severity, or group, helping you reduce noise and focus on what matters.

Automations are scoped by Team. You can only view and manage automations that belong to the team you are currently logged into.

An example workflow:

  1. Create an automation with a condition: if severity is High, send a PagerDuty notification to the on-call team.
  2. For all other severities (FALSE branch), send an email summary to a monitoring distribution list.
  3. Link the automation to one or more alerts from within the Alert Editor.

Create an Automation

To create a new automation:

  1. Log in to Sysdig Monitor.

  2. Select Alerts from the left navigation bar.

  3. Select Automations from the sub-menu.

    The Automations page appears, showing all existing automations with their name, status, last execution time, and last modified date.

  4. Select New Automation in the top-right corner.

    The automation editor opens. The Alert Occurrence node at the top of the flow represents the entry point — it is activated when an alert that is linked to this automation fires. Proceed to Configure an Automation.

Integrate Automations with Alerts

Automations are activated by alerts that are explicitly linked to them. To link an alert to an automation, open the alert in the Alert Editor and select the automation from the Automations field in the Notifications section. An alert can be linked to multiple automations, and a single automation can be linked to multiple alerts.

Configure an Automation

You can build automations visually through logic chains of conditions and actions.

Filters

Filters let you limit a condition node to a specific subset of alert events.

The following suggested filters are available:

  • Alert Type: The type of alert, such as threshold, prometheus, event, group_outlier, change, or downtime.
  • Severity: The alert severity level: high, medium, low, or info.
  • Threshold: The name of the alert rule.
  • Group: The group the alert belongs to.

In addition to these, you can filter on any of the Labels (50+) available in your environment, including agent tags and Kubernetes labels such as agent.tag.region, kubernetes.namespace.name, and others.

You can combine multiple filters within a single node using AND logic.

Actions

Select the + icon below any node to add an action. The Select an Action modal provides the following options:

Condition

Add a Condition node to branch the automation flow based on alert properties. A condition evaluates to either TRUE or FALSE, and you can attach different subsequent actions to each outcome.

Configure a condition using the same filter options available on the trigger. For example:

  • Alert Type in threshold AND Severity in high
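The routing logic of a condition node (filters combined with AND, a TRUE and a FALSE branch, and the per-node result recorded for the Execution Context described under Review Executions) can be modelled in a few lines. The following is an added illustration written for this page, not Sysdig's own code or API; the `send` delivery hook, the node names and the sample alert values are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Condition:
    """Condition node. `filters` maps an alert property to the set of values
    that satisfy it, e.g. {"alert_type": {"threshold"}, "severity": {"high"}}
    for 'Alert Type in threshold AND Severity in high'. Each branch holds
    action names (notification channels) and/or nested Condition nodes."""
    name: str
    filters: dict
    on_true: list = field(default_factory=list)
    on_false: list = field(default_factory=list)

    def evaluate(self, alert):
        # AND logic: every filter in the node must match the alert.
        return all(alert.get(k) in accepted for k, accepted in self.filters.items())

def run_automation(root, alert, send):
    """Walk the flow from the Alert Occurrence node and return an execution
    record shaped like the Execution Context: each node's result or status,
    the failing nodes, and the variable values evaluated at the time.
    `send(action, alert)` is an assumed delivery hook that raises on failure."""
    record = {"status": "Succeeded", "nodes": [], "failing_nodes": [], "variables": dict(alert)}

    def visit(node):
        if isinstance(node, Condition):
            result = node.evaluate(alert)
            record["nodes"].append({"node": node.name, "result": result})
            for child in (node.on_true if result else node.on_false):
                visit(child)
        else:  # action node, identified by its channel name
            try:
                send(node, alert)
                record["nodes"].append({"node": node, "status": "Succeeded"})
            except Exception as exc:
                record["nodes"].append({"node": node, "status": "Failed", "error": str(exc)})
                record["failing_nodes"].append(node)
                record["status"] = "Failed"

    visit(root)
    return record

# The page's example workflow: severity High -> PagerDuty, everything else -> Email.
EXAMPLE_FLOW = Condition("severity_is_high", {"severity": {"high"}},
                         on_true=["PagerDuty"], on_false=["Email"])

def deliver_ok(action, alert):
    # Stand-in delivery hook that always succeeds (constructed for this example).
    return None
```

A failed channel marks that action node and the whole execution as Failed while leaving the condition result intact, which is the same split the Executions tab shows between Status and Failing Nodes.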

Notifications

Send notifications to any of the following channels when the automation runs:

  • Slack: Send a message to a configured Slack channel.
  • MS Teams: Send a message to a Microsoft Teams channel.
  • Email: Send an email to a configured email notification channel.
  • Webhook: Send a payload to a configured webhook URL.
  • PagerDuty: Trigger or resolve an incident in PagerDuty.
  • SNS: Publish a message to an Amazon SNS topic.
  • Google Chat: Send a message to a Google Chat space.
  • OpsGenie: Create or close an alert in OpsGenie.
  • Prometheus Alert Manager: Forward the alert to a Prometheus Alertmanager instance.
  • Team Email: Send an email to a Sysdig team’s email address.
  • Victor Ops: Send an alert to a VictorOps (Splunk On-Call) channel.

To use any notification action, you must first set up the corresponding notification channel. See Set Up Notification Channels.

Other

  • Custom Webhook: Send a customized HTTP request to any endpoint, independent of a pre-configured notification channel.

Enable or Disable an Automation

Use the Enabled toggle in the top-right corner of the editor to activate or deactivate an automation. Disabled automations will not run even when a linked alert fires.

Save an Automation

Select Save in the top-right corner to save your automation. You cannot save an automation with an incomplete configuration, for example, if a notification action has not been linked to a notification channel.

Review Executions

Each time an automation is triggered, Sysdig logs the execution so you can monitor and debug your automation flows.

To review executions:

  1. Log in to Sysdig Monitor.

  2. Select Alerts > Automations.

  3. Select an existing automation.

  4. Select the Executions tab.

    The executions log shows the history of all times the automation was triggered, including:

    • Time: The timestamp of the execution.
    • Status: Whether the execution Succeeded or Failed.
    • Failing Nodes: The nodes that failed, if any.

    You can filter the list by All, Succeeded, or Failed.

  5. Select an execution to inspect its details.

    The execution detail view shows:

    • Execution Context: The status and result (True or False) of each node, along with the variable values that were evaluated at the time of execution.
    • Configuration: The automation configuration as it was at the time of execution.

    You can also select Download JSON to export the full execution context for further analysis.

    Nodes that executed successfully are highlighted in green in the flow diagram. Failed nodes are highlighted in red.

Each execution record is a snapshot. If you later modify the automation, previous executions continue to display the automation flow as it was when they ran, so you can debug them against the configuration that was actually in effect at the time.

Delete an Automation

To delete an automation:

  1. Log in to Sysdig Monitor.

  2. Select Alerts > Automations.

    The Automations page appears.

  3. On the right side of an automation listing, select the three-dot menu icon.

  4. Select Delete, and confirm the deletion.

Deleting an automation does not remove it from any alerts it was linked to. You must manually remove the automation from each linked alert in the Alert Editor before you can save further changes to those alerts.