Automations

Automations - Create an Automation

To create a new automation:

Log in to Sysdig Monitor.
Select Alerts from the left navigation bar.
Select Automations from the sub-menu.

The Automations page appears, showing all existing automations with their name, status, last execution time, and last modified date.
Select New Automation in the top-right corner.

The automation editor opens. The Alert Occurrence node at the top of the flow represents the entry point — it is activated when an alert that is linked to this automation fires. Proceed to Configure an Automation.

Automations - Integrate Automations with Alerts

Automations are activated by alerts that are explicitly linked to them. To link an alert to an automation, open the alert in the Alert Editor and select the automation from the Automations field in the Notifications section. An alert can be linked to multiple automations, and a single automation can be linked to multiple alerts.

Automations - Configure an Automation

You can build automations visually through logic chains of conditions and actions.

Filters

Filters let you limit a condition node to a specific subset of alert events.

The following suggested filters are available:

Alert Type: The type of alert, such as threshold, prometheus, event, group_outlier, change, or downtime.
Severity: The alert severity level: high, medium, low, or info.
Threshold: The name of the alert rule.
Group: The group the alert belongs to.

In addition to these, you can filter on any of the Labels (50+) available in your environment, including agent tags and Kubernetes labels such as agent.tag.region, kubernetes.namespace.name, and others.

You can combine multiple filters within a single node using AND logic.

Actions

Select the + icon below any node to add an action. The Select an Action modal provides the following options:

Condition

Add a Condition node to branch the automation flow based on alert properties. A condition evaluates to either TRUE or FALSE, and you can attach different subsequent actions to each outcome.

Configure a condition using the same filter options available on the trigger. For example:

Alert Type in threshold AND Severity in high

Notifications

Send notifications to any of the following channels when the automation runs:

Slack: Send a message to a configured Slack channel.
MS Teams: Send a message to a Microsoft Teams channel.
Email: Send an email to a configured email notification channel.
Webhook: Send a payload to a configured webhook URL.
PagerDuty: Trigger or resolve an incident in PagerDuty.
SNS: Publish a message to an Amazon SNS topic.
Google Chat: Send a message to a Google Chat space.
OpsGenie: Create or close an alert in OpsGenie.
Prometheus Alert Manager: Forward the alert to a Prometheus Alertmanager instance.
Team Email: Send an email to a Sysdig team’s email address.
Victor Ops: Send an alert to a VictorOps (Splunk On-Call) channel.

To use any notification action, you must first set up the corresponding notification channel. See Set Up Notification Channels.

Other

Custom Webhook: Send a customized HTTP request to any endpoint, independent of a pre-configured notification channel.

Enable or Disable an Automation

Use the Enabled toggle in the top-right corner of the editor to activate or deactivate an automation. Disabled automations will not run even when a linked alert fires.

Save an Automation

Select Save in the top-right corner to save your automation. You cannot save an automation with an incomplete configuration, for example, if a notification action has not been linked to a notification channel.

Automations - Review Executions

Each time an automation is triggered, Sysdig logs the execution so you can monitor and debug your automation flows.

To review executions:

Log in to Sysdig Monitor.
Select Alerts > Automations.
Select an existing automation.
Select the Executions tab.

The executions log shows the history of all times the automation was triggered, including:
- Time: The timestamp of the execution.
- Status: Whether the execution Succeeded or Failed.
- Failing Nodes: The nodes that failed, if any.
You can filter the list by All, Succeeded, or Failed.
Select an execution to inspect its details.

The execution detail view shows:
- Execution Context: The status and result (True or False) of each node, along with the variable values that were evaluated at the time of execution.
- Configuration: The automation configuration as it was at the time of execution.
You can also select Download JSON to export the full execution context for further analysis.

Nodes that executed successfully are highlighted in green in the flow diagram. Failed nodes are highlighted in red.

Each execution record is a snapshot. If you later modify the automation, previous executions continue to display the automation flow as it was when they ran, so you can debug them against the configuration that was actually in effect at the time.

Automations - Delete an Automation

To delete an automation:

Log in to Sysdig Monitor.
Select Alerts > Automations.

The Automations page appears.
On the right side of an automation listing, select the three-dot menu icon.
Select Delete, and confirm the deletion.

Deleting an automation does not remove it from any alerts it was linked to. You must manually remove the automation from each linked alert in the Alert Editor before you can save further changes to those alerts.