Alert Event Reports—Escalating and De-Escalating Alerts

Alert event reports that differ only in severity are used to escalate or de-escalate an existing alert. Unlike duplicate alert event reports, which are discarded, and alert event reports that cause a new alert to be raised, a change in severity causes the attributes of an existing alert to change. A client that receives an escalated or de-escalated alert can treat it as either a duplicate or a new event.

For example, when Operations Sentinel Console receives an alert event report that differs only in severity from an alert currently displayed in the Alerts window, Operations Sentinel Console removes the check mark from the Seen and Acknowledged indicators of the alert. If there are no other alerts as severe as this alert, the associated Alerts icon changes color and shape to depict the severity of this alert.

Effect on External Alert Actions

If the alert being escalated or de-escalated matches an action list defined in the currently active alert policy, Operations Sentinel executes any actions in the list that apply to raising the alert. This might be a different action list from the one specified when the alert was originally raised. Any unexecuted actions associated with raising or acknowledging the alert are canceled. Unexecuted actions might be waiting for a busy service or for a delay to expire.

When an alert is escalated or de-escalated, the alert attribute values that do not identify the alert can also change. For example, changing the value of the TEXT attribute changes the displayed alert text accordingly. The new TEXT attribute value is also used when an action in the active alert policy is executed. Changing the EXT_ACTION_LIST attribute for an escalated alert can cause the execution of a different action list in the active alert policy.
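The handling described above can be modeled in a few lines. This is an added example, not Operations Sentinel code: it shows a report being classified as new, duplicate, or a severity change, and the side effects of a severity change on the existing alert. The identifying attributes (`SYSTEM`, `ALERT_ID`), the `SEVERITY` key, the severity scale, the policy contents, and the sample reports are all constructed assumptions; only `TEXT` and `EXT_ACTION_LIST` are attribute names taken from the page.

```python
from dataclasses import dataclass, field

ID_ATTRS = ("SYSTEM", "ALERT_ID")   # assumption: hypothetical identifying attributes
SEVERITY = {"informational": 0, "warning": 1, "critical": 2}  # constructed scale

@dataclass
class Alert:
    attrs: dict
    seen: bool = False
    acknowledged: bool = False
    pending: list = field(default_factory=list)   # queued, unexecuted actions

class AlertTable:
    def __init__(self, policy):
        self.policy = policy      # action list name -> actions that apply to raising
        self.alerts = {}
        self.cancelled = []       # actions dropped before they could execute

    def _raise_actions(self, alert):
        return list(self.policy.get(alert.attrs.get("EXT_ACTION_LIST"), []))

    def process(self, report):
        key = tuple(report[a] for a in ID_ATTRS)
        alert = self.alerts.get(key)
        if alert is None:                         # no matching alert: raise a new one
            alert = self.alerts[key] = Alert(dict(report))
            alert.pending = self._raise_actions(alert)
            return "new"
        old, new = SEVERITY[alert.attrs["SEVERITY"]], SEVERITY[report["SEVERITY"]]
        if new == old:
            return "duplicate"                    # discarded; existing alert untouched
        alert.attrs.update(report)                # TEXT, EXT_ACTION_LIST may change too
        alert.seen = alert.acknowledged = False   # operator must look at it again
        self.cancelled += alert.pending           # cancel unexecuted actions
        alert.pending = self._raise_actions(alert)  # possibly a different action list
        return "escalated" if new > old else "de-escalated"

def demo():
    # Constructed policy and reports, for illustration only.
    policy = {"notify": ["email operator"], "page": ["page on-call", "open ticket"]}
    table = AlertTable(policy)
    base = {"SYSTEM": "hostA", "ALERT_ID": "disk-full", "SEVERITY": "warning",
            "TEXT": "Disk 80% full", "EXT_ACTION_LIST": "notify"}
    results = [table.process(base)]
    alert = table.alerts[("hostA", "disk-full")]
    alert.seen = alert.acknowledged = True        # operator saw and acknowledged it
    results.append(table.process(dict(base)))     # same severity: duplicate
    results.append(table.process({**base, "SEVERITY": "critical",
                                  "TEXT": "Disk 98% full", "EXT_ACTION_LIST": "page"}))
    return results, alert, table.cancelled
```

In this model the pending "email operator" action stands in for an action that was still waiting on a busy service or a delay when the escalation arrived.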