Alert Rules

Alert rules watch your fleet for conditions you define and trigger actions automatically — sending notifications, creating PSA tickets, running remediation scripts, or escalating to On-Call.

Alert Types

Threshold Alerts

Trigger when a numeric metric crosses a threshold for a sustained duration.

Examples:

  • CPU usage > 90% for 5 minutes
  • Disk free space < 10 GB
  • RAM usage > 95% for 10 minutes
  • Network throughput > 500 MB/s

Configuring a threshold alert:

  1. Navigate to Alert Rules → New Rule.
  2. Set Type to Threshold.
  3. Select the Metric (CPU, RAM, Disk Free Space, Network, or a custom metric).
  4. Set the Condition (greater than, less than, equals).
  5. Enter the Value and Unit.
  6. Set the Duration — how long the condition must be sustained before the alert fires (1–60 minutes).

State Change Alerts

Trigger when a service, process, or connectivity state changes.

Examples:

  • Windows service wuauserv transitions from Running → Stopped
  • Device goes offline (agent heartbeat missed for 5+ minutes)
  • Process sql.exe stops running

Configuring a state change alert:

  1. Set Type to State Change.
  2. Select Target — Service, Process, or Agent Connectivity.
  3. Enter the service or process name.
  4. Set the Trigger State — which state transition fires the alert (e.g., Running → Stopped).

Event Log Match Alerts (Windows)

Trigger when a Windows Event Log entry matches a pattern.

Examples:

  • Event ID 4625 (failed logon) fires more than 10 times in 5 minutes
  • Event ID 6008 (unexpected shutdown) appears in the System log
  • Any event with Source Disk and Level Error

Configuring an event log alert:

  1. Set Type to Event Log Match.
  2. Select the Log — System, Application, or Security.
  3. Filter by Event ID, Source, Level (Error, Warning, Critical), or any combination.
  4. Optionally set a Frequency Threshold — fire only if the event occurs N+ times within a window.
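To make the Frequency Threshold semantics concrete, here is an added example (not the product's own code) that evaluates event log rules of the shape described above over a constructed set of Windows event records; the rule dictionaries, field names and the sliding-window logic are assumptions of this example.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry: twelve failed logons (Event ID 4625)
# in the Security log 20 seconds apart, then one unexpected shutdown (6008) in System.
BASE = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"log": "Security", "event_id": 4625, "source": "Microsoft-Windows-Security-Auditing",
     "level": "Information", "time": BASE + timedelta(seconds=20 * i)}
    for i in range(12)
] + [{"log": "System", "event_id": 6008, "source": "EventLog", "level": "Error",
      "time": BASE + timedelta(minutes=5)}]

# Rule shapes mirror the fields in the steps above; a filter left out matches everything.
FAILED_LOGON_BURST = {"log": "Security", "event_id": 4625, "threshold": 11, "window_seconds": 300}
UNEXPECTED_SHUTDOWN = {"log": "System", "event_id": 6008, "threshold": 1, "window_seconds": 60}
DISK_ERRORS = {"source": "Disk", "level": "Error", "threshold": 1, "window_seconds": 60}

FILTER_FIELDS = ("log", "event_id", "source", "level")


def matches(event, rule):
    """True when the event satisfies every filter field the rule sets."""
    return all(rule.get(f) is None or event[f] == rule[f] for f in FILTER_FIELDS)


def evaluate_event_log_rule(events, rule):
    """Sliding-window frequency threshold: fire when `threshold` matching events
    fall within `window_seconds` of each other. Returns the ISO timestamp of the
    event that crossed the threshold, or None if the rule never fires."""
    recent = deque()  # timestamps of matching events still inside the window
    for event in sorted(events, key=lambda e: e["time"]):
        if not matches(event, rule):
            continue
        recent.append(event["time"])
        # Evict matches that fell out of the window, measured back from the newest match
        while (event["time"] - recent[0]).total_seconds() > rule["window_seconds"]:
            recent.popleft()
        if len(recent) >= rule["threshold"]:
            return event["time"].isoformat()
    return None


if __name__ == "__main__":
    for name, rule in [("failed logon burst", FAILED_LOGON_BURST),
                       ("unexpected shutdown", UNEXPECTED_SHUTDOWN), ("disk errors", DISK_ERRORS)]:
        print(f"{name}: {evaluate_event_log_rule(SAMPLE_EVENTS, rule)}")
```

With these constructed events the failed-logon rule fires on the eleventh 4625 at 09:03:20, the shutdown rule fires on the single 6008, and the Disk/Error rule never fires.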

Alert Severity Levels

  Severity   Color    Use For
  Info       Blue     Informational events, non-urgent
  Warning    Yellow   Degraded performance, attention needed
  Critical   Red      Service outage, active failure, security event

Alert severity affects dashboard display, PSA ticket priority, and On-Call escalation eligibility.

Alert Actions

Each alert rule can have one or more actions. Actions execute when the alert fires.

Notify

Send a notification by email or SMS to one or more recipients:

  • Select Action → Notify.
  • Choose notification recipients (individual users or notification groups).
  • Customize the notification message template.

Create PSA Ticket

Automatically create a ticket in The One PSA with device context pre-filled:

  • Select Action → Create PSA Ticket.
  • Choose the Board, Type, and default Priority.
  • The ticket body includes device name, OS, current metric value, and alert timestamp.
  • Duplicate prevention: if an open ticket already exists for the same alert rule + device, a new ticket is not created.

Run Script

Automatically execute a script on the affected device:

  • Select Action → Run Script.
  • Choose an approved script from your library.
  • Set any required parameters.

Useful for self-healing automations: service stops → alert fires → restart script runs.

Escalate to On-Call

For critical alerts that need human attention outside business hours:

  • Select Action → Escalate to On-Call.
  • Choose the On-Call schedule to page.
  • Set the Delay — how long to wait before escalating (e.g., 5 minutes after the alert fires).

Only available for critical severity alerts.

Alert Suppression Windows

Suppress alerts during planned maintenance to avoid alert storms:

  1. Navigate to Devices and select the target device or group.
  2. Click Maintenance Mode.
  3. Set the start and end time.
  4. During the maintenance window, all alert rules for that device are suppressed.

You can also suppress a specific alert rule globally:

  1. Open the rule in Alert Rules.
  2. Click Suppress → Until and set a datetime or duration.

Alert Grouping

Prevent alert storms when many devices fail simultaneously:

  1. Open or create an alert rule.
  2. Enable Group Alerts.
  3. Set the Grouping Window — e.g., 10 minutes.
  4. Set the Max Individual Alerts — e.g., 3.
  5. After 3 individual alerts, subsequent triggers within the window are grouped into a single summary alert.

Summary alerts show the count of affected devices and can be expanded to see the full list.

Default Alert Rule Templates

The following rules are pre-configured when you first enable RMM:

  Rule                     Default Threshold                           Severity
  High CPU                 > 90% for 5 min                             Warning
  High RAM                 > 95% for 5 min                             Warning
  Low Disk Space           < 5 GB free                                 Critical
  Device Offline           Heartbeat missed > 10 min                   Critical
  Critical Patch Missing   Severity = Critical + unpatched > 7 days    Warning

Edit or delete default rules under Alert Rules. They can be restored from the template library at any time.