Create New Incident Policy Rule

1. Create a new incident policy rule.

   1. In Strata Cloud Manager, select IncidentsPrisma SD-WANSettings.
   2. Select an incident policy set and click + Add Rule.
   3. Enter a name for the new incident policy rule with a (optional) description and (optional) tags.
   4. Specify the order for the execution of the rule.

      If an order number is not specified, the rule won't be executed.
   5. To disable the rule, select the check box.
   6. Click Next to set the matching criteria.
2. Configure the Match Criteria.

   1. Select a Resource Type from the available options and click Done.

      The incident policy rule is applied to all incident codes that are associated with the selected resources.
   2. (Optional) Select Resource Type from the drop-down and click Submit.

      Filter the resources by the resource ID or name. When no resources are selected, the rule applies to all the resources associated with the selected resource type.
   3. (Optional) Select Specific Resources from the drop-down that are related to the Resource Type selected.
   4. (Optional) Select Sub-Type from the drop-down.

      These sub-types are related to the selected Resource Type.
   5. (Optional) Select Event Codes and click Done.

      Filter incident codes based on Category. The following categories are available to filter incidents: Application, AAA (Auth), Device, Network, Policy, and Spoke HA Groups.

      Select All Incidents to suppress all the incidents available based on your chosen category and All Alerts to suppress all the available alerts.
   6. Click Next to configure a schedule.
3. Configure a Schedule.

   1. Select Yes or No to apply this rule using a schedule.

      Set the Start Date and End Date in the format, MM/DD/YYYY HH/mm.
   2. Click Next to configure the actions.
4. Configure Actions.

   1. Select Yes to suppress the rule or No to unsuppress the rule.

      Default option leads to the default behavior of the system generated incident.
   2. Select the priority for the rule from the range, Priority 1 (P1), through Priority 5 (P5) from the drop-down.

      The priority of the incident can be changed to align with your business requirements. For example, a P2 incident can be raised in priority to P1 in order to notify about the incident.
   3. Configure dampening parameters for event suppression.

      1. Select Yes to suppress the rule or No to unsuppress the rule under Suppress.
         The Default option leads to the default behavior of the system generated incident.
      2. Enter a Duration and Unit for the dampening interval.
         This can range from 5 minutes to 7 days.
         A Yes for Suppress ensures that the incident is suppressed till the end of the dampening interval. The incident will be unsuppressed after the dampening interval is over, if the incident has not cleared at the end of the dampening interval.
         The dampening interval applies only to incidents and not to alerts.
5. Configure the Escalation Rules.

   1. Configure the Standing Rule by specifying the Standing Time Threshold value in minutes, hours, or days as the unit and specify if a priority change is required, if the incident persists beyond the defined interval.

      The Priority for the standing rule can be selected from the range, Priority 1 (P1) through Priority 5 (P5), from the drop-down.
   2. Configure the Flap Rule by specifying the Flap Rate in the range (2-512) and the Flap Duration value in minutes, hours, or days as the unit.

      When the matched resource flaps beyond a rate, within the defined interval, then a new system generated incident, Flap Rate Exceeded, is generated that notifies the change.
6. Click Save & Exit.