
Set up Cases

Note

Cases are in beta. Features may change, and some functionality may be limited.

What you need

  • A Coralogix account with permission to manage alerts and integrations
  • At least one alert definition configured
  • A notification destination — an incident management, on-call, or collaboration tool where Case notifications can be received (for example, Slack, PagerDuty, ServiceNow, email, or a generic HTTPS endpoint)

Step 1: Define which alerts create Cases

  1. Select Settings, then Cases.
  2. Under Case filtering rules, select one of the following:
    • All alerts: Creates a Case for every alert that triggers
    • Custom rules: Creates Cases only when alerts match specific attributes. Select + Add condition and define criteria such as priority or entity labels. All conditions must match.
    • No cases: Disables Case creation entirely
  3. Add routing labels to each alert definition that should create routable Cases. Without routing labels, the router cannot match the alert to a routing rule.
    • Open the alert definition and add labels in the format routing.<key>: <value> (for example, routing.team: sre, routing.service: checkout).
    • These labels determine which router and routing rules apply when a Case is created from the alert.

Note

Changes to Case settings apply only to new Cases. Existing Cases are not affected.

Step 2: Configure timing and noise reduction

In Case Settings, configure how the system handles alert timing:

Suppression window

Set a delay before a Case is created using Delay notifications for. If the alert resolves during this delay, no Case is created. This avoids creating Cases for momentary spikes.

Post-resolution cooldown

Set a suppression period after a Case is resolved using Post-closure suppression window. This prevents the same alert from immediately opening a new Case.

Inactivity resolution timer

Automatically resolve a Case when no meaningful updates (status or priority changes) occur for a configured period. Disabled by default.

  • Default: one day
  • Range: one hour to one week

Step 3: Route Case notifications through Notification Center

Cases are a supported entity type in Notification Center. Route Case lifecycle events to external destinations such as Slack, PagerDuty, email, or generic HTTPS endpoints.

Notification Center uses dedicated Cases routing rules, separate from alert routing rules. This separation allows teams to manage incident lifecycle notifications independently from monitoring alert notifications. For full details, see Manage routing rules for Cases and alerts.

Create a connector

  1. Select Integrations, then Notification Center, then Connectors.
  2. Select + New connector.
  3. Select the destination type (Slack, PagerDuty, email, or Generic HTTPS).
  4. Enter the required configuration fields (URL, authentication key, channel).
  5. Select Test connector to verify connectivity.

Use a preset

A preset defines the message template for Case notifications.

Coralogix creates a default system preset automatically the first time you create a connector for a destination type. The system preset includes Case metadata such as state, status, priority, and assignee. Use the default preset to get started — it covers most notification needs without customization.

Note

Creating a custom preset is an advanced step. Start with the default system preset and customize later if needed.

To create a custom preset:

  1. Select Notification Center, then Presets.
  2. Open the Cases entity type tab.
  3. Select the destination type, then Create new preset.
  4. Edit the message template. Use the _context variable to include dynamic Case metadata (state, status, priority, assignee).
  5. Save the preset.

Create a router and Case routing rules

  1. Select Notification Center, then Routers, then + New router.
  2. In Name, enter a router name.
  3. In Routing labels, select the ownership attributes used to match Cases — environment, service, and team. These are the same attributes used in Infra Explorer Ownership Tags, so labels already defined on your infrastructure carry through to notification routing.
  4. (Optional) Configure a Fallback connector to receive notifications when no routing rule matches.
  5. Select Create router.

After creating the router, add a Case routing rule:

  1. Open the router and select the Cases tab.
  2. Select + New rule.
  3. In Name, enter a descriptive name (for example, Case lifecycle - PagerDuty).
  4. In Notification triggers, define which Case lifecycle events generate notifications:
    • By default, Notify for all trigger types is enabled
    • Disable it to select specific triggers: Activated, Acknowledged, Resolved, Closed, Priority changed, or Assignee changed
  5. Toggle Condition to add filtering logic based on Case attributes. Use conditions to route notifications based on priority, labels, service, or other Case metadata. For example, route only P1 Cases to PagerDuty or filter by a specific team label.
  6. In Destinations, select a Connector and a Preset pair.
  7. (Optional) Select + Add destination to send notifications to additional connectors.
  8. Select Create routing rule.

For the full walkthrough, see Route Case notifications.

Supported Case notification triggers

| Trigger | When it fires |
|---|---|
| Activated | Impact is confirmed and the Case becomes active |
| Acknowledged | Someone takes ownership of the Case |
| Resolved | Underlying indicators are healthy and the Case is resolved |
| Closed | Follow-ups are complete and the Case is fully finished |
| Priority changed | The Case priority level is updated |
| Assignee changed | The Case is assigned or reassigned |

Example: Route all Case lifecycle events

  1. Create a router with the label team:sre.
  2. Add a routing rule for the Activated trigger with PagerDuty as the destination. Responders receive an immediate page when impact is confirmed.
  3. Add a routing rule for the Acknowledged trigger with Slack as the destination. The team channel is notified when someone takes ownership.
  4. Add a routing rule for the Priority changed trigger with PagerDuty as the destination. Responders are alerted when the severity escalates or de-escalates.
  5. Add a routing rule for the Assignee changed trigger with Slack as the destination. The team sees who is now responsible.
  6. Add a routing rule for the Resolved trigger with Slack as the destination. The team channel receives a resolution update.
  7. Add a routing rule for the Closed trigger with Slack as the destination. Stakeholders are notified when follow-ups are complete.

This approach ensures responders receive immediate pages for critical lifecycle changes while the broader team stays informed through Slack as the Case progresses.
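
A routing setup like this can be checked for silent gaps before relying on it. The following is an added example, not Coralogix code: it models a router, its rules, and alert labels as plain dictionaries and lists every lifecycle event that would reach no destination. The matching logic, the data layout, and the alert names are assumptions made for illustration.

```python
# Simplified model of the Case routing described on this page. The matching
# logic and all data are assumptions made for this example, not Coralogix code.
TRIGGERS = ["Activated", "Acknowledged", "Resolved", "Closed",
            "Priority changed", "Assignee changed"]

def routing_labels(alert_labels):
    """Keep only labels written as routing.<key>, returned as {key: value}."""
    prefix = "routing."
    return {k[len(prefix):]: v for k, v in alert_labels.items()
            if k.startswith(prefix)}

def destinations(router, alert_labels, trigger):
    """Connectors notified for one lifecycle event of a Case from this alert."""
    labels = routing_labels(alert_labels)
    # No routing labels, or labels that differ from the router's: no match.
    if not labels or any(labels.get(k) != v for k, v in router["labels"].items()):
        return []
    hits = [r["connector"] for r in router["rules"] if trigger in r["triggers"]]
    # The optional fallback connector receives events that no rule matched.
    return hits or ([router["fallback"]] if router.get("fallback") else [])

def coverage_gaps(router, alerts):
    """(alert name, trigger) pairs for which nobody would be notified."""
    return [(a["name"], t) for a in alerts for t in TRIGGERS
            if not destinations(router, a["labels"], t)]

# Router from the page's example (label team:sre), with the Closed rule left
# out and no fallback connector so that the audit has something to report.
SRE_ROUTER = {
    "labels": {"team": "sre"},
    "fallback": None,
    "rules": [
        {"triggers": ["Activated", "Priority changed"], "connector": "PagerDuty"},
        {"triggers": ["Acknowledged", "Assignee changed", "Resolved"],
         "connector": "Slack"},
    ],
}
# Constructed alert definitions; the second one has no routing.* label.
ALERTS = [
    {"name": "checkout-5xx", "labels": {"routing.team": "sre",
                                        "routing.service": "checkout"}},
    {"name": "db-latency", "labels": {"team": "sre"}},
]

if __name__ == "__main__":
    for name, trigger in coverage_gaps(SRE_ROUTER, ALERTS):
        print(f"no destination: alert={name} trigger={trigger}")
```

The alert labeled team: sre without the routing. prefix is reported for every trigger, which is the failure mode Step 1 warns about; setting a fallback connector on the router closes the missing Closed rule but not the missing label.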

Step 4 (optional): Connect Cases to ServiceNow

Integrate Cases bi-directionally with ServiceNow to automatically create, update, and synchronize ServiceNow Incidents from Coralogix Cases.

Install the Coralogix ServiceNow app

  1. In the ServiceNow Store, find and install the Coralogix app (no cost).
  2. A ServiceNow administrator must approve the installation.
  3. After installation, access the Coralogix application from the ServiceNow navigation bar.

Configure Case policies

Case policies define how data moves between Coralogix and ServiceNow:

Inbound policies (Coralogix to ServiceNow)

Map Case data to ServiceNow record fields. Define which Case attributes populate which Incident fields.

Outbound policies (ServiceNow to Coralogix)

Sync state changes back to Coralogix. Actions taken in ServiceNow (acknowledge, resolve, close) update the corresponding Coralogix Case.

How the sync works

  1. Case lifecycle events flow through Notification Center to a Case notifications table in ServiceNow.
  2. The Case object (synchronization layer) determines whether to create or update a ServiceNow record.
  3. Updates are applied to the target table (Incident by default).
  4. If outbound policies are enabled, changes in ServiceNow flow back to Coralogix.

For full setup instructions, see Cases ServiceNow Integration.

Verify your setup

  1. Trigger a test alert that matches your Case filtering rules.
  2. Confirm a Case appears in Alerts > Cases.
  3. If Notification Center is configured, verify the notification arrives at your destination (Slack, PagerDuty, email).
  4. If ServiceNow is configured, confirm a corresponding Incident is created in ServiceNow.
  5. Resolve the Case and verify downstream systems update accordingly.
