Note

Cases are in beta. Features may change, and some functionality may be limited.

## What you need

- A Coralogix account with permission to manage alerts and integrations
- At least one alert definition configured
- A notification destination — an incident management, on-call, or collaboration tool where Case notifications can be received (for example, Slack, PagerDuty, ServiceNow, email, or a generic HTTPS endpoint)

## Step 1: Define which alerts create Cases

1. Select **Settings**, then **Cases**.
1. Under **Case filtering rules**, select one of the following:
   - **All alerts**: Creates a Case for every alert that triggers
   - **Custom rules**: Creates Cases only when alerts match specific attributes. Select **+ Add condition** and define criteria such as priority or entity labels. All conditions must match.
   - **No cases**: Disables Case creation entirely
1. Add **routing labels** to each alert definition that should create routable Cases. Without routing labels, the router cannot match the alert to a routing rule.
   - Open the alert definition and add labels in the format `routing.<key>: <value>` (for example, `routing.team: sre`, `routing.service: checkout`).
   - These labels determine which router and routing rules apply when a Case is created from the alert.

Note

Changes to Case settings apply only to new Cases. Existing Cases are not affected.

## Step 2: Configure timing and noise reduction

In **Case Settings**, configure how the system handles alert timing:

**Suppression window**

Set a delay before a Case is created using **Delay notifications for**. If the alert resolves during this delay, no Case is created. Avoid Cases from momentary spikes.

**Post-resolution cooldown**

Set a suppression period after a Case is resolved using **Post-closure suppression window**. Prevent the same alert from immediately opening a new Case.

**Inactivity resolution timer**

Automatically resolve a Case when no meaningful updates (status or priority changes) occur for a configured period. Disabled by default.

- Default: one day
- Range: one hour to one week

## Step 3: Route Case notifications through Notification Center

Cases are a supported entity type in Notification Center. Route Case lifecycle events to external destinations such as Slack, PagerDuty, email, or generic HTTPS endpoints.

Notification Center uses dedicated **Cases** routing rules, separate from alert routing rules. This separation allows teams to manage incident lifecycle notifications independently from monitoring alert notifications. For full details, see [Manage routing rules for Cases and alerts](https://coralogix.com/docs/user-guides/notification-center/routing/define-routing-rule/index.md).

### Create a connector

1. Select **Integrations**, then **Notification Center**, then **Connectors**.
1. Select **+ New connector**.
1. Select the destination type (Slack, PagerDuty, email, or Generic HTTPS).
1. Enter the required configuration fields (URL, authentication key, channel).
1. Select **Test connector** to verify connectivity.

### Use a preset

A preset defines the message template for Case notifications.

Coralogix creates a **default system preset** automatically the first time you create a connector for a destination type. The system preset includes Case metadata such as state, status, priority, and assignee. Use the default preset to get started — it covers most notification needs without customization.

Note

Creating a custom preset is an advanced step. Start with the default system preset and customize later if needed.

To create a custom preset:

1. Select **Notification Center**, then **Presets**.
1. Open the **Cases** entity type tab.
1. Select the destination type, then **Create new preset**.
1. Edit the message template. Use the `_context` variable to include dynamic Case metadata (state, status, priority, assignee).
1. Save the preset.

### Create a router and Case routing rules

1. Select **Notification Center**, then **Routers**, then **+ New router**.
1. In **Name**, enter a router name.
1. In **Routing labels**, select the ownership attributes used to match Cases — **environment**, **service**, and **team**. These are the same attributes used in [Infra Explorer Ownership Tags](https://coralogix.com/docs/user-guides/infrastructure/infrastructure-explorer/ownership/index.md), so labels already defined on your infrastructure carry through to notification routing.
1. (Optional) Configure a **Fallback connector** to receive notifications when no routing rule matches.
1. Select **Create router**.

After creating the router, add a Case routing rule:

1. Open the router and select the **Cases** tab.
1. Select **+ New rule**.
1. In **Name**, enter a descriptive name (for example, `Case lifecycle - PagerDuty`).
1. In **Notification triggers**, define which Case lifecycle events generate notifications:
   - By default, **Notify for all trigger types** is enabled
   - Disable it to select specific triggers: **Activated**, **Acknowledged**, **Resolved**, **Closed**, **Priority changed**, or **Assignee changed**
1. Toggle **Condition** to add filtering logic based on Case attributes. Use conditions to route notifications based on priority, labels, service, or other Case metadata. For example, route only P1 Cases to PagerDuty or filter by a specific team label.
1. In **Destinations**, select a **Connector** and a **Preset** pair.
1. (Optional) Select **+ Add destination** to send notifications to additional connectors.
1. Select **Create routing rule**.

For the full walkthrough, see [Route Case notifications](https://coralogix.com/docs/user-guides/notification-center/routing/create-router/index.md).

### Supported Case notification triggers

| Trigger          | When it fires                                              |
| ---------------- | ---------------------------------------------------------- |
| Activated        | Impact is confirmed and the Case becomes active            |
| Acknowledged     | Someone takes ownership of the Case                        |
| Resolved         | Underlying indicators are healthy and the Case is resolved |
| Closed           | Follow-ups are complete and the Case is fully finished     |
| Priority changed | The Case priority level is updated                         |
| Assignee changed | The Case is assigned or reassigned                         |

### Example: route all Case lifecycle events

1. Create a router with the label `team:sre`.
1. Add a routing rule for the **Activated** trigger with PagerDuty as the destination. Responders receive an immediate page when impact is confirmed.
1. Add a routing rule for the **Acknowledged** trigger with Slack as the destination. The team channel is notified when someone takes ownership.
1. Add a routing rule for the **Priority changed** trigger with PagerDuty as the destination. Responders are alerted when the severity escalates or de-escalates.
1. Add a routing rule for the **Assignee changed** trigger with Slack as the destination. The team sees who is now responsible.
1. Add a routing rule for the **Resolved** trigger with Slack as the destination. The team channel receives a resolution update.
1. Add a routing rule for the **Closed** trigger with Slack as the destination. Stakeholders are notified when follow-ups are complete.

This approach ensures responders receive immediate pages for critical lifecycle changes while the broader team stays informed through Slack as the Case progresses.

## Step 4 (optional): Connect Cases to ServiceNow

Integrate Cases bi-directionally with ServiceNow to automatically create, update, and synchronize ServiceNow Incidents from Coralogix Cases.

### Install the Coralogix ServiceNow app

1. In the ServiceNow Store, find and install the **Coralogix** app (no cost).
1. A ServiceNow administrator must approve the installation.
1. After installation, access the Coralogix application from the ServiceNow navigation bar.

### Configure Case policies

Case policies define how data moves between Coralogix and ServiceNow:

**Inbound policies** (Coralogix to ServiceNow)

Map Case data to ServiceNow record fields. Define which Case attributes populate which Incident fields.

**Outbound policies** (ServiceNow to Coralogix)

Sync state changes back to Coralogix. Actions taken in ServiceNow (acknowledge, resolve, close) update the corresponding Coralogix Case.

### How the sync works

1. Case lifecycle events flow through Notification Center to a **Case notifications table** in ServiceNow.
1. The **Case object** (synchronization layer) determines whether to create or update a ServiceNow record.
1. Updates are applied to the target table (Incident by default).
1. If outbound policies are enabled, changes in ServiceNow flow back to Coralogix.

For full setup instructions, see [Cases ServiceNow Integration](https://coralogix.com/docs/user-guides/cases/sn-integration/index.md).

## Verify your setup

1. Trigger a test alert that matches your Case filtering rules.
1. Confirm a Case appears in **Alerts**, then **Cases**.
1. If Notification Center is configured, verify the notification arrives at your destination (Slack, PagerDuty, email).
1. If ServiceNow is configured, confirm a corresponding Incident is created in ServiceNow.
1. Resolve the Case and verify downstream systems update accordingly.

## Find out more

- [Create a router](https://coralogix.com/docs/user-guides/notification-center/routing/create-router/index.md): Full walkthrough for creating routers and Case routing rules
- [Define routing rules](https://coralogix.com/docs/user-guides/notification-center/routing/define-routing-rule/index.md): Understand the difference between Case and alert routing rules
- [Working with Cases](https://coralogix.com/docs/user-guides/cases/working-with-cases/index.md): Use the Cases home screen, drilldown tabs (Alert, Triage, Activity), and details panel
- [Cases vs Incidents](https://coralogix.com/docs/user-guides/cases/cases-incidents/index.md): Understand when to use Cases instead of Incidents
- [Cases ServiceNow Integration](https://coralogix.com/docs/user-guides/cases/sn-integration/index.md): Full bi-directional sync setup and Case policy configuration

## Related resources

[Alert Routing Labels](https://coralogix.com/docs/user-guides/notification-center/routing/labels-to-alerts/) [Connectors](https://coralogix.com/docs/user-guides/notification-center/connectors/) [Ownership](https://coralogix.com/docs/user-guides/infrastructure/infrastructure-explorer/ownership/) [Configuring an Alert Definition](https://coralogix.com/docs/user-guides/alerting/configuring-alert-definition/)

## Next steps

View, filter, prioritize, and investigate triggered Cases in [Working with Cases](https://coralogix.com/docs/user-guides/cases/working-with-cases/index.md).