My goal is to be notified by email every time a given alarm, that is or was before in the Critical severity, drops to Normal. Is there any way to do this with a correlation rule?
The quick approach to set the rule as shown below does not do what we need because in this case, the rule would be triggered as soon as the alarm clears, regardless of having been before in the Critical state. Example: An alarm goes to Major, then drops to Warning and later on, drops to Normal -> in this case I don't want to be notified because this alarm never reached the Critical level.
Would adding another filter line with 'Alarm Type' = 'Dropped from Critical', in combination with the one you already defined, solve your issue?
When you say: "An alarm that is or was in Critical state, drops to Normal", do you mean you also want to be notified in case an alarm which was Critical at any point in its life cycle, drops to Normal? That will probably not be possible to achieve without adding code through an Automation script.
In case you only want to catch alarms for which the state was Critical right before dropping to Normal, I suppose the above should work?
Thanks for your comment, Ruben.
Indeed I want to be notified “in case an alarm which was Critical at any point in its life cycle, drops to Normal”.
Unfortunately, we cannot guarantee the alarm will always drop directly to Normal from Critical; in that case the solution would be easy, as you well noted.
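The "Critical at any point in its life cycle" condition from this thread, as an added example that is not part of the original posts and does not use the DataMiner API: it keeps per-alarm history across severity updates and reports only clears of alarms that reached Critical. The `(alarm id, severity)` event tuples, the severity names and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Severity names assumed for this example.
SEVERITIES = {"Normal", "Warning", "Minor", "Major", "Critical"}


@dataclass
class LifeCycleTracker:
    """Remembers, per alarm, whether Critical was reached since it opened."""
    reached_critical: set = field(default_factory=set)

    def update(self, alarm_id: str, severity: str) -> bool:
        """Feed one severity update; return True when a notification is due."""
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity: {severity!r}")
        if severity == "Critical":
            self.reached_critical.add(alarm_id)
            return False
        if severity == "Normal":
            # Clearing ends the life cycle: report and forget in one step so
            # a later re-raise of the same alarm starts with a clean history.
            was_critical = alarm_id in self.reached_critical
            self.reached_critical.discard(alarm_id)
            return was_critical
        return False  # intermediate severities keep the stored history


def alarms_to_notify(events):
    """Return the ids of alarms whose clear should trigger an email, in order."""
    tracker = LifeCycleTracker()
    return [alarm_id for alarm_id, sev in events if tracker.update(alarm_id, sev)]


# Constructed sample updates (alarm id, new severity), not real system output.
SAMPLE_EVENTS = [
    ("A", "Major"), ("A", "Warning"), ("A", "Normal"),   # never Critical
    ("B", "Critical"), ("B", "Major"), ("B", "Normal"),  # indirect drop
    ("C", "Critical"), ("C", "Normal"),                  # direct drop
    ("B", "Major"), ("B", "Normal"),                     # new life cycle of B
]

if __name__ == "__main__":
    print(alarms_to_notify(SAMPLE_EVENTS))
```

A filter on the previous severity alone would catch alarm C but miss the first life cycle of alarm B, which is the case raised in the last reply.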