Action Group
  • 10 Apr 2024

Action Groups are an automation feature that can be assigned to a monitoring check. They fire when that check generates an alarm.

Typically, action groups are used to determine who receives alert notifications when Netreo detects a problem. They also provide a way to tell Netreo what actions it should take automatically (if any) in response to that problem.


Action groups are assigned to the Netreo checks monitoring your devices and applications. When a check fails and an incident is created, any action groups assigned to the failing check tell the incident who should be alerted, when, and how—as well as what actions Netreo should take. Non-alert actions that Netreo can be instructed to take include such things as rebooting a device or restarting a service or server, generating a service ticket using an external alerting API such as ServiceNow or OpsGenie, or broadcasting a message across your network using an SNMP trap.

The structure of action groups is somewhat complex, given their function. Action groups consist of three basic components:

  1. The action group itself.
  2. One or more actions contained within that action group.
  3. One or more methods contained within each action.

In short, action groups are groups of actions, and actions are groups of methods.


Action Group

(See also, Create an Action Group)

An action group is essentially a container for actions.

You may add any number of action groups to a check or to the host alert contact list of a device.

An action group has three attributes that give it functionality within Netreo.

  • It is assignable to any Netreo monitoring check. An action group may also be chosen as a host alert contact for a device.
  • It has a name. Action groups are chosen by their name, so each action group must be given a unique name.
  • It has a configurable access level. In addition to being used automatically by incidents, action groups may also send alerts and perform actions when used manually by a user. The access level determines which users may use an action group manually.

Action groups that have their access level set to any option other than None will allow any user with the corresponding or higher access level to run the action group from within an incident that is using it. Setting the access level to None prevents the action group from being used manually under any circumstances.


Action

(See also, Add an Action to an Action Group)

An action is nothing more than a container for methods. It has no attributes other than a name, and is purely for organizational purposes.

You may add any number of actions to an action group.


Method

(See also, Add a Method to an Action)

A method is the executable component of an action group. It is the part that sends alert notifications, or communicates commands to your managed devices or external APIs. Without at least one method, your actions and action groups can do nothing.

There are many methods to choose from, but they all do basically the same thing—send a message to someone or something outside of Netreo.

The specifics of a given method may vary, but they all share the following two attributes.

  • Method type - This determines what function the method performs. Method types are explained further down.
  • Notify hours - This is a preconfigured time frame, outside of which the method will not execute. It is commonly used to ensure that a given method only (or never) executes during (or after) business hours.

You may add any number of methods to an action, in any combination. This allows you to create a variety of multifunctional action groups that can be used for different purposes.

Method Types

The following method types are available.

  • Email
    Sends an alert notification about an incident to a specified email address.
  • SMS (via email)
    Sends an alert notification about an incident to a mobile device using the specified SMS email address.
  • Mobile Notification
    Sends an alert notification about an incident to the Netreo mobile application using Netreo Cloud Services. These cloud-based alert notifications are sent from Netreo's cloud servers and are useful if your email systems are down along with your network. (This method is automatically added to all new actions by default, but can be removed, if desired.)
  • SNMP Trap
    Broadcasts an SNMP trap about an incident to devices configured to receive traps from Netreo.
  • Webhook
    Sends commands to an external API such as a ticketing or alternative alerting system. Webhooks are limited to a maximum of 3 retries for each execution of a method (including manual execution). There is no delay between retries. Any delay that does occur is caused by server latency.
  • Active Response Webhook
    An active response version of Webhook.
  • Active Response Windows
    Sends PowerShell commands to Windows devices.
  • Active Response SSH
    Sends SSH commands to non-Windows devices.

Commands incompatible with the device to which they are sent will simply be ignored by that device. Additionally, the methods in an action group are only run against the host device to which the failing check is assigned. This makes it safe to add multiple different command-based methods to a single action group that may then be assigned to a variety of devices.

Method Execution and Active Response

Most method types send their message repeatedly on a schedule until the incident running them has been acknowledged, at which point they stop. If that incident is unacknowledged, they will start running again. (The schedule on which methods are run is configured in the check to which their action group is assigned.)

However, this is not the case with active response methods. Active response methods execute only once, when an incident is first created and first uses an action group. They will never automatically execute again for the same incident. They can, however, be manually executed again by a user with an appropriate access level.

Skipped Methods

Some methods may fail to execute when their action group is run. There are typically three reasons for this:

  1. The method's NOTIFY HOURS configuration setting has restricted the time at which that method may execute.
  2. It is an active response method (which only runs when an incident is first opened).
  3. The method is trying to run a command against a host for which that command is not applicable.

Best Practices

Command Methods

Due to limitations in Netreo, only simple commands should be sent (restart, etc.). If you wish to run complex commands, it’s better to write a script on the target device and then simply call the script through the appropriate command method.

When using PowerShell commands to restart Windows services or servers, it is imperative to make use of maintenance windows when conducting upgrades or during planned outages, otherwise Netreo will attempt to restart the services or systems when they appear to go down.
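An added example, not part of the Netreo documentation or product: one way to follow the advice above is to keep a small wrapper on the target host, so the Active Response SSH method sends only a script path and one argument. The script path, allowlist, cooldown value and use of `systemctl` are assumptions; the cooldown is a local guard against repeated restarts and does not replace Netreo maintenance windows.

```shell
#!/bin/sh
# Added example (not Netreo code): restart wrapper kept on the managed host.
# The command method then sends only: /usr/local/sbin/restart-guard.sh <service>
# The path, service names and defaults below are assumptions.

ALLOWED_SERVICES="${ALLOWED_SERVICES:-nginx myapp}"   # constructed allowlist
COOLDOWN_SECS="${COOLDOWN_SECS:-600}"                 # minimum gap between restarts
STATE_DIR="${STATE_DIR:-/var/lib/restart-guard}"      # holds last-restart stamps
RESTART_CMD="${RESTART_CMD:-systemctl restart}"       # assumes a systemd host

log() { logger -t restart-guard "$*" 2>/dev/null || echo "restart-guard: $*" >&2; }

# Succeeds only when $1 exactly matches an allowlisted service name.
is_allowed() {
    for svc in $ALLOWED_SERVICES; do
        if [ "$svc" = "$1" ]; then return 0; fi
    done
    return 1
}

# Succeeds when $1 was restarted less than COOLDOWN_SECS ago.
in_cooldown() {
    stamp="$STATE_DIR/$1.last"
    [ -f "$stamp" ] || return 1
    last=$(cat "$stamp")
    case "$last" in ''|*[!0-9]*) return 1 ;; esac   # ignore a corrupt stamp
    [ $(( $(date +%s) - $last )) -lt "$COOLDOWN_SECS" ]
}

# Returns: 0 restarted, 2 usage, 3 not allowlisted, 4 cooldown, 5 restart failed.
guarded_restart() {
    [ $# -eq 1 ] || { log "usage: restart-guard.sh <service>"; return 2; }
    # The argument is only ever compared and passed as one word, never evaluated.
    is_allowed "$1" || { log "refused: '$1' is not allowlisted"; return 3; }
    if in_cooldown "$1"; then log "refused: '$1' is in cooldown"; return 4; fi
    mkdir -p "$STATE_DIR" || return 5
    $RESTART_CMD "$1" || { log "restart of '$1' failed"; return 5; }
    date +%s > "$STATE_DIR/$1.last"
    log "restarted '$1'"
}

# Run only when called with arguments, so the functions can also be sourced.
[ $# -eq 0 ] || { guarded_restart "$@"; exit $?; }
```

Running the wrapper under a dedicated account that is permitted to restart only the allowlisted services keeps the credentials stored for the command method from granting a general shell on the host.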

Netreo Incident Macros

When using the webhook, SNMP trap and command methods, you may also include any of the built-in Netreo incident macros to access a wide variety of information about the associated incident or device.
