Many teams make the mistake of enabling every available alert at once, only to overwhelm technicians with noise, flood the PSA with low-value tickets, and lose trust in the alerting system entirely.
Building a clean alert baseline helps your team take a controlled, operationally mature approach to alerting. Instead of routing everything directly into production workflows on day one, Liongard allows you to start small, validate which alerts actually matter, tune rules over time, and gradually operationalize alerts across your environments.
This approach helps MSPs create a scalable alerting strategy built around real operational value, not alert volume. The result is cleaner workflows, more actionable alerts, improved technician trust, and a stronger foundation for automation as your environments grow.
What to have in place before enabling Actionable Alerts
Requirement | Details |
Inspectors Running | Target systems must have successful Inspector runs to generate Data Prints feeding Metrics. |
PSA / Email / Teams Integrations | Map PSA statuses & priorities (Admin → Integrations → PSA → Ticketing). Configure Email (plain text or HTML). Connect Microsoft Teams & channels if used. |
Environment → PSA Mapping | Each Environment must be mapped to its PSA company/account before applying templates. |
Roles & Permissions | "Web Admin" for silencing rules; standard alert managers can silence individual alerts. |
RoarExclude Group (Optional) | Create Security Group RoarExclude to suppress user-related alerts for supported metrics. |
How Actionable Alerts support controlled rollout
Actionable Alerts turn Liongard data into real, trackable work for your team.
Instead of manually checking dashboards or digging through environments to identify issues, Liongard continuously monitors for changes and routes alerts to the appropriate destination — whether that’s your PSA, Microsoft Teams, email, or Liongard itself.
Alerts can automatically open, update, close, and reopen based on changes detected in the source system, helping reduce manual oversight and duplicate work.
Templates also allow alerts to be routed by operational function. Security alerts can route to a SOC board, operational issues to the service desk, and lower-priority hygiene alerts to separate queues to help reduce unnecessary PSA noise.
Actionable Alerts also support Change Detection, showing before-and-after diffs between inspection runs to improve troubleshooting, root-cause analysis, and audit visibility.
Recommended baseline rollout strategy
Step 1 — Start with “Liongard Only” routing
Before routing alerts into your PSA, begin by sending alerts only into Liongard itself.
This creates a safe testing and validation layer where your team can:
Review alert quality
Identify noisy or redundant rules
Tune thresholds and logic
Understand alert behavior across environments
This helps prevent unnecessary ticket volume from reaching production workflows too early.
Create a baseline template
Go to:
Admin → Actionable Alerts → Templates → New Template
Or clone an existing template.
Configure:
Applies To: Liongard Only
Status: Active
Optional: Auto-Apply and Order priority
Assign the template to target environments under:
Admin → Actionable Alerts → Environments
If using PSA routing later, confirm each Environment already has a valid PSA mapping.
Step 2 — Start small with high-value alerts
Avoid enabling every alert immediately. Instead, begin with a smaller set of operationally important alerts across core systems.
Suggested starting categories
Active Directory
New Global Admin Account
MFA Disabled
Password Never Expires
Stale Accounts
Microsoft 365
External Mail Forwarding Created
Admin Accounts Without MFA
Risky Sign-In Detected
Conditional Access Disabled
Workstations / Servers
EDR or Antivirus Missing
BitLocker Disabled
Local Admin Accounts Detected
Critical Patch Issues
Firewalls
New Firewall Rule Added
VPN Configuration Changed
WAN / NAT Rule Modified
As a best practice, many MSPs begin with approximately 10–20 high-priority alerts before expanding further.
Step 3 — Review, validate, and tune alerts
As alerts begin triggering under “Liongard Only” routing, review each alert carefully.
Questions to ask:
Is this alert operationally valuable?
Is another tool already handling this issue?
Is the threshold too sensitive?
Should exclusions or scope be refined?
Common actions during baseline tuning
Keep the alert enabled: If the alert consistently identifies operationally meaningful issues.
Disable noisy or redundant alerts: If the alert creates unnecessary operational noise or duplicates existing workflows.
Clone and tune alerts
Instead of modifying defaults directly, clone rules and adjust:
Thresholds
“Days since” logic
Scope limitations
Account or device exclusions
To clone a rule:
Go to Actionable Alerts → Rules
Locate the alert rule
Click the Clone icon
Rename and adjust the logic
Save the new rule
Disable the original rule in the template if replacing it
The goal is to build an alert baseline your technicians trust and consistently respond to.
Step 4 — Promote validated alerts into PSA workflows
Once alerts have been validated and tuned, move only the high-confidence alerts into PSA routing and automation workflows.
Many MSPs maintain:
A baseline/testing template
A separate production template for PSA routing
Create a production template
Clone the baseline template and update:
Routing destinations
PSA board/queue mappings
Escalation workflows
Recommended routing examples:
Security → Security Incident Board
Cloud & M365 → Cloud Services Queue
Network → Infrastructure Board
Endpoint → Service Desk / NOC
If an alert has not been operationally validated, it should not yet be routed into the PSA.
Example phased rollout approach
Phase 1 — Discovery & Baseline Creation
Weeks 1–2:
Deploy baseline template
Enable 10–20 critical alerts
Route to Liongard Only
Begin reviewing triggered alerts
Phase 2 — Tuning & Adjustments
Weeks 3–6:
Clone and tune rules
Disable noisy or duplicate alerts
Add additional alerts gradually
Align alerts with SOPs and workflows
Phase 3 — Operationalization
Weeks 7–12:
Promote validated alerts into PSA workflows
Build automation rules
Integrate alert reporting into operational reviews or QBRs
Apply mature templates across similar environments
Reducing alert noise and duplicate tickets
Actionable Alerts work best when routing, exclusions, and silencing rules are planned intentionally.
Otherwise, it’s easy to create:
Duplicate tickets
Overlapping workflows
Alert fatigue
Technician distrust in alert quality
Use template order to control routing
If the same rule exists across multiple templates, Liongard can route alerts differently depending on template configuration.
If destinations differ, multiple notifications may intentionally occur.
If the destination type is the same but boards or queues differ, Liongard prioritizes the template with the lowest order number to help prevent duplicate ticket creation.
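The routing behavior described above, modeled as an added Python example (not Liongard code), shows which template wins for a rule and which templates are shadowed before you promote a rule into PSA routing. The `Template` fields, the template names, the `soc-alerts` channel, and the tie-break by name are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Template:
    # Hypothetical model of an alert template; field names are assumptions.
    name: str
    order: int          # lower number wins within one destination type
    destination: str    # "Liongard Only", "PSA", "Email" or "Teams"
    queue: str          # PSA board/queue or Teams channel ("" if none)
    rules: frozenset    # names of the alert rules the template enables

def resolve_routes(templates, rule):
    """One (destination, queue, template) per destination type for a rule."""
    winners = {}
    for t in templates:
        if rule not in t.rules:
            continue
        best = winners.get(t.destination)
        # Same destination type: keep the lowest order number.
        # Tie-break on name is an assumption so the result is deterministic.
        if best is None or (t.order, t.name) < (best.order, best.name):
            winners[t.destination] = t
    return sorted((t.destination, t.queue, t.name) for t in winners.values())

def shadowed(templates, rule):
    """Templates that enable the rule but lose to a lower-order template."""
    routed = {name for _, _, name in resolve_routes(templates, rule)}
    return sorted(t.name for t in templates
                  if rule in t.rules and t.name not in routed)

# Constructed sample: a baseline template, two PSA templates and a Teams one.
TEMPLATES = [
    Template("Baseline", 10, "Liongard Only", "",
             frozenset({"MFA Disabled", "BitLocker Disabled"})),
    Template("Prod-Security", 20, "PSA", "Security Incident Board",
             frozenset({"MFA Disabled"})),
    Template("Prod-ServiceDesk", 30, "PSA", "Service Desk / NOC",
             frozenset({"MFA Disabled", "BitLocker Disabled"})),
    Template("Teams-SOC", 40, "Teams", "soc-alerts",
             frozenset({"MFA Disabled"})),
]

if __name__ == "__main__":
    for rule in ("MFA Disabled", "BitLocker Disabled"):
        print(rule, resolve_routes(TEMPLATES, rule), shadowed(TEMPLATES, rule))
```

In this sample, "MFA Disabled" produces one notification per destination type, and the Service Desk template is shadowed for that rule because a lower-order PSA template already claims it.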
Use RoarExclude for known exceptions
RoarExclude allows teams to suppress alerts for specific accounts without disabling the rule entirely.
This is especially useful for:
Service accounts
Shared admin accounts
Lab environments
Known exception users
Create a security group named:
RoarExclude
Then add accounts that should be excluded from supported user-related alerts.
Silence alerts when appropriate
Liongard also supports temporary silencing of rules or individual alerts.
This can help:
Reduce temporary operational noise
Prevent duplicate workflows during remediation
Pause alerts during maintenance windows
Once unsilenced, normal alert behavior resumes automatically.
Role-based alert ownership
As alerting maturity increases, many MSPs separate ownership by operational function instead of routing everything into a single shared queue.
Common ownership examples
Alert Type | Recommended Team |
Security Alerts | SOC / Security Team |
Microsoft 365 & Identity Alerts | Cloud Team |
Endpoint Alerts | NOC / Desktop Support |
Firewall Alerts | Network Team |
Separate templates and routing workflows help ensure alerts reach the teams best equipped to respond quickly and consistently.
Real MSP outcome example
One MSP initially enabled more than 180 alerts across their environments, which quickly overwhelmed technicians and flooded the PSA with low-value tickets.
After shifting to a baseline-first strategy:
Alerts were reduced from 182 to 37 meaningful rules
PSA ticket noise dropped by 78%
Technician engagement with alerts improved significantly
Operational workflows became more standardized
Customers experienced faster response times and improved visibility into configuration issues
The partner later expanded this baseline strategy across additional client environments.
Operational outcomes & benefits
A properly tuned alerting strategy helps MSPs:
Reduce PSA noise and duplicate tickets
Improve technician trust in alerts
Increase operational consistency
Respond to issues faster
Improve visibility into configuration drift
Build scalable alerting templates across environments
Create cleaner workflows for automation and escalation
Supporting compliance and audit workflows
Actionable Alerts also provide documented visibility into operational changes across environments.
Environment timelines, alert comments, and Change Detection diffs can support:
Change control reviews
Administrative oversight
Compliance reporting
Audit preparation
Security investigations
This can help support operational and compliance conversations across frameworks such as CIS v8, HIPAA, SOC 2, and NIST.
Actionable Alert resources
Resource | Purpose |
A starter set of pre-built alert rules bundled into a template. Good for first-time setup to see alert behavior in action before customizing. | |
Step-by-step instructions on creating templates, assigning destinations (PSA, Email, Teams), and applying them to Environments. | |
Guide for building your own rules from Metrics, using operators and thresholds tailored to client or service desk needs. | |
How to interpret triggered alerts, including ticket details, thresholds, and recommended remediation steps. | |
Conceptual overview of how rules, templates, and environments interact (Inspectors -> Metrics -> Rules -> Alerts). | |
Troubleshooting and best practices for common setup issues, noise control, and alert lifecycle management. | |
Crosswalk document showing how pre-built alert rules align with CIS v8 controls, helping MSPs link Liongard to compliance frameworks. | |