When too many alerts reach the PSA without proper tuning, technicians stop trusting the queue. Duplicate notifications, low-priority issues, and overlapping tool alerts quickly create noise that slows response times and causes important issues to get overlooked.
Liongard helps reduce alert fatigue by allowing teams to validate alerts before routing them into production workflows, separate alerts by operational function, and control how alerts are routed across service desks, SOC teams, and operational queues.
By building intentional alert baselines and refining rules over time, MSPs can dramatically reduce unnecessary ticket volume while ensuring the alerts that remain are actionable, operationally relevant, and aligned with how their teams actually work.
How to use Liongard Actionable Alerts to route, manage, and automate issues across client environments
Actionable Alerts turn Liongard data into real, trackable work for your team. Instead of manually checking dashboards or digging through environments to spot issues, Liongard continuously monitors for changes and routes alerts to the right place — whether that’s your PSA, email, Microsoft Teams, or Liongard itself.
One of the biggest advantages is that these are alerts that open and close themselves. If an issue is fixed in the source system, Liongard automatically closes the related alert or ticket on the next inspection cycle.
If the issue returns, the alert can reopen automatically, helping your team track ongoing problems without creating duplicate work.
You can also route alerts by business logic. Security alerts can go to a SOC board, operational issues can route to the service desk, and lower-priority hygiene alerts can stay separate from high-priority security events to reduce noise and keep queues manageable.
Actionable Alerts also include Change Detection, which shows exactly what changed between inspection runs with before-and-after diffs. That gives your team clearer troubleshooting, better root-cause analysis, and a stronger audit trail.
What to have in place before enabling Action Alerts
Requirement | Details |
Inspectors Running | Target systems must have successful Inspector runs to generate Data Prints feeding Metrics. |
PSA / Email / Teams Integrations | Map PSA statuses & priorities (Admin -> Integrations -> PSA -> Ticketing). Configure Email (plain text or HTML). Connect Microsoft Teams & channels if used. |
Environment -> PSA Mapping | Each Environment must be mapped to its PSA company/account before applying templates. |
Roles & Permissions | "Web Admin" for silencing rules; standard alert managers can silence individual alerts. |
RoarExclude Group (Optional) | Create Security Group RoarExclude to suppress user-related Alerts(4 metrics supported; metrics below). |
How Actionable Alerts work
Every time an Inspector runs, Liongard checks the latest environment data against the alert rules and thresholds you’ve configured.
If a rule matches, Liongard creates or updates an alert based on the template applied to that environment. The template determines where the alert goes, whether that’s HaloPSA, email, Microsoft Teams, or Liongard itself.
For example, if Liongard detects repeated failed login attempts against an Active Directory account, it can automatically create a “Brute Force Attempt” ticket for your team to review.
Once the issue is resolved in the source system, Liongard automatically closes the alert during the next inspection cycle. If the issue returns later, Liongard can reopen the same alert automatically instead of creating duplicate tickets.
Templates also control routing behavior. You can send security alerts to one board, operational issues somewhere else, and lower-priority hygiene alerts to another queue entirely to keep noise under control.
How to build and roll out Actionable Alerts
Step 1 — Create or clone a template
Go to Admin -> Actionable Alerts -> Templates -> New Template (or clone).
Set Applies To: Liongard Only, Liongard & PSA, Liongard & Email, Liongard & Teams.
Choose Destination: PSA board/queue, target email(s), Teams channels; confirm PSA status/priority mapping.
Pick Email Format (Plain Text or HTML) if using email.
Set Status — Active, optional Auto-Apply, and Order (priority).
Enable rules (toggle individually or bulk Turn On).
Step 2 — Apply template(s) to environments
Admin -> Actionable Alerts -> Environments -> [bulk select] -> Apply Template(s).
Ensure PSA mapping shows a green check for each Environment (if using PSA).
Step 3 — Review & work Alerts
View Dashboard -> Total Open Alerts or Environments -> Total Alerts.
Work from PSA/email/Teams as preferred; Liongard auto-updates and manages closure/reopen automatically (see integration behavior and setup).
Tip: Switching a template from "Liongard Only" to "Liongard & PSA/Email" pushes previously triggered alerts to the new destination on the next inspection run.
How to reduce alert noise and avoid duplicate tickets
Actionable Alerts work best when routing, exclusions, and silencing rules are planned intentionally. Otherwise, it’s easy to create duplicate tickets, overlapping workflows, or alerts your team ignores.
Here are some tips.
Use Template Order to control routing
If the same rule exists in multiple templates, Liongard can route the alert differently depending on how those templates are configured.
If the destinations are different, both alerts can fire. For example, you might intentionally send a security alert to a SOC board while also notifying another team by email.
If the destination type is the same but the boards or queues are different, Liongard uses the template with the lowest order number to prevent duplicate tickets. Lower numbers take priority over higher numbers.
Use RoarExclude for known exceptions
RoarExclude lets you suppress alerts for specific user accounts without disabling the rule entirely. This is useful for lab accounts, service accounts, admin accounts, or other identities your team expects to behave differently.
RoarExclude only works with certain user and Active Directory metrics, including stale passwords, active user counts, privileged account monitoring, and related user-based alerts. Review the supported metrics list before building exclusions.
To use it, create a security group named RoarExclude.
Then add the accounts you want excluded from supported alerts.
Silence rules or alerts when needed
Liongard also lets you silence rules or individual alerts when you need to temporarily quiet the noise.
You can silence a rule for specific systems before alerts trigger. If needed, you can also map a PSA silence status while the rule is suppressed.
You can also silence an alert after it has already triggered. The alert status changes to “silenced,” and Liongard stops updating it until it is unsilenced.
Once unsilenced, normal alert behavior resumes. You can also force an Inspector run immediately after unsilencing if you want Liongard to reevaluate the condition right away.
How Change Detection alerts behave
Change Detection alerts show exactly what changed between inspection runs. Instead of simply telling your team that something changed, Liongard includes before-and-after diffs directly in the alert through RoarBot comments.
These alerts stay tied to the same lifecycle behavior as other Actionable Alerts. If additional changes happen before the original alert is closed, Liongard appends the new changes to the existing alert instead of creating duplicate tickets.
To fully reset the lifecycle, close the alert in the system where your team is managing it, whether that’s your PSA or Liongard itself.
Best practices for managing Actionable Alerts
Separate templates by function. Security alerts, service desk issues, and licensing or hygiene tasks should not all route to the same place.
Start with Liongard’s Example Template, then refine rules and routing over time based on what your team actually wants to see.
Use RoarExclude for legitimate exception accounts that would otherwise create unnecessary user-level alerts.
Map PSA statuses to match your actual workflow so alert states stay clear and consistent across systems.
Use Change Detection for high-risk changes like privileged group membership, mailbox forwarding rules, and firewall changes.
Before disabling a rule, make sure any related tickets or alerts have already been resolved or closed to avoid stale alerts remaining open in your PSA or Liongard.
Common setup mistakes that can create duplicate or missing alerts
If PSA mappings are missing or incorrect, alerts may not land on the board or queue your team expects. Confirm environment mappings before applying templates at scale.
If Template Order is not configured carefully, the same alert can route to multiple destinations or create duplicate tickets across boards and queues.
Be careful when disabling rules that still have open alerts tied to them. The alerts may disappear from Liongard while related tickets are still active in your PSA.
Change Detection alerts also stay attached to the same ticket until that ticket is closed. If additional changes happen before closure, Liongard appends the new diffs to the existing alert instead of creating a new ticket.
If your team wants each change tracked separately, close the previous alert before the next change occurs.
Using Actionable Alerts for audits and compliance reviews
Actionable Alerts create a documented history of what changed, when it changed, and how your team responded.
Environment timelines, alert comments, and Change Detection diffs give your team a clear record of configuration changes, privileged account activity, stale passwords, forwarding rule changes, and other operational events.
Closed alerts also provide evidence that issues were identified, reviewed, and resolved over time.
This can support compliance and audit conversations around continuous monitoring, change control, account management, and administrative oversight across frameworks like CIS v8, HIPAA, SOC 2, and NIST.
Turn Liongard alerts into real operational workflows
Actionable Alerts help your team catch issues faster, route them to the right people automatically, and maintain a clear history of what changed and how it was resolved. The result is less noise, faster response times, and better visibility across your client environments.
Actionable Alert resources
Resource | Purpose |
A starter set of pre-built alert rules bundled into a template. Good for first-time setup to see alert behavior in action before customizing. | |
Step-by-step instructions on creating templates, assigning destinations (PSA, Email, Teams), and applying them to Environments. | |
Guide for building your own rules from Metrics, using operators and thresholds tailored to client or service desk needs. | |
How to interpret triggered alerts, including ticket details, thresholds, and recommended remediation steps. | |
Conceptual overview of how rules, templates, and environments interact (Inspectors -> Metrics -> Rules -> Alerts). | |
Troubleshooting and best practices for common setup issues, noise control, and alert lifecycle management. | |
Crosswalk document showing how pre-built alert rules align with CIS v8 controls, helping MSPs link Liongard to compliance frameworks. |