< Back
Aggregate alerts and notifications
If things go wrong, many events may be sent to marbot, resulting in similar alerts. To avoid a flood of alerts, marbot groups similar events into one alert (deduplication). marbot will keep you updated about the number of events aggregated into one alert.
By default, alerts are grouped for seven days and notifications for one minute. If you close an alert, the aggregation starts again as well.
Sample Alert
Alert aggregation in Slack:
Configuration
You can configure the window size for both alerts and notifications. Send a message in a channel mentioning @marbot:
@marbot Configure this endpoint!
What is a similar event?
The answer depends heavily on the source, as the following table shows.
| Source | Definition of similar |
|---|---|
| Amazon CloudWatch Alarm | Account ID, region, name, and state must match |
| Amazon DevOps Guru Notification | Account ID, region, message type, and insight ID must match |
| Amazon ElastiCache Notification | Event type and cache ID must match |
| Amazon EventBridge | Depends on the type. See table below. |
| Amazon Inspector Notification | Account ID, region, event type, and template name must match |
| Amazon Linux AMI Update Notification | Version must match |
| Amazon S3 Event Notifications | Bucket name, object key, and event name must match |
| Amazon Simple Email Service (SES) Event | Event type and source must match |
| Amazon Simple Email Service (SES) Notification | Notification type and source must match |
| AWS Auto Scaling Notification | Account ID, region, name, and event type must match |
| AWS Backup Notification | Account ID, region, and backup job ID must match |
| AWS Budget Notification | Budget type and budget name must match |
| AWS CodePipeline Approval | Region and pipeline name must match |
| AWS CodeStar Notification | Account ID, region, source, and detail type must match |
| AWS Elastic Beanstalk Notification | Event type, application name, and environment name must match |
| AWS IoT Device Defender Audit Event | Account ID, region, and task ID must match |
| AWS IoT Device Defender Violation Event | Account ID, region, violation event type, and security profile name must match |
| AWS Price List Notification | Operation and offer code must match |
| AWS RDS Event | Event ID and source ID must match |
| AWS Trusted Advisor Weekly Update | Account ID must match |
| AWS Systems Manager Notification | Account ID, region, and document name must match |
| Bitbucket | Event type, repository name, (pull request id) must match |
| bucketAV - Antivirus for Amazon S3 | Scan status and bucket name must match |
| UptimeRobot | Alert type and monitor URL must match |
| Generic | Keys must match (or value if only one key is present) |
EventBridge
The following table shows how marbot aggregates events received via Amazon EventBridge.
| Source | Type | Definition of similar (for aggregation and mute) |
|---|---|---|
| * | AWS API Call via CloudTrail | Account ID, region, and event name must match |
| aws.acm | ACM Certificate Approaching Expiration | Account ID, region, and certificate ID must match |
| aws.appflow | AppFlow End Flow Run Report | Account ID, region, and flow name must match |
| aws.appflow | AppFlow Event Flow Deactivated | Account ID, region, and flow name must match |
| aws.appflow | AppFlow Event Flow Report | Account ID, region, and flow name must match |
| aws.appflow | AppFlow Scheduled Flow Deactivated | Account ID, region, and flow name must match |
| aws.appflow | AppFlow Start Flow Run Report | Account ID, region, and flow name must match |
| aws.application-autoscaling | Application Auto Scaling Scaling Activity State Change | Account ID, region, and resource ID must match |
| aws.athena | Athena Query State Change | Account ID, region, and workgroup name must match |
| aws.autoscaling | EC2 Auto Scaling Instance Refresh Cancelled | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Auto Scaling Instance Refresh Checkpoint Reached | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Auto Scaling Instance Refresh Failed | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Auto Scaling Instance Refresh Started | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Auto Scaling Instance Refresh Succeeded | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Instance Launch Successful | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Instance Launch Unsuccessful | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Instance Terminate Successful | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Instance Terminate Unsuccessful | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Instance-launch Lifecycle Action | Account ID, region, and ASG name must match |
| aws.autoscaling | EC2 Instance-terminate Lifecycle Action | Account ID, region, and ASG name must match |
| aws.backup | Backup Job State Change | Account ID, region, and backup job ID must match |
| aws.backup | Backup Plan State Change | Account ID, region, and backup plan ID must match |
| aws.backup | Backup Vault State Change | Account ID, region, and backup vault name must match |
| aws.backup | Copy Job State Change | Account ID, region, and copy job ID must match |
| aws.backup | Recovery Point State Change | Account ID, region, and recovery point ID must match |
| aws.backup | Region Settings State Change | Account ID and region must match |
| aws.backup | Restore Job State Change | Account ID, region, and restore job ID must match |
| aws.batch | Batch Job State Change | Account ID, region, and job name must match |
| aws.cloudwatch | CloudWatch Alarm State Change | Account ID, region, name, and state must match |
| aws.codebuild | CodeBuild Build Phase Change | Account ID, region, and project name must match |
| aws.codebuild | CodeBuild Build State Change | Account ID, region, and project name must match |
| aws.codecommit | CodeCommit Approval Rule Template Change | Account ID, region, and approval rule template name must match |
| aws.codecommit | CodeCommit Comment on Commit | Account ID, region, repository name, and commit ID must match |
| aws.codecommit | CodeCommit Comment on Pull Request | Account ID, region, repository name, and pull request ID must match |
| aws.codecommit | CodeCommit Pull Request State Change | Account ID, region, repository name, and pull request ID must match |
| aws.codecommit | CodeCommit Repository State Change | Account ID, region, and repository name must match |
| aws.codedeploy | CodeDeploy Deployment State-change Notification | Account ID, region, application, and deployment group must match |
| aws.codedeploy | CodeDeploy Instance State-change Notification | Account ID, region, application, and deployment group must match |
| aws.codepipeline | CodePipeline Action Execution State Change | Account ID, region, pipeline, stage, and action must match |
| aws.codepipeline | CodePipeline Pipeline Execution State Change | Account ID, region, and pipeline must match |
| aws.codepipeline | CodePipeline Stage Execution State Change | Account ID, region, pipeline, and stage must match |
| aws.dlm | DLM Policy State Change | Account ID, region, and policy ID must match |
| aws.dms | DMS Replication Instance Class State Change | Account ID, region, instance ID must match |
| aws.dms | DMS Replication Instance Failover State | Account ID, region, instance ID must match |
| aws.dms | DMS Replication Instance Multi-AZ State Change | Account ID, region, instance ID must match |
| aws.dms | DMS Replication Instance Patch State | Account ID, region, instance ID must match |
| aws.dms | DMS Replication Instance State Change | Account ID, region, instance ID must match |
| aws.dms | DMS Replication Task State Change | Account ID, region, task ID must match |
| aws.ec2 | EBS Multi-Volume Snapshots Completion Status | Account ID, region, and snapshot ID must match |
| aws.ec2 | EBS Snapshot Notification | Account ID, region, and snapshot ID must match |
| aws.ec2 | EBS Volume Notification | Account ID, region, and volume ID must match |
| aws.ec2 | EC2 Instance Rebalance Recommendation | Account ID and region must match |
| aws.ec2 | EC2 Instance State-change Notification | Account ID, region, and instance ID must match |
| aws.ec2 | EC2 Spot Instance Interruption Warning | Account ID and region must match |
| aws.ec2fleet | EC2 Fleet Error | Account ID, region, and fleet ID must match |
| aws.ec2fleet | EC2 Fleet Information | Account ID, region, and fleet ID must match |
| aws.ec2fleet | EC2 Fleet Instance Change | Account ID, region, and fleet ID must match |
| aws.ec2fleet | EC2 Fleet Spot Instance Request Change | Account ID, region, and fleet ID must match |
| aws.ec2fleet | EC2 Fleet State Change | Account ID, region, and fleet ID must match |
| aws.ec2spotfleet | EC2 Spot Fleet Error | Account ID, region, and fleet ID must match |
| aws.ec2spotfleet | EC2 Spot Fleet Information | Account ID, region, and fleet ID must match |
| aws.ec2spotfleet | EC2 Spot Fleet Instance Change | Account ID, region, and fleet ID must match |
| aws.ec2spotfleet | EC2 Spot Fleet Spot Instance Request Change | Account ID, region, and fleet ID must match |
| aws.ec2spotfleet | EC2 Spot Fleet State Change | Account ID, region, and fleet ID must match |
| aws.ecr | ECR Image Action | Account ID, region, and repository name must match |
| aws.ecr | ECR Image Scan | Account ID, region, and repository name must match |
| aws.ecs | ECS Container Instance State Change | Account ID, region, and container instance ID must match |
| aws.ecs | ECS Service Action | Account ID, region, and service name must match |
| aws.ecs | ECS Task State Change | Account ID, region, and task definition must match |
| aws.elasticbeanstalk | Elastic Beanstalk resource status change | Account ID, region, application name, and environment name must match |
| aws.elasticbeanstalk | Health status change | Account ID, region, application name, and environment name must match |
| aws.elasticbeanstalk | Managed update status change | Account ID, region, application name, and environment name must match |
| aws.elasticbeanstalk | Other resource status change | Account ID, region, application name, and environment name must match |
| aws.emr | EMR Auto Scaling Policy State Change | Account ID, region, and cluster ID must match |
| aws.emr | EMR Cluster State Change | Account ID, region, and cluster ID must match |
| aws.emr | EMR Instance Group State Change | Account ID, region, and cluster ID must match |
| aws.emr | EMR Step Status Change | Account ID, region, and cluster ID must match |
| aws.es | Amazon OpenSearch Service Notification | Account ID, region, and domain must match |
| aws.es | Amazon ES Service Software Update Notification | Account ID, region, and domain must match |
| aws.events | Scheduled Event | Account ID, region, and rule name must match |
| aws.glue | Glue Data Catalog Table State Change | Account ID, region, and table name must match |
| aws.glue | Glue Job State Change | Account ID, region, and job name must match |
| aws.guardduty | GuardDuty Finding | Account ID, region, and affected resource ID must match |
| aws.guardduty | GuardDuty Runtime Protection Unhealthy | Account ID, region, and affected resource ID must match |
| aws.health | AWS Health Abuse Event | (Account ID), region, and event type category must match |
| aws.health | AWS Health Event | (Account ID), region, and event type category must match |
| aws.inspector2 | Inspector2 Finding | Account ID, region, and resource type must match |
| aws.iotanalytics | IoT Analytics Dataset Lifecycle Notification | Account ID, region, and dataset name must match |
| aws.kms | KMS CMK Deletion | Account ID, region, and key ID must match |
| aws.kms | KMS CMK Rotation | Account ID, region, and key ID must match |
| aws.kms | KMS Imported Key Material Expiration | Account ID, region, and key ID must match |
| aws.macie | Macie Findin | Account ID, region, and category must match |
| aws.mediaconvert | MediaConvert Job State Change | Account ID, region, and queue name must match |
| aws.opsworks | OpsWorks Alert | Account ID, region, and stack ID must match |
| aws.opsworks | OpsWorks Command State Change | Account ID, region, and command ID must match |
| aws.opsworks | OpsWorks Deployment State Change | Account ID, region, and deployment ID must match |
| aws.opsworks | OpsWorks Instance State Change | Account ID, region, and stack ID must match |
| aws.rds | RDS DB Instance Event | Account ID, region, and instance ID must match |
| aws.rds | RDS DB Snapshot Event | Account ID, region, and snapshot ID must match |
| aws.s3 | Object Access Tier Changed | Account ID, region, and bucket name must match |
| aws.s3 | Object ACL Updated | Account ID, region, and bucket name must match |
| aws.s3 | Object Created | Account ID, region, and bucket name must match |
| aws.s3 | Object Deleted | Account ID, region, and bucket name must match |
| aws.s3 | Object Restore Completed | Account ID, region, and bucket name must match |
| aws.s3 | Object Restore Expired | Account ID, region, and bucket name must match |
| aws.s3 | Object Restore Initiated | Account ID, region, and bucket name must match |
| aws.s3 | Object Storage Class Changed | Account ID, region, and bucket name must match |
| aws.s3 | Object Tags Added | Account ID, region, and bucket name must match |
| aws.s3 | Object Tags Deleted | Account ID, region, and bucket name must match |
| aws.securityhub | Security Hub Findings - Custom Action | Account ID, region, and product must match |
| aws.securityhub | Security Hub Findings - Imported | Account ID, region, and product must match |
| aws.securityhub | Security Hub Insight Results | Account ID, region, and insight must match |
| aws.signin | AWS Console Sign In via CloudTrail | Account ID, region, and identity must match |
| aws.ssm | Configuration Compliance State Change | Account ID, region, and patch baseline ID must match |
| aws.ssm | EC2 Command Invocation Status-change Notification | Account ID, region, and document name must match |
| aws.ssm | EC2 Command Status-change Notification | Account ID, region, and document name must match |
| aws.ssm | EC2 State Manager Association State Change | Account ID, region, and document name must match |
| aws.ssm | EC2 State Manager Instance Association State Change | Account ID, region, and document name must match |
| aws.ssm | Maintenance Window Execution State-change Notification | Account ID, region, and window ID must match |
| aws.ssm | Maintenance Window State-change Notification | Account ID, region, and window ID must match |
| aws.ssm | Maintenance Window Target Registration Notification | Account ID, region, and window ID must match |
| aws.ssm | Maintenance Window Task Execution State-change Notification | Account ID, region, and window ID must match |
| aws.ssm | Maintenance Window Task Target Invocation State-change Notification | Account ID, region, and window ID must match |
| aws.states | Step Functions Execution Status Change | Account ID, region, state machine, and status must match |
| aws.trustedadvisor | Trusted Advisor Check Item Refresh Notification | Account ID and region must match |
| aws.workspaces | WorkSpaces Access | Account ID, region, and workspace ID must match |
| aws.xray | AWS X-Ray Insight Update | Account ID, region, and group name must match |
In all other cases (including now AWS events), source, event type, account ID, and region must match.
Chatbot for AWS Monitoring
Configure monitoring for Amazon Web Services: CloudWatch, EC2, RDS, EB, Lambda, and more. Receive and manage alerts via Slack. Solve incidents as a team.
Add to Slack
Add to Teams