Hello,

You may be able to use normal alert routing. 

Does the new activity recommend a destination queue? If so, what are the routing priorities for the two queues? Is the routing priority for the suppression queue higher or lower than the routing priority for the destination queue?

If your alerting event or scenario fired event recommends a queue and that queue has a higher routing priority than the suppression queue, the alert will get routed to the higher priority queue automatically.

Hi @_austin_ ,

Thanks for the response.

Let's say there is an activity that has been routed to the correct queue, and after an investigator review this alert, he decides to suppress the activity for 1 month. when he does that, the alert score is decreasing to 0 and is routed to the suppression queue. (Until here, it's working fine)

After a month, the alert is getting back to its initial score, which is ok, but we need it to return to the initial queue.

my configuration is:

1. In the domain, there is an option for Suppressed event queue configured to a new queue called "HR_Close_S_q".

2. When the scenario fired-events are generated they are routed to a queue: "HR_Close_q" with a priority of 26.

3. when a user suppressed a fire event, the alert score is updated to 0 and the alert itself is routed to the "HR_Close_S_q" queue (which has a priority of 29)

4. after sometime configuration, the fire event is restored, and the score of the event returns to the initial score, but the alert is not routed back to the relevant queue ("HR_Close_q")