AnsiblePilot — Master Ansible Automation

AnsiblePilot is the leading resource for learning Ansible automation, DevOps, and infrastructure as code. Browse over 1,400 tutorials covering Ansible modules, playbooks, roles, collections, and real-world examples. Whether you are a beginner or an experienced engineer, our step-by-step guides help you automate Linux, Windows, cloud, containers, and network infrastructure.

Popular Topics

About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

AAP Automation Orchestrator: Configuring Multi-Source Alert Triggers

By Luca Berton · Published 2024-01-01 · Category: troubleshooting

Learn how AAP Automation Orchestrator ingests multi-source alerts and hands them to an Event-Driven Ansible rulebook to trigger deterministic remediation.

Red Hat's Automation Orchestrator, previewed at Red Hat Tech Day Netherlands 2026 in Bunnik and slated to arrive in Q3 2026, reframes Ansible Automation Platform (AAP) as a unified canvas for AI-driven IT operations. It stitches together task-based automation, event-based automation, and agentic reasoning on top of the upstream Temporal durable-execution engine — and it does so under one governing principle stated plainly at the event: "AI isn't improvising against production infrastructure, it's acting through AAP." Every recommendation an AI agent makes still has to pass through the same deterministic, auditable execution path that Ansible has always used.

That pipeline breaks down into five steps: alerts arrive from multiple sources, an Event-Driven Ansible (EDA) rulebook picks them up, an AI agent analyzes and recommends a fix, a human approves it, and AAP executes the remediation at scale. This article focuses on the foundation of that pipeline — Steps 1 and 2 — where raw signals from disparate monitoring and ITSM tools become a single, trustworthy trigger into your automation.

Step 1: Alerts From Multiple Sources on One Canvas

The first design goal of Automation Orchestrator is consolidation. Instead of every monitoring tool, agent, and playbook maintaining its own notification path, alerts land on a single orchestration canvas where they can be correlated, prioritized, and routed consistently. In the Tech Day demo, this was illustrated with a real-world CVE remediation scenario: CVE-2024-6387 ("regresshion"), a critical race condition in OpenSSH's sshd that can lead to unauthenticated remote code execution.

Two independent systems fed alerts into the same orchestrator:

  • IBM Instana, an observability platform, which detected anomalous behavior and fired a webhook.
  • ServiceNow, which raised a corresponding CMDB/ITSM signal via its own webhook.
Both sources POST to the same kind of endpoint — an EDA webhook listener — despite having completely different payload shapes, authentication models, and operational purposes. That's the point of Step 1: normalize the entry point even when the alert sources stay heterogeneous.
Alert sourceRole in the demoDelivery mechanism
IBM InstanaDetects the anomaly / vulnerability signalWebhook → EDA endpoint (Step 2 trigger)
ServiceNowRaises the ITSM ticket and CMDB contextWebhook → EDA endpoint (Step 3 trigger)
Splunk (via MCP)Queried by the AI agent for correlation, not a webhook sourceMCP tool calls: Query, Alert Search, Saved Search
ServiceNow CMDB (via MCP)Queried by the AI agent to map hosts to inventoryMCP tool call: CMDB Lookup
Notice the distinction: Instana and ServiceNow push alerts as webhook triggers, while Splunk and the ServiceNow CMDB are pulled by the AI agent later in the pipeline (Step 3) through MCP (Model Context Protocol) tools. Multi-source alerting isn't just "many webhooks" — it's a mix of push-based triggers and pull-based context enrichment, all converging on the same governed workflow.

See also: AAP Automation Orchestrator: Automated Remediation Execution Explained

Step 2: The EDA Rulebook Trigger

Once a webhook lands, Event-Driven Ansible is what turns an arbitrary HTTP POST into a deterministic automation action. Each webhook source is registered against an EDA webhook endpoint with an auto-generated API key, so Instana and ServiceNow authenticate independently even though they route to the same rulebook logic. This is the layer that keeps Step 1's chaos from leaking into the rest of the pipeline: no matter how noisy or varied the upstream alert is, EDA evaluates it against explicit conditions and only fires the actions you've defined.

A simplified rulebook for the regresshion scenario looks like this:

---
- name: Handle critical OpenSSH CVE alerts from multiple sources
  hosts: all
  sources:
    - ansible.eda.webhook:
        host: 0.0.0.0
        port: 5000
        token: "{{ eda_webhook_token }}"

  rules:
    - name: Instana anomaly alert for regresshion CVE
      condition: >
        event.payload.source == "instana" and
        event.payload.cve_id == "CVE-2024-6387" and
        event.payload.severity == "critical"
      action:
        run_job_template:
          name: "cve-2024-6387-triage"
          organization: "IT Operations"
          job_args:
            extra_vars:
              cve_id: "{{ event.payload.cve_id }}"
              detected_hosts: "{{ event.payload.affected_hosts }}"
              alert_source: instana

    - name: ServiceNow ticket confirms same CVE
      condition: >
        event.payload.source == "servicenow" and
        event.payload.cve_id == "CVE-2024-6387"
      action:
        run_job_template:
          name: "cve-2024-6387-triage"
          organization: "IT Operations"
          job_args:
            extra_vars:
              cve_id: "{{ event.payload.cve_id }}"
              itsm_ticket: "{{ event.payload.ticket_number }}"
              alert_source: servicenow

A few things matter operationally here:

  • One condition per source, one shared job template. Both rules resolve to the same cve-2024-6387-triage job template so that, regardless of which system alerted first, the downstream AI-analysis step (Step 3) receives a consistent payload shape.
  • The rulebook is deterministic, not probabilistic. This is the boundary the Tech Day team was emphatic about: EDA's job is pattern-matching against explicit conditions, not inference. The AI only enters the picture after EDA has already decided a valid, known trigger fired.
  • Tokens per source. Each webhook source carries its own auto-generated API key, so you can revoke or rotate Instana's credential without touching ServiceNow's, and you get source-level audit trails in the EDA controller logs.
  • Extra vars carry provenance. Passing alert_source and the raw identifiers (ticket_number, affected_hosts) forward means the job template — and eventually the AI agent — always knows which system originated the trigger, which matters when the same job template can be reached from either path.
In the live demo this combination of Instana- and ServiceNow-sourced triggers, both resolving to the same triage job template, is what kicked off the full 8-step workflow that ultimately patched 12 hosts across production, staging, and development in three rolling batches of four, with zero downtime. Steps 1 and 2 only took a fraction of a second of the total run — alert ingestion measured at roughly 0 seconds and the rulebook match feeding straight into ticket creation at 1.2 seconds — but they're what made every later step trustworthy: the AI agent, the human reviewer, and the remediation job template were all working from a single, deterministically-triggered event rather than a raw, unvalidated webhook payload.

Designing Your Own Multi-Source Triggers

When you build this pattern for your own environment, a few practical rules carry over directly from the demo:

  1. Give every alert source its own webhook credential. Don't share API keys across Splunk, Instana, ServiceNow, or any other tool posting into EDA — rotate and audit independently.
  2. Normalize on job template, not on payload. Different sources will never agree on field names; let your rulebook conditions do the translation and converge on one job template per remediation type.
  3. Pass provenance forward. Always include the originating source and any ticket/incident identifiers in extra_vars so downstream AI analysis and human approval steps have full context.
  4. Keep the rulebook boring on purpose. Step 2 should be simple, explicit, and auditable — save the reasoning for Step 3 and the judgment for Step 4.

Key Takeaways

  • Automation Orchestrator's Step 1 consolidates alerts from push-based webhooks (Instana, ServiceNow) and pull-based MCP context sources (Splunk, ServiceNow CMDB) onto a single canvas.
  • Step 2's EDA rulebook is the deterministic gatekeeper: it evaluates explicit conditions on incoming webhook events and only then triggers a known job template.
  • Each webhook source should carry its own auto-generated API key for independent authentication and auditability.
  • Multiple alert sources can and should resolve to the same job template, with extra_vars preserving which system triggered the run.
  • This foundation — fast, deterministic, and fully logged — is what let the Tech Day demo hand off safely to AI analysis and human approval in the subsequent steps, ultimately remediating CVE-2024-6387 across 12 hosts with zero downtime.

Category: troubleshooting

Browse all Ansible tutorials · AnsiblePilot Home