Third-Party Alert Ingestion
Vendor alerts ingested into your system.
Common third-party alert sources
Vendor and platform alerts deserve a first-class ingestion path. They are leading indicators that your customer-facing SLOs are about to slip.
- AWS Health. AWS-side events affecting your account; the only signal for region-wide control-plane issues.
- Vendor status pages. Datadog, GitHub, Stripe, Twilio publish webhooks; subscribe rather than scraping HTML.
- SaaS dependencies. Auth0, Okta, Snowflake; outages here look like internal failures until you correlate.
- Third-party APIs. Synthetic checks against the APIs you call let you alert before the customer notices.
Normalisation
Vendor alerts use a hundred different schemas. Translate them into your event format on ingest or you will spend on-call time deciphering payloads.
- Severity mapping. Translate vendor 'high' to your sev 2 or sev 3; document the table in the runbook.
- Service tagging. Attach the internal service that depends on the vendor so the alert routes to the right on-call.
- Aggressive filtering. Vendor status pages report regions and components you do not use; drop them at ingest.
- Schema versioning. Vendors change their webhook shape; pin a parser version per source so a silent change does not break ingestion.
Dedupe with internal alerts
A vendor outage will fire your downstream alerts. Without correlation the on-call gets paged five times for the same root cause.
- Group by cause. A vendor-degraded event plus your own firing alerts collapse into one incident with the vendor as root cause.
- Single page. One page with multiple contributing signals beats five pages for the same incident.
- Manual override. When grouping is wrong, the operator splits incidents; trust automation but verify.
- Time-window correlation. Vendor alerts within 5 minutes of internal alerts on the same service auto-link.
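The normalisation and dedupe steps above, as an added Python example that is not from the original page. The vendor name `examplepay`, its webhook shape, the mapping tables and the alert names are all constructed for illustration; only the 5-minute window comes from the text.

```python
from datetime import datetime, timedelta

# Constructed tables; per the text, the real severity table lives in the runbook.
SEVERITY_MAP = {("examplepay", "critical"): 1, ("examplepay", "major"): 2, ("examplepay", "minor"): 3}
SERVICE_MAP = {("examplepay", "api"): "checkout"}   # vendor component -> dependent internal service
WINDOW = timedelta(minutes=5)                       # auto-link window

def parse_examplepay_v1(raw):
    # Strict key access: a silent change in webhook shape raises KeyError here.
    return raw["component"], raw["impact"], raw["started_at"]

PARSERS = {("examplepay", 1): parse_examplepay_v1}  # one pinned parser version per source

def normalise(vendor, version, raw):
    """Return an internal event, or None when the component is filtered out."""
    parser = PARSERS.get((vendor, version))
    if parser is None:
        raise ValueError(f"no pinned parser for {vendor} v{version}")
    component, impact, started_at = parser(raw)
    service = SERVICE_MAP.get((vendor, component))
    if service is None:
        return None                                 # component we do not depend on
    return {"name": f"{vendor}:{component}", "service": service,
            "sev": SEVERITY_MAP[(vendor, impact)],  # unmapped severity fails loudly
            "at": datetime.fromisoformat(started_at)}

def correlate(vendor_events, internal_alerts):
    """Link alerts to a vendor incident on the same service within WINDOW."""
    incidents = [{"root_cause": v["name"], "service": v["service"], "at": v["at"],
                  "signals": [v["name"]]} for v in vendor_events]
    standalone = []
    for name, service, at_str in internal_alerts:
        at = datetime.fromisoformat(at_str)
        match = next((i for i in incidents
                      if i["service"] == service and abs(i["at"] - at) <= WINDOW), None)
        if match is not None:
            match["signals"].append(name)           # contributes to the existing page
        else:
            standalone.append({"root_cause": None, "service": service, "at": at,
                               "signals": [name]})
    return incidents + standalone

def demo():
    raw = [{"component": "api", "impact": "major", "started_at": "2024-05-01T10:00:00+00:00"},
           {"component": "terminal", "impact": "minor", "started_at": "2024-05-01T10:00:00+00:00"}]
    events = [e for e in (normalise("examplepay", 1, r) for r in raw) if e]
    alerts = [("checkout-5xx", "checkout", "2024-05-01T10:03:00+00:00"),
              ("checkout-latency", "checkout", "2024-05-01T10:04:30+00:00"),
              ("search-errors", "search", "2024-05-01T10:02:00+00:00"),
              ("checkout-5xx", "checkout", "2024-05-01T10:20:00+00:00")]
    return correlate(events, alerts)
```

In `demo()` the unused `terminal` component is dropped at ingest, the two checkout alerts inside the window join the vendor incident, and the alert 20 minutes later opens its own incident.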
Operating ingestion
Treat vendor alert ingestion as a product surface, not a one-off integration. Review what fired, what was actionable, and what to drop.
- Per-vendor dashboard. One page per critical vendor showing recent alerts and current status; on-call's first stop.
- Monthly review. Which vendor alerts fired? Which were actionable? Tune subscriptions and severity mappings.
- Annual review. Which vendors are critical enough to justify premium status integration or a dedicated TAM?
- Vendor SLA tracking. Alert volumes and outage duration feed the next contract negotiation; do not lose the data.