From kaseya-datto-rmm
Manages Datto RMM monitoring alerts: viewing, resolving, priorities, and 25+ context types including antivirus_ctx, eventlog_ctx, perf_disk_usage_ctx, ransomware_ctx.
```bash
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin datto-rmm
```

This skill uses the workspace's default tool permissions.

Alerts are the primary notification mechanism in Datto RMM. They're generated by monitors when conditions are met - disk space low, service stopped, CPU high, etc. Each alert contains context-specific data based on the monitor type. This skill covers alert handling, the 25+ context types, and resolution workflows.
Every alert has:
@class discriminator

| Priority | Value | Description | Typical Response |
|---|---|---|---|
| Critical | Critical | Severe impact, immediate action | 15 minutes |
| High | High | Significant issue | 1 hour |
| Moderate | Moderate | Notable but manageable | 4 hours |
| Low | Low | Minor issue | 8 hours |
| Information | Information | Informational only | Best effort |

| State | Description |
|---|---|
| open | Active, requires attention |
| resolved | Closed, issue addressed |

```typescript
interface Alert {
  // Identifiers
  alertUid: string; // Unique alert ID
  alertSourceInfo: AlertSource; // Source of the alert

  // Device Info
  deviceUid: string; // Device that generated alert
  hostname: string; // Device hostname

  // Classification
  alertType: string; // "Monitor", "Device Offline", etc.
  priority: AlertPriority; // Critical, High, Moderate, Low, Information
  alertMessage: string; // Human-readable message

  // Context (varies by @class)
  alertContext: AlertContext; // Type-specific data

  // Timestamps (Unix milliseconds)
  timestamp: number; // When alert was raised
  resolvedAt?: number; // When resolved (if resolved)

  // Resolution
  resolved: boolean;
  resolvedBy?: string; // Who resolved it
  resolution?: string; // Resolution notes
}

type AlertPriority = 'Critical' | 'High' | 'Moderate' | 'Low' | 'Information';
```

Datto RMM has 25+ alert context types, identified by the @class field. Each type has specific fields relevant to that monitor.
Antivirus status and detection alerts.
```typescript
interface AntivirusContext {
  "@class": "antivirus_ctx";
  avProduct: string; // "Windows Defender", "Webroot", etc.
  avStatus: string; // "Enabled", "Disabled", "Out of Date"
  avDefinitionDate: number; // Last definition update (Unix ms)
  threatName?: string; // Name of detected threat
  threatPath?: string; // File path of threat
  scanType?: string; // "Full", "Quick", "Real-time"
  lastScan?: number; // Last scan timestamp
}
```

Example Alert:

```json
{
  "alertMessage": "Antivirus definitions out of date",
  "alertContext": {
    "@class": "antivirus_ctx",
    "avProduct": "Windows Defender",
    "avStatus": "Out of Date",
    "avDefinitionDate": 1707100000000
  }
}
```

Component script execution results.
```typescript
interface ComponentScriptContext {
  "@class": "comp_script_ctx";
  componentName: string; // Script/component name
  exitCode: number; // Process exit code
  stdout: string; // Standard output
  stderr: string; // Standard error
  executionTime: number; // Duration in milliseconds
  variables?: Record<string, string>; // Input variables
}
```

Example Alert:

```json
{
  "alertMessage": "Component 'Backup Check' failed with exit code 1",
  "alertContext": {
    "@class": "comp_script_ctx",
    "componentName": "Backup Check",
    "exitCode": 1,
    "stdout": "Checking backup status...",
    "stderr": "ERROR: No backup found in last 24 hours"
  }
}
```

SNMP monitoring alerts.
```typescript
interface CustomSNMPContext {
  "@class": "custom_snmp_ctx";
  oid: string; // SNMP OID
  value: string | number; // Current value
  threshold: number; // Configured threshold
  comparison: string; // "gt", "lt", "eq", etc.
  snmpVersion: string; // "v1", "v2c", "v3"
}
```

ESXi disk health monitoring.
```typescript
interface DiskHealthContext {
  "@class": "disk_health_ctx";
  diskName: string; // Disk identifier
  status: string; // "Healthy", "Warning", "Critical"
  capacity: number; // Total capacity (bytes)
  smartStatus?: string; // S.M.A.R.T. status
  temperature?: number; // Disk temperature (Celsius)
}
```

Windows Event Log monitoring.
```typescript
interface EventLogContext {
  "@class": "eventlog_ctx";
  logName: string; // "Application", "System", "Security"
  source: string; // Event source
  eventId: number; // Event ID
  eventType: string; // "Error", "Warning", "Information"
  message: string; // Event message
  timestamp: number; // Event timestamp
  user?: string; // Associated user
  computer?: string; // Computer name
}
```

Example Alert:

```json
{
  "alertMessage": "Event Log: BSOD detected",
  "alertContext": {
    "@class": "eventlog_ctx",
    "logName": "System",
    "source": "BugCheck",
    "eventId": 1001,
    "eventType": "Error",
    "message": "The computer has rebooted from a bugcheck."
  }
}
```

ESXi fan status monitoring.
```typescript
interface FanContext {
  "@class": "fan_ctx";
  fanName: string; // Fan identifier
  status: string; // "OK", "Warning", "Critical"
  rpm: number; // Current RPM
  minRpm?: number; // Minimum threshold
}
```

File/folder size monitoring.
```typescript
interface FileSystemObjectContext {
  "@class": "fs_object_ctx";
  path: string; // File or folder path
  size: number; // Current size (bytes)
  threshold: number; // Size threshold (bytes)
  comparison: string; // "gt", "lt"
  isDirectory: boolean; // true for folders
  fileCount?: number; // Number of files (for directories)
}
```

Device online/offline status changes.
```typescript
interface OnlineOfflineContext {
  "@class": "online_offline_status_ctx";
  status: string; // "offline", "online"
  lastSeen: number; // Last check-in (Unix ms)
  offlineDuration: number; // Minutes offline
  previousStatus: string; // Status before change
}
```

Example Alert:

```json
{
  "alertMessage": "Device went offline",
  "alertContext": {
    "@class": "online_offline_status_ctx",
    "status": "offline",
    "lastSeen": 1707991200000,
    "offlineDuration": 45,
    "previousStatus": "online"
  }
}
```

Windows patch/update status.
```typescript
interface PatchContext {
  "@class": "patch_ctx";
  patchCount: number; // Total pending patches
  criticalCount: number; // Critical patches pending
  importantCount: number; // Important patches pending
  optionalCount: number; // Optional patches pending
  lastScan: number; // Last patch scan (Unix ms)
  rebootRequired: boolean; // Needs restart
  failedPatches?: string[]; // KB numbers that failed
}
```

Disk usage/space monitoring.
```typescript
interface DiskUsageContext {
  "@class": "perf_disk_usage_ctx";
  drive: string; // "C:", "D:", etc.
  usagePercent: number; // Current usage percentage
  threshold: number; // Alert threshold percentage
  totalSpace: number; // Total space (bytes)
  freeSpace: number; // Free space (bytes)
  usedSpace: number; // Used space (bytes)
}
```

Example Alert:

```json
{
  "alertMessage": "Disk C: is 95% full",
  "alertContext": {
    "@class": "perf_disk_usage_ctx",
    "drive": "C:",
    "usagePercent": 95,
    "threshold": 90,
    "totalSpace": 500000000000,
    "freeSpace": 25000000000,
    "usedSpace": 475000000000
  }
}
```

Windows Performance Counter monitoring.
```typescript
interface PerformanceMonitorContext {
  "@class": "perf_mon_ctx";
  counter: string; // Full counter path
  instance: string; // Counter instance
  value: number; // Current value
  threshold: number; // Alert threshold
  comparison: string; // "gt", "lt", "eq"
}
```

CPU/Memory usage monitoring.
```typescript
interface ResourceUsageContext {
  "@class": "perf_resource_usage_ctx";
  resource: string; // "CPU", "Memory"
  usagePercent: number; // Current usage percentage
  threshold: number; // Alert threshold
  duration: number; // Duration over threshold (seconds)
  processName?: string; // Top consuming process
  processUsage?: number; // Process usage percentage
}
```

Example Alert:

```json
{
  "alertMessage": "CPU usage above 90% for 15 minutes",
  "alertContext": {
    "@class": "perf_resource_usage_ctx",
    "resource": "CPU",
    "usagePercent": 94,
    "threshold": 90,
    "duration": 900,
    "processName": "sqlservr.exe",
    "processUsage": 78
  }
}
```

Network ping monitoring.
```typescript
interface PingContext {
  "@class": "ping_ctx";
  host: string; // Target hostname/IP
  latency: number; // Response time (ms)
  packetLoss: number; // Packet loss percentage
  threshold: number; // Latency threshold (ms)
  status: string; // "reachable", "unreachable"
}
```

Individual process resource monitoring.
```typescript
interface ProcessResourceContext {
  "@class": "process_resource_usage_ctx";
  processName: string; // Process name
  pid: number; // Process ID
  cpuUsage: number; // CPU percentage
  memoryUsage: number; // Memory usage (bytes)
  memoryPercent: number; // Memory percentage
  threshold: number; // Alert threshold
}
```

Process running/stopped monitoring.
```typescript
interface ProcessStatusContext {
  "@class": "process_status_ctx";
  processName: string; // Process name
  status: string; // "running", "stopped"
  expectedStatus: string; // "running", "stopped"
  pid?: number; // Process ID (if running)
  path?: string; // Executable path
}
```

ESXi power supply monitoring.
```typescript
interface PSUContext {
  "@class": "psu_ctx";
  psuName: string; // PSU identifier
  status: string; // "OK", "Failed", "Degraded"
  wattage?: number; // Current wattage
}
```

Ransomware detection alerts.
```typescript
interface RansomwareContext {
  "@class": "ransomware_ctx";
  detectionType: string; // "Behavioral", "Signature", "Honeypot"
  path: string; // Affected path
  action: string; // "Blocked", "Quarantined", "Detected"
  processName?: string; // Suspicious process
  fileCount?: number; // Number of affected files
  extensions?: string[]; // Affected file extensions
}
```

Example Alert:

```json
{
  "alertMessage": "Potential ransomware activity detected",
  "alertContext": {
    "@class": "ransomware_ctx",
    "detectionType": "Behavioral",
    "path": "C:\\Users\\John\\Documents",
    "action": "Blocked",
    "processName": "suspicious.exe",
    "fileCount": 15,
    "extensions": [".encrypted", ".locked"]
  }
}
```

Webroot/security management status.
```typescript
interface SecurityManagementContext {
  "@class": "sec_management_ctx";
  product: string; // "Webroot", etc.
  status: string; // "Active", "Inactive", "Expired"
  threatCount: number; // Number of threats detected
  lastScan: number; // Last scan timestamp
  licenseExpiry?: number; // License expiration
}
```

Windows Service resource monitoring.
```typescript
interface ServiceResourceContext {
  "@class": "srvc_resource_usage_ctx";
  serviceName: string; // Service name
  displayName: string; // Service display name
  cpuUsage: number; // CPU percentage
  memoryUsage: number; // Memory (bytes)
  threshold: number; // Alert threshold
}
```

Windows Service status monitoring.
```typescript
interface ServiceStatusContext {
  "@class": "srvc_status_ctx";
  serviceName: string; // Service name
  displayName: string; // Service display name
  status: string; // "Running", "Stopped", "Paused"
  expectedStatus: string; // Expected status
  startType: string; // "Automatic", "Manual", "Disabled"
  recoveryAction?: string; // Configured recovery action
}
```

Example Alert:

```json
{
  "alertMessage": "Service 'SQL Server' is stopped",
  "alertContext": {
    "@class": "srvc_status_ctx",
    "serviceName": "MSSQLSERVER",
    "displayName": "SQL Server (MSSQLSERVER)",
    "status": "Stopped",
    "expectedStatus": "Running",
    "startType": "Automatic"
  }
}
```

Software installation/removal monitoring.
```typescript
interface SoftwareActionContext {
  "@class": "sw_action_ctx";
  action: string; // "Installed", "Uninstalled", "Updated"
  softwareName: string; // Application name
  version: string; // Software version
  previousVersion?: string; // Previous version (for updates)
  publisher?: string; // Software publisher
  installDate: number; // Action timestamp
}
```

ESXi temperature monitoring.
```typescript
interface TemperatureContext {
  "@class": "temperature_ctx";
  sensorName: string; // Sensor identifier
  temperature: number; // Current temp (Celsius)
  threshold: number; // Alert threshold
  status: string; // "Normal", "Warning", "Critical"
}
```

WMI query monitoring.
```typescript
interface WMIContext {
  "@class": "wmi_ctx";
  query: string; // WMI query executed
  namespace: string; // WMI namespace
  property: string; // Property monitored
  value: string | number; // Current value
  threshold?: string | number; // Threshold (if applicable)
}
```

```http
GET /api/v2/alerts/open
Authorization: Bearer {token}
```

```http
GET /api/v2/site/{siteUid}/alerts/open
Authorization: Bearer {token}
```

```http
GET /api/v2/device/{deviceUid}/alerts/open
Authorization: Bearer {token}
```

```http
GET /api/v2/alerts/resolved?max=250
Authorization: Bearer {token}
```

```http
GET /api/v2/alerts/open?since=1707991200000
Authorization: Bearer {token}
```

```http
POST /api/v2/alert/{alertUid}/resolve
Authorization: Bearer {token}
Content-Type: application/json

{
  "resolution": "Cleared disk space by removing temp files"
}
```

Note: Muting alerts (PUT to /alert/{alertUid}/mute) is deprecated. Use resolve instead.

```javascript
async function triageAlerts(client) {
  const alerts = await client.request('/api/v2/alerts/open');
  const triaged = {
    critical: [],
    high: [],
    moderate: [],
    low: [],
    information: []
  };
  alerts.alerts.forEach(alert => {
    const bucket = alert.priority.toLowerCase();
    if (triaged[bucket]) {
      triaged[bucket].push(alert);
    }
  });
  return triaged;
}
```

```javascript
function getAlertRecommendation(alert) {
  // Fall back to an empty context so alerts without one reach the default case
  const ctx = alert.alertContext || {};
  switch (ctx['@class']) {
    case 'perf_disk_usage_ctx':
      return {
        severity: ctx.usagePercent >= 95 ? 'critical' : 'warning',
        action: 'Clear disk space or expand volume',
        steps: [
          'Run Disk Cleanup utility',
          'Clear temp files',
          'Check for large log files',
          'Consider expanding disk'
        ]
      };
    case 'srvc_status_ctx':
      return {
        severity: 'high',
        action: `Start the ${ctx.displayName} service`,
        steps: [
          `Run: net start "${ctx.serviceName}"`,
          'Check Event Log for failure reason',
          'Verify service account credentials',
          'Check dependencies'
        ]
      };
    case 'ransomware_ctx':
      return {
        severity: 'critical',
        action: 'IMMEDIATE: Isolate device and investigate',
        steps: [
          'Disconnect from network immediately',
          'Do NOT restart the device',
          'Contact security team',
          'Preserve evidence',
          'Check for lateral movement'
        ]
      };
    case 'online_offline_status_ctx':
      return {
        severity: ctx.offlineDuration > 60 ? 'high' : 'moderate',
        action: 'Verify device connectivity',
        steps: [
          'Ping device from network',
          'Check physical connectivity',
          'Verify no scheduled maintenance',
          'Contact on-site user if available'
        ]
      };
    default:
      return {
        severity: 'moderate',
        action: 'Review alert details',
        steps: ['Investigate alert context', 'Check device status']
      };
  }
}
```

```javascript
// Small delay helper used between requests
const sleep = (ms) => new Promise(resolve => setTimeout(resolve, ms));

async function resolveAlertsBatch(client, alertUids, resolution) {
  const results = [];
  for (const alertUid of alertUids) {
    try {
      await client.request(`/api/v2/alert/${alertUid}/resolve`, {
        method: 'POST',
        body: JSON.stringify({ resolution })
      });
      results.push({ alertUid, success: true });
    } catch (error) {
      results.push({ alertUid, success: false, error: error.message });
    }
    // Respect rate limits
    await sleep(100);
  }
  return results;
}
```

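
A guard that can run before `resolveAlertsBatch`, added here as an example and not part of the plugin: it holds back alerts that a technician should close by hand and rejects an empty resolution note. Which alerts are held is this example's own policy; the field names come from the interfaces on this page.

```javascript
// Added example: not Datto RMM or plugin code. The hold rules are this example's policy.
function holdReason(alert) {
  const ctx = alert.alertContext || {};
  const cls = ctx['@class'];
  if (!cls) return 'missing @class, cannot classify';
  if (cls === 'ransomware_ctx') return 'ransomware detection';
  if (cls === 'antivirus_ctx' && ctx.threatName) return 'antivirus threat detected';
  if (cls === 'sec_management_ctx' && ctx.threatCount > 0) return 'threats reported';
  if (alert.priority === 'Critical') return 'Critical priority';
  return null;
}

// Split alerts into UIDs that may go to resolveAlertsBatch and alerts held for review.
function planBatchResolve(alerts, resolution) {
  if (typeof resolution !== 'string' || resolution.trim() === '') {
    throw new Error('a resolution note is required');
  }
  const plan = { resolve: [], hold: [] };
  for (const alert of alerts) {
    if (alert.resolved) continue; // resolving again returns 400 "Already resolved"
    const reason = holdReason(alert);
    if (reason) plan.hold.push({ alertUid: alert.alertUid, reason });
    else plan.resolve.push(alert.alertUid);
  }
  return plan;
}

// Constructed sample alerts (not real data).
const SAMPLE_OPEN_ALERTS = [
  { alertUid: 'u1', priority: 'High', resolved: false,
    alertContext: { '@class': 'perf_disk_usage_ctx', drive: 'C:', usagePercent: 95 } },
  { alertUid: 'u2', priority: 'High', resolved: false,
    alertContext: { '@class': 'ransomware_ctx', action: 'Blocked', path: 'C:\\Users' } },
  { alertUid: 'u3', priority: 'Moderate', resolved: false,
    alertContext: { '@class': 'antivirus_ctx', avStatus: 'Out of Date' } },
  { alertUid: 'u4', priority: 'Low', resolved: true,
    alertContext: { '@class': 'sw_action_ctx', action: 'Installed' } },
];
```

Pass `plan.resolve` to the batch function and route `plan.hold` to a person, with the reason attached.
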
```javascript
async function generateAlertSummary(client, options = {}) {
  const { siteUid, deviceUid } = options;
  let url = '/api/v2/alerts/open';
  if (siteUid) url = `/api/v2/site/${siteUid}/alerts/open`;
  if (deviceUid) url = `/api/v2/device/${deviceUid}/alerts/open`;

  const response = await client.request(url);
  const alerts = response.alerts || [];

  // Group by type
  const byType = {};
  alerts.forEach(alert => {
    const type = alert.alertContext?.['@class'] || 'unknown';
    if (!byType[type]) byType[type] = [];
    byType[type].push(alert);
  });

  // Group by priority
  const byPriority = {
    Critical: 0,
    High: 0,
    Moderate: 0,
    Low: 0,
    Information: 0
  };
  alerts.forEach(alert => {
    if (byPriority[alert.priority] !== undefined) {
      byPriority[alert.priority]++;
    }
  });

  return {
    totalOpen: alerts.length,
    byPriority,
    byType: Object.entries(byType).map(([type, items]) => ({
      type,
      count: items.length
    })),
    oldestAlert: alerts.length > 0
      ? Math.min(...alerts.map(a => a.timestamp))
      : null
  };
}
```

| Error | Status | Cause | Resolution |
|---|---|---|---|
| Alert not found | 404 | Invalid alertUid | Verify alert exists |
| Already resolved | 400 | Alert already closed | Check alert state first |
| Permission denied | 403 | API restrictions | Check API permissions |

```javascript
async function safeResolveAlert(client, alertUid, resolution) {
  try {
    await client.request(`/api/v2/alert/${alertUid}/resolve`, {
      method: 'POST',
      body: JSON.stringify({ resolution })
    });
    return { success: true };
  } catch (error) {
    if (error.status === 404) {
      return { success: false, reason: 'Alert not found - may already be resolved' };
    }
    if (error.status === 400) {
      return { success: false, reason: 'Alert already resolved' };
    }
    throw error;
  }
}
```

| Context Type | Typical Priority | Notes |
|---|---|---|
| ransomware_ctx | Critical | Always immediate action |
| online_offline_status_ctx (server) | High | Business impact |
| perf_disk_usage_ctx (>95%) | High | Data loss risk |
| srvc_status_ctx (critical service) | High | Service impact |
| antivirus_ctx (threat detected) | High | Security risk |
| perf_resource_usage_ctx | Moderate | Performance impact |
| patch_ctx (critical patches) | Moderate | Security debt |
| eventlog_ctx | Varies | Based on event severity |
| sw_action_ctx | Low | Informational |
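
The guideline table above combined with the response times from the priority table, as an overdue check (an added example, not plugin code). The `hints` object, the `hintsFor` callback and the sample alerts are hypothetical; taking the higher of the monitor's priority and the guideline is this example's choice.

```javascript
// Added example: not Datto RMM or plugin code.
// Response targets in minutes, from the priority table (Information is best effort).
const RESPONSE_MINUTES = { Critical: 15, High: 60, Moderate: 240, Low: 480, Information: null };
const RANK = ['Information', 'Low', 'Moderate', 'High', 'Critical'];

// Typical priority from the guideline table. `hints` ({ isServer, criticalServices })
// is a hypothetical caller-supplied object: the alert itself does not carry that data.
function guidelinePriority(alert, hints = {}) {
  const ctx = alert.alertContext || {};
  switch (ctx['@class']) {
    case 'ransomware_ctx': return 'Critical';
    case 'online_offline_status_ctx': return hints.isServer ? 'High' : null;
    case 'perf_disk_usage_ctx': return ctx.usagePercent > 95 ? 'High' : null;
    case 'srvc_status_ctx':
      return (hints.criticalServices || []).includes(ctx.serviceName) ? 'High' : null;
    case 'antivirus_ctx': return ctx.threatName ? 'High' : null;
    case 'perf_resource_usage_ctx': return 'Moderate';
    case 'patch_ctx': return ctx.criticalCount > 0 ? 'Moderate' : null;
    case 'sw_action_ctx': return 'Low';
    default: return null; // eventlog_ctx "Varies"; other types are not in the table
  }
}

// Use the higher of the monitor's own priority and the guideline; never downgrade.
function effectivePriority(alert, hints) {
  const guide = guidelinePriority(alert, hints);
  const own = RANK.includes(alert.priority) ? alert.priority : 'Information';
  return guide && RANK.indexOf(guide) > RANK.indexOf(own) ? guide : own;
}

// Open alerts that have passed their response target, most overdue first.
function overdueAlerts(alerts, now, hintsFor = () => ({})) {
  return alerts
    .filter(a => !a.resolved)
    .map(a => {
      const priority = effectivePriority(a, hintsFor(a));
      const minutes = RESPONSE_MINUTES[priority];
      return { alertUid: a.alertUid, priority,
               dueAt: minutes === null ? null : a.timestamp + minutes * 60000 };
    })
    .filter(r => r.dueAt !== null && now > r.dueAt)
    .sort((x, y) => x.dueAt - y.dueAt);
}

// Constructed sample alerts (not real data); timestamps are Unix milliseconds.
const SAMPLE_NOW = 1707995000000;
const SAMPLE_ALERTS = [
  { alertUid: 'a1', priority: 'Moderate', resolved: false, timestamp: SAMPLE_NOW - 20 * 60000,
    alertContext: { '@class': 'ransomware_ctx', action: 'Blocked' } },
  { alertUid: 'a2', priority: 'Low', resolved: false, timestamp: SAMPLE_NOW - 30 * 60000,
    alertContext: { '@class': 'perf_disk_usage_ctx', usagePercent: 96 } },
  { alertUid: 'a3', priority: 'Low', resolved: false, timestamp: SAMPLE_NOW - 600 * 60000,
    alertContext: { '@class': 'sw_action_ctx', action: 'Installed' } },
];
```
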