In testing these alerts and policies on a test JVM, I have found that if you have the Trigger set to Severity Change, you get an alert both when it goes into a critical state and when it returns to normal. I don’t know if this is a bug or if I am just not understanding the process properly.
But in the email alerts I get in testing, where I have enabled most of the variables in my channel so I can try to see as much as possible, the Severity is marked as information. I don’t understand why, when my policy clearly shows the filter Severity to be critical, I get an alert where it shows the severity was information.
Release : SAAS
This is by design. If you have the Trigger set to "Severity Change", you will get a notification both when it goes above a severity level and when it goes back down below that severity level: one notification that it breached the major/critical threshold, and another one that it returned to normal (when it does so).