Is there a way to create incident after event is generated 3 times?
‎03-28-2019 01:25 PM
I have a requirement from a customer to create an incident after 3 events. E.g. for a Windows machine, someone tries to log in and fails, which triggers an event to ServiceNow, but only if the login fails 3 times should an incident be created out of it.
Labels: Event Management
‎03-28-2019 03:54 PM
In London they added the Overall Event Count to the alert that you could trigger off of (but be careful, as it doesn't cause an update to the alert when it's iterated). You could use a scheduled job to do the work, though. Outside of that, if you aren't in London then you will need a business rule that calculates the number of events linked to the alert on update and then, if it's greater than 3 and there is no task already, calls the script include to create the incident. Hope this helps :).
‎03-29-2019 06:00 AM
Instead of going the scheduled job route, couldn't you use an update to the 'Last Event Time' as part of a Business Rule trigger? Looking at some Alerts in my instance, I can see that matches the time of the last related event.
Steve
‎03-29-2019 06:12 AM
Yeah, so I was actually just talking to GP on LinkedIn messenger and it appears this one-off use case I was seeing in Dev doesn't happen much in the wild, as almost always something changes. I'm trying to find a working example of what I was talking about in my UAT environment and I couldn't find one, but I most definitely saw it in Dev. Either way, you should be okay going the GP route for this.

‎03-28-2019 05:00 PM
If, for your use case, it is fine to also have the alert created after 3 events and then create the incident when the alert is created, you could use thresholds in the event rules.
Otherwise you can create a flow with Flow Designer that triggers on "Overall Event Count".
The flow would trigger on your login security alerts when the count is greater than 2, or something like this:
Then create the incident:
And finally update the alert with the newly created task:
In London and Madrid, this Flow Designer based flow triggers on the alert update as described above.
I hope this helps,
Gp
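The count-then-create logic behind both the business-rule answer and GP's flow above, as an added example that is not code from the thread or from ServiceNow: it is written as plain JavaScript with an in-memory stand-in for the tables so it runs offline, where a real business rule would use GlideRecord queries on em_event, em_alert and incident. The field names `alert` and `task`, the sample record values and the threshold of 3 are assumptions taken from the discussion.

```javascript
// Added example (not the thread's or ServiceNow's code); field names alert/task and threshold 3 are assumptions.
const THRESHOLD = 3;

// Minimal in-memory stand-in for the em_alert, em_event and incident tables.
function makeStore() {
  return { alerts: {}, events: [], incidents: [] };
}

// Equivalent of a GlideAggregate COUNT on em_event where alert = alertId.
function countLinkedEvents(store, alertId) {
  return store.events.filter(e => e.alert === alertId).length;
}

// Equivalent of inserting an incident and writing its sys_id back to em_alert.task.
function createIncidentForAlert(store, alert) {
  const inc = { sys_id: 'INC' + (store.incidents.length + 1),
                short_description: alert.description, alert: alert.sys_id };
  store.incidents.push(inc);
  alert.task = inc.sys_id;
  return inc.sys_id;
}

// Body of an after-update business rule on em_alert. Returns the linked task
// (existing or newly created) or null while the alert is below the threshold.
// The task check keeps the rule idempotent: it fires on every alert update,
// so without it each further event would open another incident.
function onAlertUpdate(store, alertId) {
  const alert = store.alerts[alertId];
  if (!alert) return null;
  if (alert.task) return alert.task;
  if (countLinkedEvents(store, alertId) < THRESHOLD) return null;
  return createIncidentForAlert(store, alert);
}

// Simulate a failed-logon event arriving: it is bound to the alert, which
// updates the alert and fires the rule. Returns the rule's result.
function ingestEvent(store, alertId, eventId) {
  store.alerts[alertId] = store.alerts[alertId] ||
    { sys_id: alertId, description: 'Failed logon on WIN-HOST01 (constructed)', task: '' };
  store.events.push({ sys_id: eventId, alert: alertId });
  return onAlertUpdate(store, alertId);
}

// Constructed run: five failed logons correlated into one alert.
function demo() {
  const store = makeStore();
  const results = ['E1', 'E2', 'E3', 'E4', 'E5'].map(id => ingestEvent(store, 'ALERT001', id));
  return { results, incidents: store.incidents.length, task: store.alerts.ALERT001.task };
}
```

Running `demo()` shows the incident is opened exactly once, on the third event, and the fourth and fifth updates return the already linked task instead of creating another.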