Is there a way to create incident after event is generated 3 times?

poojashah27
Giga Guru

‎03-28-2019 01:25 PM

i have a requirement from customer to create an incident after 3 events. e.g for windows machine someone tries to login and fails which triggers event to ServiceNow but if login fails 3 times then only create incident out of it.

Labels:
0 Helpfuls
  • 2,206 Views
8 REPLIES 8

robertgeen
Tera Guru

‎03-28-2019 03:54 PM

In London they added the Overall Event Count to the alert that you could trigger off of (but be careful as it doesn't cause an update to the alert when it's iterated). You could use a scheduled job to do the work though. Outside of that if you aren't in london then you will need to have a business rule that will calculate the amount of events linked to the alert on update and then if it's greater then 3 and there is no task already then call the script include to create the incident. Hope this helps :).

0 Helpfuls

stevemacamway
Giga Expert
In response to robertgeen

‎03-29-2019 06:00 AM

Instead of going the scheduled job route, couldn't you use an update to the 'Last Event Time' as part of a Business Rule trigger? Looking at some Alerts in my instance, I can see that matches the time of the last related event.

Steve

0 Helpfuls

robertgeen
Tera Guru
In response to stevemacamway

‎03-29-2019 06:12 AM

Yeah so I was actually just talking to GP on linkedin messanger and it appears this one off use case I was seeing in Dev doesn't happen much in the wild as almost always something changes. I'm trying to find a working example of what I was talking about in my UAT environment and I couldn't find one but I most definitely saw it in Dev. Either way you should be okay going GP route for this.

0 Helpfuls

Gianpaolo Pagan
ServiceNow Employee
ServiceNow Employee

‎03-28-2019 05:00 PM

If for your use case it is fine to also have the alert created after 3 events and then create the incident when the alert is created you could use thresholds in the event rules.

 

Otherwise you can create a flow with flow designer that triggers on "Overall Event Count" find_real_file.png

 

And the flow would trigger on your login security alerts when count is greater than 2 or something like this:

find_real_file.png

 

Then create the incident:

find_real_file.png

 

And finally update the alert with the newly created task:

find_real_file.png

 

In London and Madrid, this flow designer based flow triggers on the alert update as described above.

I hope this helps,

Gp

 

Preview file
35 KB
Preview file
211 KB
Preview file
225 KB
Preview file
230 KB