Business Rule to Avoid Duplicate Incidents?

jstoneiii · ‎07-31-2014

We send our Anti-Virus alerts to Service-Now for automatic Incident Creations. We are now using a Cloud based product with is much more aggressive with reporting so alerts are now sent in real time. The problem is that the product is so aggressive that we may receive the same alerts with-in minutes of each other.

I would like Service-Now to not create an Incident if another Incident is open for the same Caller which has the same Business Service, Category and Subcategory and if the ticket is not Resolved or Open. I've tried via Inbound Actions (with the help of several others) but that does not sound like a good solution.

To get a good idea of what I want I have posted my Inbound Action which is creating the Incidents. (Don't know if it useful in this case or not.) As you can see, I lookup the user name based off of the PC Name that is in the Alert to Call up the Caller ID and create a ticket for the user.

But I am stumped on how to eliminate duplicate tickets.

Any assistance would be appreciated!

Would a Business Rule be a better option? I would like to keep the below Inbound Action but have a Business Rule to not create a duplicate Incident.

Condition: email.subject.toLowerCase().indexOf("[fireamp subscription] [quarantine failure]") == 0 &&email.body_text.toLowerCase().indexOf("quarantine failure") > -1

Script:

//Look up user using their PC name:

var grCI = new GlideRecord('cmdb_ci');
grCI.addQuery('name', grabContent(email.body_text, "Computer: ", ".wagged.local"));
grCI.query();
gs.log('grCI Query: ' + grCI.getEncodedQuery() + ' = ' + grCI.getRowCount());
if(grCI.next()) {
gs.log('Found caller from CI');
current.caller_id = grCI.assigned_to.sys_id;
caller = grCI.assigned_to.sys_id;
current.u_computer_name = grCI.sys_id;
current.comments = "received from: " + email.origemail + "\n\n" + email.body_text + grCI.assigned_to.location;
current.location = grCI.location;
}else{

gs.log('CI Not Found ');
var sid = new GlideRecord('sys_user');
sid.get('email', email.from);
current.caller_id = sid;
current.comments = "received from: " + email.origemail + "\n\n" + email.body_text + sid.location;
}
current.u_business_service.setDisplayValue('FireAmp');
current.category.setDisplayValue('Other');
current.subcategory.setDisplayValue('Infected');
current.assignment_group.setDisplayValue('Service Desk');
current.state = 1;
current.urgency = 1;
current.contact_type = "Automated Alert";
current.state = 1;
current.short_description = "Attention — FireAmp Security: Action Required — Machine Infected";
current.insert();

function grabContent(str, startCon, endCon) {
var startLen = startCon.length;
var s = str.indexOf(startCon);
var e = str.indexOf(endCon);
var scrape = str.substring(s+startLen, e);
return scrape;
}

event.state="stop_processing";

jstoneiii · ‎08-04-2014

Thanks Peter!

That definitely helped as I can map to the Business Service now.

I'm having a tough time pulling up the caller though. No matter who the caller is (as determine by my script to create the caller based on asset assignment) it fails to update the Incident because it's only matching the Business Service Field.

My field in the incident form is incident.caller_id and it is pulling from the sysy_user field.

Any ideas on what I am doing wrong? The User label's sysy ID is 72663d990a0a3c7401f5483edad7087

grEmail.addEncodedQuery('sys_created_onONToday@javascript:gs.daysAgoStart(0)@javascript:gs.daysAgoEnd(0)^caller_id=72663d990a0a3c7401f5483edad70874^business_service=4fab5f11508181006bb24baec3e373ad');

jstoneiii · ‎08-04-2014

The below works for me.

I just need to be able to pull in the Computer Name or Caller-ID and eliminate the date range.

As you can see from below I have a field named u_computer_name on the Incident form.

I just can't seem to query it and compare it though.

The below stops anything with a subcategory of infected.

Any help is appreciated.

Thanks!

//Check for Current Open Incident and Update

var grInc = new GlideRecord('incident');
var grEmail = new GlideRecord('sys_email');
var incUpdated = false;
grEmail.addEncodedQuery('sys_created_onONToday@javascript:gs.daysAgoStart(0)@javascript:gs.daysAgoEnd(0)^caller_id=SYS_ID_OF_USER^subcategory=infected');
grEmail.query();
if(grEmail.getRowCount != 0){
while(grEmail.next() && incUpdated != true){
grInc.get(grEmail.instance);
if(grInc.active == true && grInc.state < 6){ //is the existing incident active and not in closed or resolved state
incUpdated = true;
grInc.work_notes = '\nFrom: ' + email.from + '\nTo: ' + email.to + '\nSubject: ' + email.subject + '\n\n' + email.body_text;
grInc.update();

}

if(incUpdated == false){ // If existing incident not found create new
//Look up user using their PC name:

var grCI = new GlideRecord('cmdb_ci');
grCI.addQuery('name', grabContent(email.body_text, "Computer: ", ".wagged.local"));
grCI.query();
gs.log('grCI Query: ' + grCI.getEncodedQuery() + ' = ' + grCI.getRowCount());
if(grCI.next()) {
gs.log('Found caller from CI');
current.caller_id = grCI.assigned_to.sys_id;
caller = grCI.assigned_to.sys_id;
current.u_computer_name = grCI.sys_id;
current.comments = "received from: " + email.origemail + "\n\n" + email.body_text + grCI.assigned_to.location;
current.location = grCI.location;
}else{

gs.log('CI Not Found ');
var sid = new GlideRecord('sys_user');
sid.get('email', email.from);
current.caller_id = sid;
current.comments = "received from: " + email.origemail + "\n\n" + email.body_text + sid.location;
}
current.u_business_service.setDisplayValue('FireAmp');
current.category.setDisplayValue('Other');
current.subcategory.setDisplayValue('Infected');
current.assignment_group.setDisplayValue('Service Desk');
current.state = 1;
current.urgency = 1;
current.contact_type = "Automated Alert";
current.state = 1;
current.short_description = "Attention — FireAmp Security: Action Required — Machine Infected";
current.insert(); }

function grabContent(str, startCon, endCon) {
var startLen = startCon.length;
var s = str.indexOf(startCon);
var e = str.indexOf(endCon);
var scrape = str.substring(s+startLen, e);
return scrape;
}

event.state="stop_processing";

PeterWiles · ‎08-05-2014

In the second part when you are looking for the user PC details, can you not do this first?

So:

Get email details.

Check computer name and get assigned user

Do look-up against the incidents table to look for your criteria:

If found update

if NOT found, create new.

But for virus alerts. I assume this is against the CI and not the user so maybe you just need to look up the category/subcategory/CI fields and leave off everything else? Though this would depend on your process.

Pete

jstoneiii · ‎08-05-2014

Right Pete,I need to Quey off of Subcategory and the CI. On our Incideent form there is a field called Computer Name which essentially replaces the field called Configuration Item. So check for Incident open under those two criteria.

Any advice is appreciated!!!!

PeterWiles · ‎08-05-2014

Hope the below makes sense. I have not put in the full code snippets but you should be able to copy and paste the call logging parts from your code.

//Get user/CI details

var grCI = new GlideRecord('cmdb_ci');

grCI.addQuery('name', grabContent(email.body_text, "Computer: ", ".wagged.local"));

grCI.query();

gs.log('grCI Query: ' + grCI.getEncodedQuery() + ' = ' + grCI.getRowCount());

if(grCI.next()) {

gs.log("Found CI');

//Do lookup on incident table for any outstanding calls

var grInc = new GlideRecord('incident');

grIInc.addQuery("subcategory", "Infected");

grlInc.addQuery("cmdb_ci", grCI.sys_id);

grlInc.addQuery("active" true); //Probably need to change this to your active states.

grlInc.query();

if(grlnc.next())

{

//Call found so update call with details from the email.

}

else

{

//No call found so log call against the CI and assigned user

}

else

{

gs.log("CI not found so log a generic call");

}