How to auto-generate Incident tickets for specific AWS Findings in ServiceNow

J_19
Kilo Contributor

This is my first post to this forum and I'm not a developer...more of a sort-of super-user trying to help solve a problem.

We have implemented the AWS Connector so that AWS Findings are automatically sent to ServiceNow as Findings. We would like to be able to auto-generate an Incident ticket only for certain/specific Findings...those where Product Name = GuardDuty. Most of what I've read has suggested using an after-insert business rule for this type of thing.

I've seen that the SN "Findings" page has a "Create Incident" button, but we would prefer the tickets to auto-generate.  I think I found the UI Action "Create Incident" on the "Finding" table and the associated Script Include "IncidentRepo", but what I've read in the forum is that one can't execute a UI Action from a business rule.  The general suggested solution seems to be along the lines of "The safest way to do it would be to create a new After Insert/Update Business Rule and copy/paste the code from the UI Action into the BR".

I've created an after-insert business rule on the Finding table to trigger when the Product Name in the Finding starts with "GuardDuty".

I accessed the "Create Incident" UI Action on the "Finding" table.

And copied over the code to the "Advanced" tab of the business rule... code below.

I didn't keep any of the conditions because I didn't want these to possibly preclude an Incident ticket from being generated for every GuardDuty insert into the Finding table; nor did I include the code for the screen message.

I then tried to add additional code to retrieve the newly created incident ticket to update a couple of our custom fields.

No incident ticket is being generated and, not being a developer, I admit I'm pretty lost. Can anyone help please?

 

(function executeRule(current, previous /*null when async*/) {

    var finding = current;
    var incident = new IncidentRepo().insertOrUpdateFromFinding(finding);

    // Update custom fields on the newly created incident ticket
    var incident_ticket = new GlideRecord('incident');
    incident_ticket.addQuery('number', finding.awsincident);
    incident_ticket.query(); // Execute the query

    if (incident_ticket.next()) {
        incident_ticket.setValue('assignment_group', "d6720ecedb0f93004d9e74608c96199e");
        incident_ticket.setValue('u_enviroment', "Production");
        incident_ticket.update();
    }

})(current, previous);

Ron Legters
ServiceNow Employee

Hi J -

I don't have experience with AWS Connector, so I'm waiting to be approved to install it on a dev instance so I can give more specific advice, but a couple things I'd start with:

Add a log statement or message right at the top to see if your Business Rule is even getting triggered:

(function executeRule(current, previous /*null when async*/) {

    gs.info('The BR is firing'); // or something
    var finding = current;

Also, I don't think you need to do a GlideRecord query to get the incident record. The code in the UI action looks like the 'IncidentRepo()' script include returns a glide record, so you should be able to use:

    incident.assignment_group = 'd6720ecedb0f93004d9e74608c96199e';
    incident.u_environment = 'Production';
    incident.update();

I just got approved for that install, so I'll install it and dig into that Script Include to see if I can give you some more specific advice.

J_19
Kilo Contributor

Hi Ron!

Thanks so much for your response!

I did as you suggested and added a log message to the business rule and found it in the Transaction logs, so this does confirm that the business rule is being triggered.

Janet


J_19
Kilo Contributor

Ron,

I think I've figured it out.

The logs were showing "IncidentRepo" as undefined.

I was creating the business rule in the Application scope of "Global".

All of the AWS Findings are in the Application scope "AWS Service Management Connector".

In my settings, "Developer" option, I changed the Application from "Global" to "AWS Service Management Connector", then when I re-created the business rule, it did it in that scope.

Then when I ran the business rule, it worked.

And you were right about not needing a GlideRecord for the additional updates to the Incident table.

Thanks for your help!

Janet
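
The fix this thread arrives at, written out as an added example (not code from the posts above or from the connector): the rule uses the record returned by IncidentRepo directly and logs the "IncidentRepo undefined" case that appears when the rule is created outside the connector's application scope. The helper name `createIncidentForFinding`, its `Repo`/`log` parameters and the stub objects are assumptions made so the logic can run under Node.

```javascript
// Values from the thread; the custom field name must match the one defined on your instance.
var INCIDENT_DEFAULTS = {
    assignment_group: 'd6720ecedb0f93004d9e74608c96199e',
    u_environment: 'Production'
};

// Hypothetical helper: Repo and log are passed in so the logic runs outside ServiceNow.
// Inside the business rule (created in the connector's application scope) the call is:
//   createIncidentForFinding(current, typeof IncidentRepo === 'undefined' ? undefined : IncidentRepo, gs);
function createIncidentForFinding(finding, Repo, log) {
    // In the Global scope the connector's Script Include does not resolve,
    // which is the "IncidentRepo undefined" failure from the thread.
    if (typeof Repo !== 'function') {
        log.error('IncidentRepo is undefined: is this rule in the connector scope?');
        return null;
    }
    // Per the thread, the call returns the incident record, so no second query is needed.
    var incident = new Repo().insertOrUpdateFromFinding(finding);
    if (!incident) {
        log.error('No incident returned for finding');
        return null;
    }
    Object.keys(INCIDENT_DEFAULTS).forEach(function (field) {
        incident.setValue(field, INCIDENT_DEFAULTS[field]);
    });
    incident.update();
    log.info('Incident updated for GuardDuty finding');
    return incident;
}

// Constructed stand-ins for the platform objects, for running under Node.
function makeLog() {
    var lines = [];
    return { lines: lines,
             info: function (m) { lines.push('INFO ' + m); },
             error: function (m) { lines.push('ERROR ' + m); } };
}
function StubRepo() {}
StubRepo.prototype.insertOrUpdateFromFinding = function (finding) {
    var values = { short_description: finding.title };
    return { values: values, saved: false,
             setValue: function (k, v) { values[k] = v; },
             update: function () { this.saved = true; } };
};

var demoLog = makeLog();
var demoIncident = createIncidentForFinding({ title: 'constructed GuardDuty finding' }, StubRepo, demoLog);
console.log(demoIncident.values, demoLog.lines);
console.log(createIncidentForFinding({}, undefined, demoLog), demoLog.lines);
```

The "Product Name starts with GuardDuty" filter stays in the rule's condition builder, as in the original post, so the script itself does not check it.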

Ron Legters
ServiceNow Employee

You're very welcome. Glad you figured it out!