Automatic closure of child security incidents / group security incidents
04-04-2024 01:58 AM
Hi,
We are looking into a solution to automatically close the child security incidents when the parent security incident is already closed. We would be expecting that the child security incidents will also be closed, but currently this is not the case.
How have others done this? We have a lot of similar security incidents which we would like to group.
04-04-2024 04:00 AM
Hi,
Create an After Update Business Rule on the Parent Security Incident table
Condition: State -- Changes To -- Closed
var gr = new GlideRecord('<child security table backend name>');
gr.addQuery('<field backend name>', current.sys_id); // Replace field backend name with the field where parent incident number is mentioned
gr.query();
while (gr.next()) {
    gr.state = '<value for closed state>'; // Enter backend value given for the Closed state option
    gr.update();
}
04-04-2024 09:59 AM - edited 04-04-2024 10:00 AM
Hi Lana,
Do you want to run a script automatically to check the security incidents on a daily basis and close them if their parent incident is already closed? Then you need to place a scheduled job to run a script which should (preferably) execute during the non-business hours. The script should be something similar to below -
// Active child incidents whose parent incident is already in state 7
var grIncident = new GlideRecord('incident');
grIncident.addEncodedQuery('sys_class_name=incident^parent_incident!=NULL^active=true^parent_incident.state=7');
grIncident.query();
while (grIncident.next()) {
    grIncident.setValue('state', '7');
    grIncident.setValue('close_code', 'Solution provided');
    grIncident.setValue('close_notes', 'Solution provided');
    grIncident.setValue('active', 'false');
    grIncident.update();
}
Or, do you want to check the state of the child security incidents and close them automatically whenever a parent security incident is closed? Then configure a Before BR or Async BR on update with a condition of 'State Changes to Closed/Resolved' and add the following code -
// Active child incidents of the record that triggered the Business Rule
var grIncident = new GlideRecord('incident');
grIncident.addEncodedQuery('sys_class_name=incident^parent_incident=' + current.sys_id + '^active=true');
grIncident.query();
while (grIncident.next()) {
    grIncident.setValue('state', '7');
    grIncident.setValue('close_code', 'Solution provided');
    grIncident.setValue('close_notes', 'Solution provided');
    grIncident.setValue('active', 'false');
    grIncident.update();
}
If my response solves your issue, please mark it as helpful/accepted solution.
Best Regards,
Harish

04-04-2024 10:26 AM - edited 04-04-2024 10:28 AM
Hey there - sounds like we might have a disconnect.
Baseline in SecOps SIR - there is a Business Rule named "Close child security incidents", on the <sn_si_incident> table
- When using the "Parent Security Incident" field - this will forcefully Close Child Security Incidents, when their Parent Security Incident is Closed
Can you verify that you have that Business Rule, and it is Active / not modified or customized?
You should also see on the Child Security Incidents, this worknote when the Parent Security Incident is Closed...
If the Child Security Incident has any open Response Tasks -> it will also set the State to Cancelled on those SITs (Response Tasks).
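
One way to run the check asked for in the last reply, as an added example that is not part of any post in this thread and not ServiceNow's own code: it looks up the Business Rule in sys_script by the name and table given above and reports whether it is active. The names checkCloseChildRule and makeFakeGlideRecord, the sample row and the user example.admin are constructed for illustration; on an instance, pass the platform's GlideRecord instead of the stand-in.

```javascript
// Added example. In a ServiceNow background script call
// checkCloseChildRule(GlideRecord); the fake below is a constructed
// stand-in so the same logic also runs offline.
function checkCloseChildRule(GR) {
  var rule = new GR('sys_script');                 // Business Rule table
  rule.addQuery('name', 'Close child security incidents');
  rule.addQuery('collection', 'sn_si_incident');   // table the rule runs on
  rule.query();
  if (!rule.next()) {
    return { status: 'missing' };
  }
  // Boolean fields come back from getValue() as '1'/'0'; accept 'true' too.
  var active = String(rule.getValue('active'));
  return {
    status: (active === '1' || active === 'true') ? 'active' : 'inactive',
    // Last editor and modification count: review these by hand to judge
    // whether the baseline rule was modified or customized.
    updatedBy: rule.getValue('sys_updated_by'),
    modCount: parseInt(rule.getValue('sys_mod_count'), 10)
  };
}

// Constructed in-memory stand-in for GlideRecord
// (supports addQuery/query/next/getValue only).
function makeFakeGlideRecord(rows) {
  function Fake(table) { this.table = table; this.filters = []; this.i = -1; }
  Fake.prototype.addQuery = function (f, v) { this.filters.push([f, v]); };
  Fake.prototype.query = function () {
    var fs = this.filters;
    this.hits = (rows[this.table] || []).filter(function (r) {
      return fs.every(function (p) { return r[p[0]] === p[1]; });
    });
  };
  Fake.prototype.next = function () { return ++this.i < this.hits.length; };
  Fake.prototype.getValue = function (f) { return this.hits[this.i][f]; };
  return Fake;
}

// Constructed sample data: the rule exists but has been deactivated.
var SAMPLE = { sys_script: [{
  name: 'Close child security incidents', collection: 'sn_si_incident',
  active: '0', sys_updated_by: 'example.admin', sys_mod_count: '3'
}] };
console.log(checkCloseChildRule(makeFakeGlideRecord(SAMPLE)));
```

A result of 'missing' or 'inactive' would explain child security incidents staying open after the parent is closed.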