Automatic closure of child security incidents / group security incidents

Lana3 · ‎04-04-2024

Hi,

We are looking into a solution to automatically close the child security incidents when the parent security incident is already closed. We would be expecting that the child security incidents will also be closed, but currently this is not the case.

How have others done this? We have a lot of similar security incidents which we would like to group.

Onkar Pandav · ‎04-04-2024

Hi,

Create After Update Business Rule on Parent Security Incident Table

Condition: State -- Chnages To -- Closed

var gr = new GlideRecord('<child security table backend name>');
gr.addQuery('<field backend name>', current.sys_id); // Replace field backend name with the field where parent incident number is mentioned
gr.query();
while(gr.next()) {
	gr.state = '<value for closed state>'; // Enter backend value given for the Closed state option
	gr.update();
}

Harish_K07 · ‎04-04-2024

Hi Lana,

Do you want to run a script automatically to check the security incidents on a daily basis and close them if thier parent incident is already closed? Then you need to place a scheduled job to run a script which should (preferably) execute during the non-business hours. The script should be something similar to below -

var grIncident = new GlideRecord('incident');
grIncident.addEncodedQuery('sys_class_name=incident^parent_incident!=NULL^active=true^parent_incident.state=7');
grIncident.query();

while(grIncident.next()){
	grIncident.setValue('state', '7');
	grIncident.setValue('close_code', 'Solution provided');
	grIncident.setValue('close_notes', 'Solution provided');
	grIncident.setValue('active', 'false');
	grIncident.update();
}

Or, do you want to check the state of the child security incidents and close them automatically whenever a parent security incident is closed? Then configure a Before BR or Async BR on update with a condition of 'State Changes to Closed/Resolved' and add the following code -

var grIncident = new GlideRecord('incident');
grIncident.addEncodedQuery('sys_class_name=incident^parent_incident='+current.sys_id+'^active=true');
grIncident.query();

while(grIncident.next()){
	grIncident.setValue('state', '7');
	grIncident.setValue('close_code', 'Solution provided');
	grIncident.setValue('close_notes', 'Solution provided');
	grIncident.setValue('active', 'false');
	grIncident.update();
}

If my response solves your issue, please mark it as helpful/accepted solution.

Best Regards,

Harish

andy_ojha · ‎04-04-2024

Hey there - sounds like we might have a disconnect.

Baseline in SecOps SIR - there is a Business Rule named "Close child security incidents", on the <sn_si_incident> table

When using the "Parent Security Incident" field - this will forcefully Close Child Security Incidents, when their Parent Security Incident is Closed

Can you verify that you have that Business Rule, and it is Active / not modified or customized?

You should also see on the Child Security Incidents, this worknote when the Parent Security Incident is Closed...

If the Child Security Incident, has any open Response Tasks -> it will also set the State to Cancelled on those SITs (Response Tasks).