How to create an SLA in Security incident response application for 24 hours Response SLA timeline
4 weeks ago
Hello Community,
I’ve received a customer requirement to implement a 24-hour SLA timer for response and reporting purposes. The SLA should start when an analyst begins working on a specific security incident by creating a Response task and either assigning it to themselves or to an assignment group with an assigned user.
The requirement is that the analyst must report the status of the security incident to a third party before 75% of each 24-hour cycle is reached. Once the 24 hours are complete, the SLA timer should automatically restart, continuing to remind (via alert notifications) the analyst to send the report before the 75% mark.
This cycle should repeat until the security incident moves to the Review or Closed state.
Do I need to create a scheduled job to restart the 24-hour SLA?
4 weeks ago
Why are you using the SLA functionality for this? Why not create a simple flow that handles the entire thing?
Trigger it on the creation of the response task and then use 'do the following until'. The 'until' condition is the state moving to review or closed and the 'do the following' is 'wait for 17 hours -> send notification -> wait for 7 hours' (17 hours to give an hour to respond).
You can still run the SLA timer for reporting purposes (although, reporting on a restarting SLA record doesn't really make sense), but the flow can take care of your reminders.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark