- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-17-2020 11:59 AM
I have created two SLAs setup for Low and Medium Severity. I have an inbound email action to manually set the Severity to 3-Low if the Subject has Low and an email action to set the Medium email subject Severity to 2-Medium. The Security incident that is created from the Medium email has the Severity set to 2-Medium and only the Medium SLA is applied. However when the Security Incident is created for the Low email, the Severity is set to 3-Low but both Medium and Low SLA are applied.If I change the SLA start condition to look at the Subject the correct SLAs are applied; Low only gets the Low SLA and Medium only gets the Medium SLA. I have tried to disable all the Security Incident Calculators Group > Severity and also disabled the Calculate Severity Business rule. Where else would the Severity be manipulated to cause both Low and Medium SLAs to be applied to the Low Security Incident?
Solved! Go to Solution.
- Labels:
-
Security Incident Response
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-18-2020 02:50 PM
Kyles - can you try this?
Set all your field value in the script block itself (specifically the Severity field value setting) before the current.insert() code line. (I suspect, the field action takes place after the script execution).
Let me know whether it helps.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-17-2020 12:07 PM
It sounds like when your Security Incident is getting inserted, the default value of Severity is saved (which is 2-Medium) and that fires the SLA. Try to adjust your SLA definition to handle this scenario.
And how/when are you setting the severity for the security incidents?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-17-2020 12:20 PM
I set the Severity with the Inbound Email Actions. If 2-Medium is the default, it would make sense that the Medium SLA is always applied to both Incidents, but when i check the Severity on the Low incident, it is set to 3-Low. Would that indicate the SLA is applied before the Severity Field is updated by the Inbound Email Action? I am using the Field Action settings not running a script for the field update.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-18-2020 01:12 AM
Hi,
Can you show the Conditions?
Thanks,
Ashutosh
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-17-2020 01:16 PM
Are you using the OOB inbound email actions or ones that you created?
Do you have separate inbound email actions for the different severity levels? If so, why and have you considered combining them with conditions in the script?
What are the "When to run" conditions for new and forwarded actions?
