I am trying to setup SLAs for Security Incidents based on Severity but i am getting multiple SLAs applied

kyles · ‎06-17-2020

I have created two SLAs setup for Low and Medium Severity. I have an inbound email action to manually set the Severity to 3-Low if the Subject has Low and an email action to set the Medium email subject Severity to 2-Medium. The Security incident that is created from the Medium email has the Severity set to 2-Medium and only the Medium SLA is applied. However when the Security Incident is created for the Low email, the Severity is set to 3-Low but both Medium and Low SLA are applied.If I change the SLA start condition to look at the Subject the correct SLAs are applied; Low only gets the Low SLA and Medium only gets the Medium SLA. I have tried to disable all the Security Incident Calculators Group > Severity and also disabled the Calculate Severity Business rule. Where else would the Severity be manipulated to cause both Low and Medium SLAs to be applied to the Low Security Incident?

Balaji Jagannat · ‎06-18-2020

Kyles - can you try this?

Set all your field value in the script block itself (specifically the Severity field value setting) before the current.insert() code line. (I suspect, the field action takes place after the script execution).

Let me know whether it helps.

View solution in original post

kyles · ‎06-19-2020

Balaji,

That seemed to do the trick. I moved all the field values into the script box and that seemed to fix the issue. The SLAs are now being applied only to the appropriate Incidents.

Thank you

Vinay34 · ‎11-30-2020

Hey Team,

1. I see Inbound Email Action is creating a incident with provided Actions upon receiving an email. How does the SLA definition and Inbound Email Actions are related in this conversation?

2. When I created new Action to update severity, I see two incidents created- one with default and other with newly created Action. Can we eliminate this duplication by any means other than deactivating the Create Incident Action?