Scheduled script for setting state of Security Incidents from Review to Closed after 3 days

modonnell · 3 weeks ago

Hello - trying to make a scheduled job to run a script that will go through all of the Security Incidents currently in the Review state that hasn't been updated in 3 days, and set the state to Closed. The Security Incidents will already have all the required fields when setting it to Review.

The below script I made is not doing anything when i hit the Execute Now button, any ideas what I am doing wrong here? First time trying to write a script in SN. Thank you.

try {

var grSSR = new GlideRecord('sn_si_incident');

grSSR.addQuery("active", "true");

grSSR.addQuery("state", "100"); // review

var threeDaysAgo = new GlideDateTime();

threeDaysAgo.addDaysUTC(-3);

grSSR.addQuery('sys_updated_on', '<', threeDaysAgo);

grSSR.setLimit(1); // <- this is "( 1 )" without spaces here, keeps changing to icon.

grSSR.query();

while (grSSR.next()) {

grSSR.state = 3; // closed

grSSR.closed_at = new GlideDateTime();

grSSR.closed_by = grSSR.assigned_to; // Set Closed By field to the current assigned to.

grSSR.update();

}

} catch (e) {

gs.error(e.message);

}

Bhimashankar H · 3 weeks ago

Hi @modonnell

First of all, ensure you have the record in review state and has not been update for last 3 days.

Use below script and check the potential records that will update

(function() {
  try {
    // Compute threshold: 3 calendar days ago (UTC)
    var threeDaysAgo = new GlideDateTime();
    threeDaysAgo.addDaysUTC(-3);

    // Validate state values for SIR
    // Common mapping (verify in your instance):
    // Review (e.g., 100), Closed (e.g., 3). Change to match sn_si_incident dictionary.
    var STATE_REVIEW = '100';
    var STATE_CLOSED = '3';

    // Query reviews older than 3 days and still active
    var gr = new GlideRecord('sn_si_incident');
    gr.addActiveQuery();
    gr.addQuery('state', STATE_REVIEW);
    gr.addQuery('sys_updated_on', '<', threeDaysAgo);
    gr.query();

    var matched = 0, closed = 0;
    while (gr.next()) {
      matched++;

      // Populate mandatory closure fields for SIR (adjust to your dictionary)
      // If Close code/notes are required, set them before closing.
      if (!gr.getValue('close_code')) gr.setValue('close_code', 'Resolved'); // adjust valid choice
      if (!gr.getValue('close_notes')) gr.setValue('close_notes', 'Auto-closed after 3 days in Review state.');

      // Set Closed At/By if business logic expects them
      gr.setValue('closed_at', new GlideDateTime());
      // If you want the assignee to be the closer; otherwise use a dedicated integration user
      gr.setValue('closed_by', gr.getValue('assigned_to') || gs.getUserID());

      // Close the record
      gr.setValue('state', STATE_CLOSED);
      gr.setValue('active', false);

      var sysId = gr.getUniqueValue();
      var res = gr.update();
      if (res) {
        closed++;
        gs.info('Closed SIR: ' + gr.getDisplayValue('number') + ' (' + sysId + ')');
      } else {
        gs.warn('Update failed for SIR: ' + gr.getDisplayValue('number') + ' (' + sysId + ')');
      }
    }
    gs.info('Security Incidents matched: ' + matched + ', closed: ' + closed);
  } catch (e) {
    gs.error('SIR auto-close error: ' + e.message);
  }
})();

You also need to set the value for close code and close notes.

Try this this script in background for only one record and it will show all the info messages.

Thanks,
Bhimashankar H

-------------------------------------------------------------------------------------------------
If my response points you in the right directions, please consider marking it as 'Helpful' & 'Correct'. Thanks!

Bhimashankar H · 3 weeks ago

HI @modonnell ,

I hope you saw my reply.

If my response points you in the right directions, please consider marking it as 'Helpful' & 'Correct'. It will help future readers as well having similar kind of questions and close the thread.

Thanks,
Bhimashankar H