Set Security Incident Severity from the Severity from the Service Now Alert
‎06-24-2020 11:30 AM
I am utilizing an Alert Management Rule (copied the OOB 'create a security incident for critical alerts' and adjusted the Alert filter) to create Security Incidents. We use the Severity from the Security Incident to trigger our SLA definitions. How do I copy the Severity setting from the Alert (em_alert) table so it reflects in the Security Incident? It always seems to go to the Default Severity of 2-Medium. The subflows applied to the Alert Management rule are 'Acknowledge Alert' and 'Create Task (legacy)'.
Labels: Security Incident Response
‎06-24-2020 08:01 PM
Balaji -
1. I tested to match a calculator with a 'Contains' condition and manually set the Severity and that worked but I don't feel this would scale very well.
2. I found the Business Rule 'Calculate Severity' and actually disabled it; it didn't seem to change the outcome to preserve the Alert Severity. Would I need to write a script to handle the setting of Severity? Would it be possible to get the Severity from the Alert table record?
3. The OOB 'create Security Incident from alert' was an Alert Management rule. I tried to use a subflow and action to set the Severity Field. I had an 'Action' added to the 'Create task (legacy)' subflow that took the input.severity = output.severity. I ran the Workflow designer test against this Action and the output.severity was whatever was set for the input, but it still didn't set the Incident Severity correctly. As for Field Mapping, I tried to use this for a single field: Alert (em_alert) table 'resource' to Security Incident (sn_si_incident) mapped to 'u_resource' (I created a custom field in the form), but it didn't have anything on the Security Incident resource field when the Incident was created.
‎06-25-2020 12:28 AM
Hi Kyles,
What was the priority on alert and what was set on SIR?
You need to consider calculators and I recommend not to ignore those, because they make use of well-defined attributes. What I will suggest is to write a BR on the SIR table which will run after insert and after the Calculate Severity BR, which will look at your alert attached to this SIR and just set the Severity.
This way you apply this logic to only the SIR originating from Alert and not to other areas of SIR.
Thanks,
Ashutosh
‎06-25-2020 02:05 PM
Can you provide a screenshot of your flow/subflow? I believe you can still achieve it with the flow itself, and probably there could be some logic issue within the flow that blocks it from setting the correct values.
‎06-25-2020 12:05 PM
Ashutosh,
Thank you for the suggestions on the Business Rule. I went back to enabling everything to get back to a clean slate. I created a Business Rule but had to have its order lower than the Calculate Severity. I also have it at 'begin' as when it was set to 'after' the Severity was still at '2-Medium' instead of '3-Low'. I figure I will have to build out either several rules or create a script to handle the various implementations I need.
There are several fields in the Alert form I would like added into the Security Incident; is the best way to use Field Mapping? Do you know if there is any documentation on what order things fire in? Like Alert Management Rule, then Business Rule, then Severity Calculator, then Field Mapping, and so on.
I appreciate all the assistance already given from everyone,
Kyle
‎06-26-2020 07:55 AM
Hi,
There is a process and, yes, an order in which these are executed:
1) Alert Management rule
2) Before BR
3) Field Mapping
4) BR triggers the Severity calculation.
I would suggest going with field mapping, but then with the custom field, or have an after-insert BR on SIR which will go to the Alert, bring the Severity and update the Severity.
Thanks,
Ashutosh
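As an added example (not posted by anyone in this thread and not ServiceNow's own code), this is what the after-insert Business Rule Ashutosh describes could look like: it runs on sn_si_incident after the Calculate Severity rule, looks up the em_alert that spawned the record and copies a mapped severity across. Two things are assumptions: that the em_alert.incident reference holds the SIR's sys_id, and the severity mapping table (em_alert uses 1 Critical to 5 Info, sn_si_incident uses 1 High/2 Medium/3 Low, so a mapping is unavoidable). GlideRecord is replaced by a small in-memory stand-in so the logic can be run offline in Node; on the platform only the first two functions go into the rule's script, with `current` as the implicit record.

```javascript
// Added example: after-insert Business Rule on sn_si_incident that copies the
// originating alert's severity. ASSUMPTIONS: em_alert.incident references the
// SIR sys_id; ALERT_TO_SIR_SEVERITY fits your SLA definitions. GlideRecord is
// stubbed below so this file runs in Node; it is not the platform API.

// em_alert severity (1 Critical .. 5 Info) -> SIR severity (1 High, 2 Medium, 3 Low).
var ALERT_TO_SIR_SEVERITY = { '1': '1', '2': '1', '3': '2', '4': '3', '5': '3' };

function mapAlertSeverity(alertSeverity) {
  var sev = ALERT_TO_SIR_SEVERITY[String(alertSeverity)];
  return sev === undefined ? null : sev;   // null: keep the calculator's result
}

// Business Rule body. Table: sn_si_incident, When: after, Insert: true,
// Order: higher than the 'Calculate Severity' rule so this one runs last.
function setSeverityFromAlert(current, GlideRecordCtor) {
  var alert = new GlideRecordCtor('em_alert');
  alert.addQuery('incident', current.getUniqueValue());
  alert.orderByDesc('sys_created_on');     // newest linked alert wins
  alert.setLimit(1);
  alert.query();
  if (!alert.next()) {
    return false;                          // SIR did not originate from an alert
  }
  var sev = mapAlertSeverity(alert.getValue('severity'));
  if (sev === null || sev === current.getValue('severity')) {
    return false;                          // nothing to change
  }
  current.setValue('severity', sev);
  current.setWorkflow(false);              // do not re-fire rules/notifications
  current.update();                        // explicit update needed in an after rule
  return true;
}

// ---- In-memory stand-in for GlideRecord (constructed data; not the platform) ----
var TABLES = {
  em_alert: [
    { sys_id: 'alert001', incident: 'sir001', severity: '4',   // 4 = Warning
      sys_created_on: '2020-06-24 11:30:00' }
  ],
  sn_si_incident: [
    { sys_id: 'sir001', severity: '2' }                        // default 2 = Medium
  ]
};

function FakeGlideRecord(table) {
  this.table = table; this.filters = []; this.rows = []; this.row = null;
  this.limit = Infinity; this.sortDesc = null;
}
FakeGlideRecord.prototype.addQuery = function (f, v) { this.filters.push([f, String(v)]); };
FakeGlideRecord.prototype.orderByDesc = function (f) { this.sortDesc = f; };
FakeGlideRecord.prototype.setLimit = function (n) { this.limit = n; };
FakeGlideRecord.prototype.query = function () {
  var self = this;
  this.rows = TABLES[this.table].filter(function (r) {
    return self.filters.every(function (fv) { return String(r[fv[0]]) === fv[1]; });
  });
  if (this.sortDesc) {
    var k = this.sortDesc;
    this.rows.sort(function (a, b) { return a[k] < b[k] ? 1 : a[k] > b[k] ? -1 : 0; });
  }
  this.rows = this.rows.slice(0, this.limit);
};
FakeGlideRecord.prototype.next = function () {
  if (this.rows.length === 0) return false;
  this.row = this.rows.shift(); return true;
};
FakeGlideRecord.prototype.get = function (sysId) {
  this.filters = [['sys_id', String(sysId)]]; this.query(); return this.next();
};
FakeGlideRecord.prototype.getValue = function (f) { return this.row[f]; };
FakeGlideRecord.prototype.setValue = function (f, v) { this.row[f] = v; };
FakeGlideRecord.prototype.getUniqueValue = function () { return this.row.sys_id; };
FakeGlideRecord.prototype.setWorkflow = function () {};
FakeGlideRecord.prototype.update = function () { this.updated = true; };

// Simulate the rule firing for the newly inserted SIR 'sir001' (alert severity 4).
function runExample() {
  var current = new FakeGlideRecord('sn_si_incident');
  current.get('sir001');
  var changed = setSeverityFromAlert(current, FakeGlideRecord);
  return { changed: changed, severity: current.getValue('severity') };
}
```

Keeping the mapping in one table makes the SLA impact reviewable in a single place, and returning early when no alert is linked keeps the rule from touching SIRs created by other means, which is the scoping Ashutosh's reply asks for. If the rule is moved to a before-insert rule instead, drop the `update()` call and check that its order puts it after the Calculate Severity rule, or the calculator will overwrite the value.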
