Set Security Incident Severity from the Severity from the Service Now Alert

kyles
Kilo Contributor

‎06-24-2020 11:30 AM

I am utilizing an Alert Management Rule (copied the OOB 'create a security incident for critical alerts' and adjusted the Alert filter) to create Security Incidents. We use the Severity from the Security Incident to trigger our SLA definitions. How do i copy the Severity setting from the Alert (em_alert) table so it reflects in the Security Incident? It always seems to go to the Default Severity of 2-Medium. The subflows applied to the Alert Management rule are 'Acknowledge Alert' and 'Create Task (legacy)'.

Labels:
0 Helpfuls
  • 2,703 Views
29 REPLIES 29

kyles
Kilo Contributor

‎06-25-2020 03:11 PM

The subflow i am using is the Create Task (legacy) and added an action.

find_real_file.png

The Action 'Copy Values (Based On The Alert)' is a copy of the 'Create Values (Cased On The Alert' which is OOB not custom. The only thing I added was a line at the end of the script - 

outputs.severity = inputs.severity;

When I run a test on this Action within the Flow Designer, the outputs severity matches the input.severity.

Preview file
130 KB
0 Helpfuls

kyles
Kilo Contributor

‎06-26-2020 07:37 AM

I thought of a different idea to try. The sole purpose of this was to get the SLA definitions associated to the appropriate Severity of the Alerts. I am attempting to use Field Mapping from the Alert (EM_Alert) Severity field to a Custom field - Alert Severity I created on the Security Incident table (sn_si_incident). This way I can set the SLA to this field and let all the ServiceNow functionality built in to stay default. 

The problem is the field mapping doesn't seem to be working properly. Do I keep this POST open or start a separate one?

Thanks again everyone for your time on this.

 

0 Helpfuls

Ashutosh Munot1
Kilo Patron
Kilo Patron
In response to kyles

‎06-26-2020 07:56 AM

HI,

Can you show the field mapping you used?


Thanks,
Ashutosh

0 Helpfuls

kyles
Kilo Contributor

‎06-26-2020 08:10 AM

This is the field mapping I created. Does it need to be a referenced table to each other or by indicating the source table and destination table it can function.

find_real_file.png

Does the field mapping trigger automatically or does it need something else to fire it?

 

Preview file
47 KB
0 Helpfuls

Ashutosh Munot1
Kilo Patron
Kilo Patron
In response to kyles

‎06-26-2020 10:39 AM

HI,

Yes they trigger automatically.

The value on SIR for Severity is different and on alert table is different so there will be an issue again. 

In SIR we have High, medium and low and on Alert its different. I think you need to use value transform to get this work.


Thanks,
Ashutosh

0 Helpfuls