Set Security Incident Severity from the Severity of the ServiceNow Alert
‎06-24-2020 11:30 AM
I am utilizing an Alert Management Rule (copied the OOB 'create a security incident for critical alerts' and adjusted the Alert filter) to create Security Incidents. We use the Severity from the Security Incident to trigger our SLA definitions. How do I copy the Severity setting from the Alert (em_alert) table so it reflects in the Security Incident? It always seems to go to the Default Severity of 2-Medium. The subflows applied to the Alert Management rule are 'Acknowledge Alert' and 'Create Task (legacy)'.
Labels: Security Incident Response
‎06-26-2020 11:27 AM
I discovered that the Severity fields on each table are different (after I already built it on the SIR Table). I created the custom Field 'Alert Severity' (u_alert_severity) on the Security Incident form and copied the Severity from the Alert Table so that I have the Choices 0-6 instead of 1-3 from the SIR Form. Could this be so difficult because it is in the Security Incident Response App and the Alert is in the Event Management App? It just seems like it doesn't want to work between the individual tables. I would try the most generic field (string) just to make sure it would work from Alert to Security Incident.

‎06-26-2020 11:51 AM
Hi,
I think the Cross Scope setting is already in place.
Let me test this as well for you.
Thanks,
Ashutosh

‎06-26-2020 11:53 AM
Hi,
I see that there is no cross-scope setting from Alert Management to SIR.
As I said, I will try this.
Thanks,
Ashutosh
‎06-26-2020 03:55 PM
Hi Kyle - If you are using Field Mapping for this overall requirement (Alert to SIR), then leverage the OOB "Field Value Transform" feature. Define the conversion rule (like Search value = 1 then Replacement value = 2). You need not create a custom field for this.
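As an added illustration of the search value / replacement value rule described in the reply above (example code written for this thread, not ServiceNow's own code and not Balaji's), the script below maps the em_alert severity choice values onto the three SIR severity values and falls back to 2-Medium for anything it does not recognise. The alert choice labels in the comments, the mapping policy itself, and the names `ALERT_TO_SIR_SEVERITY`, `mapAlertSeverityToSir`, `copySeverity` and `StubRecord` are assumptions; the record arguments are duck-typed (`getValue`/`setValue`) so that on an instance you would pass GlideRecord objects and offline you pass the constructed stubs.

```javascript
// Added example, not code from the thread or from ServiceNow. Maps an Event
// Management alert severity (em_alert.severity, a 0-5/6 choice list) onto the
// three-value Security Incident severity (sn_si_incident.severity: 1 High,
// 2 Medium, 3 Low). Kept to ES5 syntax so it can be pasted into a ServiceNow
// server-side script unchanged; the record objects are duck-typed
// (getValue/setValue), so on an instance you pass GlideRecord objects and
// offline you pass the StubRecord defined at the bottom.

// Conversion rules: the same "search value -> replacement value" idea as the
// Field Value Transform. The alert labels and the policy behind the mapping
// are assumptions; adjust them to your own SLA definitions.
var ALERT_TO_SIR_SEVERITY = {
  '1': '1', // assumed label Critical -> High
  '2': '1', // assumed label Major    -> High
  '3': '2', // assumed label Minor    -> Medium
  '4': '3', // assumed label Warning  -> Low
  '5': '3'  // assumed label Info     -> Low
};
var ALERT_CLEAR = '0';          // assumed label Clear: nothing to escalate
var SIR_DEFAULT_SEVERITY = '2'; // 2-Medium, the default the thread observes

// Returns the SIR severity choice value as a string, null for a Clear alert,
// and the default for any choice value not in the table (e.g. a custom one).
function mapAlertSeverityToSir(alertSeverity) {
  var key = String(alertSeverity).trim(); // getValue() returns strings
  if (key === ALERT_CLEAR) {
    return null;
  }
  if (Object.prototype.hasOwnProperty.call(ALERT_TO_SIR_SEVERITY, key)) {
    return ALERT_TO_SIR_SEVERITY[key];
  }
  return SIR_DEFAULT_SEVERITY;
}

// Copies the mapped severity onto the incident record and reports what it
// did, so the caller can log a fallback instead of silently getting Medium.
function copySeverity(alertRecord, incidentRecord) {
  var from = alertRecord.getValue('severity');
  var to = mapAlertSeverityToSir(from);
  if (to === null) {
    return { applied: false, from: from, to: null, defaulted: false };
  }
  var known = Object.prototype.hasOwnProperty.call(ALERT_TO_SIR_SEVERITY, String(from).trim());
  incidentRecord.setValue('severity', to);
  return { applied: true, from: from, to: to, defaulted: !known };
}

// Offline stand-in for a GlideRecord: only the two methods used above.
function StubRecord(fields) {
  this.fields = fields;
}
StubRecord.prototype.getValue = function (name) {
  return this.fields[name] === undefined ? '' : String(this.fields[name]);
};
StubRecord.prototype.setValue = function (name, value) {
  this.fields[name] = String(value);
};

// Constructed sample: a Minor alert and an incident that came in at the default.
var demoAlert = new StubRecord({ severity: '3' });
var demoIncident = new StubRecord({ severity: SIR_DEFAULT_SEVERITY });
var demoResult = copySeverity(demoAlert, demoIncident);
console.log('alert severity ' + demoResult.from + ' -> SIR severity ' +
  demoIncident.getValue('severity') + (demoResult.defaulted ? ' (fell back to default)' : ''));
```

On an instance both records have to be reachable from the same script (for example the alert and the Security Incident being created by the rule's subflow), and a script that runs in the Event Management scope will only be able to write to sn_si_incident if cross-scope access permits it, which is exactly the question raised elsewhere in this thread.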
‎06-28-2020 07:27 PM
Balaji,
I am not too familiar with the 'Field Value Transform', so I looked at the documentation and it appears to apply to one table. So when the Alert is set to a Severity of Minor and becomes a Security Incident, the Default Value of 2-Medium is what is set in the Security Incident. If it is the default setting the SIR Severity, then I don't really know what the Alert severity was to apply the field transform. It doesn't give me an option to select the em_alert table Severity and transform to the sn_si_incident severity.
I found a video where someone used the Scripts - Background under System Definition. It only runs under the 'global' application but i tried to change the value of a string field in the sn_si_incident table. I received an error that indicated I was not allowed to write to that table. I tried to configure the Application Cross-scope access to allow from SIR to Event Management but it didn't seem to work.
Kyle