Welcome to Community Week 2025! Join us to learn, connect, and be recognized as we celebrate the spirit of Community and the power of AI. Get the details  

PA Threshold Notification - Create an INC

Go to solution
Ivan39
Tera Contributor

‎05-21-2024 11:24 AM

I have a PA dashboard that tracks number of security incidents created per day. I set Threshold where if over 3000 security incidents are created, send a notification. We want to generate an INC after the threshold is breached and assign it to our team. Any suggestions I can do to generate an INC? Possibly using Email Notification Script?

0 Helpfuls
  • 922 Views
1 ACCEPTED SOLUTION

Go to solution
James Chun
Kilo Patron

‎05-21-2024 01:49 PM

Hi @Ivan39,

 

It looks like the notification is triggered by an event - pa.job.threshold.notification

You should be able to write a Script Action to trigger some script when the event is fired.

Of course, you would want to add some condition that the Script Action is triggered only for a specific threshold.

 

Cheers

View solution in original post

0 Helpfuls
3 REPLIES 3

Go to solution
James Chun
Kilo Patron

‎05-21-2024 01:49 PM

Hi @Ivan39,

 

It looks like the notification is triggered by an event - pa.job.threshold.notification

You should be able to write a Script Action to trigger some script when the event is fired.

Of course, you would want to add some condition that the Script Action is triggered only for a specific threshold.

 

Cheers

0 Helpfuls

Go to solution
Ivan39
Tera Contributor
In response to James Chun

‎05-24-2024 01:33 PM

Thank you for your response. I think Script Action should do the job. Do I create this condition like this?

 

(function executeRule(current, previous /*null when async*/ ) {
    // Check if the PA threshold is breached
    var threshold_name = current.getValue('b3cd51ea1b4b7d102f72646fbd2bcb2b');
    if (Number(threshold_name) >= 100) {
        // Create a new incident
        gs.info('Condition is met for PA Threshold of # of SIRs');
        var incident = new GlideRecord('incident');
        incident.initialize();
        incident.short_description = 'Number of Security Incidents Breached the Limit of 100';
        incident.description = 'The PA threshold of ' + '100' + ' was breached.';
        incident.assignment_group.setDisplayValue('SIRT');
        incident.insert(); // Insert the new incident record
    }
})(current, previous);
0 Helpfuls

Go to solution
James Chun
Kilo Patron
In response to Ivan39

‎05-24-2024 02:14 PM

I have not tested this but it looks like the current object refers to a Threshold [pa_thresholds] record.

And my guess is that pa.job.threshold.notification event will be triggered when a score surpasses a threshold, so you can use a script something like the following;

(function createIncidentThrehold(){
	//Check if the event was triggered from the threshold record we want
	if( current.getUniqueValue() == 'use your [pa_thresholds] sys_id') 
	{
		//create incident;
	}
})();

 

This is just an example, you can use different conditions such as using the value of the Indicator and Condition.

JamesChun_0-1716585183861.png

Also, you may want to consider checking if there is an active Incident from the event before creating another one.

 

Cheers

0 Helpfuls