PA Threshold Notification - Create an INC

Go to solution
Ivan39
Tera Contributor

‎05-21-2024 11:24 AM

I have a PA dashboard that tracks number of security incidents created per day. I set Threshold where if over 3000 security incidents are created, send a notification. We want to generate an INC after the threshold is breached and assign it to our team. Any suggestions I can do to generate an INC? Possibly using Email Notification Script?

0 Helpfuls
  • 793 Views
1 ACCEPTED SOLUTION

Go to solution
James Chun
Kilo Patron

‎05-21-2024 01:49 PM

Hi @Ivan39,

 

It looks like the notification is triggered by an event - pa.job.threshold.notification

You should be able to write a Script Action to trigger some script when the event is fired.

Of course, you would want to add some condition that the Script Action is triggered only for a specific threshold.

 

Cheers

View solution in original post

0 Helpfuls
3 REPLIES 3

Go to solution
James Chun
Kilo Patron

‎05-21-2024 01:49 PM

Hi @Ivan39,

 

It looks like the notification is triggered by an event - pa.job.threshold.notification

You should be able to write a Script Action to trigger some script when the event is fired.

Of course, you would want to add some condition that the Script Action is triggered only for a specific threshold.

 

Cheers

0 Helpfuls

Go to solution
Ivan39
Tera Contributor
In response to James Chun

‎05-24-2024 01:33 PM

Thank you for your response. I think Script Action should do the job. Do I create this condition like this?

 

(function executeRule(current, previous /*null when async*/ ) {
    // Check if the PA threshold is breached
    var threshold_name = current.getValue('b3cd51ea1b4b7d102f72646fbd2bcb2b');
    if (Number(threshold_name) >= 100) {
        // Create a new incident
        gs.info('Condition is met for PA Threshold of # of SIRs');
        var incident = new GlideRecord('incident');
        incident.initialize();
        incident.short_description = 'Number of Security Incidents Breached the Limit of 100';
        incident.description = 'The PA threshold of ' + '100' + ' was breached.';
        incident.assignment_group.setDisplayValue('SIRT');
        incident.insert(); // Insert the new incident record
    }
})(current, previous);
0 Helpfuls

Go to solution
James Chun
Kilo Patron
In response to Ivan39

‎05-24-2024 02:14 PM

I have not tested this but it looks like the current object refers to a Threshold [pa_thresholds] record.

And my guess is that pa.job.threshold.notification event will be triggered when a score surpasses a threshold, so you can use a script something like the following;

(function createIncidentThrehold(){
	//Check if the event was triggered from the threshold record we want
	if( current.getUniqueValue() == 'use your [pa_thresholds] sys_id') 
	{
		//create incident;
	}
})();

 

This is just an example, you can use different conditions such as using the value of the Indicator and Condition.

JamesChun_0-1716585183861.png

Also, you may want to consider checking if there is an active Incident from the event before creating another one.

 

Cheers

0 Helpfuls