forked from shaniacht1/content
automation-ChangeRemediationSLAOnSevChange.yml
args:
- auto: PREDEFINED
  description: The old value of the field that was changed.
  name: old
  predefined:
  - Low
  - Medium
  - High
  - Critical
- auto: PREDEFINED
  description: The new value of the field that was changed.
  name: new
  predefined:
  - Low
  - Medium
  - High
  - Critical
comment: |-
  Changes the remediation SLA once a change in incident severity occurs.
  This is done automatically and the changes can be configured to your needs.
commonfields:
  id: ChangeRemediationSLAOnSevChange
  version: -1
enabled: true
name: ChangeRemediationSLAOnSevChange
runas: DBotRole
runonce: false
script: |
  import datetime

  # ##### Help #####
  # This is an example script. The script is used to change the Remediation SLA of an incident, when the severity of the incident changes for any reason. Please copy this script and make changes to your liking.
  # The Configuration section is there to help you easily configure the script with your desired SLAs.
  # The CRITICAL_SLA field defines the number of minutes that you would want an incident with critical severity to have, in its Remediation SLA field.
  # The NONCRITICAL_SLA field defines the number of days that you would want an incident with non-critical severity to have, in its Remediation SLA field.
  # The NONCRITICAL_SLA field can also be configured in minutes if you want.
  # Note that the SLA can be set with a number that represents minutes instead of days, like so: demisto.executeCommand("setIncident", {'sla': 30, "slaField": "remediationsla"})
  # but it can also be set with a string that represents a complete date and time structure, like so: demisto.executeCommand("setIncident", {'sla': '2018-12-26T12:10:24Z', "slaField": "remediationsla"})
  # To get the date+time structure, you can use timedelta, like so: newsla = now + datetime.timedelta(days=2)
  # then, you would use this to convert it to the date+time structure that can be passed to the SLA field: newsla = newsla.strftime('%Y-%m-%dT%H:%M:%S+00:00')
  # Since this script is to be triggered by a change of a field, you may want to make use of the changes to the field in your script.
  # For example, in this case, when the severity of an incident is changed, we want to check if it is now critical, or not. We do this by using demisto.args()['new'], to get the new value of the severity.
  # The field changes can be obtained in the following way:
  # The name of the triggered field is in: demisto.args()['name']
  # The field's old value is in: demisto.args()['old']
  # The field's new value is in: demisto.args()['new']
  # To print the whole argument structure, use this: demisto.results(demisto.args())

  # ##### Configuration #####
  CRITICAL_SLA = 60  # In minutes
  NONCRITICAL_SLA = 6  # In days

  # ##### Logic #####
  # New severity value supplied by the field-change trigger
  args_sev = demisto.args().get('new')
  now = datetime.datetime.utcnow()

  if args_sev == 'Critical':
      # Critical: the SLA is passed as a number of minutes
      demisto.log('Severity changed to Critical')
      demisto.executeCommand("setIncident", {'sla': CRITICAL_SLA, "slaField": "remediationsla"})
  else:
      # Any other severity: the SLA is passed as an absolute UTC date and time
      demisto.log('Severity changed to Not Critical')
      newsla = now + datetime.timedelta(days=NONCRITICAL_SLA)
      newsla = newsla.strftime('%Y-%m-%dT%H:%M:%S+00:00')
      demisto.executeCommand("setIncident", {'sla': newsla, "slaField": "remediationsla"})
scripttarget: 0
system: true
tags:
- field-change-triggered
- example
type: python