Applying Rule Actions on Cases
This topic covers details on rule actions to create or update a case.
Using a Rule to Create a Case
The Create a New Case Action panel provides all fields necessary to set case attributes. The following example shows that creation of the case is based on the On First Event trigger for this rule:
When you use a rule to create a case, you are required to give the case a name. It is possible that your organization has customized the Case resource so that additional fields are mandatory. If so, note that the rule will not check for the additional mandatory fields, and the rule will not fail if you do not set those mandatory fields with this rule action. You should therefore remember that after the rule creates the case, the case owner is responsible for editing and setting the other mandatory fields.
Note: After the rule action creates the case:
- The rule is identified as the creator of that case. You can view this information in the case editor's Attributes panel. The
Created Byfield displays the rule's URI. - The case's History panel contains text stating that the case was created by
<rule_name>and also provides the rule's URI.
To apply the Create New Case rule action:
-
Required: Provide a name for the case.
You can name a case in conjunction with an existing field value from an event. For example, you want your action to create a new case called Suspicious Login Attempts based on a value in the event field, Attacker Address. For this scenario, your case name’s format will be Suspicious Login Attempts $attackerAddress.
-
Specify a case group and owner.
-
Optionally choose Include Base Events in Case. This means that when the rule action is triggered, both correlation events and the correlated base events that triggered the rule will be added to the case’s Events tab.
-
Specify the case’s attributes when the rule is triggered. For information on case attributes, refer to Creating or Editing a Case.
For multi-line text fields, the value specified in this rule action will be appended to the existing values, but only if the new value being appended is unique. For example, your multi-line Attacker Address field has these IP addresses:
192.0.2.0 192.0.2.9 192.0.2.24
If the rule action is to set the field with
Attacker Address = 192.0.2.9, this value will not be appended because the value is already in the field.
Using a Rule to Add to an Existing Case
The Add To Existing Case Action panel provides all fields necessary to change case attributes. The panel does not fetch current values of the existing case. Instead, the default selection is Keep existing value. Remember that you are defining the rule to keep or change certain case attributes when the action is triggered, whatever the case attributes are at that time.
To apply the Add To Existing Case rule action:
-
Specify a case by choosing one of two options:
-
Select an existing case. Use the Case drop-down menu to navigate the Cases resource tree and select the case.
Caution: Make sure the case is not locked when the rule triggers; otherwise, the rule fails. However, even if the rule fails, correlation events are still added to the case because the addition of events does not alter the case resource itself.
-
Select Calculate case name dynamically to specify a case defined in another rule action.
This setting does not require an existing case. If the case does not yet exist, the case is created when the rule is triggered.
For the dynamic case name, specify the name based on the same case name you provided in the other rule action that creates the case. An example of a dynamic case name is one that includes a variable. In the example,
GetMonthis a variable name, and so the dynamic name entry is Suspicious Login Attempts $GetMonth. If your variable name has spaces, replace the spaces with the underscore character. For example, if your variable isGet Month, then your case name isSuspicious Login Attempts $Get_Month. -
Optionally choose Include Base Events in Case. This means both correlation events and the correlated base events that triggered the rule will be added to the case’s Events tab.
-
Specify the case’s updated attributes when the rule is triggered, or keep the existing values. For information on case attributes, refer to Creating or Editing a Case.
For multi-line text fields, the value specified in this rule action will be appended to the existing values, but only if the new value being appended is unique. For example, your multi-line Attacker Address field has these IP addresses:
192.0.2.0 192.0.2.9 192.0.2.24
If the rule action is to set the field with
Attacker Address = 192.0.2.9, this value will not be appended because the value is already in the field.
Using a Rule to Create a Ticket in ServiceNow® ITSM
The Create Ticket in ServiceNow® ITSM panel provides all fields necessary to create a ticket. The following example shows that creation of the case is based on the On First Event trigger for this rule:
To apply the Create Ticket in ServiceNow® ITSM rule action:
- Specify a short description and the appropriate Caller ID. For the description, you can either type a specific description or use an expression, such as
$name. All expressions common to the Action editor map to their expected values. -
(Optional) Modify the remaining fields as appropriate, and then click OK.
Note:If you accept the defaults, then the resulting ticket will have the default settings as specified by the mapping. For example, if you leave the Comments field blank, the ticket will contain the event details. Any changes you make to the default settings override the associated mappings. - On the Conditions tab of the Rule Editor, specify the conditions for the rule, and click Apply.