Forum Discussion
esschotenw
Jun 27, 2023, Copper Contributor
Tuning rule time-based
Hi, I'm trying to investigate how we can tune a rule to prevent false positives. A customer has scanned every sunday night their network. Every Sunday night, the rules alert and create an inciden...
- Jun 28, 2023
Rule logic would be the go-to for me as well, as what you want to achieve is very specific and targeted. Entity mapping as suggested by Kaaamil could prove tricky, as even though in theory you could map a timestamp to an entity, you'd need some logic to assess time/day of the week etc., which an automation rule wouldn't allow.
Logic app is the only alternative I can think of: create it with an incident trigger, let it get incident info, use a Control/Condition block to evaluate the TimeCreated value (match day of the week and number of hours, for example) and then close the incident if it matches, or take no action if not.
Outside of the logic app you'd still need an automation rule to call the logic app: an incident-based trigger when it matches your rule.
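The day-of-week and hour condition described for the Logic App, written out as an added Python example (not code from this thread or from Sentinel) so the two pitfalls a practitioner hits are explicit: Sentinel's createdTimeUtc is UTC, while "Sunday night" is the customer's local time, and a window such as 22:00 to 04:00 crosses midnight into Monday. The time zone and window below are assumed placeholders.

```python
from datetime import datetime, time, timedelta, timezone, tzinfo

# Constructed assumptions: the scan runs Sunday 22:00 to Monday 04:00 in the
# customer's local time (here a fixed UTC+2 offset; a real deployment should
# use zoneinfo.ZoneInfo("Europe/...") so DST changes are handled).
SCAN_TZ = timezone(timedelta(hours=2), "local")
SCAN_START_DAY = 6            # Python weekday(): Monday=0 ... Sunday=6
SCAN_START = time(22, 0)
SCAN_END = time(4, 0)         # earlier than SCAN_START, so the window crosses midnight


def in_scan_window(created_utc: str, tz: tzinfo = SCAN_TZ,
                   start_day: int = SCAN_START_DAY,
                   start: time = SCAN_START, end: time = SCAN_END) -> bool:
    """True if an incident's createdTimeUtc (ISO 8601, 'Z' suffix) falls inside
    the recurring scan window, evaluated in the customer's local time zone."""
    # Logic Apps / Sentinel emit e.g. "2023-06-25T20:30:00Z"; normalise the 'Z'
    # so fromisoformat() accepts it on every Python 3 version.
    ts = datetime.fromisoformat(created_utc.replace("Z", "+00:00")).astimezone(tz)
    local_t = ts.time()
    if start <= end:
        # Window within a single day.
        return ts.weekday() == start_day and start <= local_t < end
    # Window crosses midnight: late on start_day, or early on the following day.
    next_day = (start_day + 1) % 7
    return ((ts.weekday() == start_day and local_t >= start) or
            (ts.weekday() == next_day and local_t < end))


def triage(created_utc: str) -> str:
    """Decision the Logic App's Condition block would make for this incident."""
    return "close" if in_scan_window(created_utc) else "keep"


if __name__ == "__main__":
    # Constructed sample incidents around Sunday 25 June 2023.
    for stamp in ("2023-06-25T20:30:00Z",   # Sun 22:30 local -> in window
                  "2023-06-26T01:00:00Z",   # Mon 03:00 local -> still in window
                  "2023-06-26T02:30:00Z",   # Mon 04:30 local -> outside
                  "2023-06-25T19:30:00Z"):  # Sun 21:30 local -> outside
        print(stamp, triage(stamp))
```

Evaluating the condition in the customer's zone rather than raw UTC is what keeps a Monday-00:30-local incident inside the window instead of leaking through as a false positive.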
Kaaamil
Jun 27, 2023, Copper Contributor
Hi
I believe the easiest way would be to do this by modifying the analytic rule logic, but I understand you can't do this.
What you can do is implement some entity mapping (it doesn't change the rule logic) and, if a specific entity is extracted, auto-close using automation.
- esschotenw, Jun 28, 2023, Copper Contributor
Hi Kaaamil,
Thanks! I've looked into the entity mapping but unfortunately, I didn't find any useful entity.
The analytic rule would still be modified in this case. This will affect the updates of the analytic rule: we've automated the update process, so a new update will undo the changes in the analytic rule.