Forum Discussion
esschotenw
Jun 27, 2023 Copper Contributor
Tuning rule time-based
Hi, I'm trying to investigate how we can tune a rule to prevent false positives. A customer scans their network every Sunday night. Every Sunday night, the rules alert and create an inciden...
KubaTom
Jun 28, 2023 Brass Contributor
Rule logic would be the go-to for me as well, as what you want to achieve is very specific and targeted. Entity mapping as suggested by Kaaamil could prove tricky, as even though in theory you could map a timestamp to an entity, you'd need some logic to assess time/day of the week etc. which automation rule wouldn't allow.
Logic app is the only alternative I can think of - create it with an incident trigger, let it get the incident info, use a Control/Condition block to evaluate the TimeCreated value (match the day of the week and the number of hours, for example) and then close the incident if it matches, or take no action if not.
Outside of the logic app you'd still need an automation rule to call it - an incident-based trigger when it matches your rule.
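The "rule logic" option above, as an added example that is not part of the thread: a scheduled analytics rule query in which the suppression is scoped to both the authorized scanner's address and the agreed scan window, rather than to the time alone, so that a scan from any other source on a Sunday night, or from the scanner at any other time, still raises an incident. The table, the scanner address, the time zone and the Sunday 22:00 to Monday 04:00 window are all assumed placeholders.

```kql
// Added example, not from the thread or from Microsoft. All values below are
// assumptions: the customer's scanner address, time zone and maintenance window,
// and the port-scan style detection the exclusion is bolted onto.
let AuthorizedScanners = dynamic(["10.0.0.250"]);   // placeholder scanner IP
let InScanWindow = (t: datetime) {
    // Evaluate the window in the customer's local time, not UTC
    let local = datetime_utc_to_local(t, "Europe/Amsterdam");   // assumed time zone
    // Sunday 22:00 through Monday 04:00 local time (assumed window);
    // dayofweek() returns a timespan, 0d being Sunday
    (dayofweek(local) == 0d and hourofday(local) >= 22)
      or (dayofweek(local) == 1d and hourofday(local) < 4)
};
// Existing detection logic goes here; a simple "many denied ports from one
// source" aggregation over CommonSecurityLog stands in for it.
CommonSecurityLog
| where DeviceAction == "deny"
| summarize DistinctPorts = dcount(DestinationPort),
            FirstSeen = min(TimeGenerated)
          by SourceIP, bin(TimeGenerated, 5m)
| where DistinctPorts > 50
// Suppress only the authorized scanner, and only inside the window.
// The same address scanning on a Tuesday, or any other address scanning
// on Sunday night, still fires.
| where not(SourceIP in (AuthorizedScanners) and InScanWindow(TimeGenerated))
```

Because the exclusion lives in the rule query itself, it is applied before an incident is ever created, which sidesteps the problem raised later in the thread of several automation rules acting on the same incident; the trade-off is that the custom query no longer tracks the rule template, so window and scanner address changes have to be maintained by hand.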
esschotenw
Jul 05, 2023 Copper Contributor
Thanks all!
Unfortunately, we discovered that this is not the best way. We have multiple automation rules, so if the playbook is running the other automation rule could still do something...
KubaTom
Jul 05, 2023 Brass Contributor
Can't you just create a custom rule (don't use a rule template or its name)? That way, whatever automation you've got for updating analytics rules won't match your rule to an existing template and force it to update.
esschotenw
Jul 06, 2023 Copper Contributor
We thought about that, but the problem is how to update the custom rule when the original rule gets an update.
Thanks for sharing your thoughts!