Troubleshooting
Problem
Incident Rules will not be reevaluated for an incident, when they are created with conditions. Only when the fields in those conditions change, will the rule be run again.
Symptom
When running an integration where you only want to update specific incidents, you can add conditions for when the Rule should run.
If you specify conditions on that rule, it will only run when the fields listed in the conditions change. However, if there are no conditions, the rule will evaluate and run the workflow every time the incident is updated.
Cause
This is working as designed so that a rule does not continuously update the case multiple times with the same data every time the incident is changed.
Environment
IBM Security SOAR
Resolving The Problem
In order to work around the issue, specify the conditions when you want the function to run, inside the workflow instead, use an exclusive gateway. This allows the rule to be evaluated every time the incident is changed, but prevents incidents from being updated unless the incident meets a particular criteria.
A common use case is when using the Data Feeder application and you only want to specify that a particular type of incident is synchronized with a database.
1. Create a workflow with an exclusive gateway:
2. Set the conditions for running the function the same as the conditions in your rule and make the default gateway to run the workflow:
3. The pre-processor script should use the current incident ID or it will run on all incidents in the organization, which meet the criteria:
Pre-Processor
try:
inputs.df_min_incident_id = incident.id
inputs.df_max_incident_id = incident.id
except:
helper.fail("This version of Resilient cannot use this function")
4. Create a rule without any conditions, which uses the Workflow to evaluate when the Incident is updated:
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSIP9Q","label":"IBM Security SOAR"},"ARM Category":[{"code":"a8m0z000000cwPKAAY","label":"Resilient Core->Rules"}],"ARM Case Number":"TS006285146","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
03 August 2021
UID
ibm16475793