Create a new SLA or timer and add an SLA script to trigger when SLA time has passed.
By default, Cortex XSOAR comes out-of-the-box with several Timer/SLA fields, such as Remediation SLA and Time to Assignment, or create your own Timer/SLA fields. You can use the fields as an SLA, an SLA and timer, or a timer.
Action | Description |
|---|---|
SLAs | Set the date in the incident field, which counts the completion time. Use it to create widgets in a dashboard/report and to the incident layout, which is useful to see when an SLA is breached or at risk. You can also add an SLA script, so when an SLA is breached certain actions can occur, such as sending an email. For more information, see Automate changes to incident fields using SLA scripts. |
SLA Timers | Counts the time elapsed since the incident field started. You can add it to a playbook task or script. It does not run automatically. You need to start/stop/pause it in a playbook, script, or manually in the CLI. |
In the following example, configure the SLA information in the Time to Assignment field.
Navigate to → → → → .
Edit the Time to Assignment field.
Note
If creating a new SLA field, in the field type field, select Timer/SLA
Set the SLA time.
By default, the SLA field shows hours and minutes. You can change this to days and hours, by clicking Hours.
For example, if you set the SLA for one day and the
Time to Assignmenthas started but not stopped within one day, the analyst will be in breach of the SLA.Set the Risk Threshold.
Useful for dashboards and reports. When the timer falls below this threshold, it is considered at risk. By default, the threshold is 3 days. You can change this by adding a server configuration. See Configure the Global Risk Threshold.
Under Run on SLA Breach, select the script to run when the SLA time has passed. For example, the
sendEmailOnSLABreachscript sends an email when the SLA is breached. For more information, see Automate changes to incident fields using SLA scripts.Note
Only scripts to which you have added the SLA tag appear in the list of scripts you can select.
When you hover over the machine name (below the Field Name) note the name which is used in the command line or script.
Save the field.
Add the field to the incident layout.
Ensure that the incident layout is used in the incident type you want to view the SLA information.
If you want to automate SLA timers, add or configure a playbook to run the timer fields.
In this example, you want to create a new field that notifies a user when it reaches a particular stage in the investigation with an SLA of three days and the risk set to one day.
