Configure Timer/SLA fields - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product
Cortex XSOAR
Version
8
Creation date
2024-03-07
Last date published
2024-12-12
Category
Administrator Guide
Solution
Cloud
Abstract

Create a new SLA or timer and add an SLA script to trigger when SLA time has passed.

By default, Cortex XSOAR comes out-of-the-box with several Timer/SLA fields, such as Remediation SLA and Time to Assignment, or create your own Timer/SLA fields. You can use the fields as an SLA, an SLA and timer, or a timer.

Action

Description

SLAs

Set the date in the incident field, which counts the completion time. Use it to create widgets in a dashboard/report and to the incident layout, which is useful to see when an SLA is breached or at risk.

You can also add an SLA script, so when an SLA is breached certain actions can occur, such as sending an email. For more information, see Automate changes to incident fields using SLA scripts.

Note

Incidents sorted using an SLA/Timer field are sorted by the due date of the SLA field.

SLA Timers

Counts the time elapsed since the incident field started. You can add it to a playbook task or script. It does not run automatically. You need to start/stop/pause it in a playbook, script, or manually in the CLI.

In the following example, configure the SLA information in the Time to Assignment field.

  1. Navigate to Settings & InfoSettingsObject SetupIncidentsIncident Fields.

  2. Edit the Time to Assignment field.

    Note

    If creating a new SLA field, in the field type field, select Timer/SLA

  3. Set the SLA time.

    By default, the SLA field shows hours and minutes. You can change this to days and hours, by clicking Hours.

    For example, if you set the SLA for one day and the Time to Assignment has started but not stopped within one day, the analyst will be in breach of the SLA.

  4. Set the Risk Threshold.

    Useful for dashboards and reports. When the timer falls below this threshold, it is considered at risk. By default, the threshold is 3 days. You can change this by adding a server configuration. See Configure the Global Risk Threshold.

  5. Under Run on SLA Breach, select the script to run when the SLA time has passed. For example, the sendEmailOnSLABreach script sends an email when the SLA is breached. For more information, see Automate changes to incident fields using SLA scripts.

    Note

    Only scripts to which you have added the SLA tag appear in the list of scripts you can select.

    When you hover over the machine name (below the Field Name) note the name which is used in the command line or script.

  6. Save the field.

  7. Add the field to the incident layout.

    Ensure that the incident layout is used in the incident type you want to view the SLA information.

  8. If you want to automate SLA timers, add or configure a playbook to run the timer fields.

In this example, you want to create a new field that notifies a user when it reaches a particular stage in the investigation with an SLA of three days and the risk set to one day.

sla-field.png