Creating Action Groups
Last updated on 27 March, 2023Processes in Dexda, manual or automatic, involve a set of actions to accomplish a goal. The processes are controlled by rules, where each rule is associated with an action group. An action group is a sequence of individual actions that are executed in order. An example of an action group is “Close Alert” which contains action steps to close and update an alert when configured conditions are met.
For more information about the concept of actions, see About Action Groups. The following descibes how to create or edit action groups, and the various parameters involved in the configuration.
Viewing Action Groups
Select Actions in the navigation bar to open the Action Groups page. This lists action groups configured in your Dexda portal.
You can do the following to explore action groups:
- Select Filter to the right to filter the action groups in the list, for example by type.
- Select a column header to sort the listing.
- Select the arrow in the Rules column for an action group to see details about rules associated with the action group.
Working with Action Groups
Note: You neeed to have administrator permissions to edit, create, or delete action groups.
From the Action Groups page you can do the following:
- Edit the configuration of an existing action group. Select the link in the Name column. Or, select the More options menu to the right in the table row and select “Edit”.
- Create a new action group based on an existing one. Select the More options menu to the right in the table row and select “Clone”.
- Create a new action group from scratch. Select Create action in the upper right. This opens an empty configuration form where you can add configuration parameters.
See the following how to add values for configuration parameters.
Editing or Creating an Action Group
The following describes the steps when editing or creating an action group. Note that available configuration parameters vary depending on the actions you select when building the action group sequence. See Configuration Parameters.
Note: An action group will not be active until it is associated with a rule that is enabled. See Creating Rules.
- Name (Required): Add a descriptive name for the action group, for example “Close Insight”.
- Description (Required): Describe what the action group is used for, for example “Set Insight state to closed”.
- Source: Select the source that will initiate the action group, for example “insights”. See Configuration Parameters.
- Create an action step under Sequence by selecting the Add Step field, and select an action. This opens the configuration panel to the right.
- Add configuration as needed under Settings, Mappings, and Advanced, in the panel that opens to the right. Available options here depend on the type of action selected. Each action added to the sequence requires action-specific configuration.
- Settings: General information and lifecycle configuration for the action in the step.
- Name: Add a descriptive name for the step, for example “Set escalation to “closed”. Displays in the step sequence in the left panel.
- Description: If needed, explain further what the step in the sequence does.
- Execute: Select Add expression to add filters to run the action only if specified conditions are met. Select Add outcome to stop the action from running when specifed conditions are met.
- Mappings: Control data movement from the source record to the record created or updated by the selected action. Available options here depend on the selected action, see Configuration Parameters.
- Advanced: The options on the Advanced tab lets you use other configuration fields than the default ones. In most cases this is not needed.
- Continue by adding more steps and actions as needed under Sequence. You can move steps through drag-and-drop to change the order of execution. You can select Reset to restore the action group to the last submitted version.
- When satisfied, select Submit to save the action group.
Note: When editing an action group, you can select Reset to revert recent changes. This will reset the action group to the state it had at the most recent submit. This is useful when working with complex action groups with multiple sequence steps.
Configuration Parameters
The following explains the parameters used when configuring action groups.
Sources
A source is a built-in record that initiates the associated action group.
| Source | Description |
| alerts | Triggers the action group manually when the associated rule is executed from the user interface through right-click. Action groups that run with an input type of alert cannot run automatically since alert records are created rather than received. All automated updates to an alert are triggered as a response to a received event. |
| events | Triggers the action group automatically from event processing when the condition in the associated rule is matched. Action groups that run with an event-type of source can be constructed to create and update an open alert each time an event repeats by utilising the “Create alert” and “Update alert” actions. |
| insights | Triggers the action group when …?? |
| ml | From machine learning event that triggers …?? |
| sncCmdb | From the ServiceNow integration, triggers update to configuration item…?? |
| sncIncident | From the ServiceNow integration, triggers update to incident …?? |
| sncRunbook | From the ServiceNow integration, triggers update to …?? |
Actions
The following are built-in actions available when creating action groups.
| Action | Description |
| Store Enrichment data | Stores enrichment data received through: – A Dexda inbound integration such as the Dexda Data Xchange for ServiceNow (DDX). – A Dexda outbound call like “Update SNC CI or Asset”. In this case the “Store Enrichment Data” action should be placed immediately after the “Update SNC CI or Asset” action. To ensure the store action runs only when the asset was actually updated, a condition of “SNC CMDB entry updated” should be applied to the store action. See Configuring Store Enrichment Data Action. |
| Update SNC CI or Asset | Updates a CMDB CI or Asset record held in ServiceNow. See Configuring Update ServiceNow CI or Asset Action. |
| Create Insight | Describe …?? |
| Create SNC Runbook | Describe …?? |
| Update SNC Incident | Updates a ServiceNow incident. Requires the Lookup External Rowkey action to be called before the sysid of the incident can be retrieved (and the relevant incident updated). |
| Delay Action Execution | Waits for the specified number of seconds before executing the action. Usage examples: – Heartbeat monitoring: After updating the heartbeat alert in response to the latest heartbeat event, delay for 15 minutes and on awakening, check that the heartbeat has been updated by a subsequent heartbeat event. If not, escalate the event as a Heartbeat Timeout. – Clear timers: After receiving a “set”, delay for 15 mins and on awakening, only escalate the event if it as not been cleared by a subsequent “clear” event. |
| Lookup internal rowkey | Retrieves an internal rowkey given an external record type, for example sncIncident. |
| Create SNC incident | Creates a ServiceNow incident. |
| Update Alert | Updates an existing open alert. |
| Update Insight | Describe …?? |
| Store rowkey | Stores the rowkey of an external record (such as a ServiceNow incident sysid), together with the rowkey of the related internal (Dexda) record (such as an alert). Once stored, either the internal or external rowkeys can be retrieved. |
| Lookup external rowkey | Retrieves an external rowkey given an internal record type, for example alert. |
| Create Alert | Creates a new alert if no open alert exists. |
Action System
| Action | Description |
| Last Action Outcome | Describe …?? |
| Action Start Time | Describe …?? |
| User ID | Describe …?? |
Action Message Parameters
| Parameter | Description |
| triggeringValues.param1 triggeringValues.param2 triggeringValues.param3 triggeringValues.param4 triggeringValues.param5 | Describe …?? |
Outcome
Available outcome options.
| Outcome | Description |
| Action Failed | Describe …?? |
| Action Skipped | Describe …?? |
| SNC Incident already exists | Describe …?? |
| SNC Incident created | Describe …?? |
| Alert created | Describe …?? |
| Alert exists | Describe …?? |
| Alert updated | Describe …?? |
| Enrichment data stored | Describe …?? |
Mapping Fields
Mappings control the movement of data from the source record (or any subsequent record created in the flow), to the record created or updated by the selected action. The first action in a sequence can only access the data fields of the source record or itself. Subsequent actions can access the data from any of the set of records created by preceding actions in the sequence.
For a description of available parameters, see About Filters.
Mapping Type Fields
| Mapping field | Description |
| value | Use this type to set the value of the select field to the specified value. For example, set the alert’s state to string “new”. |
| increment_value | Use this type to increments the value of a numeric field by one (+1). |
| variable | Use this type to set the value of the selected field to the value of another record’s field. For example, updating the alert’s description with the latest event by mapping the alert’s description to the event’s description. |
| multi_variable | Use this type to build a a formatted string substituted with variables from another record. A string can be constructed using %s as a place holders for the specified variables. For example: “An event occurred on %s with severity %s”, with CI and severity specified in the list of variables. The formatter %n can be used to create a new line. |
Deleting Action Groups
Can you delete a an action group and if yes, what are the consequences… Can delete actions on an action group, but not the action group itself…??