Configuration Parameters for Actions

Last updated on 26 February, 2024

The following explains the parameters used when configuring action groups.

Sources

A source is a built-in record that initiates the associated action group.

Source | Description
alerts | Triggers the action manually when the associated rule is executed from the user interface through right-click. Action groups that run with an input type of alert cannot run automatically since alert records are created rather than received. All automated updates to an alert are triggered as a response to a received event.
events | Triggers the action automatically from event processing when the condition in the associated rule is matched. Action groups that run with an event-type source can be constructed to create and update an open alert each time an event repeats by utilising the Create alert and Update alert actions.
insights | Triggers the action manually when the associated rule is executed from the user interface through right-click. Action groups that run with an input type of insight cannot run automatically since insight records are created rather than received. All automated updates to an insight are triggered as a response to a received event.
ml | Triggers the action automatically from the machine learning processing when the condition in the associated rule is matched. Action groups that run with machine learning as a source can be constructed to create and update an insight record.
sncCmdb | From the ServiceNow integration, triggers the action group to process ServiceNow CMDB updates sent from the LMDX application.
sncIncident | From the ServiceNow integration, triggers update to configuration item to find internal insights and/or insights matching Incident and update Insight with new Incident details or store Incident details in Alert.

Actions

The following are built-in actions available when creating action groups.

Action | Description
Store Enrichment data | Stores enrichment data received through:
– Dexda inbound integration such as the Dexda Data Xchange for ServiceNow (DDX).
– Dexda outbound call like Update SNC CI or Asset. In this case the Store Enrichment Data action should be placed immediately after the Update SNC CI or Asset action.
To ensure the store action runs only when the asset was actually updated, a condition of SNC CMDB entry updated should be applied to the store action. See Configuring Store Enrichment Data Action.
Create Insight | Creates a new insight record.
Update SNC Incident | Updates a ServiceNow incident. Requires the Lookup External Rowkey action to be called before the sysid of the incident can be retrieved (and the relevant incident updated).
Delay Action Execution | Waits for the specified number of seconds before executing the action. Usage examples:
– Heartbeat monitoring: After updating the heartbeat alert in response to the latest heartbeat event, delay for 15 minutes and on awakening, check that the heartbeat has been updated by a subsequent heartbeat event. If not, escalate the event as a Heartbeat Timeout.
– Clear timers: After receiving a set, delay for 15 minutes and on awakening, only escalate the event if it has not been cleared by a subsequent clear event.
Lookup internal rowkey | Retrieves an internal rowkey given an external record type, for example sncIncident.
Create SNC incident | Creates a ServiceNow incident.
Update Alert | Updates an existing open alert.
Update Insight | Updates an existing insight record.
Store rowkey | Stores the rowkey of an external record (such as a ServiceNow incident sysid), together with the rowkey of the related internal (Dexda) record (such as an alert). Once stored, either the internal or external rowkeys can be retrieved.
Lookup external rowkey | Retrieves an external rowkey given an internal record type, for example alert.
Create Alert | Creates a new alert if no open alert exists.
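
The delay-then-check pattern from the Delay Action Execution usage examples, modelled in Python as an added example (not Dexda code or configuration). The event tuples, kind names and function names are constructed for the illustration, and an event arriving exactly at wake-up time is assumed to count.

```python
# Added illustration of the delay-then-check pattern; not Dexda code.
# Events are constructed (epoch_seconds, kind) tuples for a single alert.

DELAY = 15 * 60  # the 15-minute delay from the usage examples, in seconds

def escalations(events, start, cancel, now, delay=DELAY):
    """Return the wake-up times at which an escalation is raised.

    Every `start` event begins its own delay. On awakening (t + delay),
    escalate unless a `cancel` event arrived after t and by wake time.
    Timers that have not yet woken at `now` are still pending and skipped.
    """
    raised = []
    for t, kind in events:
        if kind != start:
            continue
        wake = t + delay
        if wake > now:
            continue
        if not any(k == cancel and t < c <= wake for c, k in events):
            raised.append(wake)
    return raised

def heartbeat_timeouts(events, now):
    # A later heartbeat is what cancels the timer of the previous one.
    return escalations(events, "heartbeat", "heartbeat", now)

def uncleared_sets(events, now):
    # A clear event cancels the timer started by the set event.
    return escalations(events, "set", "clear", now)

# Constructed sample data: a heartbeat gap after t=1200, and a clear that
# arrives too late (t=3000) for the set at t=2000.
HEARTBEATS = [(0, "heartbeat"), (600, "heartbeat"),
              (1200, "heartbeat"), (4000, "heartbeat")]
SET_CLEAR = [(100, "set"), (400, "clear"), (2000, "set"), (3000, "clear")]
```

Only the last heartbeat before a gap escalates, and a clear that arrives after the wake-up does not suppress the escalation.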

Action System

Action | Description
Last Action Outcome | Because actions are executed in sequence, an action can use the outcome of a previous action as an input.
Action Start Time | Timestamp of when this action began.
User ID | User ID
actionMessageParameters | Uses triggeringValues.Param: when a parameter set in a rule is matched, it can trigger the associated action. You can add up to 5 such parameters.

Mapping Fields

Mappings control the movement of data from the source record or any subsequent record created in the flow, to the record created or updated by the selected action. The first action in a sequence can only access the data fields of the source record or itself. Subsequent actions can access the data from any of the set of records created by preceding actions in the sequence.

For a description of available parameters, see About Filters.

Mapping Type Fields

Mapping Field | Description
value | Use this type to set the value of the selected field to the specified value. For example, set the alert’s state to the string new.
increment_value | Use this type to increment the value of a numeric field by one (+1).
variable | Use this type to set the value of the selected field to the value of another record’s field. For example, updating the alert’s description with the latest event by mapping the alert’s description to the event’s description.
multi_variable | Use this type to build a formatted string in which placeholders are substituted with variables from another record. A string can be constructed using %s as a placeholder for the specified variables. For example: An event occurred on %s with severity %s, with CI and severity specified in the list of variables. The formatter %n can be used to create a new line.
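
The four mapping types and the record-visibility rule above, modelled in Python as an added example (not Dexda code or its configuration format). The mapping dictionaries, record names and field names are constructed for the illustration, and treating an unset counter as 0 is an assumption.

```python
# Added illustration of the mapping types; not Dexda code.
# Record and field names below are constructed for the example.

def apply_mappings(target, mappings, records):
    """Return a copy of target with mappings applied.

    records holds the records this action may read: the source record
    plus any records created by preceding actions in the sequence.
    """
    def lookup(ref):
        name, field = ref.split(".", 1)
        if name not in records:
            raise KeyError(f"record {name!r} is not available to this action")
        return records[name][field]

    out = dict(target)
    for m in mappings:
        kind, field = m["type"], m["field"]
        if kind == "value":
            out[field] = m["value"]
        elif kind == "increment_value":
            out[field] = out.get(field, 0) + 1      # assumption: unset counts as 0
        elif kind == "variable":
            out[field] = lookup(m["variable"])
        elif kind == "multi_variable":
            # Expand %n first and split on %s, so a literal %s or %n inside
            # event data is copied verbatim and never re-interpreted.
            parts = m["format"].replace("%n", "\n").split("%s")
            values = [str(lookup(v)) for v in m["variables"]]
            if len(parts) - 1 != len(values):
                raise ValueError("number of %s placeholders and variables differ")
            out[field] = parts[0] + "".join(v + p for v, p in zip(values, parts[1:]))
        else:
            raise ValueError(f"unknown mapping type {kind!r}")
    return out

def demo():
    event = {"ci": "db01", "severity": "critical", "description": "disk at 95%s"}
    create = [
        {"type": "value", "field": "state", "value": "new"},
        {"type": "increment_value", "field": "count"},
        {"type": "variable", "field": "description", "variable": "event.description"},
    ]
    alert = apply_mappings({}, create, {"event": event})   # first action: source only
    update = [
        {"type": "increment_value", "field": "count"},
        {"type": "multi_variable", "field": "summary",
         "format": "An event occurred on %s with severity %s%n%s",
         "variables": ["event.ci", "event.severity", "alert.description"]},
    ]
    return apply_mappings(alert, update, {"event": event, "alert": alert})
```

The constructed event description deliberately contains `%s`, showing that event-supplied text passes through the formatter unchanged.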