.. _arbitrator-response-procedure-configuration:

Response Procedure Configuration
---------------------------------------

.. _SP23|New config screen added to allow customer ndx file retention times. Default is 6 months.:
.. _SP23|New PRI and SIP Trunk probes for Cisco Voice Gateways. Please reference Arbitrator Cisco PRI and SIP Probe Configuration for instructions.:
.. _SP25|Webex API support added (Requires Dashboard SP66 Release for visualization).:
.. _22.1|VOSS-934:
.. _22.1|EKB-12298:
.. _22.2|EKB-13343:
.. _23.1|EKB-13157:
.. _23.1|EKB-15145:
.. _23.1|VOSS-986:
.. _23.1|VOSS-1153:
.. _23.2|EKB-14142:
.. _23.2|EKB-16510:
.. _23.3|EKB-17216:
.. _24.2|VOSS-1277:


Overview 
...........

The Response Procedure configuration panel allows you to define an
automated response to a correlated event. Each Response Procedure can be
assigned to one or more Correlation Rules while also containing and/or
executing one or more of the following responses: 

.. tabularcolumns:: |p{4.5cm}|p{10.5cm}|

+-----------+------------------------------------------------------------------+
| Action    | Description                                                      |
+===========+==================================================================+
| Alert     | Visually show the alert in the alert views within the User       |
|           | Interface.                                                       |
+-----------+------------------------------------------------------------------+
| Email     | An email will be sent to the recipient's address and contain the |
|           | Policy and Correlation Rule details that are triggered.          |
|           | Additionally, any data that is extracted from the correlated     |
|           | event will be included.                                          |
+-----------+------------------------------------------------------------------+
| Control   | Executes the selected Control Script as a result of the          |
|           | correlated event. Data from the correlated event will be passed  |
|           | to the script as well. These scripts can be utilized as run-book |
|           | and/or automated remediation.                                    |
+-----------+------------------------------------------------------------------+
| Forward   | The forward allows the correlated event to be forwarded to       |
|           | another Arbitrator Correlation platform.                         |
+-----------+------------------------------------------------------------------+

From release 24.2, alert details can be sent to platforms such as Slack, MS Teams,
and Webex Teams, providing improved visibility and allowing instant collaboration.

Create a Response Procedure
................................

To create a response procedure: 

1. Click the "Calendar" icon at the top of the Configuration panel. 
2. Click the plus icon in the bottom left of the Response Procedure name
   panel. A box will open up where you can fill in the name of your
   response procedure. 
3. The panel to the right is broken into two sections: 

   a. Response Procedure Details – This is the section that you select to
      add the elements defined in the table above. 
   b. Do Not Run Windows – Allows you to define dates and times during
      which the system must not take the actions within the Response
      Procedure. 

    
|

.. image:: /src/images/assurance-correlation-image53.png

|

    

Assign an Alert to a Response Procedure 
...........................................

To assign the Alert function to a response procedure: 

1. Click the Alert check box in the top left of the Response Procedure
   Details panel. 
2. If the system you are configuring is intended to be the redundant
   platform, click the Disable on Failover box to allow all data to
   flow but no actions to take place. 

    
|

.. image:: /src/images/assurance-correlation-image54.png

|

Delete a Response Procedure
................................

To delete a Response Procedure:

1. Click the box next to the Response Procedure name. 
2. Click the minus icon at the bottom of the Response Procedure name
   panel. 
3. Click the Save icon to save your changes. 

    
|

.. image:: /src/images/assurance-correlation-image51.png

|


.. _arbitrator-how-to-enable-servicenow-integration:

Enable ServiceNow Integration
................................

|

.. image:: /src/images/VAA-add-SNOW-control.png

|

1. Navigate to Configuration (cog icon) on the Arbitrator.
#. Navigate to Control and click + to enter a new control.
#. In the **Name** text box enter ServiceNow.
#. Uncheck **Custom**.
#. Fill in the following details:

   * **Select Category**: ServiceNow
   * **Select Script**: PushToServiceNow
   * **Service Now IP Address / Hostname:**
   * **Service Now Username:**
   * **Service Now Password:**

#. Tick the blue tick box.
#. Click **Save**.
#. Navigate to the Response Procedure Configuration menu.
#. Apply the control to the required IRP, such as the default IRP.



.. _arbitrator-servicenow-one-way-incident-integration:

ServiceNow One Way Incident Integration
'''''''''''''''''''''''''''''''''''''''''

When the Correlation Platform detects a new incident, a response procedure
sends the event to ServiceNow using the ServiceNow API. Incident
Response Procedures (IRPs) are defined on a per-incident basis, so you can
choose which events are sent to ServiceNow based on severity, type,
threshold, or other criteria. When the IRP runs, it creates an event,
populates the following fields, and sends it to ServiceNow:

* short description: Arbitrator Policy, Rule and Reference_Id
* description: full message from arbitrator
* severity: severity
* urgency: based on severity
* impact: based on severity
* category: software
* comments: full message from Arbitrator
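
The field mapping above, sketched as an added example (this is not the code of ``PushToServiceNow.pl``). It builds a SOAP ``insert`` body for the incident table and shows why event text must be treated as untrusted data when it is copied into the request. The function names, the event keys, the severity-to-level mapping, the 160-character summary limit and the envelope namespace are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
INC_NS = "http://www.service-now.com/incident"  # assumed incident namespace
# Assumption: the page only says urgency and impact are "based on severity".
LEVELS = {"critical": "1", "major": "2", "minor": "3"}
# Characters that XML 1.0 forbids; ElementTree would emit them unchanged.
XML_ILLEGAL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")

SAMPLE_EVENT = {  # constructed sample, not real Arbitrator output
    "policy": "Voice Gateway Health",
    "rule": "PRI Down",
    "reference_id": "REF-0001",
    "severity": "Critical",
    "message": "Trunk down on gw01 </description><impact>3</impact>\x07",
}


def incident_fields(event):
    """Map a correlated event to the seven incident fields listed above."""
    level = LEVELS.get(str(event["severity"]).lower())
    if level is None:
        raise ValueError(f"unmapped severity: {event['severity']!r}")
    message = XML_ILLEGAL.sub("", event["message"])
    short = f"{event['policy']} {event['rule']} {event['reference_id']}"
    return {
        "short_description": " ".join(short.split())[:160],
        "description": message,
        "severity": level,
        "urgency": level,
        "impact": level,
        "category": "software",
        "comments": message,
    }


def build_insert_envelope(event):
    """Serialize the fields as a SOAP insert request body (UTF-8 bytes)."""
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("inc", INC_NS)
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    insert = ET.SubElement(body, f"{{{INC_NS}}}insert")
    for name, value in incident_fields(event).items():
        # Element text is escaped on serialization, so markup in the event
        # message stays data and cannot add or override incident fields.
        ET.SubElement(insert, name).text = value
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)
```

Building the request with an XML library rather than string concatenation is what keeps the constructed message above from overriding the ``impact`` field.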



ServiceNow Requirements
'''''''''''''''''''''''''''''

* ServiceNow URL
* ServiceNow User with SOAP API rights to insert Incidents
* ServiceNow Password


Arbitrator Correlation Configuration
''''''''''''''''''''''''''''''''''''''''


* Version Required: 4.0001-15b
* Script: ``servicenow/PushToServiceNow.pl``
* Parameters: 

  * ``URL_TO_SERVICENOW_INSTANCE``
  * ``USERNAME``
  * ``PASSWORD``


.. rubric:: ServiceNow images:


|

.. image:: /src/images/924d7f4f8b22b0fc.png

|

.. image:: /src/images/ea8b6a1af79321ee.png

