Prisma Cloud: New ServiceNow Incidents are not created when Prisma Cloud alerts reopen
1925
Created On 08/14/24 18:09 PM - Last Modified 04/04/25 14:17 PM
Symptom
- Prisma Cloud Notification templates for ServiceNow is enabled with the option "Auto create a new ServiceNow incident when Alert state changes from Resolved to Open" but:
- Alerts transitioned from RESOLVED state to OPEN state did not create new incidents in ServiceNow.
- Alerts transitioned from DISMISSED state to OPEN state did not create new incidents in ServiceNow
Environment
- Prisma Cloud Enterprise Edition
- Settings
- Integrations
- Notification Templates
- Integrations
- Alerts
- Settings
Cause
- When ServiceNow incidents are manually closed and if the Prisma Cloud Notification Templates for ServiceNow have the option "Auto create a new ServiceNow incident when Alert state changes from Resolved to Open" enabled, this will create a mismatch in sending further notifications when alert state changes.
- When Prisma Cloud creates an incident in ServiceNow, the sys ID is mapped to our database and when alert state changes to resolved or reopen etc this helps Prisma in closing and reopening the incidents.
- If a incident is manually closed, the mapping entry is not removed from our database and hence new Incidents won't be created as the notification template is enabled with "Auto create a new ServiceNow incident when Alert state changes from Resolved to Open" option.
Resolution
- To resolve the issue, we recommend users to not manually close the ServiceNow incidents.
- If the incidents were manually closed on the ServiceNow and users would like new incidents to be opened after alert reopened, please reach out to the Prisma Cloud Support team along with a list of alert IDs for which the ServiceNow incidents were manually closed.