When using a caller that is not the service account, Alert Closed Incident State will not resolve or close an incident

Added in v2.0.0.0

Problem

You have set your creation rule to use a caller other than your service account, and ‘Alert Closed Incident State’ on the ‘Advanced’ tab is set to Resolve, Closed, or Cancelled. When a SCOM alert is closed, the Incident remains in its previous state and is not moved to the desired state.

Cause

Alert Sync and ServiceNow both adhere to ITIL best practice by default. They allow a caller to resolve or close their own Incidents, but require resolution/closure notes and codes when resolving Incidents for another caller. If, at the time of SCOM alert resolution, the Incident is linked to a different caller (set either by the creation rule or through other means), the Incident will not close by default. You may also see this behavior when using the service account as the caller in a customized instance.

You can verify this is the case by impersonating the service account and updating an alert manually. You will receive an error similar to the following:

Workaround

  1. Rather than using ‘Alert Closed Incident State’ in your creation rules, use ‘Advanced Incident/Task Updates’ to script the resolution of the ticket, setting the required fields as appropriate.

  2. In ServiceNow, create or adjust your ‘Data Policy’ and ‘Data Policy Rules’ to exempt Incidents raised by creation rules from needing to fill in these fields.
    Exactly how you approach this depends on your organizational requirements; however, a suggestion might be to exempt any Incident created/updated by your service account, with a certain contact type, or a combination of both.