Prudhvi T
ServiceNow Employee

Playbooks in Security Incident Response often use response tasks as a channel to guide security analysts and expedite the resolution of security incidents. These playbooks rely on the response the analyst provides through the response task "State" field and generate follow-up response tasks from it. A "State" choice is not an intuitive response for every type of response task in a playbook.

For instance, consider the response task "Does the email contain malicious observables?". In this case, responding with a simple "Yes" or "No" is more intuitive than marking the state as "Close Completed".


To support various response types, the "outcome_type" and "outcome" fields are introduced in the response task table. Briefly: when a response task is created, its "outcome_type" field is set to a type appropriate to the task that the analyst will perform.
Examples: "yes_no", "accept_reject".

The "outcome" dropdown on the response task form then shows the choices relevant to the selected outcome type.

Example:

  • Outcome field shows "yes", "no" as choices when outcome_type is set to "yes_no"
  • Outcome field shows "accept", "reject" as choices when outcome_type is set to "accept_reject"

Now, you can start building meaningful outcome_types and make playbooks more readable.

  1. Steps to create a new outcome_type:
    1. Navigate to sys_db_object.list
    2. Open "Security Incident Response Task" table.
    3. Open "Outcome type" from the columns tab.
    4. Scroll to Choices related list.
    5. Click on "Insert a new row.." and create a new outcome type similar to the "yes_no" entry in the image.
      Screenshot 2023-10-06 at 11.58.00 AM.png
  2. Steps to create outcome choices for the newly created outcome_type
    1. Navigate to sys_db_object.list
    2. Open "Security Incident Response Task" table.
    3. Open "Outcome" from the columns tab.
    4. Scroll to Choices related list.
    5. Click on "Insert a new row.." and create outcome choices similar to the "yes" and "no" choices in the image.
      Screenshot 2023-10-06 at 11.49.03 AM.png
    6. Make sure to populate the "Dependent value" with the outcome type created in step 1.
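
A consistency check for the two procedures above, as an added example that is not part of the original article or ServiceNow's own code: an outcome choice whose "Dependent value" does not match any outcome type is never offered for that type, so this lints choice rows before a playbook depends on them. It assumes the choices are exported as JSON rows with the sys_choice column names, that the table name is sn_si_task (taken from the view rule URL on this page), and it uses a hypothetical outcome type "true_false_positive" in the sample data.

```javascript
// Added example: lint sys_choice rows for the outcome_type -> outcome dependency.
// Assumption: rows carry the sys_choice columns name, element, value, dependent_value, inactive.
const TABLE = "sn_si_task"; // assumed table name, from the view rule URL on this page

function lintOutcomeChoices(rows) {
  const active = rows.filter(r => r.name === TABLE && String(r.inactive) !== "true");
  const types = new Set(active.filter(r => r.element === "outcome_type").map(r => r.value));
  const outcomes = active.filter(r => r.element === "outcome");
  const findings = [];
  const seen = new Set();    // "dependent_value|value" pairs already encountered
  const covered = new Set(); // outcome types that have at least one valid choice

  for (const o of outcomes) {
    const dep = (o.dependent_value || "").trim();
    if (!dep) {
      findings.push({ issue: "missing_dependent_value", value: o.value });
    } else if (!types.has(dep)) {
      findings.push({ issue: "unknown_outcome_type", value: o.value, dependent_value: dep });
    } else {
      covered.add(dep);
    }
    const key = dep + "|" + o.value;
    if (seen.has(key)) findings.push({ issue: "duplicate_choice", value: o.value, dependent_value: dep });
    seen.add(key);
  }
  // An outcome type with no choices gives the analyst nothing to select.
  for (const t of types) {
    if (!covered.has(t)) findings.push({ issue: "outcome_type_without_choices", value: t });
  }
  return findings;
}

// Constructed sample rows (not exported from a real instance).
const sampleRows = [
  { name: TABLE, element: "outcome_type", value: "yes_no" },
  { name: TABLE, element: "outcome_type", value: "accept_reject" },
  { name: TABLE, element: "outcome_type", value: "true_false_positive" }, // hypothetical type
  { name: TABLE, element: "outcome", value: "yes", dependent_value: "yes_no" },
  { name: TABLE, element: "outcome", value: "no", dependent_value: "yes_now" }, // typo
  { name: TABLE, element: "outcome", value: "accept", dependent_value: "accept_reject" },
  { name: TABLE, element: "outcome", value: "reject", dependent_value: "" },
];

console.log(lintOutcomeChoices(sampleRows));
```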

 

Form rendering:

For outcome-driven response tasks it makes sense to show only the outcome field on the form and not the state field, so a separate view, "Outcome_driven_task", is created as shown in the image.
Screenshot 2023-10-06 at 12.21.39 PM.png

 

A view rule configuration is used to open this new view instead of the default view.

  • Classic UI View Rule Configuration:
    https://<<instance>>.service-now.com/sysrule_view_list.do?sysparm_query=tableSTARTSWITHsn_si_task&sysparm_view=
    Screenshot 2023-10-06 at 12.29.11 PM.png
  • Workspace UX View Rule Configuration:
    https://<<instance>>.service-now.com/nav_to.do?uri=sys_ux_view_rules_configuration.do?sys_id=eb12e802431021109a72e0ea78b8f230

    Screenshot 2023-10-06 at 12.32.09 PM.png

You can customise this further by adding new views for new outcome types and controlling them with view rules.

 

Last update: 10-06-2023 12:47 AM