MSIM Webinar Recording and Resources (Tips for Successful Deployment)

AntonioChallita · ‎12-14-2023

Dear SecOps Community Members,

On December 7th, 2023 we presented a webinar on Major Security Incident Management (MSIM) - Tips for Successful Deployment. For those of you who could not make it, we covered the following topics:

Overview of MSIM
Benefits of using Chat channels, SharePoint folders, Visual Task Boards and Status Reporting
Primary steps for configuring MSIM (both ServiceNow and Azure) - Hands on!
Partnering with Azure Admins for Teams and SharePoint configuration
Preview of Enhancements coming 1Q 2024 (Conference calling, status reporting, and more)

Here’s the link to the recording, for you to watch and/or share with your colleagues:

Also attached is the 2-page pdf covered in the webinar that explains more about the permissions used by MSIM on Microsoft Azure, and why MSIM follows the least privilege principle. Feel free to share this document with your Microsoft Azure admins.

The Q&A from the webinar is also available and posted below.

Wishing you a Happy Holiday season and a fantastic year ahead in 2024!

Sincerely,

Antonio

Question	Answer
When we configure only Teams in MSIM and got all the API permissions in the App on Azure graph, we were getting an error on the Flow designer of SI to MSI as it validates if both connections are successful	Flow designer “SI to MSI” will check the configuration for each of them If one exist then it continue to create the required subfolders/channels related to it. For the active configuration it will continue create as per the configuration and the same will appear on MSI at workspace. Flow designer displays information which says if one of them is not active but it wont stop us from using it
Are configurations in MSIM changed by end users or Admins?	If you are referring to the changes that can be made to the MSIM Overview Tab or Visual Task Board, those are typically handled by a ServiceNow admin, or an MSIM admin (as opposed to an end user). Configuring the UI Builder (UIB) to modify Overview or anyother tab on MSI workpsace can be done by System Administrator.
Is the functionality of collaboration with MS Teams and MS SharePoint within MSIM workspace dependent on each other? For example, will I be able to only complete configuration for collaboration with MS Team and use the chat feature within MSIM workspace ?	You configure either Teams or Sharepoint and use them independently. MSIM does not require to have both configured. If Teams is configured then Collaboration tab will be shown only with Teams component with empty space at sharepoint component and vice versa.
Currently what is the key feature after collaboration with Teams ? We can initiate a Teams chat window from MSIM workspace including the required people who would then get a notification of that text on their Teams application ?	MSIM enables you to: 1) Pre configure what channels are created based on MSI incident field parameters 2) Define which users or groups can be part of those pre configured channels 3) Create the channels from workspace 4) Add users directly from the workspace for existing channels as well 5) Any chat conversation which is happened in those channels will get displayed on “Activity Stream” of Collaboration tab 6) Even if someone modifies their message you can know the initial message and modified text 7) The Collaboration Tab has filters to read messages time. You can add messages to the timeline for tracking.
As per the latest MSIM Quick start guide that is for Vancouver it says on Page 6, that we would require on Azure - delegated permission 'sites.readwrite.all' for Microsoft Graph and application permission 'sites.fullcontol.all' for sharepoint. However in the session today it was recommended to have application permission 'sites.selected' with fullcontrol. Could you please confirm on this?	We have modified the required permissions in the upcoming February 2024 release, and have updated the Quick Start Guide (QSG) in December 2023 with the new permission. Please refer to the latest version of the QSG from the Store for the latest required permissions: https://store.servicenow.com/sn_appstore_store.do#!/store/application/d591deb12806201057b7a6460e6132...
How does enabling MSIM going to impact the admin role in production. We have not included sn_si.admin under admin	Currently system admin does not inherit any of the MSIM roles. In the coming releases we plan to add the system admin as an MSI admin.
Can you have predefined ms teams chat groups rather than needing to pick individuals each time?	Yes, you can define chat "groups" (rather than individual people) while configuring your chat channels. This can be done from MSIM configuration by navigating to "Channel Templates".
Bit of a Tangent, but you mention G Suite. Is there today any integrations with Google Chat?	Google Chat is on our Roadmap
"Any table record" by this you mean even a VIT/VUL can be escalated as MSIs? Just curious!	For VUL record we have already configured OOTB; Currently both VUL record and VUL Assessment record can promote/propose MSI record
Can the update set included into store release by default?	Yes update set is available as KB article and it is mentioned in the QSG which is linked on the Store
Can we define workflows that run against MSI items? Tasks that occur only on major incidents, like specific reporting items, etc.	Yes, ServiceNow is an open platform. This can be done.
Would will the Quick Start Guide be share with us?	Yes QSG is part of store you can find it under supporting documents here: https://store.servicenow.com/sn_appstore_store.do#!/store/application/d591deb12806201057b7a6460e6132...
Will there be Playbooks for MSI as exists for SIR?	Currently Playbooks exists in SIR for Standard incidents (which can be linked to a major incident). No playbooks exist specifically for MSIs. We'll evaluate your feedback for inclusion on the Roadmap.
We have a dilemma over some functionality in the Major Incident module. After creating a security incident, we have two options. The first is to Promote a Major Security Incident, and the second is to Propose a Major Security Incident. The first option works well, and the incident appears in the Accepted section of the Major Security Incidents module. The second option works only partially. After proposing a security incident, a Major Security incident is created and appears in the Proposed section. The issue is two buttons in the incident view: “Promote to Major Security Incident” & “Reject as Major Security Incident.” Clicking on each of those buttons doesn’t do anything. Do you know what could be wrong or if some configuration needs to be changed?	If your instance is on Vancouver, we have recently fixed it in our recent releases(November 2.2.5). Please log a case task if it doesn't work even after having latest release code. Hopefully no customizations made those actions. Please check the action definitions. If you are having difficulty troubleshooting, please create case with our support as Anil mentioned, we will assist you.
Is the folder structure for sharepoint and teams channels configurable per incident or what you set up in the configuration is the way it will be for each incident.	Refer step number 7 and 8 in QSG. You can write as many configuration records based on MSI incident field values and define the channel and folder permissions based on matching rule.
Regarding External participants, does that mean that we wouldn't be able to for example invite regulators into the incident call because they don't have an account in the instance?	Today, it is not possible to add user whose account is not present on the instance. We have raised enhancement request for this and working with platform team.
As per the Quick Start guide, to create a new certificate, we need to execute a PowerShell script. Is it doable only by Azure admins or app owners of the registered application can do it?	Both Azure admins or app owners can do this.
Can we accommodate external participants? i.e participants from outside organizations	live answered; If the participant is part of sys_user table in the instance then we can invite them over email; If the user record doesn't exist in the ServiceNow instance then we cannot invite them from the MSIM workspace
Might be good enhancement to create setup assistance as exists for other products	live answered: Guided Setup is being considered for MSIM roadmap
Is it possible easily to create tailored status reports?	Status Reports are fully configurable at both design time and run time at each and every section. Configuration is simple. In the Q1 2024 release we're making it more simpler and providing an option to share status reports over rich-text HTML emails.
Does the call get recorded and saved?	Yes, it gets recorded and you have an option on workspace to view the recording any time later..
Can we escalate MSIs directly from Sentinel?	live answered; No we cannot. We can escalate as MSI from an SIR security incident; If we have any entry in ServiceNow instance like security incident (or any table record) we can configure and escalate it as Major security incident. Refer to the MSIM “rollup framework” documentation for more information: https://docs.servicenow.com/bundle/vancouver-security-management/page/product/secops-integration-maj...
How are these major security incidents linked to SIRs? Can an SIR be escalated to a MSI?	An SIR can be proposed as a MSI (Major Security Incident) or promoted straight away. After an MSI record is created, additional SIRs can be linked to it.
To enable MSIM, does it impact existing SIR functionality. Can this be turned on immediately or does it need impact analysis for existing SIR module before we can turn it on?	live answered: MSIM is a separate application dedicated for major security incidents. It does not impact SIR functionality.