06-12-2020 12:31 PM
We are just getting involved in the Security Incident Response Module. Is there a best practice for setting up a user to create tags in this module? We have quite a large user base and I believe the concern is that it will get out of hand quickly. We are considering a specific group and role for this process. What have others done or what are suggestions? Thank you.
06-12-2020 01:34 PM
I think the confusion in this thread is that there are two "tags" in the security module. You have Security Tags and Tags that are present across the instance.
There is a stark difference. The left requires the sn_si.admin role to create. The one on the right is less familiar to me and it appears that anyone can make a tag on the fly. I know you can limit the general tag because our admin has it restricted, but I'm limited to SecOps and do most of my validation in my dev instance.
VVV I hope you found this helpful VVV
06-12-2020 12:40 PM
Hi,
Here is a link which will help you.
If it helps, please mark ✅ Correct and 👍 Helpful.
Warm Regards,
Milind
06-12-2020 12:43 PM
Thank you. However, I'm not sure I asked correctly. We have a large number of users and we are trying to limit the number of users that can create tags in the Security Incident Response module. I'm wondering if other companies have a best practice for this. Do you let everyone create tags? Are there ever duplicates entered? How are people managing the creation of roles and groups that are allowed to generate tags?
06-12-2020 12:53 PM
Hi Debbie,
The tags admin person can only create the tags. And the others can create only personal tags.
You cannot restrict creation of tags as the ACL won't apply to list layout of tags field so they can update the tags from list layout.
The answer to your question is NO as we cannot restrict creation of tags for users.
Please mark answer correct and helpful.
Thanks,
CB
06-12-2020 01:07 PM
Hi,
We had a discussion along the same lines recently with our SOC and CSIRT guys. These tags are decided by CSIRT and then used by SOC analysts when they work on security incidents.
So we have allowed only sec admins to allow the creation of tags and not everyone, so that governance is in place, the naming convention is followed and uniqueness is there.
So I will just go and have a good segregation of duties and adhere to it. Then it comes to security tag rules, which make use of these tags: the security admin creates the rule and makes sure the rule name reflects the tag usage properly.
Thanks,
Ashutosh
