How to set up Business Impact in the security incident response based on the CI value?

gthapa
Tera Contributor

Hello ServiceNow community, I am trying to auto-populate the Business Impact field in the Security incident response form, based on the Configuration items (CIs) field and the Tier value tied to the CI. Is there a way I can turn off rules or scripts which auto-trigger the Business Impact values? I am not sure what action to take to resolve this issue.


bsmolski
ServiceNow Employee

Hi @gthapa,

The Business Impact value is driven via Security Incident Calculator Groups. These groups are essentially just a collection of calculations with logic for when to trigger and what value(s) to set. Logic can be set via basic filter conditions or by script. The first calculator in the group with matching triggering logic for your Security Incident is applied and all other calculations are ignored.

 

This means you could find the relevant Calculator Group in your instance and add a new calculator higher up in the list that triggers based off your CI/tier logic, and all the other calculators setting a value for the Business Impact field will be ignored.

 

If you want to learn more about how these work, please consider looking into the Security Incident Response Implementation course on ServiceNow University, which can currently be enrolled for free on demand.

 

Hope that helps,

Brett

gthapa
Tera Contributor

Hi @bsmolski - thanks for sharing the information on the Security Incident Calculator group. So there is a Calculator group named Business impact which basically sets up a logic of applying risk score calculations using the 'Aggregate from severity calculators' which triggers from the GlideAjax run on the Script Include named 'SecurityCriticalityCalculator'.

 

So, if I deactivate this logic 'Aggregate from severity calculators' from the Business Impact calculator group and set up my own new calculator group with logic that defines the Business Impact field, will this create any nuance or issues for any rules or even impact any other fields' calculation logic?

Will this be the only way?


 

bsmolski
ServiceNow Employee

Hello @gthapa,

I can't comment on the nuance of your instance's business logic, but what I will say is you could theoretically keep your existing "Business Impact" Calculator Group and add a new record under the Security Incident Calculators related list with a higher Order number than the existing calculator. That new calculator with the higher Order number will be executed first if its triggering logic is matched against your current Security Incident and the "Aggregate from severity calculators" calculator will be ignored/skipped without you having to deactivate it.

 

One word of warning, the calculators can potentially change the values of multiple fields on your Security Incident. Meaning, the "Aggregate from severity calculators" calculator may be setting the value of more than just the Business Impact field. You'll need to carefully review the Script Include logic to fully grasp the consequences of deactivating the calculator.

 

Hope that helps,

Brett
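
The first-match behaviour and the multi-field warning described in the replies above, as an added example in plain JavaScript that is not part of the original thread and does not use any ServiceNow API. The calculators are listed in evaluation order (how an instance derives that order is not modelled), and every field name, tier name and value is a constructed assumption.

```javascript
// Plain-JavaScript model of a calculator group; not ServiceNow API code.
// Calculators are listed in evaluation order. All field names, tiers and
// values below are constructed for illustration.

function applyCalculatorGroup(calculators, incident) {
  // The first active calculator whose condition matches is applied;
  // every later calculator in the group is skipped.
  for (const calc of calculators) {
    if (calc.active && calc.condition(incident)) {
      return { applied: calc.name, fields: calc.values(incident) };
    }
  }
  return { applied: null, fields: {} };
}

// Stand-in for the existing calculator, assumed here to set two fields.
const aggregate = {
  name: 'Aggregate from severity calculators',
  active: true,
  condition: () => true,
  values: (inc) => ({ business_impact: inc.severity, risk_score: inc.severity * 20 }),
};

// Hypothetical new calculator driven by the CI tier; sets only business_impact.
const TIER_TO_IMPACT = new Map([['tier1', 1], ['tier2', 2], ['tier3', 3]]);
const ciTier = {
  name: 'Business impact from CI tier',
  active: true,
  condition: (inc) => TIER_TO_IMPACT.has(inc.ciTier),
  values: (inc) => ({ business_impact: TIER_TO_IMPACT.get(inc.ciTier) }),
};

// Fields the old first match would have set that the new first match does not.
function fieldsNoLongerSet(before, after, incident) {
  const old = applyCalculatorGroup(before, incident).fields;
  const now = applyCalculatorGroup(after, incident).fields;
  return Object.keys(old).filter((f) => !(f in now));
}

const incident = { severity: 2, ciTier: 'tier1' }; // constructed sample
const noCi = { severity: 3, ciTier: null };        // constructed: no tiered CI

console.log(applyCalculatorGroup([ciTier, aggregate], incident));
console.log(fieldsNoLongerSet([aggregate], [ciTier, aggregate], incident));
console.log(fieldsNoLongerSet([aggregate], [ciTier, aggregate], noCi));
```

Running the same comparison against the fields your real calculators set shows which values a new, narrower calculator would stop populating once it matches first.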

gthapa
Tera Contributor

Thanks @bsmolski. This was truly helpful.