Is it possible to reopen a Security Incident Response (SIR) record?
3 weeks ago
Hi community, I wanted to ask whether anyone has experience reopening a Security Incident Response (SIR) record and if so, how you approached it.
I'm currently working on a UI Action to handle this, but even when I attempt to change the state programmatically, the SIR doesn't actually reopen. The state field seems to update, but the record doesn't behave as expected after the change.
Has anyone run into this before? Any tips, workarounds, or things I might be missing would be greatly appreciated. Thanks in advance!
- Labels: Security Incident Response
3 weeks ago
It’s not that the record is still “closed” behind the scenes; the state field does change.
The issue is that SIR has lifecycle logic tied to closure (flows, BRs, tasks, UI policies), and changing the state alone doesn’t undo any of that. So you end up with a record in an open state, but with all the closure side effects still applied. So if you are creating any UI action, it should handle that logic, not just flip the field.
3 weeks ago
From a product and tech debt point of view, it is not recommended to re-open tickets. Like Mujeebqasimi responded, you will need to evaluate and handle each case of the SIR Incident closure logic to make sure it is re-opening correctly.
Generally, I try to have the business users address this through business process changes such as creating another security incident to then link to the original one that was closed prematurely.
3 weeks ago
Reopening a Security Incident Response (SIR) record in ServiceNow is generally discouraged as a best practice.
When a SIR is closed, it triggers a range of lifecycle processes—such as workflows, business rules, and UI policies—that are designed to fully conclude the record.
Simply changing the state field programmatically doesn’t truly restore the record, because those underlying processes remain completed and are not automatically restarted.
If you still need to implement a UI Action for reopening, here are some key challenges:
1. Closure Logic Still Applies
Even if you update the state, the record can continue to behave as closed. This happens because the original closure event has already executed all related workflows, tasks, and automation.
2. Impact on Processes and Metrics
Reopening incidents can distort reporting data, such as closure rates and trends. It may also interfere with SLA tracking, leading to inaccurate performance metrics.
3. Read-Only Constraints
Once a SIR is closed, many fields become locked due to Data Policies or ACL rules tied specifically to the closed state, making further updates difficult even after changing the state.
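The replies above describe a record that sits in an open state while its closure side effects remain. The following is an added example, not code from this thread or from ServiceNow: a consistency check over records exported as plain objects (for instance from the Table API) that lists such leftovers. The closed-state values `3` and `7` and the sample data are assumptions; `active`, `closed_at` and `closed_by` are base task fields and `stage` is the `task_sla` stage field.

```javascript
// Assumed state values for closed/cancelled; confirm against the choice list on your instance.
const CLOSED_STATES = new Set(["3", "7"]);
// The Table API returns booleans as the strings "true"/"false".
const isTrue = (v) => String(v) === "true";

// incident: one security incident row; tasks: its response tasks; slas: its task_sla rows.
function findClosureResidue(incident, tasks = [], slas = []) {
  const findings = [];
  // A record that is still closed is consistent with its closure data.
  if (CLOSED_STATES.has(String(incident.state))) return findings;

  if (!isTrue(incident.active)) {
    findings.push("active is false on a record in an open state");
  }
  for (const field of ["closed_at", "closed_by"]) {
    if (incident[field]) findings.push(`${field} is still populated`);
  }
  // If every child task is inactive, nobody has work assigned on the reopened record.
  if (tasks.length > 0 && tasks.every((t) => !isTrue(t.active))) {
    findings.push(`all ${tasks.length} response tasks are inactive`);
  }
  // A completed or cancelled SLA does not time the reopened work.
  for (const sla of slas) {
    if (sla.stage === "completed" || sla.stage === "cancelled") {
      findings.push(`SLA ${sla.sla} is in stage ${sla.stage}`);
    }
  }
  return findings;
}

// Constructed sample: state flipped back to an open value, everything else untouched.
const flippedOnly = {
  state: "16", active: "false",
  closed_at: "2024-05-01 10:00:00", closed_by: "constructed_user_id",
};
const flippedTasks = [{ number: "SIT0000001", active: "false" },
                      { number: "SIT0000002", active: "false" }];
const flippedSlas = [{ sla: "Constructed response SLA", stage: "completed" }];

for (const finding of findClosureResidue(flippedOnly, flippedTasks, flippedSlas)) {
  console.log("residue:", finding);
}
```

An empty result means only that these particular fields are consistent; flows, business rules and ACLs tied to closure still need their own review.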
