Hey there - Here's a way to report on both, applied Security Tags, as well as Security Tag Groups...
Within the the SIR Application, they give us a neat Table that creates a record, every time a Security Tag is applied to a record.
- Table = sn_sec_cmn_applied_security_tag
- What's cool here, is you can perform a "Group by" on the Security Tag
- This is because, each row, represents one Tag -> so the Group by is supported
- Unfortunately, we cannot dot-walk to fields and their values, for a given SIR record that a Security Tag was applied to
If we want to be able to create Reports to consume data from SIR records, and Group them by Security Tags, we can create a Database View to accomplish this.
- A database view in ServiceNow, essentially joins two (or more) tables together
- Reference -> Create a database view
Here's an example of approaching this:
- You want to perform this in the "Security Incident" App Scope
- Navigate to [Database Views] in the App Nav
-
- Create a new record here (a new DB View)
- In this DB View our goal is to join two tables together:
-
- [sn_si_incident] - SIR Table
- [sn_sec_cmn_applied_security_tag] - Applied Security Tags table
- We can join these tables by using the {sys_id} of the SIR record, and {record_id} of the Applied Security Tag record
- Now, you can consume data from this Database View to ask questions like:
- -> Show me SIR records created in the past 3mo, with Category = Privilege Escalation -> and *Group them by Security Tags
Consuming Database View (Grouping SIRs, by Applied Security Tag):
Setting Up Database View (Join SIR Table and Applied Security Tags Table)
Creating Reports Using your DB View
Additional thoughts to consider:
After you get going with the DB View - keep in mind that if an SIR has more than one Security Tag applied, it will show up more than once in the results returned (you'll get one record, per instance of the Security Tag being applied).
Depending on who will need access to these reports, there may need to be some ACL entries introduced so that users can <read>, based on the ServiceNow `roles` they have.
Hey there - Here's a way to report on both, applied Security Tags, as well as Security Tag Groups...
Within the the SIR Application, they give us a neat Table that creates a record, every time a Security Tag is applied to a record.
- Table = sn_sec_cmn_applied_security_tag
- What's cool here, is you can perform a "Group by" on the Security Tag
- This is because, each row, represents one Tag -> so the Group by is supported
- Unfortunately, we cannot dot-walk to fields and their values, for a given SIR record that a Security Tag was applied to
If we want to be able to create Reports to consume data from SIR records, and Group them by Security Tags, we can create a Database View to accomplish this.
- A database view in ServiceNow, essentially joins two (or more) tables together
- Reference -> Create a database view
Here's an example of approaching this:
- You want to perform this in the "Security Incident" App Scope
- Navigate to [Database Views] in the App Nav
-
- Create a new record here (a new DB View)
- In this DB View our goal is to join two tables together:
-
- [sn_si_incident] - SIR Table
- [sn_sec_cmn_applied_security_tag] - Applied Security Tags table
- We can join these tables by using the {sys_id} of the SIR record, and {record_id} of the Applied Security Tag record
- Now, you can consume data from this Database View to ask questions like:
- -> Show me SIR records created in the past 3mo, with Category = Privilege Escalation -> and *Group them by Security Tags
Consuming Database View (Grouping SIRs, by Applied Security Tag):
Setting Up Database View (Join SIR Table and Applied Security Tags Table)
Creating Reports Using your DB View
Additional thoughts to consider:
After you get going with the DB View - keep in mind that if an SIR has more than one Security Tag applied, it will show up more than once in the results returned (you'll get one record, per instance of the Security Tag being applied).
Depending on who will need access to these reports, there may need to be some ACL entries introduced so that users can <read>, based on the ServiceNow `roles` they have.
