Security incident response question

Srikanth Rayar1
Tera Contributor

We would like to know which fields, if any, are also changed in the child SIRs when they are changed in a parent SIR.

It is just a question to understand the relationship between parent and child SIRs.
Could you please help me with this?

1 ACCEPTED SOLUTION

Brad W1
ServiceNow Employee

Hi Srikanth,

All work notes recorded in the parent are propagated to any active children in Activities under the Incident Details tab. When a parent is closed or canceled, any active children are also closed or canceled. Any active Response Tasks on the child incident(s) are canceled. If there are no other open Tasks, the child incident is closed. When closed, the Post Incident Interview records the closure and the information found on the Closure Information tab is propagated from the parent to the children.

https://docs.servicenow.com/csh?topicname=perform-addtl-tasks-on-si.html&version=latest

Also a nice feature, if you install the Security Incident Response Spoke, is the Child Security Incident Automation Playbook. It rolls up the affected users and CIs to the parent security incidents, adds observables from the child incident to the parent security incident, and closes or cancels the child security incident when the parent security incident is closed. You will need to enable this Flow or copy and create your own.

https://docs.servicenow.com/csh?topicname=cj-sir-flow-library4.html&version=latest

 

- Brad

5 REPLIES

Fatih Karacaer
ServiceNow Employee

Hi Srikanth,

Out of the box, only the work notes and the close/cancel states are propagated to the children. The business rules on the sn_si_incident table below take care of these actions.

Some organisations configure their systems for other fields like Assigned_to, Assignment_group, Category, and Subcategory. It is reasonable to go in that direction to a certain extent. And the playbook Brad shared above is very useful for that.


This is helpful. One of the main things we wanted to understand was if any of the other fields were changed in a parent, if their corresponding field in the child tickets would change, too. For example, Incident Category, Detection Source, Impacted Region, etc.

Could you please share how to copy the assigned_to field from SIR parent to child?
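
The replies above note that some organisations extend parent-to-child propagation to fields such as Assigned_to, Assignment_group, Category and Subcategory. One way such a business-rule script could look, as an added example (not ServiceNow's out-of-box rule and not code posted by anyone in this thread). Assumptions: the child-to-parent reference field name `parent_security_incident`, the hypothetical function name `propagateToChildren`, and passing the GlideRecord constructor in as a parameter so the logic can be exercised outside an instance.

```javascript
// Added example; not ServiceNow's out-of-box business rule.
// Allow-list of fields pushed from parent to child (field names from the thread).
var PROPAGATED_FIELDS = ['assigned_to', 'assignment_group', 'category', 'subcategory'];
// ASSUMPTION: name of the reference field on a child that points to its parent.
var PARENT_REF_FIELD = 'parent_security_incident';

// Copy allow-listed fields that changed on the parent to its active children.
// GR is the GlideRecord constructor, injected so the logic also runs off-platform.
// Returns the number of child records that were actually updated.
function propagateToChildren(current, GR) {
    var changed = PROPAGATED_FIELDS.filter(function (f) {
        return current.getElement(f).changes();
    });
    if (changed.length === 0) return 0; // nothing relevant changed, skip the query

    var updated = 0;
    var child = new GR('sn_si_incident');
    child.addQuery(PARENT_REF_FIELD, current.getUniqueValue());
    child.addActiveQuery(); // closed or cancelled children keep their values
    child.query();
    while (child.next()) {
        var dirty = false;
        for (var i = 0; i < changed.length; i++) {
            var value = current.getValue(changed[i]) || ''; // cleared on parent -> clear on child
            if ((child.getValue(changed[i]) || '') !== value) {
                child.setValue(changed[i], value);
                dirty = true;
            }
        }
        if (dirty) { child.update(); updated++; } // avoid no-op updates and audit noise
    }
    return updated;
}
// On an instance, call propagateToChildren(current, GlideRecord) from an
// after-update business rule on sn_si_incident.
```

Keeping the field list as an explicit allow-list means child-specific triage data is only overwritten for fields the team has agreed to synchronise.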