Security Incident Closure workflow
- UpdatedAug 1, 2024
- 3 minutes to read
- Xanadu
- Security Incident Response
Close the security incident by updating the incident state.
Before you begin
Role required: sn_si.analyst
Procedure
-
Perform the closing activities.
This is a mandatory step to review any task before closing a security incident. Any response tasks must be reviewed by the analyst and closed or canceled before closing as security incident. When the Analyst clicks on Review active tasks, it takes the user to the Response Tasks tab. A session message is displayed prompting that you are in the process of closing a security incident. Click continue.
- Click Continue. The first step – review active tasks in closing the security incident is complete.
Figure 1. Reviewing closure tasks 
- Move to the next step to review the active playbooks for the analyst to review, which is an optional step. You can click the link to review the active playbook task and close them as required. Note: Any active workflow(s), playbook activities, and flows will be automatically cancelled on closure of the security incident.
Figure 2. Review playbook tasks 
- Post-incident review report: You will now be moved to review the post-incident activities to proceed further with the closure. If the assessment is optional then skip the step or if the assessment is mandatory then
take the assessment and complete it.
Figure 3. Review/Take assessment 
- Configure/preview report: This is again an optional step, click the link to review report and proceed to Next step.
- Provide Resolution details: The analyst can select the check box to create knowledge articles automatically.
- Provide the Closure code, Closure notes and click Close incident.
Note: By any chance if the analyst cancels the Close the security incident dialogue box, then the analyst can navigate to the Details tab and change the incident state to close to continue with the closure.
Related Content
- Working with Security Incident Records
The Security Incident Record consists of the following.
- Security Incident Playbook
Invoke the security incident playbook flow automatically or manually.
- Prerequisites for the Playbooks
You need the following roles and plugins to build the Playbooks.
- Rebuilding existing playbooks in Workflow Studio
You can’t convert existing flows directly into playbooks in Workflow Studio. Each flow designer step that creates a response task to guide the analyst must be broken down into separate actions or subflows.
- Activity Definitions
The ServiceNow AI Platform provides a few activity definitions within the base system. In addition, for the playbooks that SIR Workspace base system, there are a few activity definitions defined in the base system under Enterprise Security Case Management PAD Commons application.
- Sample Playbooks for SIR Workspace
You can create or configure playbooks for SIR Workspace quickly and easily without writing complicated code. You can use these playbooks to resolve security threats in a step-by-step manner. You can invoke the security incident playbook flow automatically or manually.
- Working with MSI Records
Using the Security Incident Response workspace, you can propose, promote, or link security incidents as major security incidents when the incidents are identified as critical threat to the organization.
- Working with Form UI actions
Following are the UI actions that are displayed on the security incident form.
- Handle security incidents using AWA
Using AWA, security analysts can handle the security incidents assigned to them, which are available in the inbox folder of SIR Workspace.