Security Incident Response - Get Running Services Flow

  • Release version: Xanadu
  • Updated August 1, 2024
  • The Security Incident Response - Get Running Services Flow retrieves a list of running services from Windows-based ServiceNow configuration items (CIs). This flow is used for incident enrichment during investigations.

    Before you begin

    Role required: sn_si.analyst

    About this task

    The Security Incident Response - Get Running Services Flow runs automatically when you add a new configuration item to a Windows security incident after the state changes to Analysis. The information this flow obtains appears on the Show Enrichment Data tabs for the security incident.

    Note:
    If the security incident remains in the Draft state, the Security Incident Response - Get Running Services Flow does not run.
    The flow activities include:
    [Figure 1. Get Running Services: Security Incident Response - Get Running Services flow diagram]

    Procedure

    1. Open a security incident.
    2. Update the State to Analysis, if necessary.
    3. Add a Windows-based configuration item (server, laptop, or similar).
    4. Click Update.
      Security Incident Response provides running services information in the Related Links > Security Incident Enrichments tab. For more information, see Security Operations enrichment data mapping.