Security Incident Malicious Software workflow template

  • Rversion finale: Australia
  • Mis à jour 12 mars 2026
  • 1 minute de lecture

    • The Security Incident - Malicious Software - Template allows you to perform a series of tasks designed to handle malicious software on your network.

    Avant de commencer

    Role required: sn_si.write

    Pourquoi et quand exécuter cette tâche

    The workflow is triggered when the Category in a security incident is set to Malicious Software. This action causes a response task to be created for the first activity in the workflow.

    Figure 1. Malicious Software
    Malicious Software workflow template

    Procédure

    1. Open the security incident for this potential attack, or create a new security incident.
    2. In Category, select Malicious code activity.
    3. Save the record.
    4. Scroll down and open the Response Tasks related list.
      The first of a series of response tasks appears. Each time the record is saved, your response to the previous task either causes the next response task to be created or the workflow to end.
      Tableau 1. Response tasks in Malicious Software Template
      Response task Action Results
      Scan Endpoint - Malware Found? After running a scan, determine whether malware was found.

      In the task, select Yes or No in Outcome.

      		 If you select Yes, the Remove Malware - Success? task is executed.

      If you select No, the flow ends.
      Remove Malware - Success? Determine whether the malware was successfully removed.

      In the task, select Yes or No in Outcome.

      		 If you select Yes, the Was there a larger breach? task is executed.

      If you select No, the Wipe & Reimage task is executed.
      Wipe & Reimage If you did not successfully remove the malware found, this task instructs you to perform a wipe and reimage on the computers infected with the malware. After the task is complete, the Set State to Review task is executed.
      Was there a larger breach? Determine whether the breach caused by the malicious software is larger than first believed.

      In the task, select Yes or No in Outcome.

      		 If you select Yes, the following tasks are executed in parallel:
      • Legal Review
      • HR Review
      • Law Enforcement Review

      If you select No, the flow ends.
      Legal Review

      HR Review

      Law Enforcement Review

      		 Perform the steps necessary for each of these departments to review the process you followed to eradicate the malicious software. When the tasks are complete, the Set State to Review task is executed.
      Set State to Review No action required. The State of the security incident is changed automatically to Review, and the flow ends.