Example 3: Add specific runtime details inputs to an implementation: Run Additional Actions

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 5 minutes
  • Add specific runtime details inputs to an implementation, Run Additional Actions.

    You can run the Run Additional Actions integration capability action from the Investigation tab of the SIR Workspace.

    1. On the Investigation tab, navigate to the Entry Points Lists section displayed on the left side of the page.
    2. Select the respective entry point and run the integration capability action.
      Note:
      You can also navigate to the Related Records tab on the workspace to run the integration capability action.

    Add specific inputs to an implementation

    Add specific runtime inputs for each selected implementation, as applicable.

    Before you begin

    Role required: sn_si.analyst

    The available implementations are listed. After you select one or more implementations, only the supported records are submitted against each selected implementation.

    Procedure

    1. Navigate to Workspaces > Security Incident Response Workspace.
    2. Open any security incident.
    3. Go to the Investigation tab of the workspace.
      The Investigation tab with the entry point lists is displayed.
    4. Select the configuration item from the entry point list.
      For example, select the Configuration Item entry point list. The corresponding configuration item records are displayed.
      Figure 1. Select Configuration Item
    5. Select any Configuration Item.
    6. Navigate to the related lists drop-down that is displayed at the top of the page.
      For a security incident configuration item (CI), the drop-down list contains the following capability actions. The listed CI actions collect the results and store them as enrichment data on a security incident:
      • Get file: This capability performs the action to get files with a specific hash value or a file name.
      • Isolate Host: This capability restricts system connections to other devices.
      • Get Host Details: This capability retrieves the host details, details of logged-in users, and other enrichment capabilities.
      • Run Additional Actions: This capability runs the additional actions beyond the standard actions.
      • Get Network Statistics: This capability retrieves the network statistics for an affected resource.
      • Get Running Process: This capability retrieves a list of running processes on a configuration item (CI) from a host.
      • Get Logged on Users: This capability gathers the data of logged on users and relates it to the security incident.
    7. Select Run Additional Actions to perform the threat intel related integration capability action.
      The Run Additional Implementations modal dialogue box is displayed.
    8. Select one or more implementations from the list.
    9. Click Next.
      You are taken to the next step, where you add the runtime details.
    10. Enter a comment to associate with the action.
    11. Click Submit.
      After the selected records are submitted, a message is displayed that the Additional Action request is being executed. Also, the respective implementation action progress is displayed in the Activity section.
    12. View the results from the EDR related list section.