Automatically generate the next steps your analysts can take to help them close a security incident in the Security Incident Response Workspace. The recommended steps are based on existing security incidents and knowledge articles.
Before you begin
Recommended next steps work for active security incidents in any state other than Closed or Cancelled.
The AI Search application must be enabled so that the Recommended Actions skill works for security incidents. To verify AI Search is enabled on your instance, navigate to . Contact support if the page indicates AI Search is not enabled.
Roles required: sn_si.analyst, sn_si.manager, or sn_si.basic
Procedure
1. Navigate to and open a security incident that is assigned to you.
2. Select the Recommended Actions icon in the contextual sidebar.
3. Select Get recommendations.
4. In the Check AI generated content modal, select I acknowledge.
   Generated recommended actions are displayed in cards. Up to four references for the actions are displayed at the top. These references can be any combination of knowledge articles (KB) or security incidents (SIR#).
5. In a card, choose one of the following options.

   | Option | Description |
   |---|---|
   | View details | View the details for this remediation action. |
   | Save to work notes | Review the work notes, optionally edit them, and then save them to the work notes of the security incident. |
   | Select a Reference link | View the security incident or the knowledge article used as the source for these actions. |

   Note: Click the Show More button to view the recommended actions in chronological order, guiding security analysts through the next best steps for analyzing and investigating the security incident.
6. Optional: Select the refresh icon in the Recommended actions panel to regenerate the recommended actions.
   The recommended actions remain cached for one hour. You might choose to refresh the recommended steps if:
   - You believe information related to the security incident has changed since the last time you generated the actions.
   - You leave the page, log out, log back in, and return to the security incident within one hour.
   After one hour, you must regenerate the actions, starting with step 3, to view them again.
7. Optional: Click the Helpful or Not helpful icon to share your feedback on the recommendations.
   Note: If you mark a recommendation as Not helpful, you have the option to add detailed feedback, which helps improve the quality of future recommendations.
8. Optional: Create a response task from the recommended actions.
   By default, the workflow provides you with the option to save the recommended actions to work notes from the cards. If you want the option to create a response task from an action card instead of saving the actions to work notes, you must change the Value field of the SecOps Recommended Action [sn_sec_ra.card_action_config] system property.
   a. As a user with the Security Incident Manager role [sn_si.manager], navigate to sys_properties.LIST.
   b. Locate the SecOps Recommended Action [sn_sec_ra.card_action_config] system property and open the record.
   c. Change the Value from share_to_work_notes to create_task.
   d. Save the record.
   e. Return to the security incident record and refresh the page.
      The action cards now provide you with the options View details and Create response task.
   f. Select Create response task on a card.
      A new tab opens in the workspace. The Short description and the Description fields are populated automatically from the details on the recommended action card you selected.
   g. Edit the form as needed, then select Save to create the response task.
   Until you change the Value on the system property, the two options on any recommended actions you generate remain View details and Create response task.