Components installed with Security Incident Response
Several types of components are installed when you download and activate the Security Incident Response application, including user roles, tables, properties, and scheduled jobs.
Demo data is available for this feature.
Properties installed
Users with the System Administrator [admin] role can view the properties. Users with the Security Administrator [sn_si.admin] role can modify them.
| Property [name] | Usage |
|---|---|
| The default category nodes that are displayed in the Relationship Graph tab within the Workspace. The default values represent the table names corresponding to the related records. [sn_si_aw.defaultCategories] | |
| Default start time for all agents when no schedule is set, formatted as 08:00 [sn_si.default.start.time] | |
| Default end time for all agents when no schedule is set, formatted as 17:00 [sn_si.default.end.time] | |
| Include Destination type observables along with other context type observables in the security incident user and CI relationships [sn_si.link_dest_ip] | Determines whether a security incident observable with a context type of Destination is displayed under the Configuration Items or Affected Users tabs. By default, observables with a Destination context type are excluded. To include the observables, choose Yes. |
| Allow customization when creating a Problem or Change Request from a Security Incident [sn_si.popup] | When a problem or change is created, this property opens a pop-up window to modify the request. If this property is set to false, the problem or change request has the same priority, short description, and description as the security incident, without the option to add or edit those fields. |
| Associate Sightings Search results with CIs in the CMDB. [sn_si.associate_ci_with_sighting_search] | When set to true, sightings search results include associated configuration items that are in your CMDB. |
| Risk score in the range is highlighted green, formatted as 0-49 [sn_si.risk.score.green] | In the Security Incidents list, security incidents with a risk score between 0 and 49 are marked with a green dot. |
| Risk score in the range is highlighted orange, formatted as 50-79 [sn_si.risk.score.orange] | In the Security Incidents list, security incidents with a risk score between 50 and 79 are marked with an orange dot. |
| Risk score in the range is highlighted red, formatted as 80-100 [sn_si.risk.score.red] | In the Security Incidents list, security incidents with a risk score between 80 and 100 are marked with a red dot. |
| This parameter enables or disables Sightings Search Configurations that have implemented this feature. [sn_si.enable_sighting_search] | When set to true, sightings searches can be performed on activated integrations. |
| The number of rows of raw data that are saved when a Sighting Search is performed. Range 0-100 [sn_si.sighting_search_raw_data_rows] | This property defaults to 50 rows of raw data. Half of the result rows are reported from the beginning of the search time frame and half from the end of the search time frame. So, if you select 50 rows, 25 come from the start of the search time frame and 25 from the end. |
| Automatically advance the Incident State to Contain when a Response Task advances to Work In Progress [sn_si.rollup_task_state] | While using flows or workflows, consider setting this property to false. This enables you to control the Incident State from within flows or workflows, and it helps avoid conflicts while transitioning from one incident state to another. |
| Assignment properties for Security Incident Response | |
| Location Weight [sn_si.location.weight] | A rating used when calculating the criteria for auto-assigning a security analyst. If, for example, location is considered for a task, the location weight value is added to the security analyst rating. |
| Skills Weight [sn_si.skills.weight] | A rating used when calculating the criteria for auto-assigning a security analyst. If, for example, skills are considered for a task, the skills weight value is added to the security analyst rating. |
| Set the maximum number of security analysts to be processed by auto-assignment at a time [sn_si.max.agents.processed] | The system has an absolute limit of 300 security analysts. If you specify more than 300, the value is set to 300. The system cannot auto-dispatch a task for a dispatch group that contains more security analysts than the configured value. |
| Time Zone Weight [sn_si.timezone.weight] | A rating used when calculating the criteria for auto-assigning a security analyst. If, for example, the security analyst time zone is considered for a task, the time zone weight value is added to the security analyst rating. |
| Amount of time (in minutes) to add between the end of a task and the travel start of the next. [sn_si.work.spacing] | An example of a valid time value is 10. |
| Specified journal fields containing code tags that render content as HTML. [sn_si.journal_field.html_enabled] | |
| Calculate the Impacted services in background. [sn_si.refresh_impacted.event] | The Affected Services/Impacted CIs related list is generated through events. When enabled, the refresh runs in the background and security tags are added to the incident. Set the value to true to perform the operation in the background. |
| Retrieve the critical service from pre-calculated data. [sn_si.critical_service.calculator.use_cache] | Enables the critical service calculator to use pre-calculated data for configuration items. Set the value to true to look up from pre-calculated data. |
Roles installed
| Role title [name] | Description | Contains roles |
|---|---|---|
| Security Incident Administrator [sn_si.admin] | Full control over all Security Incident Response data. Also administers territories and skills, as needed. Note: In the base system, the administrator also has access to sn_si.admin. Security Incident Response can be restricted from the administrator as long as at least one other user is assigned the security administrator role. | |
| Profile Admin [sn_si.ingestion_profile_admin] | Configure the plugins, and create, edit, delete, and manage profiles for the Splunk, Splunk ES, and Azure Sentinel Integration for Security Operations application. Note: Users with the sn_si.admin role can perform all operations available to a Profile Admin, as the sn_si.admin role inherits the required permissions by default. The sn_si.ingestion_profile_admin role is assignable to users by the sn_si.admin. | N/A |
| Security Incident Analyst [sn_si.analyst] | Manage security incidents. Underlying role for basic Security access. Users with this role can create and update security incidents, requests, and tasks, as well as problems, changes, and outages related to their incidents. | |
| Security Incident Basic [sn_si.basic] | Underlying role for basic Security access. Users with this role can create and update security incidents, requests, and tasks, as well as problems, changes, and outages related to their incidents. | |
| Chief Information Security Officer (CISO) [sn_si.ciso] | View and manipulate the CISO dashboard. Also, if the Vulnerability Response plugin is activated, users with this role can add vulnerability significance definition treemaps to the dashboard. You can also do the same with the Security Incident Response plugin. | |
| Security Incident External [sn_si.external] | View any security incidents that belong to their particular group. Note: The following two rules are applicable throughout ServiceNow irrespective of scoped admin or scope app. | service_fulfiller |
| Security Incident Integration User [sn_si.integration_user] | External tools can provide new security incident records and update security incident records. | import_transformer |
| Security Incident Knowledge Administrator [sn_si.knowledge_admin] | Manage, update, and delete the information in the Security Incident knowledge base. | |
| Security Incident Manager [sn_si.manager] | Same access as security analysts. | |
| Security Incident Read [sn_si.read] | Read security incidents. | |
| Security Restriction Access Manager [sn_si.restriction_access_manager] | Allows users or groups to 'enforce restriction' on security incidents. This is applicable only for field changes. | N/A |
| Security Incident Special Access [sn_si.special_access] | Provides access to specific security incidents for users outside of the Security Operations organization. | N/A |
| Security Special Access Enabler [sn_si.special_access_enabler] | Provides the special access role to a user outside of the Security Operations organization for specific security incidents. | N/A |
| Security Incident Special Access Read Manager [sn_si.special_access_read_manager] | Manage the Security Incident Special Access [sn_si.special_access] role. Use this role to modify the Read access field in the security incident form. This role is assignable by sn_si.admin. | sn_si.special_access_enabler |
| Security Incident Special Access Write Manager [sn_si.special_access_write_manager] | Manage the Security Incident Special Access [sn_si.special_access] role. Use this role to modify the Privileged access field in the security incident form. This role is assignable by sn_si.admin. | sn_si.special_access_enabler |
Scheduled jobs installed
| Scheduled job | Description |
|---|---|
| Lookup Security Incident Observables | Performs a lookup for observables on a user-defined schedule. |
Tables installed
| Table | Description |
|---|---|
| News Feed Configuration [sn_si_feed_configuration] | Configuration records used to define the content displayed in the security incident news feed. |
| Post Incident Review Assignment Rule [sn_si_pir_condition] | Automates selection of participants of a post incident review survey when a security incident is closed. |
| Security Incident [sn_si_incident] | Stores a security incident, the responses to the incident, all linked tasks, changes, problems, and incidents related to this security incident. |
| Security Incident Attack Vectors [sn_si_attack_vector] | Attack vector options. |
| Security Incident Audit Log [sn_si_audit_log] | Stores security incident enrichment audit logs. |
| Security Incident Calculator [sn_si_calculator] | A calculator to set certain security incident fields when certain conditions are met. |
| Security Incident Calculator Group [sn_si_calculator_group] | A grouping of security incident calculators. The order of the calculator group determines which group is evaluated first, and in each group, one calculator at most is used. |
| Security Incident Enrichment Firewall [sn_si_enrichment_firewall] | Extends from the base table (sn_sec_cmn_enrichment_data_base) and includes all enrichment records specific to Palo Alto Networks Firewall. |
| Security Incident Enrichment Malware Results [sn_si_enrichment_malware] | Extends from the base table (sn_sec_cmn_enrichment_data_base) and includes all enrichment records specific to malware. |
| Security Incident Enrichment Network Statistics [sn_si_enrichment_network_statistics] | Extends from the base table (sn_sec_cmn_enrichment_data_base) and includes all enrichment records specific to network statistics. |
| Security Incident Enrichment Running Processes [sn_si_enrichment_running_processes] | Extends from the base table (sn_sec_cmn_enrichment_data_base) and includes all enrichment records specific to running processes. |
| Security Incident Enrichment Running Services [sn_si_enrichment_running_service] | Extends from the base table (sn_sec_cmn_enrichment_data_base) and includes all enrichment records specific to running services. |
| Security Incident Email Search [sn_si_m2m_incident_email_search] | Maps email search records to security incidents. |
| Security Incident Import [sn_si_incident_import] | Import table for security incidents. Used to create security incidents from external systems. |
| Security Incident Process Definition [sn_si_process_definition] | Stores configuration for Security Incident process flows. |
| Security Incident Process Definition Selector [sn_si_process_definition_selector] | Stores the Security Incident Process Definition to use for security incidents. |
| Security Incident Related Customer Service Case [sn_si_m2m_incident_customerservice_case] | Maps customer service cases and security incidents. |
| Security Incident Related Enrichment Data [sn_si_m2m_incident_enrichment] | Maps security incidents and related enrichment data records. |
| Security Incident Response Task [sn_si_task] | Manages subtasks related to handling a security incident. These tasks can be assigned to security personnel, or to people in other departments, to manage interdepartmental communication and task tracking. |
| Security Incident Response Task Template [sn_si_task_template] | Used to create a Security Incident Response task. These templates are often used in catalog entries to automatically create a set of appropriate subtasks for a particular type of security incident. |
| Security Incident Runbook Document [sn_si_runbook_document] | Associates security incident conditions or filters with a knowledge article. Used to specify runbook procedures for security incident remediation. |
| Security Incident Template [sn_si_incident_template] | Used to create a security incident. These templates are often used in catalog entries to create a prebuilt security incident. |
| Security Request [sn_si_request] | A security-related request to the security team. |
| Security Scan Request [sn_si_scan_request] | A request for a threat lookup. |
| Severity Calculator [sn_si_severity_calculator] | Defines the severity, impact, risk, and criticality values for a security incident. |
| Task Affected User [sn_si_m2m_task_affected_user] | A many-to-many table associating security incidents with affected users. |
| Template Workflow Activity Outcome Evaluator [sn_si_wf_activity_outcome_evaluator] | Maps a capability with an evaluation script. A new subflow can be added to a template workflow to set a response task outcome rather than having an analyst manually set it. |