Major Security Incident Management administration
Plan and configure your Major Security Incident Management implementation.
You can configure the following aspects of Major Security Incident Management administration:
Enable proposal, promotion, and linking of major security incidents
Enable users to decide to propose or promote incidents as major security incidents. Easily track all incidents related to a major security incident by enabling security incidents to be linked to the parent or child incident.
Before you begin
Role required: sn_msi.workspace_admin
Procedure
- Navigate to .
- Enable users to propose a security incident as a major security incident by selecting the Propose Major Security Incident check box in the SIR/VR Workspace Actions section.
- Enable users to promote a security incident to a major security incident by selecting the Promote to Major Security Incident check box.
- Enable linking a security incident to a major security incident so they can be tracked together by selecting the Link to Major Security Incident check box.
- Select Update.
Tag security incidents as major security incidents
Tag or label the security incidents or vulnerable records as a major security incident when the incident is proposed or promoted. When a security incident is proposed, the incident record is referred to as a major security incident candidate. When a security incident is promoted, the incident record is referred to as a Major Security Incident with the state Accepted.
Before you begin
Role required: sn_msi.workspace_admin
Procedure
- Navigate to .
- To label a proposed incident as a major security incident candidate, select the Display Labels check box, then in the SIR/VR Workspace Labels section select the Label Name - Propose As Candidate lookup field and choose Major Security Incident Candidate.
- To label a promoted incident as a major security incident, select the Display Labels check box, then in the SIR/VR Workspace Labels section select the Label Name - Promotion to Major Security Incident lookup field and choose Major Security Incident.
- Select Update.
Configure labels for major security incidents
Configure labels in Major Security Incident Management to create custom labels and filter the external collaboration activities and tasks in the activity stream. The implemented label types are state labels and timeline labels.
Before you begin
Role required: sn_msi.workspace_admin
Procedure
- Navigate to .
- In the MSIM Workspace Labels (Display on Collaboration Activities and Tasks) section, select the Display Labels check box for each label you want to enable, such as Analysis, Contain, Eradicate, Recover, Review, and Timeline Event.
- Select Update.
Configure labels for major security incidents
Configure different types of labels to filter incident records and indicate their states. Major security incident labels let you label the collaboration activities and tasks of the incident records.
Before you begin
Role required: sn_msi.workspace_admin
You can select or deselect the labels using the labels icon in the Activity stream section of the Collaboration and Task organizer section of the MSIM workspace.
Procedure
Configure timeline categories for major security incidents
Configure and assign Timeline categories such as Threat, Response, or Custom to your major security incidents using the Timeline section on the Overview tab.
Before you begin
Role required: sn_msi.workspace_admin
Procedure
Set notification preferences for MSIM
Automate the email notification process and notify users when a security incident is either proposed as a major security incident candidate or promoted to a major security incident.
Role required: sn_msi.workspace_admin.
The notifications are triggered only when a security incident is proposed, and are sent to all users and groups configured in the notifications list. By default, the email notification is received by the user who proposed the security incident as a major security incident candidate.
Who will receive:
- By default, group name is created and any user who is added to this group will be privileged to be a and the users who are under that group will receive the notification emails.
- Any specific user who is added to the list will also receive the notification emails.
What will it contain:
To modify the email contents, such as the body of the email, which includes the Subject or Message HTML, you must have the System Administrator role; the MSI Administrator role does not grant this access.
This notification is triggered when a security incident is promoted and when the File Explorer and Microsoft Teams base structure is created. By default, this notification is received by the user who promoted the security incident to a major security incident.
- By default, a by name is created and any user who is added to this group will be privileged to have role and all the users who are under that group will receive the notification email.
- Any specific user who is added to the list will also receive the notification emails.
To modify the email contents, such as the body of the email, which includes the Subject or Message HTML, you must have the System Administrator role; the MSI Administrator role does not grant this access.
Configure MSI closure activities
Establish actions that occur automatically when a major security incident is closed. Increase security by automatically archiving collaboration channels and removing access to folders containing resolution information.
Before you begin
Role required: sn_msi.workspace_admin
Procedure
- Navigate to .
- Archive chat communications related to resolving the incident by selecting the Archive Collaboration Channels check box in the Automated Closure Actions section.
- Remove folders containing material related to resolving the incident by selecting the Remove Collaboration Folders check box.
- Select Update.