Working with Security Incident Records

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Working with Security Incident Records

    The Security Incident Record provides a comprehensive structure for managing security incidents within the ServiceNow platform. It consists of key components that include essential information about the incident, allowing analysts to effectively track and respond to security threats.

    Show full answer Show less

    Key Features

    • Security Incident Number: Unique identifier for the incident.
    • Form Banner: Displays critical fields like Category, Priority, Risk Score, and Assignment.
    • Overview Section: Offers a snapshot of the incident, including business impact, threat intelligence, and related incidents.
    • Investigation and Playbook Tabs: Facilitate incident investigation and automation through Process Automation Designer.
    • Response Tasks: Captures all tasks associated with the incident.
    • Post Incident Review: Available when the incident reaches the Review state for assessments and reporting.
    • Contextual Menu: Provides quick access to actions and resources across all tabs.
    • Relationship Graphs: Visualizes connections between incidents and related items for better analysis.

    Key Outcomes

    By utilizing the Security Incident Record, ServiceNow customers can expect to enhance their incident response capabilities, improve collaboration among analysts, and streamline the post-incident review process. The integration with TISC and access to reports further empower teams to analyze incidents thoroughly and take informed actions. Overall, this structured approach facilitates a more effective response to security incidents, leading to improved security posture.

    The Security Incident Record consists of the following.

    Key components available on a security incident record:
    Figure 1. Key components of a security incident
    Working with Security Incident Records
    Number Name Description
    1 Security incident number The security incident number is available against the tab name.
    2 Short description Short description of the security incident which is displayed above the form banner.
    3 Form banner This is read-only section, which contains the key fields such as Category, Priority, Risk score, State, and the incident assignment details.
    Note:
    The regular platform tags can be applied here as well.
    4 Security tags Displays the security tags associated with a security incident.
    5 Overview Provides a snapshot overview of the security incident such as Description, Business Impact comprising of asset details by type, affected users by criticality, Threat intelligence items comprising of observables by finding and by type, Response Tasks, Related security incidents comprising of child security incidents and similar security incidents.
    6 Details The details tab displays the security incident form.
    7 Investigation The Investigation tab displays the incident investigation experience.
    8 Playbook Playbook is triggered through Process Automation Designer (PAD). If a process is created, and if the a trigger condition is set to trigger the playbook for a security incident. Then a playbook appears.
    9 Response Tasks The Response Tasks captures all the response tasks associated with a security incident.
    10 Related Records The Related Records tab consists of all the related lists from the classic UI under this section. The related lists are grouped under various section such as business impact, threat intel, and so on for an easy navigation.
    11 Other Records Other records tab consists of IT records such as changes requests, incidents, and emails grouped and displayed in this section.
    12 Post Incident Review tab As the security incident progresses to the Review state, the Post Incident Review tab is displayed with the post incident assessments and reports within the tab.
    13 Contextual menu Provides easy access to the quick actions and is available across all the tabs for the analyst to access whenever required.

    The contextual menu provides easy navigation to the multiple resources such as:

    1. Activity Stream
    2. Playbook
    3. Analyst Assist
    4. Runbook
    5. Templates
    6. Attachments
    14 Form UI actions The various security incident form UI actions are displayed on the top right of the incident form. The available form UI actions are:
    • Discuss
    • Save
    • Create Response Task
    • Compose Email
    • Add Playbook
    • Open Associated Workflow(s)
    • Crete incident
    • Create Problem
    • Create Change Request
    • Create Outage
    • Calculate Severity
    • Link to Major Security Incident
    • Propose as Major Security Incident
    • Promote to Major Security Incident
    • Run Additional Action(s) on Endpoint
    • Associate MITRE ATT&CK Technique
    • Switch to Classic UI
    • Add to Security Case
    • Delete

    For more information, see Working with Form UI actions.