View Major Security Incident trend charts

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of View Major Security Incident Trend Charts

    This feature enables ServiceNow customers to visualize major security incident impacts through interactive bar graphs and charts. The Overview tab provides essential metrics regarding the incident's scope, detailing affected assets, users, locations, and resources, all based on active tasks linked to Security Incident Response (SIR) incidents. These visualizations dynamically update as tasks are opened or closed, reflecting real-time incident management activity.

    Show full answer Show less

    Key Features

    • Time Tracking: Displays the duration of the incident since detection, calculated from the Detection Date.
    • Estimated Resolution Date: Shows the anticipated date of incident resolution, updated from the Details tab.
    • Active Team Management: Lists response teams and their members engaged in incident resolution, with trend charts reflecting team activity.
    • Linked SIR Incidents: Visualizes linked incidents by state (e.g., Analysis, Contain), allowing easy navigation to incident details.
    • SIR Tasks Overview: Displays active task totals by state, with options to filter and view individual task details.
    • MSI Tasks: Allows viewing of tasks created directly on the Major Security Incident (MSI) record.
    • External Collaboration: Tracks collaboration activities via Microsoft Teams and SharePoint, categorized by incident state.

    Key Outcomes

    By utilizing these features, ServiceNow customers can effectively manage major security incidents, enhance team collaboration, and make informed decisions based on real-time data insights. The trend charts and metrics facilitate tracking the progress and impact of incidents, enabling proactive incident management and resolution efforts.

    View the major security incident impact progress metrics visualized as bar graphs and charts.

    In addition to the incident timeline and progress trend chart visualizations, the Overview tab provides relevant impact metrics to manage the changing scope of the incident, including rollup of affected assets, users, locations, and team resources.

    The counts displayed in the visualization components are based on active tasks on linked Security Incident Response (SIR) incidents. As tasks are opened and closed, these counts change in terms of the nature and volume of remaining activity planned for the major security incident to represent the trends shown in the trend chart visualization components.

    Figure 1. MSIM Overview tab impact metrics
    View the impact metrics of the major security incident
    Refer to the following table for the UI actions that you can perform from the Overview section:
    Table 1. Overview UI sections
    Title Description
    Time Displays the period in total number of days from when the major security incident is active.

    The time is calculated based on the Detection Date entered in the Details tab of the workspace.

    The Detection Date is often captured initially when the major security incident was first created or proposed. Whenever, this date is modified the time is automatically calculated, refreshed, and displayed in the format days: hours: minutes, for example 20D: 13H: 58M.

    Estimated resolution date: The date by when the incident resolution date is estimated to resolve. This date is often captured initially when the major security incident was first created or promoted.

    The date is updated and refreshed based on the estimated date provided in the Details tab of the workspace.

    If the estimated date is not provided in the Details section, then this section displays ‘hyphen’ without any date value.
    Active Team Displays the different response teams and team members from each team who are actively working on the major security incident and its related tasks.
    Active Team trend: Displays the trend chart of each team and its team members who are actively working on the major security incident and related tasks on regular interval.
    Note:
    View the assigned active groups from the Details tab of the workspace.
    Linked SIR incidents By incident state: View the distribution of linked security incidents based on a incident state such as Analysis, Contain, Eradicate, Recover, or Review.

    Trends by incident state: Further indicates the trend view of how the number of linked incidents are progressing based on incident state.

    Selecting each incident state link allows you to navigate and view the linked security incident details directly on the Linked SI/VI tab of the workspace.

    This section is updated and refreshed automatically whenever changes occur to the underlying incidents.
    SIR Tasks Displays active task totals that are linked to the MSI record via SIR incidents.
    • By task state: View the incident response tasks based on the incident state such as Draft, Assigned, Work in progress, Closed Complete. This distribution chart allows for a further distribution breakdown by assignment groups. Selecting each task state allows you to view a filtered list by incident task state on the Tasks tab of the workspace. The filtered view allows you to view and update individual task details.
    • In progress tasks by incident state label: Displays active tasks and groups based on incident state label that must be applied in the Task Organizer components. These default labels have values such as Analysis, Contain, Eradicate, Recover, or Review to indicate the nature of the task involved.
    • Overdue: Displays the security incident response tasks, which are active and had exceeded the due date.

      You can view the details of all the overdue tasks by selecting the total Overdue count and having it auto navigate to the Tasks tab.

    • Trends by task state: View the progress trend of both work in progress and closed response tasks over the incident duration.
    Note:
    The trend chart graph retrieves the latest data based on the scheduled job. You can configure or modify the data retrieval time interval as required.
    MSI Tasks Displays active tasks in total, which were created directly on the MSI record (and these aren’t linked response tasks):

    By task state: View the major security incident created tasks, assigned tasks and its related information.

    Selecting each task state allows you to view a filtered list by incident task state on the Tasks tab of the workspace. The filtered view will allow for viewing and updating individual task details.
    External Collaboration Displays collaboration activities in total for all the labelled collaboration activities from the Collaboration Activity Stream:
    • By incident state label:View the incident collaboration activities data that are coordinated with Microsoft Teams and Microsoft SharePoint files and folders and are labeled using incident state labels such as Analysis, Contain, Eradicate, or Recover from the Collaboration tab of the workspace.
    • Trends by activity type: View the trend chart for the number of Microsoft Teams and Microsoft SharePoint files and folders activities over the incident duration.