Security Incident - Evaluate response task outcome workflow

  • Release version: Australia
  • Updated March 12, 2026

The Security Incident - Evaluate Response task outcome workflow determines the task to use and invokes a chosen workflow and evaluation script based on the outcome evaluator record provided as input to the chosen workflow.

    Before you begin

    Role required: sn_si.write

    About this task

    This workflow runs at the same time as the create task activity to be evaluated. The evaluation script queries the artifacts (such as sightings search records or running processes) of the configured capability. It uses context information from the response task (such as its parent security incident) to determine the appropriate outcome. The outcome is generally yes or no, but can depend on the workflow activity. When creating an outcome evaluator record, only capabilities that have a configured workflow, with the Is task based capability check box selected, and a task input variable set are available to select.

    Procedure

    Review the workflow process activities and the workflow diagram.

    The workflow includes the following process activities:

    • Run script to determine response task
    • Should Run Workflow
    • Parallel Flow Launcher Launch Capability Workflow
    • Create Evaluation Event
    Figure 1. Evaluate response task outcome

    Security Incident Evaluate Response Outcome workflow diagram