Other additional Security Incident Response setup tasks

  • Release version: Xanadu
  • Updated August 1, 2024
  • 8 minutes to read

    • If you are an administrator in the global domain, you configure how Security Incident Response handles day-to-day operations.

    Before you begin

    Role required: sn_si.admin
    Note:

    These options are standard to many service management applications, and as such, they use service management terminology. For example, Request is used for the main task (that is, the security incident) and Task is used for subtasks or Response Tasks.

    If you are an administrator in a domain lower than the global domain, you can view the Configurations screen, but cannot modify the settings.

    Procedure

    1. Navigate to All > Security Incident > Administration > Configuration.
      The options for configuring the applications are organized under these tabs:
      • The Business Process tab contains options for setting up the request life cycle, creating catalogs and requests, and configuring notifications.
      • The Assignment tab contains options for setting up manual and auto-assignment.
      • The Add-ons tab contains options for enabling the knowledge base, managed documents, and task activities.
    2. Fill in the fields on the Business process tab.
      Table 1. Configuration screen — Business Process tab
      Field Description
      Lifecycle
      Work notes are required to close or cancel a request or task Enable this option to require the user to enter work notes before a security incident or response task can be closed or canceled.
      Copy task work notes to request Enable this option to synchronize response task work notes with the work notes on the security incident. So when work notes in the task are added, the same work notes appear in the parent security incident.
      Catalog and Request Creation
      Create or update requests by inbound email Enable this option to create or update security incidents from inbound emails.
      Requests are created using Select catalog or regular form to activate the catalog and enable automatic publishing of security incident templates to the catalog.

      Select regular form only to deactivate the catalog and disable automatic publishing of security incident templates to the catalog.
      Templates create a dedicated catalog item Enable this option to activate automatic publishing of catalog items for the application.
      Notifications
      For a request or task, when the selected field changes, send notification to recipients You can configure notifications to be sent to specific recipients when selected fields in security incidents and response tasks change.
      1. From Table, select Request (security incident or Task (response task).
      2. From Field, select the field to use for generating notifications. When a change is made to the selected field, a notification is sent to the identified recipients.
      3. From Recipients, select one or more recipients.
      4. If you select a specific user or a specific group, you are prompted to select a user or group.
      5. To define more notifications using other fields or recipients, repeat the preceding steps for the next set of notification settings.
      6. To remove a notification, click the delete notification symbol icon to the right of the notification.
    3. Click the Assignment tab and fill in the fields.
      Table 2. Configuration screen — Assignment tab
      Field Description
      Assignment method for requests Select the method for assigning security incidents:
      • using auto-assignment: Security incidents are automatically assigned.
      • using a workflow: Security incidents are assigned by the selected workflow.
      • manually: Security incidents are manually assigned.
      Use this workflow to assign requests Select the workflow for dispatching security incidents. This field appears when using a workflow is selected from the Assignment method for requests list.
      Assignment method for tasks Select the method for assigning response tasks:
      • using auto-assignment: Response tasks are automatically assigned.
      • using a workflow: Response tasks are assigned by the selected workflow.
      • manually: Response tasks are manually assigned.
      Use this workflow to assign tasks Select the workflow for assigning response tasks. This field appears when using a workflow is selected from the Assignment method for tasks list.
      Assign requests or tasks based on assignment group coverage areas Enable this option to limit the assignment of security incidents and response tasks to groups that cover the location of the task.
      Scheduling
      Auto-selection of agents consider time zone for tasks Enable this option to consider the time zone of the agent when assigning a task. This field appears when auto-assignment is selected for security incidents or response tasks.
      Additional Factors
      Auto-selection of agents consider location of agents Enable this option to give preference to agents who are closer to the task location, when assigning any tasks. This field appears when auto-assignment is selected for security incidents or response tasks.
      Auto-selection of agents for tasks requires them to have skills Select the degree to which agent skills must be matched to a task when determining auto-assignment.
      • Select all to require that an assigned agent must have all the skills to perform the task. An agent who lacks even one skill is eliminated.
      • Select some if you want agents who have most of the skills required to perform the task.
      • Select none if you want to auto-assign agents without taking skills into account. This field appears when auto-assignment is selected for security incidents or response tasks.
      Auto-selection attempt to assign the same agent to all tasks in a request Enable this option to auto-assign all response tasks for a security incident to the same agent.
    4. Click the Add-ons tab and fill in the fields.
      Table 3. Configuration screen — Add-ons tab
      Field Description
      Documentation
      Enable a dedicated knowledge base Enable this option to activate the knowledge base for Security Incident Response.
      Enable managed documents Enable this option to add a related list to managed documents.
      Enable task activities Enable this option to log task interactions and communications, such as phone calls and email messages.
    5. Click Save.

    Lock down security administration

    To protect investigations and keep security incidents private, you can restrict Security Incident Response access to security-specific roles and ACLs. Non-security administrators can be restricted from access, unless you expressly allow them entry.

    Before you begin

    When the Security Incident Response application is activated, the System Administrator user is granted the sn_si.admin role by default. The System Administrator is the only administrator who can set up security groups and users.

    A security role is required to have access to Security Incident Response features and records.

    Role required: sn_si.admin

    Procedure

    1. After the Security Incident Response plugin has been activated, a user with the admin role assigns the Scoped Admin (sn_si.admin) role to at least one user.
    2. The user with the admin role changes to the Security Incident scope.
    3. Navigate to All > sys_store_app.list.
    4. Type sn_si in the Scope field.
      System applications.
    5. Click Security Incident Response.
    6. Scroll down to the Related Links and click Remove from the role contained by admin.
    7. Log out and log back in.
      The admin user cannot access the Security Incident Response application.

    Manage Restricted Caller Access

    The Restricted Caller Access (RCA) feature enables an administrator to define cross-scope access to an application or application resource and allow or deny access requests. This feature is enabled in Security Incident Response by default so security analysts can protect sensitive security-related information.

    A field called Caller access has been added to all tables and script includes in Security Incident Response, and the field defaults to Caller Tracking. This setting means that application scopes are allowed access to Security Incident Response tables and script includes. However, a tracking record is created for each record and stored in the Restricted Caller Access Privilege [sys_restricted_caller_access] table.
    Note:
    Take care when changing records from Caller Tracking to Caller Restricted. Records with this status cannot be accessed until an administrator manually allows access to it. The administrator must navigate to System Applications > Application Restricted Caller Access, locate the table or script include for which access has been requested, and change the Status field from Requested to Allowed.

    Run quick start tests for Security Incident Response

    Validate that Security Incident Response still works after you make any configuration changes, such as applying an upgrade or developing an application. Copy and customize these quick start tests to pass when using your instance-specific data.

    Security Incident Response quick start tests require activating Security Incident Response plugin (com.snc.security_incident) and loading the demo data.

    Table 4. Security Incident Response tests
    Test Description Release version
    SIR: Create Security Incident Determine whether a user can successfully create a security incident from the security incident form. Xanadu
    SIR: Create Security Incident via Security Incident Catalog Determine whether a user can successfully create a security incident from the catalog. Xanadu
    SIR: Security Incident life cycle Validate the response tasks of the Policy Violation workflow. Xanadu
    SIR: Threat Lookup Validates the Threat Lookup capability. Xanadu
    SIR: PIR Assessments OOTB configuration Use this test to validate PIR assessments and base system configurations. Xanadu
    SIR: PIR Assessments conditional configuration

    Verify that security incidents matching the mandatory conditional rule are not closed without completing the post incident assessment.

    Verify that the security incidents matching the optional conditional rule can be closed without completing the post incident assessment.

    Verify that assessments are not generated for the security incidents that do not match any rule.

    		 Xanadu
    SIR: PIR run time verification Verify that PIR reports are configured and attached to the security incidents as per the new design. Xanadu
    SIR: PIR design time setup verification Verify that the security incident is mapped with the report template based on the administrator configuration. Xanadu
    SIR: Link Security Incident to a existing Major Security Incident Link a Security Incident to an existing Major Security Incident and validate data from Security Incident rolled up to Major Security Incident. Xanadu
    SIR: Promote Security Incident as Major Security Incident Promote a Security Incident as Major Security Incident and validate data from Security Incident rolled up to Major Security Incident. Xanadu
    SIR: Propose Security Incident as Major Security Incident Propose a Security Incident as Major Security Incident and validate data from Security Incident rolled up to Major Security Incident. Xanadu
    Verify that only Allowed Members can access the security incident once Enforce Restriction is ON Verify that only the allowed members can access the security incident once the Enforce Restriction is enabled. Xanadu
    Verify that only Allowed Groups can access the security incident once Enforce Restriction is ON Verify that only the allowed groups can access the security incident once the Enforce Restriction is enabled. Xanadu
    Validate Read Access Validate the view access. Xanadu
    Validate Write Access Validate the edit access. Xanadu