View Major Security Incident impact metrics
Summary of View Major Security Incident impact metrics
This feature provides ServiceNow customers with real-time summary reporting on the impact and progress of major security incidents using the Major Security Incident Management (MSIM) workspace. It consolidates critical metrics to help manage the scope and resolution of incidents effectively, including affected assets, users, locations, involved teams, and a timeline of significant milestones.
Key Features
- Overview Tab: Displays impact metrics such as a rollup of affected assets, users, locations, and team resources, alongside an executive summary and key incident milestones.
- Executive Summary: Editable brief description of the incident with user and timestamp details; can be copied to other records for consistency.
- Incident Impact: Shows details of impacted resources aggregated from active tasks and linked incidents. Users can drill down into assets, users, and locations to see related tasks and incident details.
- Duration Counters: Track elapsed time since detection, estimated resolution date, and next update time for the incident, with editable next update scheduling.
- Timeline Component: Provides a horizontal view of key events and milestones throughout the incident lifecycle. It supports collapsing/expanding, filtering event types, and color-coded incident state durations to visualize progress.
- Timeline Event Management: Allows creation of custom timeline events for past or future dates not automatically captured, with fields for title, category (Custom, Response, Threat), timestamp, description, and linkage to incident records.
- Interactive Timeline Controls: Includes zoom in/out for detailed event viewing, refresh for latest updates, and legend display for event types such as record changes and collaboration activities.
Practical Benefits for ServiceNow Customers
- Enables comprehensive visibility into the impact and resolution progress of major security incidents within a unified workspace.
- Facilitates better incident management decisions by consolidating affected resources and tracking timelines and milestones in real-time.
- Improves communication and reporting through editable executive summaries and detailed timeline event logs.
- Supports customization by allowing addition of custom events and flexible filtering, helping teams tailor the incident view to their operational needs.
- Provides quick navigation from summary metrics to detailed incident tasks and impacted resources for efficient investigation and response.
This feature provides up-to-date summary reporting of the impact and progress of major security incidents, which is an important aspect of managing a major security incident using the new workspace.
The Overview tab provides the relevant metrics to manage both the scope and progress of the incident, including a rollup of affected assets, users, locations, and team resources, as well as the timeline of significant incident milestones.
The Timeline provides a horizontal view of key events and milestones that have occurred as part of the resolution of a specific major security incident. The timeline component is displayed on top of all the Major Security Incident Management workspace tabs and can be collapsed or expanded as required. The event data shown is refreshed whenever designated events or milestones are added or updated.
Each event or milestone is marked with a timeline event type indicator that identifies the number and type of events or milestones, for example, Now record updates and collaboration activities. In addition, the time range of each major security incident state is tracked automatically and displayed as a color-coded range along with the duration of that incident state.
| Task | Description |
|---|---|
| Executive Summary | A brief summary of the major security incident along with the user name, user role, and timestamp details. |
| Incident Impact | These components display the impacted resources based on a rollup of all active tasks and linked incidents with identified assets, users, locations, and assigned team members. The impacted resources are:<br>Selecting the number values enables you to drill down and navigate to the impacted assets, users, and location details and displays the related tasks on the Incident Impact tab of the workspace. Based on your selected incident impact type link, the related incident details such as task type and its description, assignment group and incident state are displayed in the tab of the MSIM workspace. |
| Duration counters | These components display the duration of the major security incident. The impacted resources are: |
You can enable or disable viewing of certain event types for both timeline indicators and timeline ranges accordingly using the filter toggle buttons.
| Task | Description |
|---|---|
| New Event | Creates new custom events and associates these events to the MSI record. This helps in creating events for both past and future dates that might not otherwise get captured via a labeled task, record state change, or labeled collaboration activity, which are displayed by default on the timeline. |
| Refresh | Refreshes the Timeline events to display the latest updates. |
| Timeline Indicators | Lists the various types of events such as Now Record field changes, Labeled Collaboration Activities, and Other (custom), along with the icons and total number of events that occurred with respect to each event type indicator. The slide indicator enables you to enable or disable all events for a specific event type. |
| Show Legend | Select to display the drop-down legend with different types of timeline indicators. |
| Timeline progress bar | Displays the overall progress of the incident via designated timeline events or milestones that have occurred within the different timeline ranges displayed. You can also link an Event type to an Event category. After you link it, the Event details are updated in both places on the timeline. |
| Timeline ranges | Displays the various incident state types and their durations as the incident progresses through the full major security incident life cycle. Enable or disable a specific event based on the incident state. |
Create a Timeline event
- In the Overview tab, navigate to the Timeline section.
- Select .
- On the Add a new timeline event pop-up, fill in the fields.
Figure 3. New Timeline event

| Task | Description |
|---|---|
| Title | Enter the title for the timeline event. |
| Category | Select a category for the timeline event. The following categories are provided as a part of the base system, and you can choose one based on your requirements: Custom, Response, Threat. To add or configure a Timeline event category, see Configure timeline categories for major security incidents. |
| Timestamp | Select the date and time of the timeline event using the Timestamp calendar. You can add events to the Timeline before and after the start date. |
| Description | Provide a brief description about the timeline event. |
| Linked to | Option to link the timeline event to a major security incident record. |

- Select .
- You can use the Zoom in and Zoom out icons to zoom in or out on the timeline progress bar, which includes displaying individual events when numbers are displayed to represent several events in close time proximity. You can also add the default zoom level to show all events.
- Select the Refresh icon to display the latest timeline events.