Step 7. Create rollup record configurations
Create rollup record configuration to link and unlink additional records to MSI.
Before you begin
Role required: admin and sn_msi.workspace_admin
Note:
The system admin can create the
record and MSI workspace admin can update it.
To rollup information such as configuration items, observables, and indicator of compromise related to a Security case, create a rollup record configuration.
Procedure
-
Select or create a new linked record and navigate to the Rollup
Record Configuration section from the same page.
Figure 1. Rollup Record Configuration section
What to do next
- For more detailed information, see Configure Rollup Records in Major Security Incident Management
- For a security case example information, seeWriting script for a Security Case
Writing script for a Security Case
Writing a script for a Security Case to roll up record configuration.
Before you begin
Role required: admin and sn_msi.workspace_admin
Note:
The system admin can create the
record and MSI workspace admin can update it.
Procedure
-
Click New to create a new roll up record
configuration.
Below is an example record created to Rollup Observables data related to Security Case we are trying to Rollup with the field values as:
Name Description Roll up Type Relationship Note:The observable information is available in a related list format.Rollup Script Input sourceSysId contains security case sys id and msiSysId contains major security incident sys id. Line 2: As a first step, query for Glide Record for sourceSysId from Security Case(sn_ti_case) table.Line 7: Next, query sn_ti_m2m_task_observable table using security case sys ID to figure out all the linked observables to a security case.
MSIMRollupEngine.linkToMSI("entityGr”, “sourceSysId”, “fieldNameInLinkedRecordTable”, “msiSysId”, “isPrimaryRecord”)Line 10: Next, iterate over all the linked observables and link them to a Major Security Incident using the method: