Business rules installed with Security Incident Response

Security Incident Response adds the following business rules.
Table 1. Business rules for Security Incident Response
Business rule Tables Description
Add extended info into SI

Alert [em_alert]

When an alert creates a security incident or has additional information for a security incident, pulls that information into the security incident.
Assigned
  • Security Incident [sn_si_incident]
  • Security Incident Response Task [sn_si_task]
Stores the time when an incident was assigned.
Auto business rule for Assessments

Security Incident [sn_si_incident]

Handles creation of assessable records for security incidents when ready for review. Supports Post Incident Report.
Auto deletion rule for Assessments

Security Incident [sn_si_incident]

Handles deletion of assessable records for security incidents when they are no longer needed. Supports Post Incident Report.
Calculate Severity on Creation

Security Incident [sn_si_incident]

Calculates the severity of a new security incident.
Cancel Cleanup

Security Incident Response Task [sn_si_task]

When a task is canceled, this business rule does the following:
  • Checks whether the cancellation changes the state of the parent security incident.
  • Cancels any requested part transfers.
  • Removes dependencies on the canceled task.
Cancellation

Security Incident [sn_si_incident]

When a security incident is canceled, cancels all tasks for the incident.
Check if all are closed

Assessment Instance [asmt_assessment_instance]

As each assessment (post-incident review questionnaire) is completed, checks for any outstanding post-incident review questionnaires for the incident. If all questionnaires are completed, generates the post-incident report.
Copy location

Security Incident Response Task [sn_si_task]

Copies the location from the security incident Location field to the new task.
Create Knowledge On Closure

Security Incident [sn_si_incident]

If Knowledge is selected on a security incident form, creates a knowledge base article when the incident is closed.
Generate Assessments

Security Incident [sn_si_incident]

Creates, removes, and adds post-incident review questionnaires when a security incident is in review.
Messages

Severity Calculator [sn_si_severity_calculator]

Stores the "Leave alone" message for the severity calculator client script.
Prevent non-security roles reading
  • Application Menu [sys_app_application]
  • Product Model [cmdb_model]
  • Risk Task [sn_si_m2m_risk_task]
  • Security Incident Attack Vectors [sn_si_attack_vector]
  • Severity Calculator [sn_si_severity_calculator]
  • State Flow [sf_state_flow]
  • Task [task]
Prevents users who do not hold a Security Incident Response role, including system administrators, from reading any part of the Security Incident Response data.
Prevent non-security roles updating
  • Contained Role [sys_user_role_contains]
  • Group Role [sys_group_has_role]
  • Risk Task [sn_si_m2m_risk_task]
  • Security Incident [sn_si_incident]
  • Security Incident Attack Vectors [sn_si_attack_vector]
  • Security Incident Flow [sn_si_sf_incident]
  • Security Incident Response Task [sn_si_task]
  • Security Incident Response Task Flow [sn_si_sf_task]
  • Security Incident Template [sn_si_incident_template]
  • Severity Calculator [sn_si_severity_calculator]
  • System Property [sys_properties]
  • User [sys_user]
  • User Role [sys_user_has_role]
Prevents users who do not hold a Security Incident Response role, including system administrators, from updating any part of the Security Incident Response data.
Ready for approval

Security Incident [sn_si_incident]

If approvals are enabled in the Security Incident configuration, starts the approval workflow.
Reassign

Security Incident Response Task [sn_si_task]

If a task with parts on order is reassigned to someone else, reroutes the parts to the new assignee.
Refresh impacted services on CI change

Security Incident [sn_si_incident]

When the CI changes, updates the list of affected services.
Require reviews

Security Incident [sn_si_incident]

If a post-incident review is required, ensures the security incident cannot be closed until a post-incident report has been created.
Review required for priority one

Security Incident [sn_si_incident]

When a priority 1 security incident is created, a post-incident review is required before the incident can be closed.
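The following is an added example and is not code from the Security Incident Response plugin. It models three of the rules in this table ("Prevent non-security roles updating", "Review required for priority one" and "Require reviews") as plain Node.js functions over plain objects, so the way they interact (the role gate, the review flag set at creation, and the closure guard) can be run and tested offline. The role names, field names and the numeric Closed state are assumptions made for the illustration; on an instance these rules run as before business rules against GlideRecord and abort with current.setAbortAction(true).

```javascript
'use strict';
// Added example, not the Security Incident Response plugin's own code.
// Models the logic of three rules from the table as plain functions:
//   - Prevent non-security roles updating  (before insert/update)
//   - Review required for priority one     (before insert)
//   - Require reviews                      (before update)
// Role names, field names and the state value are assumptions for this
// illustration; the real rules use GlideRecord/gs on the instance.

// Assumed: any of these roles marks a Security Incident Response user.
const SECURITY_ROLES = ['sn_si.admin', 'sn_si.analyst', 'sn_si.basic'];

// Assumed numeric value of the Closed state (illustrative only).
const STATE_CLOSED = 3;

function hasSecurityRole(user) {
  return user.roles.some((role) => SECURITY_ROLES.includes(role));
}

// A rule takes (previous, current, user) and returns { ok: true, current }
// to continue or { ok: false, error } to abort, which stands in for
// current.setAbortAction(true) plus gs.addErrorMessage() on the instance.

// Before insert: a priority 1 incident always needs a post-incident review.
function reviewRequiredForPriorityOne(previous, current) {
  const next = Object.assign({}, current);
  if (Number(next.priority) === 1) next.review_required = true;
  return { ok: true, current: next };
}

// Before update: block the transition to Closed while a review is required
// and no post-incident report has been linked to the incident.
function requireReviews(previous, current) {
  const closing =
    Number(previous.state) !== STATE_CLOSED && Number(current.state) === STATE_CLOSED;
  if (closing && current.review_required && !current.post_incident_report) {
    return { ok: false, error: 'A post-incident report is required before closing' };
  }
  return { ok: true, current };
}

// Before insert/update: only holders of a security role may write; the
// plain "admin" role is not enough, which is the point of the rule.
function preventNonSecurityRolesUpdating(previous, current, user) {
  if (!hasSecurityRole(user)) {
    return { ok: false, error: 'User lacks a Security Incident Response role' };
  }
  return { ok: true, current };
}

// Run rules in order; the first abort wins, as on a real before-rule chain.
function runRules(rules, previous, current, user) {
  let record = current;
  for (const rule of rules) {
    const result = rule(previous, record, user);
    if (!result.ok) return result;
    record = result.current;
  }
  return { ok: true, current: record };
}

const BEFORE_INSERT = [preventNonSecurityRolesUpdating, reviewRequiredForPriorityOne];
const BEFORE_UPDATE = [preventNonSecurityRolesUpdating, requireReviews];

// Constructed walk-through: the users and records are sample data.
function scenario() {
  const analyst = { name: 'analyst', roles: ['sn_si.analyst'] };
  const admin = { name: 'admin', roles: ['admin'] };
  const incident = { number: 'SIR0001001', priority: 1, state: 1 };

  // 1. Analyst creates a P1 incident: review_required is set automatically.
  const created = runRules(BEFORE_INSERT, {}, incident, analyst);
  const stored = created.current;
  const closing = Object.assign({}, stored, { state: STATE_CLOSED });

  // 2. System admin without an sn_si role tries to close it: rejected.
  const adminClose = runRules(BEFORE_UPDATE, stored, closing, admin);
  // 3. Analyst tries to close with no report: rejected by Require reviews.
  const closeNoReport = runRules(BEFORE_UPDATE, stored, closing, analyst);
  // 4. Analyst links a report and closes: allowed.
  const withReport = Object.assign({}, closing, { post_incident_report: 'PIR0001001' });
  const closeWithReport = runRules(BEFORE_UPDATE, stored, withReport, analyst);

  return { created, adminClose, closeNoReport, closeWithReport };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scenario(), null, 2));
}
```

Run it with node to see the four outcomes. The ordering matters: the role gate sits first in both chains, so a system administrator is rejected before the closure check ever runs, which is the behaviour the "Prevent non-security roles" rules describe; the same pattern applied as a before-query rule is what keeps the records out of an administrator's list views.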
State Flow Notes for sn_security_incident

Security Incident [sn_si_incident]

Handles any work notes added by state flows.
Store assignee

Security Incident [sn_si_incident]

When an incident is reassigned, adds the newly assigned agent to the list of people who must complete any post-incident review questionnaire that is created for the incident.
Store external url in scratchpad

Security Incident [sn_si_incident]

Stores the external URL for use when drilling down to the originating data for a security incident created by an external event.
Update related incident

Security Incident [sn_si_incident]

As additional comments (not work notes) are added to a security incident, updates the originating incident, if there is one.
Update security incident
  • Change Request [change_request]
  • Incident [incident]
  • Problem [problem]
As updates are made to a change request, incident, or problem that was created from a security incident, updates the originating security incident.
When the Security Incident Response plugin is activated, the Tree map plugin is automatically activated. The Tree map plugin adds the following business rule.
Table 2. Business rule for tree map
Business rule Table Description
Update metric values with PA values

Treemap Indicator [treemap_metric]

When the Performance Analytics data source is used, this business rule updates the Treemap Indicator with information from the PA Indicator, such as unit, precision, and direction.