Manually create a security incident

You can create a new security incident from the Security Incident form, as well as from several other forms.

Before you begin

Role required: sn_si.admin

About this task

You can create security incidents from the following forms:
  • Incident form
  • Event Management Alert form
  • Vulnerable Items form
  • Security Request form
You can also create security incidents using these methods:
  • Selecting Security Incident > Create New.
  • Selecting a security incident from the Security Incident Catalog.
  • Automatic creation from Event Management alerts by alert rules, with no manual step.

Procedure

  1. Navigate to Security Incident > Incidents > Create New.
  2. Fill in the fields on the form, as appropriate.
    Table 1. Security incident
    Field Description
    Number [Read only] The automatically-generated security incident number.
    Requested by The person requesting the work to be performed.
    Location The location of the caller or service. If an Affected CI is not selected, this field is pre-filled with the requester's location.
    Category The category that identifies the type of security issue.
    Subcategory The subcategory that further defines the issue.
    Affected CI The configuration item affected by the security issue.
    Opened [Read only] Displays the date and time the incident was opened.
    State The current state of the security incident. Upon security incident creation, this field defaults to Draft.
    Substate Identifies whether the security incident includes a pending problem or change.
    Contact type Identifies the method used to log the security incident.
    Assignment group The assignment group from which the assigned worker will be selected.
    Assigned to The individual assigned to perform the work.
    Short description A brief summary of the security incident. As you type, links to related knowledge base articles appear; review them, because one may already describe the issue or its fix.

  3. Select the following tabs and complete the information, as appropriate.
    Table 2. Security incident tabs
    Field Description
    General
    Attack Vector Click the lock icon to select attack vectors. After the field is unlocked, options are available for adding or removing multiple attack vectors and viewing attack vector details. When you have completed your entries, click the lock icon to lock the field.
    Business Unit Click the lock icon to select the affected business units.
    Impact Select the level of effect the attack has on the business.
    Priority Select the order in which this attack needs to be addressed, based on the urgency.
    Risk Select the risk level to the business unit.
    Severity Select a severity for the security incident.
    Description Enter a description for the security incident.
    Related Records
    Problem Select a Problem (PRB) record related to the underlying issue that caused this security incident. To create a new PRB from this security incident, right-click the form header and select Create Problem.
    Change request Select a Change (CHG) record related to the underlying issue that caused this security incident. To create a new CHG from this security incident, right-click the form header and select Create Change.
    Parent Select an Incident (INC) record related to the underlying issue that caused this security incident to be created.
    Post Incident Review
    Post incident review required Select this check box to indicate that the post-incident review is required for this security incident.
    Post incident review assignees Click the lock icon to add users who will participate in the post-incident review. After the field is unlocked, options are available for adding or removing multiple users or entering user email addresses. When you have completed your entries, click the lock icon to lock the field.
    Post incident report Using the text editor, create the post incident report with the results of the post-incident review.
    Activities
    Watch list Click the lock icon to add users who will be notified when changes to the security incident occur. After the field is unlocked, options are available for adding or removing multiple users or entering user email addresses. When you have completed your entries, click the lock icon to lock the field.
    Work notes list Click the lock icon to add users who will be notified when new work notes are added. After the field is unlocked, options are available for adding or removing multiple users or entering user email addresses. When you have completed your entries, click the lock icon to lock the field.
    Additional comments Enter comments that are visible to the requesting user. Do not put investigation details here that the requester should not see.
    Work notes Enter work notes that are visible only to security users, not to the requester.
  4. When you have completed your entries, click Submit.
    Note: You can enter the Impact, Priority, Risk, and Severity fields manually. If severity calculators are active, the security incident is checked against the conditions defined in the calculators when it is saved, and the values you entered may be overwritten. After the security incident has been created, click the Calculate Severity related link to recalculate these fields whenever the information in the security incident changes. To view or change the rules that set these fields, navigate to Security Incident > Severity Calculators.
  5. After you have created security incidents, you can view them using any of the following applications under Security Incident > Incidents:
    • Created by me
    • Open Security Incidents
    • All Security Incidents
    • Assigned to me
    • Open - Unassigned
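The same record can be created from a script through the ServiceNow Table API, which is useful when a SOC tool needs to open security incidents without the form. The following is an added example, not ServiceNow's own code. It assumes the Security Incident form is backed by the sn_si_incident table and that the form labels in Table 1 and Table 2 map to the field names listed in FIELD_MAP (the base task fields such as short_description and cmdb_ci are standard; the rest are assumptions). The instance name, integration user, and sample field values are constructed for illustration; the integration user needs the role the page names (sn_si.admin), and its credentials are read from the environment rather than hard-coded.

```python
"""Create a ServiceNow security incident through the Table API (added example)."""
import base64
import json
import os
import urllib.request
from urllib.error import HTTPError

TABLE = "sn_si_incident"  # assumption: table behind the Security Incident form

# Form label -> API field name. Base task fields are standard; others are assumptions.
FIELD_MAP = {
    "Short description": "short_description",
    "Description": "description",
    "Category": "category",
    "Subcategory": "subcategory",
    "Affected CI": "cmdb_ci",
    "Assignment group": "assignment_group",
    "Assigned to": "assigned_to",
    "Contact type": "contact_type",
    "Impact": "impact",
    "Priority": "priority",
    "Watch list": "watch_list",
    "Work notes": "work_notes",
}


def build_payload(fields):
    """Translate form labels into API field names and reject bad input early.

    Raises ValueError for labels that are not on the form and when the
    Short description is missing, so a typo does not silently create an
    incident with an empty summary.
    """
    unknown = set(fields) - set(FIELD_MAP)
    if unknown:
        raise ValueError(f"unknown form fields: {sorted(unknown)}")
    if not str(fields.get("Short description", "")).strip():
        raise ValueError("Short description is required")
    payload = {}
    for label, value in fields.items():
        if isinstance(value, (list, tuple)):
            # List fields such as Watch list take comma-separated values.
            value = ",".join(str(v) for v in value)
        payload[FIELD_MAP[label]] = value
    return payload


def create_security_incident(instance, user, password, fields, timeout=30):
    """POST the record; returns the sys_id, number and state of the new incident.

    sysparm_input_display_value=true lets the caller pass display values
    (for example a group name) instead of sys_ids for reference fields.
    """
    payload = build_payload(fields)
    url = (f"https://{instance}.service-now.com/api/now/table/{TABLE}"
           "?sysparm_input_display_value=true&sysparm_fields=sys_id,number,state")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)["result"]
    except HTTPError as err:
        # 403 usually means the integration user lacks the required role.
        raise RuntimeError(f"create failed: HTTP {err.code} {err.read().decode()}") from err


if __name__ == "__main__":
    # Constructed sample input; the instance and credentials come from the environment.
    sample = {
        "Short description": "Suspicious outbound traffic from web-srv-01",
        "Category": "Malicious Code Activity",
        "Affected CI": "web-srv-01",
        "Assignment group": "Security Operations",
        "Watch list": ["soc-lead@example.com", "ir-oncall@example.com"],
        "Work notes": "Opened from SIEM correlation rule; triage pending.",
    }
    instance = os.environ.get("SN_INSTANCE")
    if instance:
        result = create_security_incident(
            instance, os.environ["SN_USER"], os.environ["SN_PASSWORD"], sample)
        print(result["number"], "state:", result["state"])
    else:
        print(json.dumps(build_payload(sample), indent=2))
```

After creation the returned state should be the form default, Draft; the Impact, Priority, Risk and Severity values you pass are still subject to any active severity calculators, exactly as they are for a manual submission.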