Business rules installed with Security Incident Response

Security Incident Response adds the following business rules.
Table 1. Business rules for Security Incident Response

Each entry lists the business rule name, the table or tables it runs on, and what it does.

Business rule: Add extended info into SI
Tables: Alert [em_alert]
Description: When an alert creates a security incident and carries additional information for that incident, this business rule pulls that information into the security incident.

Business rule: Assigned
Tables:
  • Security Incident [sn_si_incident]
  • Security Incident Response Task [sn_si_task]
Description: Stores the time at which the record was assigned.

Business rule: Auto deletion rule for Assessments
Tables: Security Incident [sn_si_incident]
Description: Deletes the assessable records created for a security incident when they are no longer needed (post incident report support).

Business rule: Calculate business criticality
Tables: Security Incident [sn_si_incident]
Description: Calculates the business criticality whenever a security incident record is saved or updated.

Business rule: Calculate Severity
Tables: Security Incident [sn_si_incident]
Description: Runs the security incident calculators when the security incident is created or when an affected resource is updated.

Business rule: Cancel Cleanup
Tables: Security Incident Response Task [sn_si_task]
Description: When a task is canceled, this business rule:
  • Verifies whether the cancellation changes the state of the parent security incident.
  • Cancels any requested part transfers.
  • Eliminates dependencies.

Business rule: Cancellation
Tables: Security Incident [sn_si_incident]
Description: When a security incident is canceled, cancels all tasks for the incident.

Business rule: Check if all are closed
Tables: Assessment Instance [asmt_assessment_instance]
Description: As each assessment (post incident review questionnaire) is completed, checks for any outstanding post incident review questionnaires. If all questionnaires are completed, generates the post incident report.

Business rule: Copy location
Tables: Security Incident Response Task [sn_si_task]
Description: Copies the Location field of the security incident to the new task.

Business rule: Create Knowledge On Closure
Tables: Security Incident [sn_si_incident]
Description: If Create Knowledge Article is selected on the security incident form, creates a knowledge base article when the incident is closed.

Business rule: Disallow closure with open response task
Tables: Security Incident [sn_si_incident]
Description: Prevents a security incident from closing while any of its response tasks are still open.

Business rule: Generate Assessments
Tables: Security Incident [sn_si_incident]
Description: Creates, removes, and adds post incident review questionnaires while a security incident is in the Review state.

Business rule: Generate PIR when in Review and Closed
Tables: Security Incident [sn_si_incident]
Description: Automatically generates the post incident report when changes are made to the incident while it is in the Review or Closed state.

Business rule: Handle assessments
Tables: Security Incident [sn_si_incident]
Description: Facilitates the creation of assessments for the security incident.

Business rule: Limit Sec Manager Admin User access
Tables: Group Member [sys_user_grmember]
Description: Prevents security users from modifying non-security groups.

Business rule: Messages
Tables: Severity Calculator [sn_si_severity_calculator]
Description: Stores the "Leave alone" message used by the severity calculator client script.

Business rule: Prevent non-security roles reading
Tables:
  • Application Menu [sys_app_application]
  • Attachment [sys_attachment]
  • History [sys_history_line]
  • Journal Entry [sys_journal_field]
  • Product Model [cmdb_model]
  • Security Incident Attack Vectors [sn_si_attack_vector]
  • Severity Calculator [sn_si_severity_calculator]
  • Task [task]
Description: Prevents the system administrator and other non-security roles from viewing any part of the Security Incident Response data held in these tables.

Business rule: Prevent non-security roles updating
Tables:
  • Contained Role [sys_user_role_contains]
  • Group Member [sys_user_grmember]
  • Group Role [sys_group_has_role]
  • Security Incident [sn_si_incident]
  • Security Incident Attack Vectors [sn_si_attack_vector]
  • Security Incident Flow [sn_si_sf_incident]
  • Security Incident Response Task [sn_si_task]
  • Security Incident Response Task Flow [sn_si_sf_task]
  • Security Incident Response Task Template [sn_si_task_template]
  • Security Incident Template [sn_si_incident_template]
  • Severity Calculator [sn_si_severity_calculator]
  • SM Configuration [sm_config]
  • SM Notification Rule [sm_notification_rule]
  • System Property [sys_properties]
  • User [sys_user]
  • User Role [sys_user_has_role]
Description: Prevents the system administrator and other non-security roles from updating any part of the Security Incident Response data held in these tables.

Business rule: Ready for approval
Tables: Security Incident [sn_si_incident]
Description: If approvals are enabled in the Security Incident configuration, starts the approval workflow.

Business rule: Reassign
Tables: Security Incident Response Task [sn_si_task]
Description: If a task with parts on order is reassigned to someone else, reroutes the parts to the new assignee.

Business rule: Refresh impacted services on CI change
Tables: Security Incident [sn_si_incident]
Description: When the affected resource (CI) changes, updates the list of affected services.

Business rule: Require assessments to be complete
Tables: Security Incident [sn_si_incident]
Description: Prevents a security incident from being closed until all of its assessments are completed.

Business rule: State Flow Notes for sn_security_incident
Tables: Security Incident [sn_si_incident]
Description: Handles any work notes added by state flows.

Business rule: Store assignee
Tables: Security Incident [sn_si_incident]
Description: When an incident is reassigned, adds the newly assigned security analyst to the list of people who must complete any post incident review questionnaire created for the incident.

Business rule: Store external url in scratchpad
Tables: Security Incident [sn_si_incident]
Description: Stores the external URL used when drilling down to the originating data of a security incident that was created by an external event.

Business rule: Sync affected users
Tables:
  • Security Incident [sn_si_incident]
  • Task Affected User [sn_si_m2m_task_affected_user]
Description: Keeps the affected users in sync between the security incident and the many-to-many table.

Business rule: Update related incident
Tables: Security Incident [sn_si_incident]
Description: As additional comments (not work notes) are added to a security incident, updates the originating incident, if there is one.

Business rule: Update security incident
Tables:
  • Change Request [change_request]
  • Incident [incident]
  • Problem [problem]
Description: As updates are made to a related change request, incident, or problem, updates the originating security incident.

Note: The Prevent non-security roles reading and Prevent non-security roles updating business rules depend on the Admin users can access Security Incident Response property in Security Incident Properties. When that property is set to No, these business rules are invalid.
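The two enforcement patterns from the table that a practitioner most often has to reproduce or audit, Disallow closure with open response task and Prevent non-security roles updating, written as server-side business rule bodies. This is an added example and not ServiceNow's own rule scripts: the Glide objects the rules call (GlideRecord, current, gs) are replaced by a constructed in-memory stand-in with three made-up sn_si_task rows so the file runs under Node.js, and only the API methods the rules use are modelled. Table and field names (sn_si_incident, sn_si_task, parent, active, state) come from the table above; the numeric value of the Closed state, the role name sn_si.basic, the property name sn_si.admin_access, and the reading that a value of true exempts admins from the update rule are all assumptions.

```javascript
'use strict';

// Added example, not ServiceNow code. Assumed values (not from the page):
const CLOSED_STATE = '3';                           // assumed value of the Closed state
const SECURITY_ROLE = 'sn_si.basic';                // assumed role identifying a security user
const ADMIN_ACCESS_PROPERTY = 'sn_si.admin_access'; // assumed name of the admin-access property

// --- Constructed stand-in for the platform (only what the two rules touch) ---
const tables = {
  sn_si_task: [                                     // constructed rows
    { sys_id: 'task1', parent: 'si_open', active: true },
    { sys_id: 'task2', parent: 'si_open', active: false },
    { sys_id: 'task3', parent: 'si_done', active: false },
  ],
};

class GlideRecord {
  constructor(table) { this.table = table; this.filters = []; this.limit = Infinity; this.rows = []; }
  addQuery(field, value) { this.filters.push(r => String(r[field]) === String(value)); }
  addActiveQuery() { this.filters.push(r => r.active === true); }
  setLimit(n) { this.limit = n; }
  query() {
    this.rows = (tables[this.table] || []).filter(r => this.filters.every(f => f(r))).slice(0, this.limit);
  }
  hasNext() { return this.rows.length > 0; }
}

// `current` for a before-update rule: old and new state plus the abort flag.
function makeCurrent(sysId, oldState, newState) {
  const rec = { aborted: false };
  rec.getUniqueValue = () => sysId;
  rec.state = { changesTo: v => oldState !== newState && newState === v };
  rec.setAbortAction = flag => { rec.aborted = !!flag; };
  return rec;
}

// `gs` with the caller's roles, the instance properties and the error-message sink.
function makeGs(roles, properties) {
  const errors = [];
  return {
    hasRole: r => roles.includes(r),
    getProperty: (name, fallback) => (name in properties ? properties[name] : fallback),
    addErrorMessage: m => errors.push(m),
    errors,
  };
}

// "Disallow closure with open response task": before-update rule on sn_si_incident.
// Returns true when the save may proceed; otherwise aborts the update with a message.
function disallowClosureWithOpenTasks(current, gs) {
  if (!current.state.changesTo(CLOSED_STATE)) return true; // only gate the transition into Closed
  const task = new GlideRecord('sn_si_task');
  task.addQuery('parent', current.getUniqueValue());        // response tasks of this incident
  task.addActiveQuery();                                    // that are still open
  task.setLimit(1);                                         // existence check, not a count
  task.query();
  if (task.hasNext()) {
    gs.addErrorMessage('Security incident cannot be closed while response tasks are open');
    current.setAbortAction(true);
    return false;
  }
  return true;
}

// "Prevent non-security roles updating": before insert/update/delete rule on the listed tables.
// Assumption: the property holds 'true' when admin users may access SIR data, in which case
// admins pass; otherwise only holders of the security role may write.
function preventNonSecurityUpdate(current, gs) {
  const adminsAllowed = gs.getProperty(ADMIN_ACCESS_PROPERTY, 'false') === 'true';
  if (gs.hasRole(SECURITY_ROLE) || (adminsAllowed && gs.hasRole('admin'))) return true;
  gs.addErrorMessage('Only security roles may modify Security Incident Response records');
  current.setAbortAction(true);
  return false;
}

// Stand-alone run: an incident with an open task cannot be closed, one without can,
// and an admin lacking the security role is blocked while the property is unset.
function demo() {
  const gs = makeGs(['admin'], {});
  return {
    closeWithOpenTask: disallowClosureWithOpenTasks(makeCurrent('si_open', '2', CLOSED_STATE), gs), // false
    closeWithoutOpenTask: disallowClosureWithOpenTasks(makeCurrent('si_done', '2', CLOSED_STATE), gs), // true
    adminUpdateBlocked: preventNonSecurityUpdate(makeCurrent('si_open', '2', '2'), gs),              // false
    messages: gs.errors,
  };
}
console.log(demo());
```

On the platform the same bodies run with the real GlideRecord and gs, so the stand-in is only there to exercise the logic offline. Note the setLimit(1) plus hasNext() existence check: the rule needs to know whether any open task exists, not how many, so it never walks the whole result set.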