Security incidents

Security incidents can be created in numerous ways, some manually and others automatically. Additionally, you can create response tasks, which define the actual steps needed to handle the security incident.

If you have any security role, you can use any of the following methods for manually creating security incidents.

Table 1. Methods for manually creating security incidents

| Method | Description |
| --- | --- |
| Manually created from the Self-Service Security Incident catalog | You can create security incidents by selecting from categories of security threats defined in the security incident catalog. |
| Manually created from incidents | On the Incident form in incident management, click Create Security Incident to create a new security incident. |
| Manually converted from a security request | On the Security Request form, click the Convert to Security Incident button to create a new security incident. |
| Manually converted from an existing alert | On the Event Management Alert form, click Create Security Incident to create a new security incident. |
| Manually created from the Security Incident list | New security incident response (SIR) records can be created using the Create New module on the navigation bar. |
| Manually converted from a vulnerability record (if the Vulnerability Response plugin is activated) | On the Vulnerability Items form, click the Create Security Incident button to create a new security incident. |

Automatic creation of security incidents

Generally, security admins are responsible for setting up the alert rules used to automatically generate security incidents.

Table 2. Security admin method for creating security incidents

| Method | Description |
| --- | --- |
| Automatically created using alert rules | Security incidents can be created based on alert rules defined in the Event Management application. |

Manually create a security incident
You can create a new security incident from the Security Incident form, as well as from several other forms.

Security incident automatic creation
When the Security Incident Response Event Management support plugin is activated, the Event Management application is also activated. This allows the Security Incident Response system to receive security events from integrated third-party alert monitoring tools, such as Splunk, and to use the imported data to create security incidents.

Create response tasks
After a security incident has been created, response tasks are created to track the separate actions to be performed in response to the security issue.

Identify all Resources/CIs affected by a security incident
If you know which resource (server, desktop or other configuration item) is behind a security incident and want to identify related resources and business services that might be affected, you can use the Business Service Management (BSM) map. The BSM map displays the upstream and downstream dependencies for a selected root CI.

Security analyst assignment
Depending on your settings in the Security Incident Administration configuration screen, you can assign analysts manually or by using auto-assignment.

Create a change, incident, or problem from a security incident
After you have created and saved a security incident, you can create a change request (CHG), incident (INC), or problem (PRB) record from it.

Search security incidents
You can find information quickly in an instance using the search icon in the screen header. Zing is the text indexing and search engine that performs all text searches in your instance.

Close security incidents
When a security incident has transitioned to the Review state, you can close it and enter an appropriate closure code. Closure codes can be searched on later, which makes closed incidents easier to locate.