Business rules installed with Security Incident Response

Security Incident Response adds the following business rules.
Table 1. Business rules for Security Incident Response

| Business rule | Tables | Description |
|---|---|---|
| Add extended info into SI | Alert [em_alert] | When an alert creates a security incident and carries additional information for it, this business rule pulls that information into the security incident. |
| Auto assessment business rule | Security Incident [sn_si_incident] | Supports assessments for the security incident post incident review functionality. |
| Auto deletion rule for Assessments | Security Incident [sn_si_incident] | Handles deletion of assessable records for security incidents when they are no longer needed (Post Incident Report support). |
| Calculate business criticality | Security Incident [sn_si_incident] | Calculates the business criticality whenever a vulnerability record is saved or updated. |
| Calculate Severity | Security Incident [sn_si_incident] | Runs the security incident calculators when the security incident is created or when a configuration item is updated. |
| Clean special access lists | Security Incident [sn_si_incident] | If a user with the Special access role was added to both the Read access and Privilege access lists, only the Privilege access permissions persist. |
| Close child security incidents | Security Incident [sn_si_incident] | Closes child security incidents when the parent security incident is closed. |
| Copy CI And User | Security Incident Response Task [sn_si_task] | Copies the CI and user from a security incident to its child response task. |
| Copy location | Security Incident Response Task [sn_si_task] | Copies the location from the security incident Location field to the new task. |
| Create Knowledge On Closure | Security Incident [sn_si_incident] | If Create Knowledge Article is selected on a security incident form, this rule creates a knowledge base article when the incident is closed. |
| Disallow closure with open response task | Security Incident [sn_si_incident] | Prevents a security incident from closing if there are open response tasks. |
| Don't allow new tasks for closed incident | Security Incident Response Task [sn_si_task] | Prevents new response tasks from being created for closed security incidents. |
| Generate PIR PDF | Security Incident [sn_si_incident] | Generates a post incident review PDF document. |
| Generate PIR when in Review and Close | Security Incident [sn_si_incident] | Automatically generates the post incident report when changes are made to the incident while it is in the Review or Closed state. |
| Handle assessments | Security Incident [sn_si_incident] | Facilitates the creation of assessments for the security incident. |
| Handle assessments setup | Security Incident [sn_si_incident] | Handles assessments in support of Post Incident Review functionality. |
| Limit Sec Manager Admin User access | Group Member [sys_user_grmember] | Prevents security users from making modifications to non-security groups. |
| Manage special access role | Security Incident [sn_si_incident] | Gives the special access role to users added to either the Read access or Privileged access fields on the Security Incident Response form. |
| Messages | Severity Calculator [sn_si_severity_calculator] | Stores the "Leave alone" message for the severity calculator client script. |
| Prevent duplicate runbook articles | Runbook Document [sn_si_runbook_document] | On update or insert of the article, checks whether the same combination of filter conditions (or filters) and KB article already exists. If so, the transaction is rolled back. |
| Prevent non-security roles reading | Application Menu [sys_app_application]; Attachment [sys_attachment]; History [sys_history_line]; Journal Entry [sys_journal_field]; Product Model [cmdb_model]; Security Incident Attack Vectors [sn_si_attack_vector]; Severity Calculator [sn_si_severity_calculator]; Task [task] | Prevents an administrator and other non-security roles from viewing any part of the Security Incident Response data. |
| Prevent non-security roles updating | Contained Role [sys_user_role_contains]; Group Member [sys_user_grmember]; Group Role [sys_group_has_role]; Security Incident [sn_si_incident]; Security Incident Attack Vectors [sn_si_attack_vector]; Security Incident Flow [sn_si_sf_incident]; Security Incident Response Task [sn_si_task]; Security Incident Response Task Flow [sn_si_sf_task]; Security Incident Response Task Template [sn_si_task_template]; Security Incident Template [sn_si_incident_template]; Severity Calculator [sn_si_severity_calculator]; SM Configuration [sm_config]; SM Notification Rule [sm_notification_rule]; System Property [sys_properties]; User [sys_user]; User Role [sys_user_has_role] | Prevents an administrator and other non-security roles from viewing or updating any part of the Security Incident Response data. |
| Process definition change | Security Incident Process Definition Selector [sn_si_process_definition_selector] | Handles the change of the selected security incident process definition. |
| Propagate work notes to child incidents | Security Incident [sn_si_incident] | Pushes work notes made on a parent security incident to its child security incidents. |
| Refresh impacted services on CI change | Security Incident [sn_si_incident] | When the configuration item (CI) changes, this rule updates the list of affected services. |
| Regen PIR on closure/cancel/update | Assessment Instance [asmt_assessment_instance] | Regenerates the post incident review report when a security incident is closed, canceled, or updated. |
| Request for IoC lookup | Security Incident [sn_si_incident] | Computes the delta of the security incident observable fields and launches the workflow to create a lookup request. |
| Require assessments to be complete | Security Incident [sn_si_incident] | Prevents security incidents from being closed until all assessments are completed. |
| Set initial state | Security Incident [sn_si_incident]; Security Incident Response Task [sn_si_task] | Sets the initial state of the associated task. |
| Store assignee | Security Incident [sn_si_incident] | When an incident is reassigned, the newly assigned security analyst is added to the list of people who must complete any post incident review questionnaire created for the incident. |
| Store external url in scratchpad | Security Incident [sn_si_incident] | Stores the external URL for use when drilling down to the originating data for a security incident created by an external event. |
| Sync affected users | Security Incident [sn_si_incident]; Task Affected User [sn_si_m2m_task_affected_user]; Security Incident Response Task [sn_si_task] | Syncs the affected users between the security incident, the Security Incident Response task, and the many-to-many tables. |
| Trigger Workflows | Security Incident [sn_si_incident]; CIs Affected [task_ci] | Triggers security incident workflows when conditions are met. |
| Update related incident | Security Incident [sn_si_incident] | As comments (not work notes) are added to a security incident, this rule updates the originating incident, if there is one. |
| Update security incident | Change Request [change_request]; Incident [incident]; Problem [problem] | As updates are made to the change request, updates the originating security incident. |
| Validate state change | Security Incident [sn_si_incident]; Security Incident Response Task [sn_si_task] | Checks that a state change being made on a security incident or response task is valid. |
| Verify at least one filter in advanced | Runbook Document [sn_si_runbook_document] | If the Advanced option is selected, ensures that at least one filter is listed. If not, it prevents the update or insert. |
Note: The Prevent non-security roles reading and Prevent non-security roles updating business rules depend on a property in Security Incident Properties. If the Admin users can access Security Incident Response property is set to No, these business rules are invalid.