Manually create a security incident from a Security Incident form

You can create a security incident from the Security Incident form, as well as from several other forms.

Before you begin

Role required: sn_si.basic

About this task

You can create security incidents based on an existing record from the following forms:
  • Incident form
  • Event Management Alert form
  • Vulnerable Items form
  • Security Request form
You can also create security incidents using these methods:
  • Click New in any security incident list.
  • Select a security incident from the Security Incident Catalog.
  • Automatically, from ServiceNow alerts via alert rules.

Procedure

  1. Navigate to any security incident list (for example, Security Incident > Incidents > Unassigned Incidents), and click New.
  2. Fill in the fields on the form, as appropriate.
    Table 1. Security incident
    Field Description
    Number [Read only] The security incident number.
    Requested by The person requesting the work to be performed.
    Configuration Item The server, computer, router, or other configuration item affected by the security issue.
    Affected user The person affected by the security issue.
    Location The location of the requester or resource. If a Configuration Item is not selected, this field is pre-filled with the location of the requester.
    Category The category that identifies the type of security issue.
    Subcategory The subcategory that further defines the issue.
    Opened [Read only] Displays the date and time the incident was opened.
    State The current state of the security incident. Upon security incident creation, this field defaults to Draft.
    Substate Identifies whether the security incident includes a pending problem or change.
    Source Identifies the source of the security incident, such as log monitoring, a phone call, or an incident.
    Business criticality Select the importance of this security incident to your business. The default value is Non-critical. If, after the security incident record has been saved, you change the value in the Priority field, or in the Impact, Severity, and/or Risk fields on the General tab, the Business criticality is recalculated.
    Priority Select the order in which to address this security incident, based on the urgency. If this value is changed after the record is saved, it can affect the Business criticality calculation.
    Assignment group The group to which this security incident is assigned.
    Assigned to The individual assigned to perform the work.
    Short description A brief description of the security incident. As you type the short description, links to related articles from the knowledge base appear. Scanning the information could solve your issue.

  3. Right-click in the record header and select Save.
  4. Select the following tabs and complete the information, as appropriate.
    Table 2. Security incident tabs
    Field Description
    Incident Details
    Read access Gives a user with the special access role read access to the security incident. The user is able to read and write work notes. See Roles installed with Security Incident Response for more information.
    Note: If a user is added to both Read access and Privileged access lists, then only the Privileged access permissions persist.
    Watch list Click the lock icon to add users who are notified when changes to the security incident occur. After the field is unlocked, options are available for adding or removing multiple users or entering user email addresses. When you have completed your entries, click the lock icon to lock the field.
    Privileged access Gives a user with the special access role read and write access to all fields of the security incident except Assigned to. Users with special access roles have their own module containing all security incidents assigned to them. No other modules are available to them. No one else can see the Visible to Me module.
    Note: Only an assigned user or someone with a security role (for example, sn_si.analyst or sn_si.admin) can change the Assigned to field.
    If a user is added to both Read access and Privileged access lists, then only the Privileged access permissions persist.

    Work notes list Click the lock icon to add users who are notified when new work notes are added. After the field is unlocked, options are available for adding or removing multiple users or entering user email addresses. When you have completed your entries, click the lock icon to lock the field.
    Description Enter a full description of the security incident, along with any information that can help to find the cause or resolve the issue.
    Additional comments Enter comments that are visible to the requesting user.
    Secure notes Click the lock icon to unlock the field, enter work notes that are visible to the security users, and click the icon again to lock it.
    Activity All task activity (actions, comments, work notes, and so on) on related records for this security incident. This field is dynamically updated as other users work on this incident or tasks related to this incident.
    Related Records
    Problem Select a Problem (PRB) record that resolves the underlying issue that caused this security incident to be created. The PRBs for this incident are typically created by right-clicking in the security incident form header and selecting Create Problem.
    Parent Select a task record related to the underlying issue that caused this security incident to be created.
    Parent security incident Select a security incident record related to the underlying issue that caused this security incident to be created. See Parent and child security incident relationships.
    Incident Select an Incident (INC) record that resolves the underlying issue that caused this security incident to be created. The incident is typically created by right-clicking in the security incident form header and selecting Create Incident.

    Change request Select a Change Request (CHG) record that resolves the underlying issue that caused this security incident to be created. The change request is typically created by right-clicking in the security incident form header and selecting Create Change.
    Security Incident Observables
    Source IP Typically the IP address of a computer on which malware was detected.
    Note: If Threat Intelligence and Security Operations Palo Alto Networks - Firewall are activated, changing or adding a value to this field causes the Security Operations Palo Alto Networks - Get Log Data workflow to execute. The workflow retrieves enriched threat log data from the firewall and attaches it to the security incident. The information is also parsed and displayed in the Firewall Logs section under the Enrichment Data tab.
    Destination IP The IP address the malware attempted to communicate with.
    Malware URL For phishing emails, the URL that is accessed if the targeted user clicks the link.
    Referrer URL When the user clicks a link in a phishing email, this field shows the URL of the final jump before the malware URL is accessed.
    Malware hash An identification (specifically, a message digest hash) of the malware program.
    Other IoC Other Security Incident Observables used to identify the malware.
    The following tabs are not available until you have saved or submitted the security incident.
    Enrichment Data
    Raw data details are stored in an attachment to the enrichment data record. If they exceed the field limit, displayed details are truncated.

    Security Enrichment Data Stores raw enrichment data from Security Incident Response workflows, such as retrieving network statistics or running processes.
    Malware Results Stores enrichment data from malware detection systems such as the Palo Alto Networks enrichment workflows for WildFire and AutoFocus.
    Running Processes Stores the records created by the Security Incident Response Get Running Processes workflow.
    Network Statistics Stores the records created by the Security Incident Response Get Network Statistics workflow.
    Firewall Logs Stores enrichment data from firewall logs, such as the Palo Alto Networks firewall logs.
    Threat Intelligence
    Associated Attack Modes/Methods If Threat Intelligence is activated, you can view any other attack types associated with any of the same threat records.
    Associated Indicators If Threat Intelligence is activated, you can view any other indicators associated with any of the same threat records.
    Associated Observables If Threat Intelligence is activated, you can view any other observables associated with any of the same threat records.
    Resources with Similar IoC If Threat Intelligence is activated, you can view any other resources with similar indicators.
    Users with Similar IoC If Threat Intelligence is activated, you can view any other users with similar indicators.
    Vulnerability Details
    Vulnerability Groups If Vulnerability Response is activated, you can view vulnerability groups associated with this security incident.
    Vulnerability Items If Vulnerability Response is activated, you can view vulnerability items associated with this security incident.
    Post Incident Review
    Request assessments Click the lock icon to add users who participate in the post-incident review. After the field is unlocked, options are available for adding or removing multiple users or entering user email addresses. When you have completed your entries, click the lock icon to lock the field.
    Post incident report The generated post incident report that is filled in when the security incident is moved to Review, Closed, or when all requested assessments are completed. This report contains:

    • A summary of what was done
    • Who requested it
    • The time line
    • All details about the security incident (type, configuration item, location, priority, and so on)
    • All related incidents, changes, problems, and tasks
    • The details of the resolution
    • Responses to the post incident review assessment from all users
    • Audit work notes
    Closure Information (This tab is visible when the security incident is in the Review or Closed state.)
    Create knowledge article Select this check box to generate a knowledge article using the contents of the post incident report.
    Close code Select the close code that best describes the reason for closing the security incident.
    Close notes How the security incident has been closed, including lessons learned, resolution, and so on.
    Closed by [Read only] Displays the user who closed the security incident.
    Closed [Read only] Displays the date and time the security incident was closed.
  5. Within Related Links, you can perform the following tasks:
    Option Description
    View Manual Runbook View the list of runbooks available for this security incident.
    Response Workflow View any workflow associated with this incident.
    View Details in External System If this security incident was generated from an external application, directly or by events, and a link to the originating data was provided, the View Details in External System action opens the URL. You can view and search through the logs that generated this incident.
    Scan for Vulnerabilities If Vulnerability Response is activated, and you have selected at least one affected CI for the security incident, you can submit a scan request to determine what vulnerabilities exist on the CI.
  6. View the following features in the form header context menu:
    [Figure: Form header context menu]
    Option Description
    Calculate Severity Handles the security incident severity calculations and rules for base calculators and calculator groups. If the base calculator and CI Group filter are available for evaluation, then they are processed as an AND statement. If only one is available, it is individually evaluated.
    Repair SLAs Repair SLA records to ensure that SLA timing and duration information is accurate.
  7. View the following Related Lists to discover or add more information about the security incident.
    Option Description
    Task SLAs View or add active task SLAs that were defined for the security incident.
    Tasks Displays tasks already defined for the security incident. You can manually create a response task or create another type of task from this related list.
    Configuration Items After affected CIs are identified, you can manually add affected resources from this related list.
    Affected Users After affected users are identified, you can manually add affected users from this related list.
    Groups Associated to CIs After configuration items are identified, any matching CI group or Filter group is automatically added.
    Child Security Incidents Select a task record related to the issue that caused this security incident to be created.
    Similar Security Incidents View any other security incidents associated with any of the same observable records.
    Exchange Search The list of search criteria used, as a group, to run queries on a Microsoft® Exchange Server.
    Security Scan Requests Scan and lookup requests attached to the security incident.
    Affected Services View or add business services associated with the security incident.
    Note: If an affected CI is added after the security incident is opened, it is a good idea to right-click in the form header and select Refresh Impacted Services.
    Outages View or manually add new outage records associated with the security incident.
    Customer Service Cases If Customer Service is activated, you can view Customer Service case information.
    Vulnerabilities on Configuration Items [Optional] Available to add from the form header context menu under Configure > Related Lists. If Vulnerability Response is activated, you can view vulnerability information for resources, such as servers, desktops, or other CIs, affected by this security incident.
    Risks [Optional] Available to add from the form header context menu under Configure > Related Lists. If any of the core GRC plugins (Policy and Compliance Management, Audit Management, or Risk Management) are activated, you can view or add risks associated with the security incident.
    Note: You can add Security Incident Audit Logs to Related Lists from the form header context menu.
    [Figure: Related Lists menu]
  8. When you have completed your entries, click Submit.
    You can make these updates to the security incident from the header bar:
    [Figure: Security incident header bar]
    Note: Customer Service must be activated to see and use the Create Customer Service Case feature.
    Note: Only someone in the security admin role can delete a security incident.
  9. After you have created security incidents, you can view them using any of the following items under Security Incident:
    • Assigned to Me > Incidents
    • Assigned to Team > Incidents
    • Unassigned > Incidents
    Note: If you have activated the Security Operations QRadar Integration, you can use default workflows to enrich data in security incidents when the Configuration item field, or the Source IP or Destination IP fields on the Security Incident Observables tab, are updated.