Security Incident Response - Get Running Services workflow

The Security Incident Response - Get Running Services workflow retrieves a list of running services from Windows-based ServiceNow configuration items (CIs). This workflow is used for incident enrichment during investigations.

Before you begin

Role required: sn_si.analyst

About this task

The Security Incident Response - Get Running Services workflow runs automatically when you add a new configuration item to a Windows security incident after the state changes to Analysis. The information this workflow obtains appears on the Show Enrichment Data tabs for the security incident.

Note: If the security incident remains in the Draft state, the Security Incident Response - Get Running Services workflow does not run.

Workflow activities include:

[Figure: Security Incident Response - Get Running Services workflow diagram]

Procedure

  1. Open a security incident.
  2. Update the State to Analysis, if necessary.
  3. Add a Windows-based configuration item (server, laptop, or similar).
  4. Click Update.
    Security Incident Response provides running services information in the Related Links > Security Incident Enrichments tab. For more information, see Security Operations enrichment data mapping.