Security Operations System Command Integration - Get Running Processes workflow

The Security Operations System Command Integration - Get Running Processes workflow retrieves the running processes of a Windows or Unix-based configuration item when that item is added to, or updated on, a security incident in the Analysis state.

Before you begin

Role required: sn_si.analyst

About this task

For new security incidents, the workflow runs automatically when you submit the incident with a selected configuration item and the state automatically changes to Analysis. If the incident remains in the Draft state, the workflow does not run.

Existing security incidents are automatically updated when the incident is in the Analysis state and you add a new configuration item.

Figure: Security Operations System Command Integration - Get Running Processes workflow diagram

Procedure

  1. Open a security incident.
  2. Update the State to Analysis, if necessary.
  3. Add a configuration item (computer, server, or similar).
  4. Click Update.
    Security Incident Response Orchestration provides running process information in the Related Link > Security Incident Enrichments tab. For more information, see Security Operations enrichment data mapping.