Security Incident - Evaluate response task outcome workflow

Security Incident - Evaluate Response task outcome workflow determines the task to use, invokes a chosen workflow and evaluation script based on the outcome evaluator record provided as input to the chosen workflow.

Before you begin

Role required: sn_si.write ??

About this task

This workflow is intended to run at the same time as the create task activity to be evaluated. The evaluation script queries the artifacts (such as sightings search records, or running processes) of the configured capability using context information from the response task (such as its parent security incident) to determine the appropriate outcome for the response task. The outcome could potentially be workflow activity dependent, but is generally yes or no. When creating an outcome evaluator record only capabilities that have a configured workflow, with the Is task based capability box checked, and a task input variable set are available to select.

Workflow process activities include:
  • Run script to determine response task
  • Should Run Workflow
  • Parallel Flow Launcher Launch Capability Workflow
  • Create Evaluation Event
Security Incident Evaluate Response Outcome workflow diagram