Security Incident Reconnaissance workflow template

Reconnaissance is usually a preliminary step toward a further attack seeking to exploit a device or system. The Security Incident - Reconnaissance - Template allows you to perform a series of tasks designed to handle reconnaissance on your network.

Before you begin

Role required: sn_si.write

About this task

The workflow is triggered when the Category in a security incident is set to Reconnaissance activity. This action causes a response task to be created for the first activity in the workflow.

Figure: Reconnaissance workflow template

Procedure

  1. Open the security incident for this potential attack, or create a new security incident.
  2. In Category, select Reconnaissance activity.
  3. Save the record.
  4. Scroll down and open the Response Tasks related list.
    The first of a series of response tasks appears. Each time the record is saved, your response to the previous task either causes the next response task to be created or the workflow to end.
    Table 1. Response tasks in Reconnaissance Template

    Response task: Reconnaissance activity verified?
    Action: Determine whether any observed reconnaissance has been verified.
    Results: In the task, select Yes or No in Outcome. If you select Yes, the Identify impacted systems task is created. If you select No, the workflow ends.

    Response task: Identify impacted systems
    Action: Determine the systems impacted by the reconnaissance.
    Results: When this task is complete, the Allow reconnaissance for law enforcement analysis? task is created.

    Response task: Allow reconnaissance for law enforcement analysis?
    Action: Determine whether you want the reconnaissance to be analyzed by law enforcement agencies.
    Results: In the task, select Yes or No in Outcome. If you select Yes, the Law enforcement process task is created. If you select No, the Update system(s) to prevent reconnaissance task is created.

    Response task: Law enforcement process
    Action: Perform the law enforcement process as defined by your company.
    Results: When this task is complete, the Update system(s) to prevent reconnaissance task is created.

    Response task: Update system(s) to prevent reconnaissance
    Action: Perform the steps necessary to update the systems affected by the reconnaissance.
    Results: When this task is complete, the Set state to review task is created.

    Response task: Set state to review
    Action: No action required.
    Results: The State of the security incident is changed automatically to Review, and the Lessons learned meeting task is created.

    Response task: Lessons learned meeting
    Action: Conduct a lessons learned meeting to triage the work performed for this reconnaissance incident. Update the State field in the task as appropriate.
    Results: When this task is complete, the workflow ends.