Security Incident Rogue Server or Service workflow template

The Security Incident - Rogue Server or Service - Template provides a series of response tasks for handling activity from a rogue server or service on your network.

Before you begin

Role required: sn_si.write

About this task

The workflow is triggered when the Category of a security incident is set to Rogue server or service activity. This creates a response task for the first activity in the workflow.

Rogue server or service workflow template

Procedure

  1. Open the security incident for this potential attack, or create a new security incident.
  2. In Category, select Rogue server or service activity.
  3. Save the record.
  4. Scroll down and open the Response Tasks related list.
    The first of a series of response tasks appears. Each time the record is saved, your response to the previous task causes either the next response task to be created or the workflow to end.
    Table 1. Response tasks in Rogue Server or Service Template

    Response task: Rogue server or service verified?
    Action: Determine whether a connection with a rogue server or service has been verified on your network. In the task, select Yes or No in Outcome.
    Results: If you select Yes, the following two tasks are created in parallel:
    • Identify impacted system(s)
    • Potential data loss?
    If you select No, the workflow ends.

    Response task: Identify impacted system(s)
    Action: Determine the systems impacted by contact with the rogue server or service.
    Results: When this task is complete, the Update system(s) - Remove rogue connections task is created.

    Response task: Potential data loss?
    Action: Determine whether the connection with the rogue server or service caused potential data loss. In the task, select Yes or No in Outcome.
    Results: If you select Yes, the Create potential data loss incident task is created.
    If you select No, the Update system(s) - Remove rogue connections task is created.

    Response task: Create potential data loss incident
    Action: Create a separate security incident for the potential data loss.
    Results: When this task is complete, the Update system(s) - Remove rogue connections task is created.

    Response task: Update system(s) - Remove rogue connections
    Action: Remove the rogue connections from the impacted systems.
    Results: When this task is complete, the Set state to review task is created.

    Response task: Set state to review
    Action: No action required.
    Results: The State of the security incident is changed automatically to Review, and the Lessons learned meeting task is created.

    Response task: Lessons learned meeting
    Action: Conduct a lessons learned meeting to review the work performed for this rogue server or service incident. Update the State field in the task as appropriate.
    Results: When this task is complete, the workflow ends.