Security Incident Spam workflow template

The Security Incident - Spam - Template allows you to perform a series of tasks designed to handle email spam on your network.

Before you begin

Role required: sn_si.write

About this task

The workflow is triggered when the Category in a security incident is set or changed to Spam source. This action causes a response task to be created for the first activity in the workflow.

Security incident spam workflow template

Procedure

  1. Open the security incident for which you want to handle email spam, or create a new security incident.
  2. In Category, select Spam source.
  3. Save the record.
  4. Scroll down and open the Response Tasks related list.
    The first of a series of response tasks appears. Each time the record is saved, your response to the previous task either causes the next response task to be created or the workflow to end.
    Table 1. Response tasks in Spam Template

    | Response task | Action | Results |
    | --- | --- | --- |
    | Spam contains malicious content? | Determine whether the spam contains malicious software. In the task, select Yes or No in Outcome. | If you selected Yes, the following response tasks are created: Quarantine email message; Create malicious software incident. If you selected No, the Update email software response task is created. |
    | Create malicious software incident | Perform the steps to create a security incident, updating the State field in the task as appropriate. | If you change the state of the task to Closed Complete or Cancelled, this response task waits until the next three response tasks have been completed. The state of the security incident then transitions to Review. |
    | Quarantine email message | Perform the steps to quarantine the spam, updating the State field in the task as appropriate. | If you change the state of the task to Closed Complete or Cancelled, the next response task is created. |
    | Block source on firewall | Perform the steps to block the email address on the firewall, updating the State field in the task as appropriate. | If you change the state of the task to Closed Complete or Cancelled, the next response task is created. |
    | Update email software | Add the email address to your block list, updating the State field in the task as appropriate. | If you change the state of the task to Closed Complete or Cancelled, the next response task is created. Note: This response task is also created if you answered No to the Spam contains malicious content? response task. |
    | Set state to review | No action required. | The State of the security incident is automatically changed to Review. |
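
The task sequence in Table 1, modelled as an added example: plain JavaScript written for this page, not ServiceNow workflow code. The function names, the placeholder incident state, and the reading that Review on the Yes path requires Create malicious software incident and the three tasks after it to be finished are assumptions.

```javascript
// Added model of the Table 1 flow; plain JavaScript, not ServiceNow workflow code.
const DONE = new Set(["Closed Complete", "Cancelled"]);
const FIRST = "Spam contains malicious content?";
const CREATE = "Create malicious software incident";
// Tasks that follow one another as each is closed or cancelled.
const CHAIN = ["Quarantine email message", "Block source on firewall", "Update email software"];

function newIncident() {
  // incidentState is a constructed placeholder until the workflow sets Review.
  return { tasks: new Map([[FIRST, "Open"]]), malicious: null, incidentState: "(not Review)" };
}

const isDone = (wf, name) => DONE.has(wf.tasks.get(name));
const openTasks = (wf) => [...wf.tasks.keys()].filter((t) => !isDone(wf, t));

function setOutcome(wf, outcome) {
  if (outcome !== "Yes" && outcome !== "No") throw new Error("Outcome must be Yes or No");
  wf.malicious = outcome === "Yes";
  wf.tasks.set(FIRST, "Closed Complete"); // assumption: answering closes the decision task
  // Yes starts the quarantine chain plus the parallel incident task; No goes to the block list.
  for (const t of wf.malicious ? [CHAIN[0], CREATE] : [CHAIN[2]]) wf.tasks.set(t, "Open");
  return openTasks(wf);
}

function setTaskState(wf, name, state) {
  if (!wf.tasks.has(name)) throw new Error(`Task not created yet: ${name}`);
  wf.tasks.set(name, state);
  // A closed or cancelled chain task causes the next chain task to be created.
  CHAIN.slice(0, -1).forEach((t, i) => {
    if (isDone(wf, t) && !wf.tasks.has(CHAIN[i + 1])) wf.tasks.set(CHAIN[i + 1], "Open");
  });
  // Join (assumed reading of Table 1): on the Yes path, Review needs the three chain
  // tasks and the incident task finished; on the No path, only Update email software.
  const needed = wf.malicious ? [...CHAIN, CREATE] : [CHAIN[2]];
  if (needed.every((t) => isDone(wf, t))) wf.incidentState = "Review"; // Set state to review
  return openTasks(wf);
}
```

Each call returns the response tasks still open, so walking both outcomes shows which tasks an analyst should expect in the Response Tasks related list at each save.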