Security Incident Unauthorized Access workflow template

The Security Incident - Unauthorized Access - Template allows you to perform a series of tasks designed to handle unauthorized access to your network.

Before you begin

Role required: sn_si.write

About this task

The workflow is triggered when the Category in a security incident is set to Unauthorized access. This action causes a response task to be created for the first activity in the workflow.

Unauthorized access workflow template

Procedure

  1. Open the security incident for this potential attack, or create a new security incident.
  2. In Category, select Unauthorized access.
  3. Save the record.
  4. Scroll down and open the Response Tasks related list.
    The first of a series of response tasks appears. Each time the record is saved, your response to the previous task either causes the next response task to be created or the workflow to end.
    Table 1. Response tasks in Unauthorized Access Template

    Response task: User credentials compromised?
    Action: Determine whether any user's credentials have been compromised. In the task, select Yes or No in Outcome.
    Results: If you select Yes, the following two tasks are created in parallel:
    • Malicious software?
    • Deactivate user account
    If you select No, the Contact user and determine intent task is created.

    Response task: Malicious software?
    Action: Determine whether the unauthorized access resulted in the introduction of malicious software. In the task, select Yes or No in Outcome.
    Results: If you select Yes, the Create malicious software incident task is created. If you select No, the Set state to review task is created.

    Response task: Create malicious software incident
    Action: Perform the steps necessary to create a security incident for the unauthorized access.
    Results: When this task is complete, the Set state to review task is created.

    Response task: Deactivate user account
    Action: Perform the steps necessary to deactivate the compromised user account.
    Results: When this task is complete, the Set state to review task is created.

    Response task: Contact user and determine intent
    Action: Perform the steps necessary to contact the user who is responsible for the unauthorized access and determine the reason for the access attempt.
    Results: When this task is complete, the HR process task is created.

    Response task: HR process
    Action: Perform the steps necessary to contact human resources to implement disciplinary action if necessary.
    Results: When this task is complete, the Set state to review task is created.

    Response task: Set state to review
    Action: No action required.
    Results: The State of the security incident is changed automatically to Review, and the workflow ends.