Business rules installed with Security Incident Response

Security Incident Response adds the following business rules.
Table 1. Business rules for Security Incident Response

| Business rule | Tables | Description |
|---|---|---|
| Add extended info into SI | Alert [em_alert] | When an alert creates a security incident and has additional information for a security incident, this business rule pulls that information into the security incident. |
| Associate tasks to indicator | Observable Indicator [sn_ti_m2m_observable_indicator] | When an observable is associated with an indicator, the observable's tasks are automatically associated with the indicator. |
| Auto assessment business rule | Security Incident [sn_si_incident] | Supports assessments for the security incident post incident review functionality. |
| Auto deletion rule for Assessments | Security Incident [sn_si_incident] | Handles deletion of assessable records for security incidents when they are no longer needed (Post Incident Report support). |
| Calculate business criticality | Security Incident [sn_si_incident] | Calculates the business criticality whenever a vulnerability record is saved or updated. |
| Calculate Severity | Security Incident [sn_si_incident] | Runs the security incident calculators when any of the following actions occur: a security incident is created; a configuration item (CI) in a security incident is updated; a security incident's Category is set to Denial of Service, Malicious code activity, or Spear Phishing, one of the associated affected CIs has a Business Criticality of 1 - Critical, and the risk score is not changed. |
| Clean special access lists | Security Incident [sn_si_incident] | If a user with the Special access role was added to both the Read access and Privilege access lists, only the Privilege access permissions persist. |
| Close child security incidents | Security Incident [sn_si_incident] | Closes child security incidents when the parent security incident is closed. |
| Copy CI And User | Security Incident Response Task [sn_si_task] | Copies the CI and user from a security incident to its child response task. |
| Copy location | Security Incident Response Task [sn_si_task] | Copies the location from the security incident Location field to the new task. |
| Create Knowledge On Closure | Security Incident [sn_si_incident] | If Create Knowledge Article is selected on a security incident form, this rule creates a knowledge base article when the incident is closed. |
| Create risk score audit | Security Incident [sn_si_incident] | For each manually updated risk score change, adds a risk score audit record that includes the score change and the reason for the change. This business rule requires that the Risk score override check box is selected. |
| Disallow closure with open response task | Security Incident [sn_si_incident] | Prevents a security incident from closing if there are open response tasks. |
| Dont allow new tasks for closed incident | Security Incident Response Task [sn_si_task] | Prevents new response tasks from being created for closed security incidents. |
| Generate PIR PDF | Security Incident [sn_si_incident] | Generates a post incident review PDF document. |
| Generate PIR when in Review and Close | Security Incident [sn_si_incident] | Automatically generates the post incident report when changes are made to the incident while it is in the Review or Closed state. |
| Handle assessments | Security Incident [sn_si_incident] | Facilitates the creation of assessments for the security incident. |
| Handle assessments setup | Security Incident [sn_si_incident] | Handles assessments in support of Post Incident Review functionality. |
| Handle Deprecated Observable Fields | Security Incident [sn_si_incident] | Checks deprecated fields for the delta between current and previous observables. Adds observables as needed. Changes the default value of the observable to Unknown. |
| Limit Sec Manager Admin User access | Group Member [sys_user_grmember] | Prevents security users from making modifications to non-security groups. |
| Manage special access role | Security Incident [sn_si_incident] | Gives the special access role to users added to either the Read access or Privileged access fields on the Security Incident Response form. |
| Messages | Severity Calculator [sn_si_severity_calculator] | Stores the "Leave alone" message for the severity calculator client script. |
| Prevent duplicate runbook articles | Runbook Document [sn_si_runbook_document] | On update or insert of the article, checks whether the combination of filter conditions or filters and KB article already exists. If so, the transaction is rolled back. |
| Process definition change | Security Incident Process Definition Selector [sn_si_process_definition_selector] | Handles the change of the selected security incident process definition. |
| Propagate work notes to child incidents | Security Incident [sn_si_incident] | Pushes work notes made on a parent security incident to its child security incidents. |
| Refresh impacted services on CI change | Security Incident [sn_si_incident] | When the configuration item (CI) changes, this rule updates the list of affected services. |
| Regen PIR on closure/cancel/update | Assessment Instance [asmt_assessment_instance] | Regenerates the post incident review report when a security incident is closed, canceled, or updated. |
| Require assessments to be complete | Security Incident [sn_si_incident] | Prevents security incidents from being closed until all assessments are completed. |
| Risk score override work notes | Security Incident [sn_si_incident] | Writes a work note when the risk score is toggled on or off. |
| Set initial state | Security Incident [sn_si_incident]; Security Incident Response Task [sn_si_task] | Sets the initial state of the associated task. |
| Store assignee | Security Incident [sn_si_incident] | When an incident is reassigned, that security analyst is added to the list of people who must complete any post incident review questionnaire created for the incident. |
| Store external url in scratchpad | Security Incident [sn_si_incident] | Stores the external URL for use when drilling down to the originating data for a security incident created by an external event. |
| Sync affected users | Security Incident [sn_si_incident]; Task Affected User [sn_si_m2m_task_affected_user]; Security Incident Response Task [sn_si_task] | Syncs the affected users between the security incident, the Security Incident Response task, and the many-to-many tables. |
| Trigger Workflows | Security Incident [sn_si_incident]; CIs Affected [task_ci] | Triggers security incident workflows when conditions are met. |
| Update related incident | Security Incident [sn_si_incident] | As more comments (not work notes) are added to a security incident, this rule updates the originating incident, if there is one. |
| Update risk score | Security Incident [sn_si_incident] | Updates a security incident risk score when the Risk score override check box is not selected and any of the following fields are modified: Affected user, Business criticality, Priority. |
| Update security incident | Change Request [change_request]; Incident [incident]; Problem [problem] | As updates are made to the change request, updates the originating security incident. |
| Update SI risk score | Business Service [cmdb_ci_service] | Updates a security incident risk score when the Business criticality of the associated configuration item changes. |
| | Impacted Services [task_cmdb_ci_service] | Updates a security incident risk score when a record in the Affected Services related list is added, updated, or deleted, and the security incident is not closed or cancelled. |
| | Task Affected User [sn_si_m2m_task_affected_user] | Updates a security incident risk score when a record in the Affected User related list is added, updated, or deleted, and the security incident is not closed or cancelled. |
| | User [sys_user] | Updates a security incident risk score when the Business criticality of the affected user changes. |
| | Vulnerable Item [sn_vul_vulnerable_item] | Updates a security incident risk score when the Business criticality of an associated vulnerable item changes. This business rule is available only when the Vulnerability Response plugin is activated. |
| | Vulnerability Item Task [sn_vul_m2m_item_task] | Updates a security incident risk score when an associated vulnerable item is added, updated, or deleted, and the security incident is not closed or cancelled. This business rule is available only when the Vulnerability Response plugin is activated. |
| Validate state change | Security Incident [sn_si_incident]; Security Incident Response Task [sn_si_task] | Checks that a state change being made on a security incident or response task is valid. |
| Verify at least one filter in advanced | Runbook Document [sn_si_runbook_document] | If the Advanced option is selected, ensures that at least one filter is listed. If not, it prevents the update or insert. |
Note: The Prevent non-security roles reading and Prevent non-security roles updating business rules depend on a property in Security Incident Properties. If the Admin users can access Security Incident Response property is set to No, these business rules are invalid.