Properties installed with Security Incident Response

Security Incident Response adds the following properties.
Table 1. Security Incident properties
Property Usage
Allow customization when creating a problem or change request from a Security Incident

sn_si.popup

When a problem or change is created, this property opens a pop-up window to modify the request.

If set to false, the problem or change request has the same priority, short description, and description as the security incident. You cannot add or edit those fields.

  • Type: true | false
  • Default value: true
  • Location: Security Incident > Administration > Properties
Allow multiple CSM cases from a Security Incident.

sn_si.allow_multiple_csm_cases

When set to true, keeps the Create CSM Case button available on the security incident. When set to false, only one case can be created and the button disappears for that incident.
Note: To set this property, the Customer Service plugin must be installed.
  • Type: true | false
  • Default value: false
  • Location: Security Incident > Administration > Properties
Automatically share the results of a sighting search to the default ServiceNow trusted circle.

sn_tis.auto_share_sighing_searches

When set to true, all sightings search results are automatically shared with the default ServiceNow trusted circle, using the default anonymous profile, upon completion of the search.
Default start time for all agents when no schedule is set, formatted as 08:00

sn_si.default.start.time

  • Type: string
  • Default value: 08:00
  • Location: Security Incident > Administration > Properties
Default end time for all agents when no schedule is set, formatted as 17:00

sn_si.default.end.time

  • Type: string
  • Default value: 17:00
  • Location: Security Incident > Administration > Properties
Include Destination type observables along with other context type observables in the security incident user and CI relationships

sn_si.link_dest_ip

Determines whether a security incident observable with a context type of Destination is displayed under the Configuration Items or Affected Users tabs. By default, observables with a Destination context type are excluded. To include these observables, choose Yes.
Include observables with no local sightings when automatically sharing sighting search results.

sn_tis.auto_share_zero_sightings

When set to true, all sightings search details are shared regardless of their sightings count. The default is false, meaning observables with zero sightings are not shared.
Risk score in the range will be highlighted green, formatted as 0 - 49

sn_si.risk.score.green

In the Security Incidents list, security incidents with a risk score between 0 and 49 are marked with a green dot.
Risk score in the range will be highlighted orange, formatted as 50 - 79

sn_si.risk.score.orange

In the Security Incidents list, security incidents with a risk score between 50 and 79 are marked with an orange dot.
Risk score in the range will be highlighted red, formatted as 80 - 100

sn_si.risk.score.red

In the Security Incidents list, security incidents with a risk score between 80 and 100 are marked with a red dot.
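
The three risk score properties above are free-form range strings, so an edit to one of them can leave a score that matches no color or matches two. The following check is an added example, not ServiceNow code: it parses the "lo - hi" format shown in the table and reports gaps and overlaps. The function names and the 0 to 100 score scale are assumptions taken from the ranges listed above.

```javascript
// Added example: offline check of the three risk-score band properties.
// Property names and the "lo - hi" format come from the table above;
// the 0..100 score scale is an assumption based on the listed ranges.
const BAND_PROPS = {
  green: 'sn_si.risk.score.green',
  orange: 'sn_si.risk.score.orange',
  red: 'sn_si.risk.score.red',
};

// Parse a value such as "50 - 79" into inclusive integer bounds.
function parseBand(name, value) {
  const m = /^\s*(\d{1,3})\s*-\s*(\d{1,3})\s*$/.exec(String(value));
  if (!m) throw new Error(`${name}: expected "lo - hi", got "${value}"`);
  const lo = Number(m[1]), hi = Number(m[2]);
  if (lo > hi) throw new Error(`${name}: lower bound ${lo} exceeds upper bound ${hi}`);
  return { lo, hi };
}

// Return a list of findings; an empty list means every score 0..100
// falls into exactly one band.
function auditRiskBands(props) {
  const findings = [];
  const bands = [];
  for (const [color, name] of Object.entries(BAND_PROPS)) {
    try { bands.push({ color, ...parseBand(name, props[name]) }); }
    catch (e) { findings.push(e.message); }
  }
  for (let score = 0; score <= 100; score++) {
    const hits = bands.filter(b => score >= b.lo && score <= b.hi);
    if (hits.length === 0) findings.push(`score ${score} matches no band`);
    if (hits.length > 1) findings.push(`score ${score} matches ${hits.map(b => b.color).join('+')}`);
  }
  return findings;
}

// Constructed sample values: the ranges from the table, then an edited
// copy that overlaps at 50 and leaves a gap at 80.
const listed = {
  'sn_si.risk.score.green': '0 - 49',
  'sn_si.risk.score.orange': '50 - 79',
  'sn_si.risk.score.red': '80 - 100',
};
const edited = { ...listed, 'sn_si.risk.score.green': '0 - 50', 'sn_si.risk.score.red': '81 - 100' };

console.log(auditRiskBands(listed));
console.log(auditRiskBands(edited));
```
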
Assignment properties for Security Incident Response
Amount of time (in minutes) to add between the end of a task and the travel start of the next.

sn_si.work.spacing

An example of a valid time value is 10.
  • Type: integer
  • Default value: 0
  • Location: Security Incident > Administration > Properties
Location Weight

sn_si.location.weight

A rating used when calculating the criteria to use for auto-assigning a security analyst. If, for example, location is considered for a task, the location weight value is added to the security analyst rating.
  • Type: integer
  • Default value: 10
  • Location: Security Incident > Administration > Properties
Respond with local sightings whenever a threat share is received from a trusted circle.

sn_tis.threat_share_responses

When set to true, whenever shared intelligence is received, a response is sent to the original sender with your local sightings search results.
Set the maximum number of security analysts that are processed by auto-assignment at a time

sn_si.max.agents.processed

The system has an absolute limit of 300 security analysts. If you specify a value greater than 300, the system sets the value to 300. The system cannot auto-dispatch a task for a dispatch group that contains more security analysts than the configured value.
  • Type: integer
  • Default value: 100
  • Location: Security Incident > Administration > Properties
Skills Weight

sn_si.skills.weight

A rating used when calculating the criteria to use for auto-assigning a security analyst. If, for example, skills are considered for a task, the skills weight value is added to the security analyst rating.
  • Type: integer
  • Default value: 10
  • Location: Security Incident > Administration > Properties
Time Zone Weight

sn_si.timezone.weight

A rating used when calculating the criteria to use for auto-assigning a security analyst. If, for example, the security analyst time zone is considered for a task, the time zone weight value is added to the security analyst rating.
  • Type: integer
  • Default value: 10
  • Location: Security Incident > Administration > Properties