Perform tasks from security incident related links

You can perform several other actions on an existing security incident using the related links.

Before you begin

Role required: sn_si.basic

Procedure

  1. Open the security incident you want to update.
  2. Within Related Links, you can perform the following tasks:
    Option: Description
    View Manual Runbook: View the list of runbooks available for this security incident.
    Response Workflow: View any workflow associated with this incident.
    Add Multiple Observables: Adds a list of observables supplied in comma-, newline-, tab-, or pipe-delimited format.
    Add to Security Case: Adds the security incident to one or more security cases. You can also create a new security case and add this security incident to it.
    Get QRadar IP Summaries: If a QRadar integration is available and the incident has valid CIs and source and destination IP addresses, triggers the QRadar workflows and writes the results to the work notes.
    Run Orchestration: Choose and run a Security Operations workflow.
    Show SLA Time Line: View the SLA timeline from a Task SLA record or from an SLA definition.
    Show All Related Lists: Displays all standard related lists and any lists added manually.
    Note: Manually added items are available only in this view.
    Show Affected Items: Displays the lists of CIs, users, and services directly affected by this incident.
    Show Related Items: Displays the lists of related incidents, CIs, users, and groups affected by this incident.
    Show IoC: Displays the lists of observables, indicators, malware, modes and methods, and security scan requests associated with this incident.
    Show Enrichment Data: Displays the lists of enrichment data, processes, services, statistics, lookups, firewall logs, and compromised user information associated with this incident.
    Show Response Tasks: Displays the lists of tasks, SLAs, risk score audits, outages, and Exchange searches associated with this incident.
    View Details in External System: If this security incident was generated from an external application, directly or by events, and a link to the originating data was provided, opens that URL so you can view and search the logs that generated the incident.
    Scan for Vulnerabilities: If Vulnerability Response is activated and at least one affected CI is selected for the security incident, you can submit a scan request to determine what vulnerabilities exist on that CI.
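The Add Multiple Observables action above accepts a paste in comma-, newline-, tab-, or pipe-delimited form. The following Python is an added example, not ServiceNow code, showing the clean-up an analyst wants before such a paste is ingested: splitting on any mix of the four delimiters, dropping empty fields, normalising case, collapsing duplicates, and tagging each value with a coarse type so that junk can be reviewed rather than silently stored as an observable. The type labels, the regular expressions, and the sample paste are this example's own assumptions.

```python
"""Parse a pasted observable list into trimmed, typed, de-duplicated values.

Added example, not ServiceNow code. It models only the input format the
Add Multiple Observables action accepts (comma-, newline-, tab-, or
pipe-delimited) and the clean-up an analyst expects before ingestion.
The type labels and regexes are this example's assumptions.
"""
import ipaddress
import re
from typing import List, Tuple

# One or more of the accepted delimiters separates values. A literal pipe
# inside a URL cannot survive this format; submit such URLs on their own.
_DELIMITERS = re.compile(r"[,\n\t|]+")

_HASH_RE = re.compile(r"^[0-9a-fA-F]+$")
_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
_URL_RE = re.compile(r"^https?://", re.I)
_EMAIL_RE = re.compile(r"^[^@\s]+@([a-z0-9-]+\.)+[a-z]{2,63}$", re.I)


def classify(value: str) -> str:
    """Return a coarse observable type; 'unknown' means review before ingesting."""
    try:
        ipaddress.ip_address(value)      # covers IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if _URL_RE.match(value):
        return "url"
    if _EMAIL_RE.match(value):
        return "email"
    if _HASH_RE.match(value) and len(value) in _HASH_LENGTHS:
        return _HASH_LENGTHS[len(value)]  # hex has no dots, so test before domain
    if _DOMAIN_RE.match(value):
        return "domain"
    return "unknown"


def parse_observables(raw: str) -> List[Tuple[str, str]]:
    """Split delimited text into ordered, unique (type, value) pairs.

    Empty fields from consecutive or trailing delimiters are dropped; hashes
    and domains are lower-cased so case variants collapse into one record.
    """
    seen = set()
    result: List[Tuple[str, str]] = []
    for field in _DELIMITERS.split(raw.replace("\r\n", "\n")):
        value = field.strip()
        if not value:
            continue
        kind = classify(value)
        if kind in ("domain", "md5", "sha1", "sha256"):
            value = value.lower()
        if (kind, value) in seen:
            continue
        seen.add((kind, value))
        result.append((kind, value))
    return result


# Constructed paste mixing every accepted delimiter, a case-variant duplicate
# hash, and one value that is not an observable at all.
SAMPLE_PASTE = (
    "198.51.100.23, evil.example.com\n"
    "d41d8cd98f00b204e9800998ecf8427e\tD41D8CD98F00B204E9800998ECF8427E | "
    "https://evil.example.com/login\n\n"
    "2001:db8::1,,alice@example.com,NotAnObservable"
)

if __name__ == "__main__":
    for kind, value in parse_observables(SAMPLE_PASTE):
        print(f"{kind:8} {value}")
```

Anything reported as unknown should be checked by hand rather than added to the incident; the same applies to values whose type does not match the column you intended to populate.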

Parent and child security incident relationships

You can associate and track the impact of any given issue using parent and child security incident relationships in Security Incident Response.

Using the Related Records tab, you can set a Parent security incident on any security incident form. This automatically makes the current incident a child, and it appears in the Child Security Incidents related list of the parent.

Note: You cannot make an existing parent security incident its own child by entering its own number in the Parent field.
Example of adding a Parent security incident
Example of a child view

You can add one or more Child Security Incidents to any security incident record, as well, using the Edit button in the Child Security Incidents tab. In the following example, all three records are connected.

Example of grandparent, parent, and child security incidents
Note: All work notes recorded in the parent are propagated to any active children in Activities under the Incident Details tab.

When a parent is closed or canceled, its active children are also closed or canceled: any active Response Tasks on the child incidents are canceled and, if a child has no other open tasks, the child is closed. On closure, the Post Incident Review records the closure, and the information on the parent's Closure Information tab is propagated to the children.

Child response task closed and post incident review updated
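The parent/child rules above (no self-parenting, work notes propagated to active children, and the closure cascade that cancels response tasks and copies closure information) are modelled in the following Python. It is an added example, not ServiceNow code; the state names, field names, and sample records are this example's assumptions, and the Post Incident Review itself is not modelled.

```python
"""Model the parent/child security incident cascade described above.

Added example, not ServiceNow code. It encodes the rules the page states:
a record cannot be its own parent (or its own ancestor), parent work notes
propagate to active children only, and closing or cancelling a parent
cancels the active response tasks of its active children, closes each child
that has no other open task, and copies the parent's closure information to
it. State names, field names, and the sample records are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACTIVE, CLOSED, CANCELED = "active", "closed", "canceled"


@dataclass(eq=False)
class Task:
    number: str
    kind: str            # "response" or any other task type (e.g. "outage")
    state: str = ACTIVE


@dataclass(eq=False)   # identity equality: records are nodes in a tree
class SecurityIncident:
    number: str
    state: str = ACTIVE
    parent: Optional["SecurityIncident"] = None
    children: List["SecurityIncident"] = field(default_factory=list)
    tasks: List[Task] = field(default_factory=list)
    work_notes: List[str] = field(default_factory=list)
    closure_info: Dict[str, str] = field(default_factory=dict)

    def set_parent(self, parent: "SecurityIncident") -> None:
        """Make this record a child of parent; reject self-parenting and cycles."""
        node: Optional[SecurityIncident] = parent
        while node is not None:
            if node is self:
                raise ValueError(f"{self.number} cannot be its own ancestor")
            node = node.parent
        if self.parent is not None:
            self.parent.children.remove(self)
        self.parent = parent
        parent.children.append(self)

    def add_work_note(self, text: str) -> None:
        """Record a work note and propagate it to active children, recursively."""
        self.work_notes.append(text)
        for child in self.children:
            if child.state == ACTIVE:
                child.add_work_note(text)

    def close(self, state: str, closure_info: Dict[str, str]) -> None:
        """Close or cancel this record and cascade to its active children."""
        if state not in (CLOSED, CANCELED):
            raise ValueError(f"not a terminal state: {state}")
        self.state = state
        self.closure_info = dict(closure_info)
        for child in self.children:
            if child.state != ACTIVE:
                continue                      # already closed children are untouched
            for task in child.tasks:
                if task.kind == "response" and task.state == ACTIVE:
                    task.state = CANCELED     # active response tasks are canceled
            if any(t.state == ACTIVE for t in child.tasks):
                continue                      # other open tasks keep the child open
            child.close(state, closure_info)  # recursion reaches grandchildren


def try_set_parent(child: SecurityIncident, parent: SecurityIncident) -> bool:
    """Return True if the link was accepted, False if it was rejected."""
    try:
        child.set_parent(parent)
        return True
    except ValueError:
        return False


def build_chain() -> Tuple[SecurityIncident, ...]:
    """Constructed grandparent -> parent -> {child, sibling} records."""
    gp, parent = SecurityIncident("SIR-grandparent"), SecurityIncident("SIR-parent")
    child, sibling = SecurityIncident("SIR-child"), SecurityIncident("SIR-sibling")
    parent.set_parent(gp)
    child.set_parent(parent)
    sibling.set_parent(parent)
    child.tasks.append(Task("SIT-child-1", "response"))
    sibling.tasks.append(Task("SIT-sibling-1", "response"))
    sibling.tasks.append(Task("SIT-sibling-2", "outage"))   # non-response, stays open
    return gp, parent, child, sibling


def run_scenario() -> Dict[str, object]:
    """Close the grandparent and report what the cascade did to the chain."""
    gp, parent, child, sibling = build_chain()
    gp.add_work_note("Containment complete")
    gp.close(CLOSED, {"close_code": "Resolved", "close_notes": "Host reimaged"})
    return {
        "states": {i.number: i.state for i in (gp, parent, child, sibling)},
        "child_closure": child.closure_info,
        "sibling_closure": sibling.closure_info,
        "child_tasks": [t.state for t in child.tasks],
        "sibling_tasks": [t.state for t in sibling.tasks],
        "child_notes": child.work_notes,
        "self_parent_rejected": not try_set_parent(gp, gp),
        "cycle_rejected": not try_set_parent(gp, child),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The sibling record shows the edge case worth remembering when you close a parent: its response task is canceled by the cascade, but the open outage task keeps it active, so it receives neither the closed state nor the parent's closure information until that task is dealt with.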

Show affected items for a security incident

You can view affected items, such as CIs, affected users, and affected services associated with a security incident.

Before you begin

Role required: sn_si.basic

Procedure

  1. If it is not already open, open the security incident for which you want to view affected items.
  2. Click the Show Affected Items related link.
  3. Click any of the related lists to view or add information for the security incident.
    Tab: Description
    Configuration Items: Affected configuration items. After affected CIs are identified, you can manually add further affected resources from this related list.
    Affected Users: After affected users are identified, you can manually add further affected users from this related list.
    Affected Services: View or add business services associated with the security incident.
    Note: If an affected CI is added after the security incident is opened, right-click the form header and select Refresh Impacted Services so that the affected services are recalculated for the new CI.
  4. Click any other related link to further update the security incident.
  5. When you have completed your entries, click Submit.

Show enrichment data for a security incident

You can view enrichment data, such as running processes and services, and network statistics associated with a security incident.

Before you begin

Role required: sn_si.basic

Procedure

  1. Open the security incident for which you want to view enrichment data.
  2. Click the Show Enrichment Data related link.
  3. Click any of the related lists to view or add information for the security incident.
    Note: Raw data details are stored in an attachment to the enrichment data record. If they exceed the field limit, displayed details are truncated.
    Tab: Description
    Security Enrichment Data: Stores raw enrichment data from Security Incident Response workflows, such as retrieving network statistics or running processes.
    Running Processes: Stores the records created by the Security Incident Response Get Running Processes workflow.
    Running Services: Stores the records created by the Security Incident Response Get Running Services workflow.
    Network Statistics: Stores the records created by the Security Incident Response Get Network Statistics workflow.
    Domain Lookups: If the WhoisXML API Integration plugin is activated, stores the records created by a Whois lookup.
    Firewall Logs: Stores enrichment data from firewall logs, such as Palo Alto Networks firewall logs.
    Compromised User Info: Stores accounts identified as compromised through a Have I Been Pwned? lookup.
  4. Click any other related link to further update the security incident.
  5. When you have completed your entries, click Submit.

Show response task information for a security incident

You can view response task information, such as task SLAs, risk score audits, and outages associated with a security incident.

Before you begin

Role required: sn_si.basic

Procedure

  1. Open the security incident for which you want to view response tasks.
  2. Click the Show Response Tasks related link.
  3. Click any of the related lists to view or add information for the security incident.
    Tab: Description
    Tasks: Displays tasks already defined for the security incident. You can manually create a response task or another type of task from this related list.
    Response Tasks: Displays actions to be performed in response to the security incident.
    Task SLAs: View or add active task SLAs defined for the security incident.
    Risk Score Audits: An audit record for each change to the risk score.
    Outages: View or manually add outage records associated with the security incident.
    Exchange Search: The list of search criteria used, as a group, to run queries on a Microsoft® Exchange Server.
  4. Click any other related link to further update the security incident.
  5. When you have completed your entries, click Submit.

View related events and alerts in security incidents

As a security incident is being worked, you can view the details of related events. For related alerts, you can view and acknowledge them and, as needed, create incidents or security incidents from them.

Before you begin

You must have the Security Incident Response Event Management support plugin activated.

Role required: si.sn_agent

Procedure

  1. Navigate to any security incident list (for example, Security Incident > Incidents > Unassigned Incidents) and open a security incident.
  2. If the resources affected by the security incident you are viewing have received alerts or events within the previous 24 hours, one or both of the following related lists appear:
    • Security Incident CI Alerts
    • Security Incident CI Events
  3. Click the related list you want to view.
    Related list: Description
    Security Incident CI Alerts: View details for alerts received within the previous 24 hours. Click Acknowledge to indicate that you are aware of the alert and it is being handled, or Close to indicate that the alert is not important.
    Security Incident CI Events: View details for events received within the previous 24 hours.

View security incident to customer service case mapping

Security Incident Response ships with a default field mapping that maps a security incident to a Customer Service case. You can view the security incident to CS case default map.

Before you begin

Role required: sec_cmn.read

Procedure

  1. Navigate to Security Operations > Utilities > Field Mapping.
  2. Click Security Incident to CSM Case Field Mapping to view the default map.
    Default security incident to Case Management case
  3. Edit the mapping as needed.
  4. When you have completed your changes, click Update.

View a runbook

Runbooks give you access to procedures related to tasks you are working on.

Before you begin

Role required: sn_si.knowledge_admin

Procedure

  1. Navigate to Security Incident > Manual Runbook > View Runbook Documents.
  2. Select a runbook from the list.
    View runbook
  3. To create a runbook, click New. See Create a runbook for instructions.

Identify all configuration items affected by a security incident

If you know which resource (server, desktop, or other configuration item) is behind a security incident and want to identify the related resources and business services that can be affected, you can use the Business Service Management (BSM) map.

Before you begin

Role required: admin or sn_si.admin

About this task

The BSM map displays the upstream and downstream dependencies for a selected root CI.

There are two methods you can use to view the BSM map for a CI:
  • If you want to view CIs from the context of a task, view from the security incident form.
  • If you do not want to view CIs from a task viewpoint, view from the navigation bar.

Procedure

  1. From the Security Incident form, populate the Configuration item field, and click the BSM map icon (Show CI map).
    The BSM map screen displays the map for the last incident you accessed in Incident Management or the last security incident you accessed in Security Incident Management.
    BSM map
  2. Click the icons next to a configuration item to view different kinds of details about the resource (server, desktop, or other CI). For example, click the alert icon to view alerts associated with the CI.
    Note: To view a list of all the available icons, click Filters above the BSM map and expand Filter Task Types.
  3. To arrange the map in different configurations, select any of the formats listed above the map (Vertical, Horizontal, Radial), or click Filters to filter the map for easier viewing.
  4. If you opened the BSM map from the security incident form, you can add a dependent CI to the security incident by right-clicking the CI and selecting Add Affected CIs.
    You can also add multiple CIs at a time. Drag a box around the CIs you want to add, right-click the box, and select Add Affected CIs.
    The CIs are added to the Affected CIs related list of the security incident.
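The BSM map walk described in this procedure (start from a root CI, follow its upstream and downstream dependencies, and add what is impacted to the Affected CIs list) can be reproduced on an in-memory relationship list, which is useful for checking what you expect the map to show before you add CIs to an incident. The following Python is an added example, not ServiceNow code; the CI names, the relationships, the class prefixes, and the "dependent depends on provider" edge convention are constructed for this example.

```python
"""Find every CI and business service a root CI can affect.

Added example, not ServiceNow code. It reproduces the idea behind the BSM
map (upstream and downstream dependencies of a root CI) on an in-memory
relationship list. The CI names, relationships, class prefixes, and the
(dependent, provider) edge convention are constructed for this example.
"""
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

Edges = Iterable[Tuple[str, str]]
Adjacency = Dict[str, Set[str]]

# Constructed relationships as (dependent, provider): the dependent breaks
# when the provider does. Prefixes mark the CI class for this example only.
RELATIONSHIPS: List[Tuple[str, str]] = [
    ("svc:Online Banking", "app:Payments API"),
    ("svc:Online Banking", "app:Web Portal"),
    ("app:Payments API", "host:pay-app-01"),
    ("app:Payments API", "db:pay-db-01"),
    ("app:Web Portal", "host:web-01"),
    ("db:pay-db-01", "host:pay-db-01"),
    ("host:pay-app-01", "net:core-switch-a"),
    ("host:pay-db-01", "net:core-switch-a"),
    ("host:web-01", "net:core-switch-a"),
    ("svc:HR Portal", "app:HR App"),
    ("app:HR App", "host:hr-01"),
    ("host:hr-01", "net:core-switch-b"),
    # Deliberate cycle: the two applications call each other. The traversal
    # must still terminate and must not list either of them twice.
    ("app:Web Portal", "app:Payments API"),
    ("app:Payments API", "app:Web Portal"),
]


def build_index(rels: Edges) -> Tuple[Adjacency, Adjacency]:
    """Return (dependents, providers): who relies on a CI, and what a CI relies on."""
    dependents: Adjacency = {}
    providers: Adjacency = {}
    for dependent, provider in rels:
        dependents.setdefault(provider, set()).add(dependent)
        providers.setdefault(dependent, set()).add(provider)
    return dependents, providers


def reachable(start: str, adjacency: Adjacency) -> Set[str]:
    """Breadth-first transitive closure; the visited set makes cycles safe."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)          # the root is the cause, not an affected item
    return seen


def affected_items(root: str, rels: Edges = RELATIONSHIPS) -> Dict[str, List[str]]:
    """Everything that transitively depends on root, split into CIs and services.

    This is the set to compare against the Affected CIs and Affected Services
    related lists of the security incident.
    """
    dependents, _ = build_index(rels)
    impacted = reachable(root, dependents)
    return {
        "affected_cis": sorted(x for x in impacted if not x.startswith("svc:")),
        "affected_services": sorted(x for x in impacted if x.startswith("svc:")),
    }


def dependencies_of(root: str, rels: Edges = RELATIONSHIPS) -> List[str]:
    """Everything root transitively relies on (the other direction of the map)."""
    _, providers = build_index(rels)
    return sorted(reachable(root, providers))


if __name__ == "__main__":
    for root in ("host:pay-app-01", "net:core-switch-a"):
        print(root, "->", affected_items(root))
    print("svc:Online Banking relies on", dependencies_of("svc:Online Banking"))
```

Starting from the compromised host gives the application and service it sits under; starting from the shared switch shows why scoping from a network CI pulls in far more than the original incident suggested, while the HR service on the other switch stays out of scope.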