Perform tasks from security incident related links

You can perform several other actions on an existing security incident using the related links.

Before you begin

Role required: sn_si.basic


  1. Open the security incident you want to update.
  2. Within Related Links, you can perform the following tasks:
    View Manual Runbook: View the list of runbooks available for this security incident.
    Response Workflow: View any workflow associated with this incident.
    Add Multiple Observables: Adds a list of observables in comma-, new line-, tab-, or pipe-delimited format.
    Add to Security Case: Adds the security incident to one or more security cases. You can also create a new security case and add this security incident to it.
    Get QRadar IP Summaries: If a QRadar integration is available and contains valid CIs and source and destination IP addresses, this action triggers the QRadar workflows and displays the results in work notes.
    Run Orchestration: Choose and run a Security Operations workflow.
    Show SLA Time Line: You can view an SLA timeline from a Task SLA record or from an SLA definition.
    Show All Related Lists: Displays all standard related lists and any lists added manually.
      Note: Manually added items are available only in this view.
    Show Affected Items: Displays the lists of CIs, users, and services directly affected by this incident.
    Show Related Items: Displays the lists of related incidents, CIs, users, and groups affected by this incident.
    Show IoC: Displays the lists of observables, indicators, malware, modes and methods, and security scan requests associated with this incident.
    Show Enrichment Data: Displays the lists of enrichment data, processes, services, statistics, lookups, firewall logs, and compromised user information associated with this incident.
    Show Response Tasks: Displays the lists of tasks, SLAs, risk score audits, outages, and Exchange searches associated with this incident.
    View Details in External System: If this security incident was generated from an external application, directly or by events, and a link to the originating data was provided, the View Details in External System action opens the URL. You can view and search through the logs that generated this incident.
    Scan for Vulnerabilities: If Vulnerability Response is activated, and you have selected at least one affected CI for the security incident, you can submit a scan request. This request determines what vulnerabilities exist on the CI.