
Activate Security Incident Response

Activate the Security Incident Response plugin and configure it based on the needs of your organization. This plugin is available as a separate subscription.

Before you begin

Role required: admin
Important: Application administration is enabled for Security Incident Response by default. If you are upgrading from an earlier version, verify whether you have added custom tables to Security Incident Response. If so, and your custom tables rely on global ACLs, you may need to recreate those global ACLs in the Security Incident Response scope after the upgrade. If you added custom roles or custom ACLs, retest them after the upgrade and ensure that the Assignable by attribute on the roles is set correctly to allow access to application administration.

About this task

If the related plugins are not active, Security Incident Response activates these plugins.
Table 1. Plugins for Security Incident Response

| Plugin | Description |
|---|---|
| Service Management Core [com.snc.service_management.core] | Installs the core Service Management items used to allow other service-related plugins to work, such as Field Service, Facilities, HR, Legal, Finance, Marketing, and the custom app creator. |
| Task-Outage Relationship [com.snc.task_outage] | Allows users to create an outage from an Incident and a Problem form. Incidents and problems have a many-to-many relationship with outages. |
| Tree map [com.snc.treemap] | Enables support for treemap view on any applications. |
| Threat Core [com.snc.threat.feeds] | Observables table data from Threat Intelligence. |
| Security Support Orchestration [com.snc.secops.orchestration] | Provides an integration of Security Operations with Orchestration to allow the facilitation of workflow activities within Security Incident Response, Threat Intelligence, or Vulnerability Response. |
| Security Incident Response support [com.snc.security_support.sir] | Provides support functionality for use within the Security Incident Response application. |
| WebKit HTML to PDF [com.snc.whtp] | Enables the instance to use the service WebKit HTML to PDF. |

Note: After the plugin is activated, log out and log back in to set the default view.

To purchase a subscription, contact your ServiceNow account manager. After purchasing the subscription, activate the plugin within the production instance.

Procedure

  1. Navigate to System Definition > Plugins.
  2. Find and click the plugin name.
  3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.

    If the plugin depends on other plugins, these plugins are listed along with their activation status.

    If the plugin has optional features that depend on other plugins, those plugins are listed under "Some files will not be loaded because these plugins are inactive." The optional features are not installed until the listed plugins are installed (before or after the installation of the current plugin).

  4. (Optional) If available, select the Load demo data check box.

    Some plugins include demo data: sample records that are designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance.

    You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.

  5. Click Activate.

Roles installed with Security Incident Response

When the Security Incident Response plugin is activated, the following roles are added. Determine which users should be assigned which roles and assign them.

When the Security Incident Response application is activated, the System Administrator user is granted the sn_si.admin role by default. The System Administrator is the only administrator who can set up security groups and users. To protect investigations and keep security incidents private, the sn_si.admin user has the option of restricting Security Incident Response access to security-specific roles and ACLs. Non-security administrators can be restricted from access, unless they are expressly allowed entry. This is an optional procedure.
Table 2. Roles for Security Incident Response

| Role title [name] | Description | Contains roles |
|---|---|---|
| security admin [sn_si.admin] | Full control over all Security Incident Response data. Also administers territories and skills, as needed. Note: In the base system, the administrator also has access to sn_si.admin. Security Incident Response can be restricted from the administrator as long as at least one other user is assigned the security administrator role. | catalog_admin, skill_admin, skill_model_admin, sn_si.analyst, sn_si.manager, sn_si.knowledge_admin, template_admin, template_editor_global, territory_admin, treemap_admin, user_admin |
| security analyst [sn_si.analyst] | Tier 1 and 2 security analysts work on security incidents. They can create and update security incidents, requests, and tasks, as well as problems, changes, and outages related to their incidents. | sn_si.basic, sn_vul.vulnerability_read (if the Vulnerability Response plugin is activated) |
| security basic [sn_si.basic] | Underlying role for basic Security access. Users with this role can create and update security incidents, requests, and tasks, as well as problems, changes, and outages related to their incidents. | document_management_user, grc_user (if the GRC:Risk plugin is activated), inventory_user, pa_viewer, service_fulfiller, skill_user, sn_si.read, task_activity_writer, task_editor, treemap_user |
| ciso [sn_si.ciso] | View and manipulate the CISO dashboard. Also, if the Vulnerability Response plugin is activated, users with this role can add vulnerability significance definition treemaps to the dashboard. | pa_viewer, sn_si.read |
| external [sn_si.external] | External users can view tasks assigned to them. | service_fulfiller |
| integration user [sn_si.integration_user] | External tools can provide new security incident records and update security incident records. | import_transformer |
| knowledge admin [sn_si.knowledge_admin] | Manage, update, and delete the information in the Security Incident knowledge base. | knowledge_admin |
| manager [sn_si.manager] | Same access as security analysts. | sn_si.basic |
| read [sn_si.read] | Read security incidents. | grc_compliance_reader (if the GRC:Risk plugin is activated) |

Lock down security administration (optional)

To protect investigations and keep security incidents private, you can restrict Security Incident Response access to security-specific roles and ACLs. Non-security administrators can be restricted from access, unless you expressly allow them entry.

Before you begin

When the Security Incident Response application is activated, the System Administrator user is granted the sn_si.admin role by default. The System Administrator is the only administrator who can set up security groups and users.

A security role is required to have access to Security Incident Response features and records.

Role required: sn_si.admin

Procedure

  1. After the Security Incident Response plugin has been activated, a user with the admin role assigns the Security Admin (sn_si.admin) role to at least one user.
  2. The user with the admin role changes to the Security Incident scope.
  3. Navigate to System Applications > Applications.
  4. Click Downloads.
  5. Type security in the Search applications field.
  6. Click Security Incident.
  7. Scroll down to the Related Links and click Remove from the role contained by admin.
  8. Log out and log back in.
    The admin user cannot access the Security Incident Response application.
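
The role containment in Table 2 and the lockdown procedure above can be checked before step 7 is carried out. The following JavaScript is an added example, not ServiceNow code: it expands directly granted roles into effective roles and reports who still holds sn_si.admin, and who loses all Security Incident Response access, once admin no longer contains sn_si.admin. The user names and the assignment map are constructed, and the plugin-conditional roles are omitted.

```javascript
// Role containment as listed in Table 2 (plugin-conditional roles omitted).
const CONTAINS = {
  "sn_si.admin": ["catalog_admin", "skill_admin", "skill_model_admin",
    "sn_si.analyst", "sn_si.manager", "sn_si.knowledge_admin", "template_admin",
    "template_editor_global", "territory_admin", "treemap_admin", "user_admin"],
  "sn_si.analyst": ["sn_si.basic"],
  "sn_si.manager": ["sn_si.basic"],
  "sn_si.basic": ["document_management_user", "inventory_user", "pa_viewer",
    "service_fulfiller", "skill_user", "sn_si.read", "task_activity_writer",
    "task_editor", "treemap_user"],
  "sn_si.ciso": ["pa_viewer", "sn_si.read"],
  "sn_si.external": ["service_fulfiller"],
  "sn_si.integration_user": ["import_transformer"],
  "sn_si.knowledge_admin": ["knowledge_admin"],
};

// Expand directly granted roles into every role the user effectively holds.
// adminContainsSir models only the admin -> sn_si.admin link that step 7 removes.
function effectiveRoles(granted, adminContainsSir) {
  const seen = new Set();
  const stack = [...granted];
  while (stack.length > 0) {
    const role = stack.pop();
    if (seen.has(role)) continue;
    seen.add(role);
    stack.push(...(CONTAINS[role] || []));
    if (role === "admin" && adminContainsSir) stack.push("sn_si.admin");
  }
  return seen;
}

// Compare effective roles before and after the lockdown for each user.
function lockdownImpact(assignments) {
  const keepAdmin = [], loseAccess = [];
  const hasSir = (roles) => [...roles].some((r) => r.startsWith("sn_si."));
  for (const [user, granted] of Object.entries(assignments)) {
    const before = effectiveRoles(granted, true);
    const after = effectiveRoles(granted, false);
    if (after.has("sn_si.admin")) keepAdmin.push(user);
    if (hasSir(before) && !hasSir(after)) loseAccess.push(user);
  }
  // safe: at least one user remains a security admin after the lockdown.
  return { safe: keepAdmin.length > 0, keepAdmin, loseAccess };
}

// Constructed sample assignments (hypothetical user names).
const SAMPLE = {
  "sys.admin": ["admin"], "sec.lead": ["sn_si.admin"],
  "tier1.analyst": ["sn_si.analyst"], "it.admin": ["admin", "sn_si.read"],
};
console.log(lockdownImpact(SAMPLE));
```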