Create a security incident from the Security Incident list

In addition to automatic methods for creating security incidents, you can create them manually, as needed.

Before you begin

Role required: sn_si.basic

Procedure

  1. Navigate to any security incident list (for example, Security Incident > Incidents > Show All Incidents).
    (Figure: Security incident lists)
  2. Click New.
    (Figure: New security incident)
  3. Fill in the fields on the form, as appropriate.

    Field: Description

    Select security tag
      If needed, select a Security tag to add metadata to the record or to identify who should have access to this security incident record. This field appears only after the security incident has been saved.
    Number [Read only]
      The security incident number.
    Requested by
      The person requesting the work to be performed.
    Configuration Item
      The server, computer, router, or other configuration item affected by the security issue.
    Affected user
      The person affected by the security issue.
    Location
      The location of the requester or resource.
    Category
      The category that identifies the type of security issue.

      If a category is selected, a workflow for analyzing this issue is executed when the record is saved. For example, if you select Spear Phishing, the Security Incident - Phishing - Template workflow is executed.

      For more information, see Security Incident Response Orchestration workflow templates.
    Subcategory
      The subcategory that further defines the issue.
    Opened [Read only]
      The date and time the incident was opened.
    State
      The current state of the security incident. When a security incident is created, this field defaults to Draft.
    Substate
      Identifies whether the security incident includes a pending problem or change.
    Source
      Identifies the source of the security incident, such as email, a phone call, or network monitoring.
    Risk score
      The risk score calculated for this security incident. The value is based on the priority and type of the security incident, and on the number of sources that triggered a failed reputation score on an indicator. The risk score helps analysts prioritize security incident work.

      Three security incident properties let you display a color-coded dot next to the risk score in list view, so that incidents are more easily identifiable.

      If you change certain fields in the security incident, such as Business impact or Priority, and save the record, the Risk score is automatically recalculated and displayed. The change is also reflected in the work notes and on the Risk Score Audits related list.

      Note: The risk score is also recalculated when affected users, affected services, or vulnerable items are associated with a security incident.

      You can also enter a new Risk score manually. This is useful if you want to keep a particular security incident at the top of the list of security incidents you are analyzing. If you enter a new Risk score, the Risk score override check box is selected automatically. A manually entered risk score is not recalculated automatically, regardless of other changes made to the security incident.

      Note: If you have upgraded your instance from Geneva, Helsinki, or Istanbul to Jakarta, risk scores were calculated for all your open security incidents. For more information, see Security incident calculators.
    Risk score override
      Select this check box to override the automatic update of the risk score. The override is reflected in the work notes.
    Business impact
      Select the importance of this security incident to your business. The default value is Non-critical. If, after the security incident record has been saved, you change the value in the Priority and/or Risk fields, the Business impact is recalculated.
    Priority
      Select the order in which to address this security incident, based on its urgency. If this value is changed after the record is saved, it can affect the Business impact calculation.
    Assignment group
      The group to which this security incident is assigned.
    Assigned to
      The individual assigned to analyze this security incident. Assignments can be made manually or automatically. For more information, see Security analyst assignment.
    Short description
      A brief description of the security incident.
    Knowledge results
      As you type the short description, links to related articles from the knowledge base appear. Scanning these articles might resolve your issue.

  4. Right-click in the record header and select Save.
  5. After you have saved a security incident, many different types of information are available to aid in analysis.