Security Incident Denial of Service workflow template

The Security Incident - Denial of Service - Template allows you to perform a series of tasks designed to handle Denial of Service (DOS) attacks.

Before you begin

Role required: sn_si.write

About this task

The workflow is triggered when the Category in a security incident is set to Denial of Service. This action causes a response task to be created for the first activity in the workflow.

Denial of Service (DOS) Template

Procedure

  1. Open the security incident for this denial of service occurrence, or create a new security incident.
  2. In Category, select Denial of Service.
  3. Save the record.
  4. Scroll down and open the Response Tasks related list.
    The first of a series of response tasks appears. Each time the record is saved, your response to the previous task either causes the next response task to be created or the flow to end.
    Table 1. Response tasks in Denial of Service Template

    | Response task | Action | Results |
    |---|---|---|
    | Is target business critical? | Determine if the target of this DOS attack is business critical. In the task, select Yes or No in Outcome. | If you select Yes, the Set priority to critical task is executed. If you select No, the Is a vulnerability being exploited? task is executed. |
    | Set priority to critical | No action required. | The Priority of the security incident is changed automatically to Critical, and the Is a vulnerability being exploited? task is executed. |
    | Is a vulnerability being exploited? | Determine whether this DOS attack exploits a software vulnerability. In the task, select Yes or No in Outcome. | If you select Yes, the Emergency patch request task is executed. If you select No, the Internal attacker? task is executed. |
    | Emergency patch request | Issue an emergency patch request for the system(s) being attacked. Update the State field in the task as appropriate. | If you changed the state of the task to Closed Complete or Cancelled, the next response task is executed. |
    | Internal attacker? | Determine if the source of this DOS attack is internal to your organization. In the task, select Yes or No in Outcome. | If you select Yes, the Isolate attacking host(s) task is executed. If you select No, the Notify DOS protection provider and/or ISP task is executed. |
    | Isolate the attacking host(s) | Perform the steps necessary to isolate the internal host(s) responsible for the attack. Update the State field in the task as appropriate. | After you complete this step, the Validate system integrity of attacked systems task is executed. |
    | Notify DOS protection provider and/or ISP | Perform the steps necessary to contact your Denial of Service protection provider and/or your Internet Service Provider to notify them of the attack. Update the State field in the task as appropriate. | If you changed the state of the task to Closed Complete or Cancelled, the next response task is executed. |
    | Validate system integrity of attacked systems | Perform the steps necessary to assess and validate the integrity of the attacked computers. Update the State field in the task as appropriate. | If you changed the state of the task to Closed Complete or Cancelled, the next response task is executed. |
    | Review DOS protections | Conduct a review of your existing DOS protections and procedures. Make any necessary changes. Update the State field in the task as appropriate. | If you changed the state of the task to Closed Complete or Cancelled, the next response task is executed. |
    | Set state to review | No action required. | The State of the security incident is changed automatically to Review. The Lessons learned meeting task is executed. |
    | Lessons learned meeting | Conduct a lessons learned meeting to triage the work performed for this Denial of Service incident. Update the State field in the task as appropriate. | If you change the state of the task to Closed Complete or Cancelled, the flow ends. |