Security Incident Rogue Server or Service flow template

The Security Incident - Rogue Server or Service - Template allows you to perform a series of tasks designed to handle activity from rogue servers or services affecting your network.

Before you begin

Role required: sn_si.write

About this task

This flow is triggered when the Category in a security incident is set to Rogue server or service.

Procedure

  1. Open the security incident for this potential attack, or create a new security incident.
  2. In Category, select Rogue server or service activity.
  3. Save the record.
  4. Scroll down and open the Response Tasks related list.
    The first of a series of response tasks appears. Each time the record is saved, your response to the previous task either causes the next response task to be created or the flow to end.
    Table 1. Response tasks in Rogue Server or Service Template

    Response task: Rogue server or service verified?
    Action: Determine whether a connection with a rogue server or service has been verified on your network. In the task, select Yes or No in Outcome.
    Results: If you select Yes, the following two tasks are executed in parallel:
      • Identify impacted system(s)
      • Potential data loss?
    If you select No, the flow ends.

    Response task: Identify impacted system(s)
    Action: Determine the systems impacted by contact with the rogue server or service.
    Results: When this task is complete, the Update system(s) - Remove rogue connections task is executed.

    Response task: Potential data loss?
    Action: Determine whether the connection with the rogue server or service caused potential data loss. In the task, select Yes or No in Outcome.
    Results: If you select Yes, the Create potential data loss incident task is executed. If you select No, the Update system(s) - Remove rogue connections task is executed.

    Response task: Create potential data loss incident
    Action: Perform the steps necessary to create a security incident for the potential data loss.
    Results: When this task is complete, the Update system(s) - Remove rogue connections task is executed.

    Response task: Update system(s) - Remove rogue connections
    Action: Perform the steps necessary to remove the rogue connections.
    Results: When this task is complete, the Set state to review task is executed.

    Response task: Set state to review
    Action: No action required.
    Results: The State of the security incident is changed automatically to Review, and the Lessons learned meeting task is executed.

    Response task: Lessons learned meeting
    Action: Conduct a lessons learned meeting to triage the work performed for this rogue server or service incident. Update the State field in the task as appropriate.
    Results: When this task is complete, the flow ends.
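The branching described in Table 1 is easier to check when the task transitions are written down as a graph and walked for each combination of Outcome answers. The model below is an added illustration, not ServiceNow code: the task names and transitions come from the table, while the join behaviour (Update system(s) - Remove rogue connections is created once, after both parallel branches finish) and the run_flow helper are assumptions of the model.

```python
from collections import deque

# Transitions taken from Table 1. A dict keyed by "Yes"/"No" means the task
# asks for an Outcome; a dict keyed by None means it always continues.
FLOW = {
    "Rogue server or service verified?": {
        "Yes": ["Identify impacted system(s)", "Potential data loss?"],  # parallel
        "No": [],  # flow ends
    },
    "Identify impacted system(s)": {None: ["Update system(s) - Remove rogue connections"]},
    "Potential data loss?": {
        "Yes": ["Create potential data loss incident"],
        "No": ["Update system(s) - Remove rogue connections"],
    },
    "Create potential data loss incident": {None: ["Update system(s) - Remove rogue connections"]},
    "Update system(s) - Remove rogue connections": {None: ["Set state to review"]},
    "Set state to review": {None: ["Lessons learned meeting"]},
    "Lessons learned meeting": {None: []},
}
START = "Rogue server or service verified?"


def run_flow(outcomes):
    """Return the response tasks created, in order, for the given Outcome
    answers, e.g. {"Rogue server or service verified?": "Yes", ...}.
    Raises ValueError when a reached question has no Yes/No answer."""
    # Pass 1: collect the edges actually taken for these outcomes.
    edges, stack = {}, [START]
    while stack:
        task = stack.pop()
        if task in edges:
            continue
        choices = FLOW[task]
        key = None if None in choices else outcomes.get(task)
        if key not in choices:
            raise ValueError(f"task {task!r} needs an Outcome of Yes or No")
        edges[task] = choices[key]
        stack.extend(choices[key])
    # Pass 2: create tasks in dependency order. A task waits for every reached
    # predecessor, so the Update task runs once after both parallel branches
    # (assumed join semantics, not stated by the template documentation).
    indegree = {t: 0 for t in edges}
    for nxts in edges.values():
        for n in nxts:
            indegree[n] += 1
    ready, created = deque(t for t in edges if indegree[t] == 0), []
    while ready:
        task = ready.popleft()
        created.append(task)
        for n in edges[task]:
            indegree[n] -= 1
            if indegree[n] == 0:
                ready.append(n)
    return created
```

Calling run_flow with the four possible answer combinations enumerates every path through the template, which is a quick way to confirm that each path ends at the Lessons learned meeting task or at the No branch of the first question.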