Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.
Versions
  • London
  • Kingston
  • Jakarta
  • Istanbul
  • Helsinki
  • Geneva
  • Store
Close

Security Incident Unauthorized Access flow template

Security Incident Unauthorized Access flow template

The Security Incident - Unauthorized Access - Template allows you to perform a series of tasks designed to handle unauthorized access to your network.

Before you begin

Role required: sn_si.write

About this task

This flow is triggered when the Category in a security incident is set to Unauthorized access.

Procedure

  1. Open the security incident for this potential attack, or create a new security incident.
  2. In Category, select Unauthorized access.
  3. Save the record.
  4. Scroll down and open the Response Tasks related list.
    The first of a series of response tasks appears. Each time the record is saved, your response to the previous task either causes the next response task to be created or the flow to end.
    Table 1. Response tasks in Unauthorized Access Template
    Response task Action Results
    User credentials compromised? Determine whether any users credentials have been compromised.

    In the task, select Yes or No in Outcome.

    If you select Yes, the following two tasks are executed in parallel:
    • Malicious software?
    • Deactivate user account

    If you select No, the Contact user and determine intent task is executed.

    Malicious software? Determine whether the unauthorized access resulted in the introduction of malicious software.

    In the task, select Yes or No in Outcome.

    If you select Yes, the Create malicious software incident task is executed.

    If you select No, the Set state to review task is executed.

    Create malicious software incident Perform the steps necessary to create a security incident for the unauthorized access. When this task is complete, the Set state to review task is executed.
    Deactivate user account Perform the steps necessary to deactivate the compromised user account. When this task is complete, the Set state to review task is executed.
    Contact user and determine intent Perform the steps necessary to contact the user who responsible for the unauthorized access and determine the reason for the access attempt. When this task is complete, the HR process task is executed.
    HR process Perform the steps necessary to contact human resources to implement disciplinary action if necessary. When this task is complete, the Set state to review task is executed.
    Set state to review No action required. The State of the security incident is changed automatically to Review, and the flow ends.