Security Incident Response process definition

Security Incident Response Process Definition replaces state flows and gives end users and service desks the status of a security incident. A process definition tracks the incident through its life cycle. Security Incident Response is a Service Management (SM) application, but it has its own set of states. Incidents and tasks that are in a state the active definition does not define are reported in Process Selection.

Security Incident Response Process Definition

The default process definition (NIST Stateful) defines the following incident states. Note: The states offered in the State field vary with the current state of the incident.

Table 1. Security Incident process definition states

Draft: The request initiator adds information about the security incident, but it is not yet ready to be worked on.
Analysis: The incident has been assigned and the issue is being analyzed.
Contain: The issue has been identified and the security staff is working to contain it and perform damage control. These actions can include taking servers offline, disconnecting equipment from the Internet, and verifying that backups exist.
Eradicate: The issue has been contained and the security staff is taking steps to fix the issue.
Recover: The issue is resolved and the operational readiness of the affected systems is being verified.
Review: The security incident is complete and all systems are back to normal function; however, a post-incident review is still needed.
Closed: The incident is complete. Before a security incident can be closed, you must fill out the information on the Closure Information tab.

Security Incident task process definitions

The following states are used for security incident tasks.

Table 2. Task process definition states

Ready: The task is ready to be worked on once it is assigned to an agent.
Assigned: The task is assigned to an agent.
Work In Progress: The assigned agent is working on the task.
Complete: The task is complete.
Cancelled: The task was cancelled.

Process Definition provides the following process definitions by default:

NIST Stateful
NIST Open
SANS Open
Example (if demo data is loaded)

Create a Security Incident Response process definition

You can create a process definition to define the way security incidents transition from one state to the next. Process definitions help service desks and end users track the incident throughout its life cycle.

Before you begin
Role required: sn_si.admin

Procedure
1. Navigate to Security Incident > Administration > Process Definition.
2. Click New.
3. Fill in the fields, as appropriate.

Table 3. Creating process definitions

Name: Name of the record, describing the process encoded in the script include. The name is displayed as a choice in the Process Definition Selector list.
Script include: The name (including the sn_si. prefix) of the script include containing the definition of the process. The script must be in the Security Incident (sn_si) application scope. See Create a custom Security Incident Response process definition script include for more information. If this field does not contain a valid script include name, the default ProcessDefinition_NIST_Stateful definition is used. Because a mistyped name falls back to the default rather than being rejected, confirm that the intended definition is in effect after saving.
Description: Helpful information about the script include.
Order: Determines the position in the process definition list.
Active: When checked, makes this process definition selectable from the Process Definition Selector page.

4. Click Submit.

Security Incident Response Process Selection

Process Selection lists the security incidents and response tasks that are in a state the selected process definition does not define.
An administrator can correct an incident or task to a valid state either manually or by using a script. An empty related list (no incidents; no tasks) indicates that every active incident and task is in a valid state. The states offered vary with the current state of the incident. For more information, see Correct an invalid security incident or task state with process definition.

Select a Security Incident Response process definition

You can select the process definition that supplies the states for your company's security incidents and response tasks.

Before you begin
Role required: admin and sn_si.admin

Procedure
1. Navigate to Security Incident Response > Administration > Process Selection.
2. Click the search icon to list the available process definitions.
3. Select a process definition.
4. Click Update.

Create a custom Security Incident Response process definition script include

Create a custom Process Definition script that supplies the states for your company's security incidents and response tasks.

Before you begin
Role required: sn_si.admin

About this task
The sn_si.ProcessDefinition main script include controls process definitions. It determines which definition is in use (from Process Selection) and calls the corresponding script include to obtain the initial states and transitions for both security incidents and response tasks.

Procedure
1. Navigate to System Definition > Script Includes.
2. Click New.
3. Fill in the fields, as appropriate.

Table 4. Creating a process definition script include

Name: Name of this script include.
API Name: Created from the name of the script include.
Client callable: Makes the script include available to client scripts, list and report filters, reference qualifiers, or, if specified, as part of the URL. A process definition is invoked server-side by sn_si.ProcessDefinition, so it does not need to be client callable for that purpose.
Application: Security Incident
Accessible from: Choose This application scope only.
Active: When checked, makes this script include selectable from the Process Definition page.
Description: Helpful information about the script include.
Script: The server-side script to run when called from other scripts. The script must define a single JavaScript class or a global function, and the class or function name must match the Name field. For the script contents, see Process Definition script include.

4. Click Submit.

Process Definition script include

The Process Definition script include provides the methods that define a process definition. Implement the constants, attributes, arrays, and methods described here to customize a process definition script include.

Where to use
Use this script include to create a process definition.

Script include body
The script include body is composed of three sections:
Constants: initial state definitions
Security Incident and Response Task: process definition arrays
Method calls: retrieving information

Constants
Constants define the initial states of security incidents and response tasks. Using constants is optional but encouraged for readability. For example:

    INITIAL_INCIDENT_STATE: 10,
    INITIAL_TASK_STATE: 1,

These are later returned by the following methods:

    getInitialIncidentState: function() { return this.INITIAL_INCIDENT_STATE; },
    getInitialTaskState: function() { return this.INITIAL_TASK_STATE; },

The next set of constants defines the states for security incidents and for response tasks. Each array also defines which states can be selected when the incident or task is in a given state. For example:

    TASK_STATES: [
        {state:1,  label:"Draft",            choice:[1, 10]},
        {state:10, label:"Ready",            choice:[10, 16]},
        {state:16, label:"Assigned",         choice:[16, 18]},
        {state:18, label:"Work in Progress", choice:[18, 3]},
        {state:3,  label:"Close Complete",   choice:[]},
        {state:7,  label:"Cancelled",        choice:[]},
    ],

The example is an array of objects. Each object defines a state and the states it can transition to.
The order of the state objects in the array determines the order of the flow. When the task is in the 'Draft' state (value 1), the possible states are 1 (Draft, no change) and 10 (Ready, the next step in the process). There is no limit on the number of transitions out of a state. The 'Close Complete' and 'Cancelled' states are final states and therefore have no outgoing transitions. The order of the attributes within an object is not important; if it makes the definition clearer, put the label first.

Attributes
Required attributes in a state definition object are:
state: numerical value of the state
label: human-readable text associated with the state
choice: an array of state values the state can transition to (determines the content of the State dropdown)

Optional attributes are:
mandatory: list of field IDs that become mandatory in this state
readonly: list of field IDs that become read-only in this state
visible: list of field IDs that become visible in this state
notmandatory: list of field IDs that become non-mandatory in this state
notvisible: list of field IDs that are no longer visible in this state

Note: If optional attributes are used, it is the author's responsibility to make fields visible/hidden, mandatory/non-mandatory, or read-only appropriately in each state. An attribute applied in one state is not undone when the state changes: hiding a field in one state does not make it visible in a later state unless that state lists it under 'visible'.

Process flow definition arrays
To populate the process flow formatter (the bar at the top of the Security Incident and Response Task forms), the system requires information on what to display for each state.
For example:

    TASK_PF: [
        {label:"Draft",            condition:"state=1^EQ",  description:"<p>Security Incident Response Task is in draft</p>"},
        {label:"Ready",            condition:"state=10^EQ", description:"<p>Security Incident Response Task is ready to be assigned</p>"},
        {label:"Assigned",         condition:"state=16^EQ", description:"<p>Security Incident Response Task is assigned</p>"},
        {label:"Work in Progress", condition:"state=18^EQ", description:"<p>Work has started on this Security Incident Response Task</p>"},
        {label:"Closed",           condition:"state=3^ORstate=4^ORstate=7^EQ", description:"<p>Security Incident Response Task is complete</p>"},
    ],

The TASK_PF array is a collection of labels, conditions, and descriptions that determine the text displayed in the process formatter bar, including its order and which step is active. In the example, the text 'Ready' is the second item displayed. It is highlighted when the task satisfies the condition 'state=10^EQ'. When the pointer hovers over the text, the description 'Security Incident Response Task is ready to be assigned' is displayed.

Note: Several states can be combined into a single formatter step. In the example, both the 'Close Complete' and the 'Cancelled' states show up as 'Closed' in the top bar. The same condition also matches state 4, which the TASK_STATES example above does not define. The two arrays are maintained separately and drift apart easily, so whenever you edit one, check that every state named in a formatter condition exists in the states array and that every state in the states array is matched by some formatter condition.
Method calls
The following methods must be present in the script include because sn_si.ProcessDefinition calls them:

getInitialIncidentState(): returns the numerical value of the initial incident state. Return type: String.
getInitialTaskState(): returns the numerical value of the initial task state. Return type: String.
getIncidentStates(): returns the incident states array. Return type: Array of objects.
getTaskStates(): returns the task states array. Return type: Array of objects.
getIncidentProcessFlows(): returns the incident process flow definition array. Return type: Array of objects.
getTaskProcessFlows(): returns the task process flow definition array. Return type: Array of objects.

The next set of methods is called whenever an incident or a task is updated and allows actions to be taken on specific state transitions:

performIncidentStateChange(current, previous): In the supplied definitions, this method sets SM-related values and ensures that an incident advances out of 'Draft' once someone is assigned to it. Return type: void.
performTaskStateChange(current, previous): In the supplied definitions, this method updates timestamps (on assignment and closing) and advances the task from 'Ready' to 'Assigned' once the assigned_to field is filled. Return type: void.

The same actions could be implemented as business rules. Defining them in the script include keeps them with the definition, so switching process definitions also switches the transition logic.

Correct an invalid security incident or task state with process definition

An administrator can correct a security incident or task to a valid state, either manually or using a script. The states offered vary with the current state of the incident.

Before you begin
Role required: admin

About this task
After you switch process definitions, the new definition may not support some of the old states.
To correct the orphaned incident or task states, you can change your process definition, edit your script include, or open each incident or task and update its state. Generally, updating the state (which can be done in bulk from the list) is the easiest solution.

Procedure
1. Navigate to Process Selection.
2. Highlight the State field for the incidents or tasks you want to change.
3. Double-click the first one, choose the new State, and click the green check mark to save the change.
4. Click Update.
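The constants, state and process flow arrays, required methods and post-switch cleanup described above, brought together in one added example. This is not ServiceNow's code and not code from this page: the TASK_STATES and TASK_PF arrays are copied from the page's examples, while the INCIDENT_STATES and INCIDENT_PF arrays, the field names assigned_to and short_description, the sample task numbers and the plain-object calling convention for performTaskStateChange are assumptions made for illustration. It runs under Node (node process_definition_example.js); in the sn_si scope the same prototype would be assigned to a Class.create() object named after the script include.

```javascript
// Added example, not ServiceNow's or this page's code: a process definition script include
// in the shape the page describes, plus lint checks for what the page says the author must
// keep consistent by hand. Written as constructor + prototype so it also runs under Node; in
// the sn_si scope the prototype would hang off Class.create(). INCIDENT_* values, field
// names and the sample task records are invented for illustration.
function ProcessDefinition_Example() {}
ProcessDefinition_Example.prototype = {
    INITIAL_INCIDENT_STATE: 10,
    INITIAL_TASK_STATE: 1,
    INCIDENT_STATES: [                           // assumed: a minimal incident flow
        {state: 10, label: "Draft",    choice: [10, 16]},
        {state: 16, label: "Analysis", choice: [16, 3], mandatory: ["assigned_to"]},
        {state: 3,  label: "Closed",   choice: [], readonly: ["short_description"]}
    ],
    INCIDENT_PF: [
        {label: "Draft",    condition: "state=10^EQ", description: "<p>Incident is in draft</p>"},
        {label: "Analysis", condition: "state=16^EQ", description: "<p>Incident is being analyzed</p>"},
        {label: "Closed",   condition: "state=3^EQ",  description: "<p>Incident is closed</p>"}
    ],
    TASK_STATES: [                               // copied from the page's TASK_STATES example
        {state: 1,  label: "Draft",            choice: [1, 10]},
        {state: 10, label: "Ready",            choice: [10, 16]},
        {state: 16, label: "Assigned",         choice: [16, 18]},
        {state: 18, label: "Work in Progress", choice: [18, 3]},
        {state: 3,  label: "Close Complete",   choice: []},
        {state: 7,  label: "Cancelled",        choice: []}
    ],
    TASK_PF: [                                   // copied from the page's TASK_PF example
        {label: "Draft",            condition: "state=1^EQ",  description: "<p>Task is in draft</p>"},
        {label: "Ready",            condition: "state=10^EQ", description: "<p>Task is ready to be assigned</p>"},
        {label: "Assigned",         condition: "state=16^EQ", description: "<p>Task is assigned</p>"},
        {label: "Work in Progress", condition: "state=18^EQ", description: "<p>Work has started</p>"},
        {label: "Closed",           condition: "state=3^ORstate=4^ORstate=7^EQ", description: "<p>Task is complete</p>"}
    ],
    // The six accessors sn_si.ProcessDefinition requires.
    getInitialIncidentState: function () { return this.INITIAL_INCIDENT_STATE; },
    getInitialTaskState:     function () { return this.INITIAL_TASK_STATE; },
    getIncidentStates:       function () { return this.INCIDENT_STATES; },
    getTaskStates:           function () { return this.TASK_STATES; },
    getIncidentProcessFlows: function () { return this.INCIDENT_PF; },
    getTaskProcessFlows:     function () { return this.TASK_PF; },
    // Called on every update. Loose == and String() coercion rather than truthiness: on a
    // GlideRecord, assigned_to is a GlideElement object and is truthy even when empty.
    performIncidentStateChange: function (current, previous) {},
    performTaskStateChange: function (current, previous) {
        if (current.state == 10 && String(current.assigned_to || "") !== "") current.state = 16; // Ready -> Assigned
    }
};

// State values named by a formatter condition of the shape used on this page
// (state=N terms joined by ^OR, optionally ending in ^EQ). Not a general encoded-query parser.
function statesInCondition(condition) {
    return condition.replace(/\^EQ$/, "").split("^OR").map(function (term) {
        var m = /^state=(\d+)$/.exec(term);
        return m ? Number(m[1]) : NaN;
    });
}

// Inconsistencies between the states array and the formatter array: transitions to undefined
// states, conditions naming undefined states, states with no formatter entry, and states
// unreachable from the initial state (enterable only by script or UI action).
function lintDefinition(states, initialState, flows) {
    var problems = [], byValue = {}, seen = {}, shown = {}, queue = [initialState];
    states.forEach(function (s) { byValue[s.state] = s; });
    if (!byValue[initialState]) problems.push("initial state " + initialState + " is not defined");
    states.forEach(function (s) {
        s.choice.forEach(function (t) {
            if (!byValue[t]) problems.push(s.label + ": transition to undefined state " + t);
        });
    });
    flows.forEach(function (f) {
        statesInCondition(f.condition).forEach(function (v) {
            if (!byValue[v]) problems.push("formatter \"" + f.label + "\" matches undefined state " + v);
            shown[v] = true;
        });
    });
    while (queue.length) {                       // breadth-first walk over the choice graph
        var v = queue.shift();
        if (!seen[v] && byValue[v]) { seen[v] = true; queue = queue.concat(byValue[v].choice); }
    }
    states.forEach(function (s) {
        if (!shown[s.state]) problems.push(s.label + " (" + s.state + ") has no process flow entry");
        if (!seen[s.state]) problems.push(s.label + " (" + s.state + ") is unreachable from initial state " + initialState);
    });
    return problems;
}

// What Process Selection reports after a switch: records whose state the active definition
// does not define. The task records below are constructed for this example.
var SAMPLE_TASKS = [
    {number: "SIT0001001", state: 10},
    {number: "SIT0001002", state: 2},            // left over from a previous definition
    {number: "SIT0001003", state: 3}
];
function findOrphans(records, states) {
    var known = {};
    states.forEach(function (s) { known[s.state] = true; });
    return records.filter(function (r) { return !known[r.state]; }).map(function (r) { return r.number; });
}

var def = new ProcessDefinition_Example();
console.log(lintDefinition(def.getTaskStates(), def.getInitialTaskState(), def.getTaskProcessFlows()), findOrphans(SAMPLE_TASKS, def.getTaskStates()));
```

Run against the page's own TASK_STATES and TASK_PF, lintDefinition reports two findings: the 'Closed' formatter condition matches state 4, which the states array does not define, and 'Cancelled' (7) is unreachable through the choice lists, so a task can only enter it by script or UI action. findOrphans does for the constructed records what the Process Selection related list does for real ones: it names the records whose state the active definition no longer defines (here SIT0001002).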
For example:TASK_PF: [{label:"Draft", condition:"state=1^EQ", description:"<p>Security Incident Response Task is in draft</p>"}, {label:"Ready", condition:"state=10^EQ", description:"<p>Security Incident Response Task is ready to be assigned</p>"}, {label:"Assigned", condition:"state=16^EQ", description:"<p>Security Incident Response Task is assigned</p>"}, {label:"Work in Progress", condition:"state=18^EQ", description:"<p>Work has started on this Security Incident Response Task</p>"}, {label:"Closed", condition:"state=3^ORstate=4^ORstate=7^EQ", description:"<p>Security Incident Response Task is complete</p>"}, ], The TASK_PF array is a collection of labels, conditions, and descriptions used to determine the text displayed in the process formatter bar (including order and activity). In the example, the text 'Ready' is the second item displayed. It is highlighted when the task satisfied the condition 'state=10^EQ'. When the pointer hovers over the text, the description 'Security Incident Response Task is ready to be assigned' is displayed. Note: States can be combined to a single formatter state. In the example, both the 'Close Complete' and the 'Canceled' states show up as 'Closed' in the top bar. 
Method calls The following methods must be present in the script include as they are used by sn_si.ProcessDefinition: Return type Method summary Description String getInitialIncidentState: function() return the initial incident state numerical value String getInitialTaskState: function(): return the initial task state numerical value Array of string getIncidentStates: function(): return the incident state's array Array of string getTaskStates: function(): return the task state's array Array of objects getIncidentProcessFlows: function(): return the incident process flow definition array Array of objects getTaskProcessFlows: function(): return the task process flow definition array The next set of methods are called whenever an incident or a task is updated and allows actions to be taken on specific change transitions. Return type Method summary Description void performIncidentStateChange: function(current, previous) In the examples, this method is used to set SM-related values and ensure that an incident advances out of 'Draft' once someone is assigned to it. void performTaskStateChange: function(current, previous) In the example, this method is used to update timestamps (on assignment and closing) and advance the task from 'Ready' to 'Assigned' once the assigned_to field is filled. The same actions performed by these two methods can be accomplished using a business rule. By defining them in the script include, switching process definitions is made easier. Correct an invalid security incident or task state with process definition An administrator can correct the security incident or task to valid states, either manually or using a script. Available states vary based on the current state of the incident. Before you beginRole required: admin About this task After you have switched process definitions, the new definition may not support some of the old states. 
To correct the orphan incident or task states, you can change your process definition, edit your script include, or manually open each incident or task to update the state. Generally, updating the state (which can be done in bulk) is the easiest solution. To change states in bulk, do the following: Procedure Navigate to Process Selection. Highlight the State field for the incidents or tasks you want to change. Double-click the first one, choose the new State, and click the green check mark () to change. Click Update.
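The state-transition, formatter-condition and orphan-state rules described above, exercised in code. This is an added example, not ServiceNow's own code nor the sn_si.ProcessDefinition script include: it copies the TASK_STATES and TASK_PF values from the page's example into plain Node.js, assumes a minimal parser that understands only the state=N^ORstate=M^EQ condition shape shown above, and uses constructed SAMPLE_TASKS records.

```javascript
// Added example (not ServiceNow's code): stand-alone checks for a process
// definition shaped like this page's TASK_STATES / TASK_PF. Plain Node.js.

// Task states and transitions, copied from the page's example.
const TASK_STATES = [
  { state: 1,  label: "Draft",            choice: [1, 10] },
  { state: 10, label: "Ready",            choice: [10, 16] },
  { state: 16, label: "Assigned",         choice: [16, 18] },
  { state: 18, label: "Work in Progress", choice: [18, 3] },
  { state: 3,  label: "Close Complete",   choice: [] },
  { state: 7,  label: "Cancelled",        choice: [] },
];
const INITIAL_TASK_STATE = 1;

// Formatter array from the page, trimmed to label and condition.
const TASK_PF = [
  { label: "Draft",            condition: "state=1^EQ" },
  { label: "Ready",            condition: "state=10^EQ" },
  { label: "Assigned",         condition: "state=16^EQ" },
  { label: "Work in Progress", condition: "state=18^EQ" },
  { label: "Closed",           condition: "state=3^ORstate=4^ORstate=7^EQ" },
];

// Breadth-first walk over the choice arrays, starting at initialState.
function reachableStates(states, initialState) {
  const byValue = new Map(states.map((s) => [s.state, s]));
  const seen = new Set();
  const queue = [initialState];
  while (queue.length > 0) {
    const v = queue.shift();
    if (seen.has(v) || !byValue.has(v)) continue;
    seen.add(v);
    queue.push(...byValue.get(v).choice);
  }
  return seen;
}

// Lint a state array: undefined transition targets, a missing initial
// state, and states that no transition ever reaches (reported as warnings).
function validateStateDefinitions(states, initialState) {
  const problems = [];
  const defined = new Set(states.map((s) => s.state));
  for (const s of states) {
    for (const target of s.choice.filter((c) => !defined.has(c))) {
      problems.push(`state ${s.state} (${s.label}) transitions to undefined state ${target}`);
    }
  }
  if (!defined.has(initialState)) problems.push(`initial state ${initialState} is not defined`);
  const reachable = reachableStates(states, initialState);
  for (const s of states.filter((x) => !reachable.has(x.state))) {
    problems.push(`warning: state ${s.state} (${s.label}) is never reached from state ${initialState}`);
  }
  return problems;
}

// True when `to` is in the choice list of `from` (the dropdown would offer it).
function isValidTransition(states, from, to) {
  const def = states.find((s) => s.state === from);
  return def !== undefined && def.choice.includes(to);
}

// Minimal evaluator for the only condition shape on this page,
// "state=N^ORstate=M^EQ" (an assumption; not the platform's query engine).
function pfConditionMatches(condition, stateValue) {
  const terms = condition.split("^").filter((t) => t !== "" && t !== "EQ");
  return terms.some((term) => {
    const m = /^(?:OR)?state=(\d+)$/.exec(term);
    if (m === null) throw new Error(`unsupported condition term: ${term}`);
    return Number(m[1]) === stateValue;
  });
}

// Label the formatter bar highlights for a state value, or null if none.
function formatterLabelFor(pf, stateValue) {
  const entry = pf.find((e) => pfConditionMatches(e.condition, stateValue));
  return entry === undefined ? null : entry.label;
}

// After switching definitions, list records whose state the new definition
// does not define: the orphan states the page says must be corrected.
function findOrphanRecords(records, states) {
  const defined = new Set(states.map((s) => s.state));
  return records.filter((r) => !defined.has(r.state));
}

// Pure form of what the page attributes to performTaskStateChange: advance
// Ready (10) to Assigned (16) once assigned_to is filled, if the definition allows it.
function nextTaskState(states, task) {
  const READY = 10, ASSIGNED = 16;
  if (task.state === READY && task.assigned_to && isValidTransition(states, READY, ASSIGNED)) {
    return ASSIGNED;
  }
  return task.state;
}

// Constructed sample records: SIT0002 still carries state 4 from an earlier
// definition that TASK_STATES above does not define.
const SAMPLE_TASKS = [
  { number: "SIT0001", state: 10, assigned_to: "" },
  { number: "SIT0002", state: 4,  assigned_to: "analyst.one" },
  { number: "SIT0003", state: 16, assigned_to: "analyst.one" },
];
```

Running the lint over the page's own TASK_STATES shows that no choice list leads into 'Cancelled' (7); the checker reports that as a warning rather than an error, since a final state that is only ever set directly may be intended.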
Security Incident Response process definition Security Incident Response Process Definition replaces state flows and provides end users and service desks with the status of a problem. A process definition helps track the problem through its life cycle. Security Incident Response is a Service Management (SM) application; however, it has its own set of states. Invalid states are reported as part of Process Selection. Security Incident Response Process Definition The default process definition (NIST Stateful) defines the following incident states:Note: Available states vary based on the current state of the incident. Table 1. Security Incident process definition states State Description Draft The request initiator adds information about the security incident, but it is not yet ready to be worked on. Analysis The incident has been assigned and the issue is being analyzed. Contain The issue has been identified and the security staff is working to contain it and perform damage control. These actions can include taking servers offline, disconnecting equipment from the Internet, and verifying that backups exist. Eradicate The issue has been contained and the security staff is taking steps to fix the issue. Recover The issue is resolved and the operational readiness of the affected systems is being verified. Review The security incident is complete and all systems are back to normal function, however, a post incident review is still needed. Closed The incident is complete but before a security incident can be closed, you must fill out the information on the Closure Information tab. Security Incident task process definitions The following process definitions are used for security incident tasks. Table 2. Task process definition states State Description Ready The task is ready to be worked on once it is assigned to an agent. Assigned The task is assigned to an agent. Work In Progress The assigned agent is working on the task. Complete The task is complete. 
Cancelled The task was canceled. Process Definition provides the following process definitions by default: NIST Stateful NIST Open SANS Open Example (If demo data is loaded) Create a Security Incident Response process definition You can create a process definition to define the way security incidents transition from one state to the next. Process definitions give service desks and end users help tracking the problem throughout its life cycle. Before you begin Role required: sn.si_admin Procedure Navigate to Security Incident > Administration > Process Definition. Click New. Fill in the fields, as appropriate. Table 3. Creating process definitions Field Description Name Name of the record which describes the process encoded in the script include file. The name is displayed as a choice in the Process Definition Selector list. Script include The name (including the sn_si. prefix) of the script include containing the definition of the process. The script must be in the Security Incident (sn_si) application scope. See Create a custom Security Incident Response process definition script include for more information. If this field does not contain a valid script include name, the default ProcessDefinition_NIST_Stateful definition is used. Description Helpful information about the script include. Order Determines the position in the process definition list. Active When checked, it makes this process definition selectable from the Process Definition Selector page. Click Submit. Related ConceptsSecurity Incident Response Process Selection Security Incident Response Process Selection Process Selection lists processes with invalid states for security incidents and response tasks. An administrator can correct the incident or task to valid states either manually or by using a script. An empty related list (no incidents; no tasks) indicates that every active task is in a valid state. Available states vary based on the current state of the incident. 
For more information, see Correct an invalid security incident or task state with process definition. Select a Security Incident Response process definition You can select the process definition to use for the appropriate states for your company security incidents and response tasks. Before you beginRole required: admin and sn_si.admin About this task Procedure Navigate to Security Incident Response > Administration > Process Selection. Çlick the search icon to list the available process definitions. Select a process definition. Click Update. Create a custom Security Incident Response process definition script include Create a custom Process Definition script for the appropriate states for your company security incidents and response tasks. Before you beginRole required: sn_si.admin About this taskThe sn_si.ProcessDefinition main script include controls process definitions. Process Definition determines which definition is in use (using Process Selection). It calls the appropriate script include file to determine the initial states and transitions for both security incidents and response tasks. Procedure Navigate to System Definition > Script Includes. Click New. Fill in the fields, as appropriate. Table 4. Creating process definitions Field Description Name Name of this script include. API Name Created based on the name of the script include. Client callable Makes the script include available to client scripts, list and report filters, reference qualifiers, or, if specified, as part of the URL. Application Security Incident Accessible from Choose This application scope only. Active When checked, it makes this script include selectable from the Process Definition page. Description Helpful information about the script include. Script Defines the server-side script to run when called from other scripts.The script must define a single JavaScript class or a global function. 
The class or function name must match the Name field.For information on script contents, see Process Definition script include. Click Submit. Related ReferenceProcess Definition script include Process Definition script include The Process Definition script include provides methods for defining a process definition. Implement the constants, attributes, arrays, and method calls described here to customize a process definition script include. Where to use Use this script include to create a process definition. Script include body The script include body is composed of three sections: Constants: initial state definitions Security Incident and Response Task: process definition arrays Method calls: retrieving information Constants Constants are used to define the initial states of security incidents and response tasks. The use of constants is optional but encouraged for readability. For example:INITIAL_INCIDENT_STATE: 10, INITIAL_TASK_STATE: 1, Which are later used by the following methods: getInitialIncidentState: function() { return this.INITIAL_INCIDENT_STATE; }, getInitialTaskState: function() { return this.INITIAL_TASK_STATE; }, The next set of constants defines the states for both security incidents and response tasks. Each array also contains the definition of which states are available when the incident or task is in a specific state. For example:TASK_STATES: [{state:1, label:"Draft", choice:[1, 10]}, {state:10, label:"Ready", choice:[10, 16]}, {state:16, label:"Assigned", choice:[16, 18]}, {state:18, label:"Work in Progress", choice:[18, 3]}, {state:3, label:"Close Complete", choice:[]}, {state:7, label:"Cancelled", choice:[]}, ], The example is an array of objects. Each object defines a state and possible transition states. The order of the state's object determines the desired order for the flow. When the task is in the 'Draft' state (value 1), possible states are: 1 (Draft, which is no change) and 10 (Ready, the next step in the process). 
There is no limit on the number of transitions out of a state. The 'Close Complete' and 'Canceled' state are final states and therefore have no possible state transitions. The order of the attributes in the object is not important. If it makes the definition clearer, put the label first. Attributes Required attributes in a state definition object are: state: numerical value of the state label: human readable text associated with the state choice: an array of state values the state can transition to (determines the content of the state dropdown) Optional attributes are: mandatory: list of field IDs that become mandatory in this state readonly: list of field IDs that become read-only in this state visible: list of field IDs that become visible in this state notmandatory: list of field IDs that become non-mandatory in this state notvisible: list of field IDs that would no longer be visible in this state Note: If optional attributes are used, it is the author's responsibility to ensure that fields are made visible/invisible, mandatory/non-mandatory, visible/hidden, or readonly appropriately between states. For example, hiding a field in one state does not make it visible in another state later unless the 'visible' attribute is used. Process flow definition arrays To define the information displayed in the process flow formatter (the bar at the top of the Security Incident and Response task forms), the system requires information on what to display for each state. 
For example:TASK_PF: [{label:"Draft", condition:"state=1^EQ", description:"<p>Security Incident Response Task is in draft</p>"}, {label:"Ready", condition:"state=10^EQ", description:"<p>Security Incident Response Task is ready to be assigned</p>"}, {label:"Assigned", condition:"state=16^EQ", description:"<p>Security Incident Response Task is assigned</p>"}, {label:"Work in Progress", condition:"state=18^EQ", description:"<p>Work has started on this Security Incident Response Task</p>"}, {label:"Closed", condition:"state=3^ORstate=4^ORstate=7^EQ", description:"<p>Security Incident Response Task is complete</p>"}, ], The TASK_PF array is a collection of labels, conditions, and descriptions used to determine the text displayed in the process formatter bar (including order and activity). In the example, the text 'Ready' is the second item displayed. It is highlighted when the task satisfied the condition 'state=10^EQ'. When the pointer hovers over the text, the description 'Security Incident Response Task is ready to be assigned' is displayed. Note: States can be combined to a single formatter state. In the example, both the 'Close Complete' and the 'Canceled' states show up as 'Closed' in the top bar. 
Method calls The following methods must be present in the script include as they are used by sn_si.ProcessDefinition: Return type Method summary Description String getInitialIncidentState: function() return the initial incident state numerical value String getInitialTaskState: function(): return the initial task state numerical value Array of string getIncidentStates: function(): return the incident state's array Array of string getTaskStates: function(): return the task state's array Array of objects getIncidentProcessFlows: function(): return the incident process flow definition array Array of objects getTaskProcessFlows: function(): return the task process flow definition array The next set of methods are called whenever an incident or a task is updated and allows actions to be taken on specific change transitions. Return type Method summary Description void performIncidentStateChange: function(current, previous) In the examples, this method is used to set SM-related values and ensure that an incident advances out of 'Draft' once someone is assigned to it. void performTaskStateChange: function(current, previous) In the example, this method is used to update timestamps (on assignment and closing) and advance the task from 'Ready' to 'Assigned' once the assigned_to field is filled. The same actions performed by these two methods can be accomplished using a business rule. By defining them in the script include, switching process definitions is made easier. Correct an invalid security incident or task state with process definition An administrator can correct the security incident or task to valid states, either manually or using a script. Available states vary based on the current state of the incident. Before you beginRole required: admin About this task After you have switched process definitions, the new definition may not support some of the old states. 
To correct the orphan incident or task states, you can change your process definition, edit your script include, or manually open each incident or task to update the state. Generally, updating the state (which can be done in bulk) is the easiest solution. To change states in bulk, do the following: Procedure Navigate to Process Selection. Highlight the State field for the incidents or tasks you want to change. Double-click the first one, choose the new State, and click the green check mark () to change. Click Update.
Create a Security Incident Response process definition You can create a process definition to define the way security incidents transition from one state to the next. Process definitions give service desks and end users help tracking the problem throughout its life cycle. Before you begin Role required: sn.si_admin Procedure Navigate to Security Incident > Administration > Process Definition. Click New. Fill in the fields, as appropriate. Table 3. Creating process definitions Field Description Name Name of the record which describes the process encoded in the script include file. The name is displayed as a choice in the Process Definition Selector list. Script include The name (including the sn_si. prefix) of the script include containing the definition of the process. The script must be in the Security Incident (sn_si) application scope. See Create a custom Security Incident Response process definition script include for more information. If this field does not contain a valid script include name, the default ProcessDefinition_NIST_Stateful definition is used. Description Helpful information about the script include. Order Determines the position in the process definition list. Active When checked, it makes this process definition selectable from the Process Definition Selector page. Click Submit. Related ConceptsSecurity Incident Response Process Selection
Security Incident Response Process Selection Process Selection lists processes with invalid states for security incidents and response tasks. An administrator can correct the incident or task to valid states either manually or by using a script. An empty related list (no incidents; no tasks) indicates that every active task is in a valid state. Available states vary based on the current state of the incident. For more information, see Correct an invalid security incident or task state with process definition. Select a Security Incident Response process definition You can select the process definition to use for the appropriate states for your company security incidents and response tasks. Before you beginRole required: admin and sn_si.admin About this task Procedure Navigate to Security Incident Response > Administration > Process Selection. Çlick the search icon to list the available process definitions. Select a process definition. Click Update.
Select a Security Incident Response process definition You can select the process definition to use for the appropriate states for your company security incidents and response tasks. Before you beginRole required: admin and sn_si.admin About this task Procedure Navigate to Security Incident Response > Administration > Process Selection. Çlick the search icon to list the available process definitions. Select a process definition. Click Update.
Create a custom Security Incident Response process definition script include Create a custom Process Definition script for the appropriate states for your company security incidents and response tasks. Before you beginRole required: sn_si.admin About this taskThe sn_si.ProcessDefinition main script include controls process definitions. Process Definition determines which definition is in use (using Process Selection). It calls the appropriate script include file to determine the initial states and transitions for both security incidents and response tasks. Procedure Navigate to System Definition > Script Includes. Click New. Fill in the fields, as appropriate. Table 4. Creating process definitions Field Description Name Name of this script include. API Name Created based on the name of the script include. Client callable Makes the script include available to client scripts, list and report filters, reference qualifiers, or, if specified, as part of the URL. Application Security Incident Accessible from Choose This application scope only. Active When checked, it makes this script include selectable from the Process Definition page. Description Helpful information about the script include. Script Defines the server-side script to run when called from other scripts.The script must define a single JavaScript class or a global function. The class or function name must match the Name field.For information on script contents, see Process Definition script include. Click Submit. Related ReferenceProcess Definition script include Process Definition script include The Process Definition script include provides methods for defining a process definition. Implement the constants, attributes, arrays, and method calls described here to customize a process definition script include. Where to use Use this script include to create a process definition. 
Script include body The script include body is composed of three sections: Constants: initial state definitions Security Incident and Response Task: process definition arrays Method calls: retrieving information Constants Constants are used to define the initial states of security incidents and response tasks. The use of constants is optional but encouraged for readability. For example:INITIAL_INCIDENT_STATE: 10, INITIAL_TASK_STATE: 1, Which are later used by the following methods: getInitialIncidentState: function() { return this.INITIAL_INCIDENT_STATE; }, getInitialTaskState: function() { return this.INITIAL_TASK_STATE; }, The next set of constants defines the states for both security incidents and response tasks. Each array also contains the definition of which states are available when the incident or task is in a specific state. For example:TASK_STATES: [{state:1, label:"Draft", choice:[1, 10]}, {state:10, label:"Ready", choice:[10, 16]}, {state:16, label:"Assigned", choice:[16, 18]}, {state:18, label:"Work in Progress", choice:[18, 3]}, {state:3, label:"Close Complete", choice:[]}, {state:7, label:"Cancelled", choice:[]}, ], The example is an array of objects. Each object defines a state and possible transition states. The order of the state's object determines the desired order for the flow. When the task is in the 'Draft' state (value 1), possible states are: 1 (Draft, which is no change) and 10 (Ready, the next step in the process). There is no limit on the number of transitions out of a state. The 'Close Complete' and 'Canceled' state are final states and therefore have no possible state transitions. The order of the attributes in the object is not important. If it makes the definition clearer, put the label first. 
Attributes Required attributes in a state definition object are: state: numerical value of the state label: human readable text associated with the state choice: an array of state values the state can transition to (determines the content of the state dropdown) Optional attributes are: mandatory: list of field IDs that become mandatory in this state readonly: list of field IDs that become read-only in this state visible: list of field IDs that become visible in this state notmandatory: list of field IDs that become non-mandatory in this state notvisible: list of field IDs that would no longer be visible in this state Note: If optional attributes are used, it is the author's responsibility to ensure that fields are made visible/invisible, mandatory/non-mandatory, visible/hidden, or readonly appropriately between states. For example, hiding a field in one state does not make it visible in another state later unless the 'visible' attribute is used. Process flow definition arrays To define the information displayed in the process flow formatter (the bar at the top of the Security Incident and Response task forms), the system requires information on what to display for each state. For example:TASK_PF: [{label:"Draft", condition:"state=1^EQ", description:"<p>Security Incident Response Task is in draft</p>"}, {label:"Ready", condition:"state=10^EQ", description:"<p>Security Incident Response Task is ready to be assigned</p>"}, {label:"Assigned", condition:"state=16^EQ", description:"<p>Security Incident Response Task is assigned</p>"}, {label:"Work in Progress", condition:"state=18^EQ", description:"<p>Work has started on this Security Incident Response Task</p>"}, {label:"Closed", condition:"state=3^ORstate=4^ORstate=7^EQ", description:"<p>Security Incident Response Task is complete</p>"}, ], The TASK_PF array is a collection of labels, conditions, and descriptions used to determine the text displayed in the process formatter bar (including order and activity). 
In the example, the text 'Ready' is the second item displayed. It is highlighted when the task satisfied the condition 'state=10^EQ'. When the pointer hovers over the text, the description 'Security Incident Response Task is ready to be assigned' is displayed. Note: States can be combined to a single formatter state. In the example, both the 'Close Complete' and the 'Canceled' states show up as 'Closed' in the top bar. Method calls The following methods must be present in the script include as they are used by sn_si.ProcessDefinition: Return type Method summary Description String getInitialIncidentState: function() return the initial incident state numerical value String getInitialTaskState: function(): return the initial task state numerical value Array of string getIncidentStates: function(): return the incident state's array Array of string getTaskStates: function(): return the task state's array Array of objects getIncidentProcessFlows: function(): return the incident process flow definition array Array of objects getTaskProcessFlows: function(): return the task process flow definition array The next set of methods are called whenever an incident or a task is updated and allows actions to be taken on specific change transitions. Return type Method summary Description void performIncidentStateChange: function(current, previous) In the examples, this method is used to set SM-related values and ensure that an incident advances out of 'Draft' once someone is assigned to it. void performTaskStateChange: function(current, previous) In the example, this method is used to update timestamps (on assignment and closing) and advance the task from 'Ready' to 'Assigned' once the assigned_to field is filled. The same actions performed by these two methods can be accomplished using a business rule. By defining them in the script include, switching process definitions is made easier.
Process Definition script include The Process Definition script include provides methods for defining a process definition. Implement the constants, attributes, arrays, and method calls described here to customize a process definition script include. Where to use Use this script include to create a process definition. Script include body The script include body is composed of three sections: Constants: initial state definitions Security Incident and Response Task: process definition arrays Method calls: retrieving information Constants Constants are used to define the initial states of security incidents and response tasks. The use of constants is optional but encouraged for readability. For example:INITIAL_INCIDENT_STATE: 10, INITIAL_TASK_STATE: 1, Which are later used by the following methods: getInitialIncidentState: function() { return this.INITIAL_INCIDENT_STATE; }, getInitialTaskState: function() { return this.INITIAL_TASK_STATE; }, The next set of constants defines the states for both security incidents and response tasks. Each array also contains the definition of which states are available when the incident or task is in a specific state. For example:TASK_STATES: [{state:1, label:"Draft", choice:[1, 10]}, {state:10, label:"Ready", choice:[10, 16]}, {state:16, label:"Assigned", choice:[16, 18]}, {state:18, label:"Work in Progress", choice:[18, 3]}, {state:3, label:"Close Complete", choice:[]}, {state:7, label:"Cancelled", choice:[]}, ], The example is an array of objects. Each object defines a state and possible transition states. The order of the state's object determines the desired order for the flow. When the task is in the 'Draft' state (value 1), possible states are: 1 (Draft, which is no change) and 10 (Ready, the next step in the process). There is no limit on the number of transitions out of a state. The 'Close Complete' and 'Canceled' state are final states and therefore have no possible state transitions. 
The order of the attributes in the object is not important. If it makes the definition clearer, put the label first.

Attributes
Required attributes in a state definition object are:
state: numerical value of the state
label: human-readable text associated with the state
choice: an array of state values the state can transition to (determines the content of the State drop-down)

Optional attributes are:
mandatory: list of field IDs that become mandatory in this state
readonly: list of field IDs that become read-only in this state
visible: list of field IDs that become visible in this state
notmandatory: list of field IDs that become non-mandatory in this state
notvisible: list of field IDs that are no longer visible in this state

Note: If optional attributes are used, it is the author's responsibility to make fields mandatory or non-mandatory, visible or hidden, and read-only appropriately in each state. These settings do not carry over between states: hiding a field in one state does not make it visible in a later state unless that later state lists it in its 'visible' attribute. Check the final states in particular, since a field the process requires before closure must be listed as mandatory in the state that closes the record.

Process flow definition arrays
To define the information displayed in the process flow formatter (the bar at the top of the Security Incident and Response Task forms), the system requires information on what to display for each state.
For example:

    TASK_PF: [
        {label:"Draft", condition:"state=1^EQ", description:"<p>Security Incident Response Task is in draft</p>"},
        {label:"Ready", condition:"state=10^EQ", description:"<p>Security Incident Response Task is ready to be assigned</p>"},
        {label:"Assigned", condition:"state=16^EQ", description:"<p>Security Incident Response Task is assigned</p>"},
        {label:"Work in Progress", condition:"state=18^EQ", description:"<p>Work has started on this Security Incident Response Task</p>"},
        {label:"Closed", condition:"state=3^ORstate=4^ORstate=7^EQ", description:"<p>Security Incident Response Task is complete</p>"},
    ],

The TASK_PF array is a collection of labels, conditions, and descriptions that determine the text displayed in the process formatter bar, including its order and which item is active. Each condition is an encoded query evaluated against the record. In the example, the text 'Ready' is the second item displayed. It is highlighted when the task satisfies the condition 'state=10^EQ'. When the pointer hovers over the text, the description 'Security Incident Response Task is ready to be assigned' is displayed.

Note: Several states can be combined into a single formatter stage. In the example, both the 'Close Complete' and the 'Cancelled' states show up as 'Closed' in the top bar. The 'Closed' condition in the example also matches state 4, which the TASK_STATES example above does not define; a formatter condition may match values that are not reachable through the drop-down, so keep the two arrays consistent so that the bar and the State field agree.
Method calls
The following methods must be present in the script include because they are called by sn_si.ProcessDefinition:

Return type | Method | Description
String | getInitialIncidentState: function() | Return the initial incident state value
String | getInitialTaskState: function() | Return the initial task state value
Array of objects | getIncidentStates: function() | Return the incident state definition array
Array of objects | getTaskStates: function() | Return the task state definition array
Array of objects | getIncidentProcessFlows: function() | Return the incident process flow definition array
Array of objects | getTaskProcessFlows: function() | Return the task process flow definition array

The next set of methods is called whenever an incident or a task is updated and allows actions to be taken on specific state transitions:

Return type | Method | Description
void | performIncidentStateChange: function(current, previous) | In the example, this method sets SM-related values and ensures that an incident advances out of 'Draft' once someone is assigned to it.
void | performTaskStateChange: function(current, previous) | In the example, this method updates timestamps (on assignment and closing) and advances the task from 'Ready' to 'Assigned' once the assigned_to field is filled.

The same actions performed by these two methods can be accomplished with a business rule. Defining them in the script include instead keeps the transition logic together with the state definitions it depends on, which makes switching process definitions easier.
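The task half of a process definition in the shape described above, as an added example that is not code from the page or from the product. It is written as a plain object so that it runs under Node; in an instance the same object would be the prototype of a script include in the sn_si scope, and the Class.create()/prototype wrapper is omitted. The state values, labels and conditions are copied from the TASK_STATES and TASK_PF examples above; the helper functions (findState, isValidTransition, isFinalState, conditionStates, formatterStage, undefinedFormatterStates), the transition check inside performTaskStateChange and the sample records are assumptions added for illustration.

```javascript
// Added example (not the page's or the product's code): a task-side process
// definition as a plain object so it runs under Node. Helper functions and the
// sample records below are assumptions for illustration.
const ExampleTaskProcess = {
  INITIAL_TASK_STATE: 1,

  // state: value stored on the record; choice: values selectable from this state.
  TASK_STATES: [
    { state: 1,  label: "Draft",            choice: [1, 10] },
    { state: 10, label: "Ready",            choice: [10, 16] },
    { state: 16, label: "Assigned",         choice: [16, 18] },
    { state: 18, label: "Work in Progress", choice: [18, 3] },
    { state: 3,  label: "Close Complete",   choice: [] },
    { state: 7,  label: "Cancelled",        choice: [] }
  ],

  // condition: encoded query; several states may map to one formatter stage.
  TASK_PF: [
    { label: "Draft",            condition: "state=1^EQ",  description: "Security Incident Response Task is in draft" },
    { label: "Ready",            condition: "state=10^EQ", description: "Security Incident Response Task is ready to be assigned" },
    { label: "Assigned",         condition: "state=16^EQ", description: "Security Incident Response Task is assigned" },
    { label: "Work in Progress", condition: "state=18^EQ", description: "Work has started on this Security Incident Response Task" },
    { label: "Closed",           condition: "state=3^ORstate=4^ORstate=7^EQ", description: "Security Incident Response Task is complete" }
  ],

  // Methods that sn_si.ProcessDefinition calls (task half; the incident half has the same shape).
  getInitialTaskState: function () { return this.INITIAL_TASK_STATE; },
  getTaskStates: function () { return this.TASK_STATES; },
  getTaskProcessFlows: function () { return this.TASK_PF; },

  findState: function (value) {
    return this.TASK_STATES.find(function (s) { return s.state === value; }) || null;
  },

  // A transition is allowed only if the target is in the current state's choice list.
  isValidTransition: function (from, to) {
    const def = this.findState(from);
    return def !== null && def.choice.indexOf(to) !== -1;
  },

  isFinalState: function (value) {
    const def = this.findState(value);
    return def !== null && def.choice.length === 0;
  },

  // Parse the "state=N^ORstate=M^EQ" form used by the TASK_PF conditions into the
  // list of state values it matches. Only this form is handled here.
  conditionStates: function (condition) {
    return condition.replace(/\^EQ$/, "").split("^OR").map(function (term) {
      const m = /^state=(\d+)$/.exec(term);
      if (!m) throw new Error("unsupported condition term: " + term);
      return parseInt(m[1], 10);
    });
  },

  // The formatter stage highlighted for a record in the given state (null if none).
  formatterStage: function (value) {
    const self = this;
    return this.TASK_PF.find(function (pf) {
      return self.conditionStates(pf.condition).indexOf(value) !== -1;
    }) || null;
  },

  // Consistency check: state values referenced by formatter conditions but missing
  // from TASK_STATES. The page's own example references state 4 this way.
  undefinedFormatterStates: function () {
    const self = this;
    const defined = this.TASK_STATES.map(function (s) { return s.state; });
    const missing = [];
    this.TASK_PF.forEach(function (pf) {
      self.conditionStates(pf.condition).forEach(function (v) {
        if (defined.indexOf(v) === -1 && missing.indexOf(v) === -1) missing.push(v);
      });
    });
    return missing;
  },

  // Called on every task update. Rejects transitions the definition does not allow,
  // stamps assignment/closure times, and advances Ready -> Assigned once assigned_to
  // is filled. Returns the updated record.
  performTaskStateChange: function (current, previous) {
    if (current.state !== previous.state && !this.isValidTransition(previous.state, current.state)) {
      throw new Error("invalid transition " + previous.state + " -> " + current.state);
    }
    if (current.assigned_to && !previous.assigned_to) {
      current.assigned_at = current.assigned_at || new Date().toISOString();
      if (current.state === 10) current.state = 16;
    }
    if (this.isFinalState(current.state) && !this.isFinalState(previous.state)) {
      current.closed_at = current.closed_at || new Date().toISOString();
    }
    return current;
  }
};

// Constructed sample: a Ready task that has just received an assignee.
const sample = ExampleTaskProcess.performTaskStateChange(
  { state: 10, assigned_to: "analyst1", assigned_at: "", closed_at: "" },
  { state: 10, assigned_to: "",         assigned_at: "", closed_at: "" }
);
console.log(sample.state, ExampleTaskProcess.formatterStage(sample.state).label); // 16 Assigned
console.log(ExampleTaskProcess.undefinedFormatterStates()); // [ 4 ]
```

The transition check in performTaskStateChange is the part worth carrying into a real definition: the choice arrays control what the drop-down offers, but a record can also be updated by import, integration or script, and validating against the same arrays on update is what keeps a closed task from being silently reopened. undefinedFormatterStates() is a one-line sanity check to run after editing either array.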
Correct an invalid security incident or task state with process definition
An administrator can correct security incidents or tasks that are in invalid states, either manually or using a script. Available states vary based on the current state of the incident.

Before you begin
Role required: admin

About this task
After you switch process definitions, the new definition may not support some of the old states. To correct orphaned incident or task states, you can change your process definition, edit your script include, or open each incident or task and update its state manually. Generally, updating the state (which can be done in bulk) is the easiest solution. To change states in bulk:

Procedure
Navigate to Process Selection.
Highlight the State field for the incidents or tasks you want to change.
Double-click the first one, choose the new State, and click the green check mark to confirm the change.
Click Update.
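The scripted alternative mentioned above, as an added example that is not code from the page or from the product: find records whose state the newly selected definition does not define, map each to a valid state, and report the ones that cannot be mapped instead of changing them blindly. The pure functions run under Node on the constructed records below; applyCorrections() shows the same plan applied in an instance through GlideRecord and is defined but not called here. The valid state values are those of the TASK_STATES example above; the old state values, the remap table and the table name sn_si_task are assumptions for illustration.

```javascript
// Added example (not the page's or the product's code). Old state values, the
// remap table, the sample records and the table name are assumptions.

// State values defined by the definition now in use (the page's TASK_STATES example).
const NEW_TASK_STATE_VALUES = [1, 10, 16, 18, 3, 7];

// Hypothetical mapping from states the previous definition used to the closest
// state in the new one. Orphans with no mapping are reported, not silently changed.
const STATE_REMAP = { 2: 18, 4: 3, 20: 10 };

// Constructed sample records as they might look after switching definitions.
const SAMPLE_TASKS = [
  { sys_id: "t1", number: "SIT0001", state: 16 },
  { sys_id: "t2", number: "SIT0002", state: 2 },
  { sys_id: "t3", number: "SIT0003", state: 4 },
  { sys_id: "t4", number: "SIT0004", state: 42 },
  { sys_id: "t5", number: "SIT0005", state: 3 }
];

// Records whose state is not defined by the current process definition.
function findOrphans(records, validStates) {
  return records.filter(function (r) { return validStates.indexOf(r.state) === -1; });
}

// Returns { updates: [{ sys_id, from, to }], unmapped: [sys_id, ...] }.
// A remap target that is itself not a valid state is treated as unmapped.
function planCorrections(records, validStates, remap) {
  const plan = { updates: [], unmapped: [] };
  findOrphans(records, validStates).forEach(function (r) {
    const target = remap[r.state];
    if (target === undefined || validStates.indexOf(target) === -1) {
      plan.unmapped.push(r.sys_id);
    } else {
      plan.updates.push({ sys_id: r.sys_id, from: r.state, to: target });
    }
  });
  return plan;
}

// Instance-side application of a plan (server script; GlideRecord does not exist
// under Node, so this function is only defined here). The state is re-read before
// writing so a record someone fixed by hand in the meantime is left alone.
function applyCorrections(tableName, plan) {
  plan.updates.forEach(function (u) {
    const gr = new GlideRecord(tableName);
    if (gr.get(u.sys_id) && parseInt(gr.getValue("state"), 10) === u.from) {
      gr.setValue("state", u.to);
      gr.update();
    }
  });
}

const plan = planCorrections(SAMPLE_TASKS, NEW_TASK_STATE_VALUES, STATE_REMAP);
console.log(JSON.stringify(plan));
// {"updates":[{"sys_id":"t2","from":2,"to":18},{"sys_id":"t3","from":4,"to":3}],"unmapped":["t4"]}
// In an instance: applyCorrections("sn_si_task", plan);
```

Review the printed plan before applying it: the unmapped list is the set of records that still need a human decision, and the from value in each update is what protects a record that changed between planning and applying.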