Security Incident Response process definition

Security Incident Response Process Definition replaces state flows and provides end users and service desks with the status of a security incident. A process definition tracks the incident through its life cycle. Security Incident Response is a Service Management (SM) application, but it has its own set of states. Incidents and tasks whose state is not valid under the selected definition are reported on the Process Selection page.

Security Incident Response Process Definition

The default process definition (NIST Stateful) defines the following incident states:
Note: Available states vary based on the current state of the incident.
Table 1. Security Incident process definition states
State Description
Draft The request initiator adds information about the security incident, but it is not yet ready to be worked on.
Analysis The incident has been assigned and the issue is being analyzed.
Contain The issue has been identified and the security staff is working to contain it and perform damage control. These actions can include taking servers offline, disconnecting equipment from the Internet, and verifying that backups exist.
Eradicate The issue has been contained and the security staff is taking steps to fix the issue.
Recover The issue is resolved and the operational readiness of the affected systems is being verified.
Review The security incident is complete and all systems are back to normal function, however, a post incident review is still needed.
Closed The incident is complete. Before a security incident can be closed, you must fill in the information on the Closure Information tab.

Security Incident task process definitions

The following process definitions are used for security incident tasks.

Table 2. Task process definition states
State Description
Ready The task is ready to be worked on once it is assigned to an agent.
Assigned The task is assigned to an agent.
Work In Progress The assigned agent is working on the task.
Complete The task is complete.
Cancelled The task was canceled.

Process Definition provides the following process definitions by default:

  • NIST Stateful
  • NIST Open
  • SANS Open
  • Example (If demo data is loaded)

Create a Security Incident Response process definition

You can create a process definition to define the way security incidents transition from one state to the next. Process definitions help service desks and end users track the incident throughout its life cycle.

Before you begin

Role required: sn_si.admin

Procedure

  1. Navigate to Security Incident > Administration > Process Definition.
  2. Click New.
  3. Fill in the fields, as appropriate.
    Table 3. Creating process definitions
    Field Description
    Name Name of the record which describes the process encoded in the script include file. The name is displayed as a choice in the Process Definition Selector list.
    Script include The name (including the sn_si. prefix) of the script include containing the definition of the process. The script must be in the Security Incident (sn_si) application scope. See Create a custom Security Incident Response process definition script include for more information. If this field does not contain a valid script include name, the default ProcessDefinition_NIST_Stateful definition is used.
    Description Helpful information about the script include.
    Order Determines the position in the process definition list.
    Active When checked, it makes this process definition selectable from the Process Definition Selector page.
  4. Click Submit.

Security Incident Response Process Selection

Process Selection lists security incidents and response tasks whose current state is not valid under the selected process definition.

An administrator can correct the incident or task to a valid state either manually or by using a script. An empty related list (no incidents; no tasks) indicates that every active incident and task is in a valid state. Available states vary based on the current state of the incident. For more information, see Correct an invalid security incident or task state with process definition.

Select a Security Incident Response process definition

Select the process definition that supplies the states for your company's security incidents and response tasks.

Before you begin

Role required: admin and sn_si.admin

Procedure

  1. Navigate to Security Incident Response > Administration > Process Selection.
  2. Click the search icon to list the available process definitions.
  3. Select a process definition.
  4. Click Update.

Create a custom Security Incident Response process definition script include

Create a custom process definition script include that defines the states and transitions for your company's security incidents and response tasks.

Before you begin

Role required: sn_si.admin

About this task

The main script include, sn_si.ProcessDefinition, controls process definitions: it determines which definition is in use (from Process Selection) and calls that definition's script include to determine the initial states and transitions for both security incidents and response tasks.

Procedure

  1. Navigate to System Definition > Script Includes.
  2. Click New.
  3. Fill in the fields, as appropriate.
    Table 4. Creating process definitions
    Field Description
    Name Name of this script include.
    API Name Created based on the name of the script include.
    Client callable Makes the script include available to client scripts, list and report filters, reference qualifiers, or, if specified, as part of the URL.
    Application Security Incident
    Accessible from Choose This application scope only.
    Active When checked, it makes this script include selectable from the Process Definition page.
    Description Helpful information about the script include.
    Script Defines the server-side script to run when called from other scripts.

    The script must define a single JavaScript class or a global function. The class or function name must match the Name field.

    For information on script contents, see Process Definition script include.
  4. Click Submit.

Process Definition script include

The Process Definition script include provides methods for defining a process definition.

Implement the constants, attributes, arrays, and method calls described here to customize a process definition script include.

Where to use

Use this script include to create a process definition.

Script include body

The script include body is composed of three sections:
  • Constants: initial state definitions
  • Security Incident and Response Task: process definition arrays
  • Method calls: retrieving information

Constants

Constants are used to define the initial states of security incidents and response tasks.

The use of constants is optional but encouraged for readability. For example:
INITIAL_INCIDENT_STATE: 10,
INITIAL_TASK_STATE: 1,

Which are later used by the following methods:

getInitialIncidentState: function() {
return this.INITIAL_INCIDENT_STATE;
},
getInitialTaskState: function() {
return this.INITIAL_TASK_STATE;
},

The next set of definitions is a pair of arrays, one for security incident states and one for response task states.

Each array also defines which states are available when the incident or task is in a specific state.

For example:
TASK_STATES: [{state:1, label:"Draft", choice:[1, 10]},
 {state:10, label:"Ready", choice:[10, 16]},
 {state:16, label:"Assigned", choice:[16, 18]},
 {state:18, label:"Work in Progress", choice:[18, 3]},
 {state:3, label:"Close Complete", choice:[]},
 {state:7, label:"Cancelled", choice:[]},
 ],

The example is an array of objects. Each object defines a state and possible transition states.

The order of the state objects in the array determines the order in which the states appear in the flow.

When the task is in the 'Draft' state (value 1), possible states are: 1 (Draft, which is no change) and 10 (Ready, the next step in the process).

There is no limit on the number of transitions out of a state. The 'Close Complete' and 'Cancelled' states are final states and therefore have an empty choice array (no transitions out).

The order of the attributes in the object is not important. If it makes the definition clearer, put the label first.

Attributes

Required attributes in a state definition object are:
  • state: numerical value of the state
  • label: human readable text associated with the state
  • choice: an array of state values the state can transition to (determines the content of the state dropdown)
Optional attributes are:
  • mandatory: list of field IDs that become mandatory in this state
  • readonly: list of field IDs that become read-only in this state
  • visible: list of field IDs that become visible in this state
  • notmandatory: list of field IDs that become non-mandatory in this state
  • notvisible: list of field IDs that would no longer be visible in this state
Note:

If optional attributes are used, it is the author's responsibility to ensure that fields are made visible/hidden, mandatory/non-mandatory, or read-only appropriately between states. A field setting is not reset when the state changes.

For example, hiding a field in one state does not make it visible in another state later unless the 'visible' attribute is used.

Process flow definition arrays

To define the information displayed in the process flow formatter (the bar at the top of the Security Incident and Response task forms), the system requires information on what to display for each state.

For example:
TASK_PF: [{label:"Draft", condition:"state=1^EQ", description:"<p>Security Incident Response Task is in draft</p>"},
 {label:"Ready", condition:"state=10^EQ", description:"<p>Security Incident Response Task is ready to be assigned</p>"},
 {label:"Assigned", condition:"state=16^EQ", description:"<p>Security Incident Response Task is assigned</p>"},
 {label:"Work in Progress", condition:"state=18^EQ", description:"<p>Work has started on this Security Incident Response Task</p>"},
 {label:"Closed", condition:"state=3^ORstate=4^ORstate=7^EQ", description:"<p>Security Incident Response Task is complete</p>"},
],

The TASK_PF array is a collection of labels, conditions, and descriptions used to determine the text displayed in the process formatter bar (including its order and which item is active).

In the example, the text 'Ready' is the second item displayed. It is highlighted when the task satisfies the condition 'state=10^EQ'.

When the pointer hovers over the text, the description 'Security Incident Response Task is ready to be assigned' is displayed.

Note:

Several states can be combined into a single formatter entry.

In the example, both the 'Close Complete' (3) and 'Cancelled' (7) states show up as 'Closed' in the top bar. The condition also matches state 4, which the TASK_STATES example above does not define: a formatter condition may reference any state value, but only the values listed in a state's choice array are offered in the State dropdown, so a value that appears in a formatter condition without a matching state object can never be reached through the form.

Method calls

The following methods must be present in the script include, because sn_si.ProcessDefinition calls them:
Return type Method Description
Number getInitialIncidentState: function() Returns the initial incident state value.
Number getInitialTaskState: function() Returns the initial task state value.
Array of objects getIncidentStates: function() Returns the incident state definition array.
Array of objects getTaskStates: function() Returns the task state definition array.
Array of objects getIncidentProcessFlows: function() Returns the incident process flow definition array.
Array of objects getTaskProcessFlows: function() Returns the task process flow definition array.

The next set of methods is called whenever an incident or a task is updated and allows actions to be taken on specific state transitions.

Return type Method Description
void performIncidentStateChange: function(current, previous) In the example, this method is used to set SM-related values and ensure that an incident advances out of 'Draft' once someone is assigned to it.
void performTaskStateChange: function(current, previous) In the example, this method is used to update timestamps (on assignment and closing) and advance the task from 'Ready' to 'Assigned' once the assigned_to field is filled.
The same actions performed by these two methods can be accomplished using a business rule. Defining them in the script include keeps them with the definition they belong to, which makes switching process definitions easier.
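The following is an added example of a complete process definition written in plain JavaScript; it is not ServiceNow's code and not one of the shipped definitions. In an instance this would be a script include in the sn_si scope built with Class.create(); that API is not used here so the file runs stand-alone under Node. The task state values and labels follow the page; the incident state values (10, 16, 18, 19, 20, 100, 3), the field names used in the optional attributes (assigned_to, close_notes) and the canTransition/checkStates helpers are assumptions added for illustration.

```javascript
"use strict";

// Added example, not ServiceNow's code. Incident state values and the
// field names in the optional attributes are assumptions.
const ProcessDefinition_Example = {
  // Constants: initial states (optional, but keeps the methods readable).
  INITIAL_INCIDENT_STATE: 10,
  INITIAL_TASK_STATE: 1,

  // Security Incident states. Each object lists the states reachable from it;
  // the current state is included so "no change" stays selectable.
  INCIDENT_STATES: [
    { state: 10,  label: "Draft",     choice: [10, 16] },
    { state: 16,  label: "Analysis",  choice: [16, 18],  mandatory: ["assigned_to"] },
    { state: 18,  label: "Contain",   choice: [18, 19] },
    { state: 19,  label: "Eradicate", choice: [19, 20] },
    { state: 20,  label: "Recover",   choice: [20, 100] },
    { state: 100, label: "Review",    choice: [100, 3],  mandatory: ["close_notes"] },
    { state: 3,   label: "Closed",    choice: [],        readonly: ["close_notes"] },
  ],

  // Response Task states, values as on the page; 7 (Cancelled) is reachable from WIP.
  TASK_STATES: [
    { state: 1,  label: "Draft",            choice: [1, 10] },
    { state: 10, label: "Ready",            choice: [10, 16] },
    { state: 16, label: "Assigned",         choice: [16, 18] },
    { state: 18, label: "Work in Progress", choice: [18, 3, 7] },
    { state: 3,  label: "Close Complete",   choice: [] },
    { state: 7,  label: "Cancelled",        choice: [] },
  ],

  // Process flow formatter entries; conditions are encoded queries on state.
  INCIDENT_PF: [
    { label: "Draft",     condition: "state=10^EQ",  description: "<p>Incident is in draft</p>" },
    { label: "Analysis",  condition: "state=16^EQ",  description: "<p>Incident is being analyzed</p>" },
    { label: "Contain",   condition: "state=18^EQ",  description: "<p>Containment in progress</p>" },
    { label: "Eradicate", condition: "state=19^EQ",  description: "<p>Eradication in progress</p>" },
    { label: "Recover",   condition: "state=20^EQ",  description: "<p>Recovery in progress</p>" },
    { label: "Review",    condition: "state=100^EQ", description: "<p>Post incident review pending</p>" },
    { label: "Closed",    condition: "state=3^EQ",   description: "<p>Incident is closed</p>" },
  ],
  TASK_PF: [
    { label: "Draft",            condition: "state=1^EQ",            description: "<p>Task is in draft</p>" },
    { label: "Ready",            condition: "state=10^EQ",           description: "<p>Task is ready to be assigned</p>" },
    { label: "Assigned",         condition: "state=16^EQ",           description: "<p>Task is assigned</p>" },
    { label: "Work in Progress", condition: "state=18^EQ",           description: "<p>Work has started on this task</p>" },
    { label: "Closed",           condition: "state=3^ORstate=7^EQ",  description: "<p>Task is complete or cancelled</p>" },
  ],

  // Methods sn_si.ProcessDefinition expects.
  getInitialIncidentState: function () { return this.INITIAL_INCIDENT_STATE; },
  getInitialTaskState:     function () { return this.INITIAL_TASK_STATE; },
  getIncidentStates:       function () { return this.INCIDENT_STATES; },
  getTaskStates:           function () { return this.TASK_STATES; },
  getIncidentProcessFlows: function () { return this.INCIDENT_PF; },
  getTaskProcessFlows:     function () { return this.TASK_PF; },

  // Leave Draft as soon as someone is assigned.
  performIncidentStateChange: function (current, previous) {
    if (current.state === 10 && current.assigned_to && !previous.assigned_to) {
      current.state = 16;
    }
  },
  // Ready -> Assigned when assigned_to is filled; stamp assignment and closure times.
  performTaskStateChange: function (current, previous, now) {
    now = now || new Date().toISOString();
    if (current.assigned_to && !previous.assigned_to) {
      current.assigned_at = now;
      if (current.state === 10) current.state = 16;
    }
    if ((current.state === 3 || current.state === 7) && previous.state !== current.state) {
      current.closed_at = now;
    }
  },
};

// What the State dropdown enforces: is `to` in the choice array of `from`?
function canTransition(states, from, to) {
  const def = states.find((s) => s.state === from);
  return Boolean(def) && def.choice.indexOf(to) !== -1;
}

// Sanity-check a state array before activating a definition: state values must
// be unique and every choice must name a defined state. Returns a list of problems.
function checkStates(states) {
  const problems = [];
  const seen = new Set();
  for (const s of states) {
    if (seen.has(s.state)) problems.push("duplicate state " + s.state);
    seen.add(s.state);
  }
  for (const s of states) {
    for (const t of s.choice) {
      if (!seen.has(t)) problems.push("state " + s.state + " (" + s.label + ") transitions to undefined state " + t);
    }
  }
  return problems;
}
```

Run checkStates over both arrays before you activate a definition on the Process Selection page; a choice that names a state with no object is the kind of mistake that only surfaces later as an orphaned record in the Process Selection related list.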

Correct an invalid security incident or task state with process definition

An administrator can correct the security incident or task to valid states, either manually or using a script. Available states vary based on the current state of the incident.

Before you begin

Role required: admin

About this task

After you have switched process definitions, the new definition may not support some of the old states. To correct the orphan incident or task states, you can change your process definition, edit your script include, or manually open each incident or task to update the state. Generally, updating the state (which can be done in bulk) is the easiest solution.

To change states in bulk, do the following:

Procedure

  1. Navigate to Process Selection.
  2. Highlight the State field for the incidents or tasks you want to change.
  3. Double-click the first one, choose the new State, and click the green check mark to save the change.
  4. Click Update.
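The script route mentioned above, as an added example that is not part of the original page or ServiceNow's code: it finds the records the Process Selection page would list and remaps each orphaned value to a state the new definition does define, refusing to write anything the definition does not know. In an instance this logic would run as a background or fix script over a GlideRecord query on the task table; here the query is replaced by constructed in-memory records so it runs under Node. The old state values (4 and 2), their assumed meanings, the remap targets and the SIT record numbers are all assumptions.

```javascript
"use strict";

// Added example, not ServiceNow's code. Task states of the definition now
// selected (values from the page).
const ACTIVE_TASK_STATES = [
  { state: 1,  label: "Draft",            choice: [1, 10] },
  { state: 10, label: "Ready",            choice: [10, 16] },
  { state: 16, label: "Assigned",         choice: [16, 18] },
  { state: 18, label: "Work in Progress", choice: [18, 3] },
  { state: 3,  label: "Close Complete",   choice: [] },
  { state: 7,  label: "Cancelled",        choice: [] },
];

// Where each orphaned value should go. Assumed mapping from a previous
// definition: 4 (assumed "closed incomplete") -> Cancelled, 2 -> Ready.
const STATE_REMAP = { 4: 7, 2: 10 };

// Constructed sample records standing in for the Process Selection related list.
const SAMPLE_TASKS = [
  { number: "SIT0001001", state: 18 },
  { number: "SIT0001002", state: 4 },
  { number: "SIT0001003", state: 2 },
  { number: "SIT0001004", state: 3 },
];

function validStateSet(states) {
  return new Set(states.map((s) => s.state));
}

// Mirrors the Process Selection report: records whose state the definition lacks.
function findInvalidRecords(states, records) {
  const valid = validStateSet(states);
  return records.filter((r) => !valid.has(r.state));
}

// Apply the mapping. Every orphan and every target is checked first, so a bad
// mapping throws before any record is touched. Returns the change log.
function remapInvalidStates(states, records, remap) {
  const valid = validStateSet(states);
  const orphans = findInvalidRecords(states, records);
  for (const r of orphans) {
    if (!(r.state in remap)) {
      throw new Error("no mapping for state " + r.state + " (" + r.number + ")");
    }
    if (!valid.has(remap[r.state])) {
      throw new Error("mapping target " + remap[r.state] + " is not a valid state");
    }
  }
  return orphans.map((r) => {
    const change = { number: r.number, from: r.state, to: remap[r.state] };
    r.state = remap[r.state]; // in the instance: gr.setValue('state', ...); gr.update();
    return change;
  });
}
```

Keep the returned change log: it is the record of what the migration did, and it lets you restore the previous values if the mapping turns out to be wrong for some records.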