Home Kingston Security Incident Management Security Operations Security Incident Response Security Incident Response setup Security Incident Response process definition

Security Incident Response process definition

Security Incident Response Process Definition replaces state flows and provides end users and service desks with the status of a problem. A process definition helps track the problem through its life cycle. Security Incident Response is a Service Management (SM) application; however, it has its own set of states. Invalid states are reported as part of Process Selection.

Security Incident Response Process Definition

The default process definition (NIST Stateful) defines the following incident states:

Note: Available states vary based on the current state of the incident.

Table 1. Security Incident process definition states
State	Description
Draft	The request initiator adds information about the security incident, but it is not yet ready to be worked on.
Analysis	The incident has been assigned and the issue is being analyzed.
Contain	The issue has been identified and the security staff is working to contain it and perform damage control. These actions can include taking servers offline, disconnecting equipment from the Internet, and verifying that backups exist.
Eradicate	The issue has been contained and the security staff is taking steps to fix the issue.
Recover	The issue is resolved and the operational readiness of the affected systems is being verified.
Review	The security incident is complete and all systems are back to normal function, however, a post incident review is still needed.
Closed	The incident is complete but before a security incident can be closed, you must fill out the information on the Closure Information tab.

Security Incident task process definitions

The following process definitions are used for security incident tasks.

Table 2. Task process definition states
State	Description
Ready	The task is ready to be worked on once it is assigned to an agent.
Assigned	The task is assigned to an agent.
Work In Progress	The assigned agent is working on the task.
Complete	The task is complete.
Cancelled	The task was canceled.

Process Definition provides the following process definitions by default:

NIST Stateful
NIST Open
SANS Open
Example (If demo data is loaded)

Create a Security Incident Response process definition

You can create a process definition to define the way security incidents transition from one state to the next. Process definitions give service desks and end users help tracking the problem throughout its life cycle.

Before you begin

Role required: sn.si_admin

Procedure

Navigate to Security Incident > Administration > Process Definition.
Click New.

Fill in the fields, as appropriate.

Table 3. Creating process definitions
Field	Description
Name	Name of the record which describes the process encoded in the script include file. The name is displayed as a choice in the Process Definition Selector list.
Script include	The name (including the `sn_si`. prefix) of the script include containing the definition of the process. The script must be in the Security Incident (`sn_si`) application scope. See Create a custom Security Incident Response process definition script include for more information. If this field does not contain a valid script include name, the default ProcessDefinition_NIST_Stateful definition is used.
Description	Helpful information about the script include.
Order	Determines the position in the process definition list.
Active	When checked, it makes this process definition selectable from the Process Definition Selector page.

Click Submit.

Security Incident Response Process Selection

Process Selection lists processes with invalid states for security incidents and response tasks.

An administrator can correct the incident or task to valid states either manually or by using a script. An empty related list (no incidents; no tasks) indicates that every active task is in a valid state. Available states vary based on the current state of the incident. For more information, see Correct an invalid security incident or task state with process definition.

Select a Security Incident Response process definition

You can select the process definition to use for the appropriate states for your company security incidents and response tasks.

Before you begin

Role required: admin and sn_si.admin

About this task

Procedure

Navigate to Security Incident Response > Administration > Process Selection.
Çlick the search icon to list the available process definitions.
Select a process definition.
Click Update.

Create a custom Security Incident Response process definition script include

Create a custom Process Definition script for the appropriate states for your company security incidents and response tasks.

Before you begin

Role required: sn_si.admin

About this task

The sn_si.ProcessDefinition main script include controls process definitions. Process Definition determines which definition is in use (using Process Selection). It calls the appropriate script include file to determine the initial states and transitions for both security incidents and response tasks.

Procedure

Navigate to System Definition > Script Includes.
Click New.

Fill in the fields, as appropriate.

Table 4. Creating process definitions
Field	Description
Name	Name of this script include.
API Name	Created based on the name of the script include.
Client callable	Makes the script include available to client scripts, list and report filters, reference qualifiers, or, if specified, as part of the URL.
Application	Security Incident
Accessible from	Choose This application scope only.
Active	When checked, it makes this script include selectable from the Process Definition page.
Description	Helpful information about the script include.
Script	Defines the server-side script to run when called from other scripts. The script must define a single JavaScript class or a global function. The class or function name must match the Name field. For information on script contents, see Process Definition script include.

Click Submit.

Process Definition script include

The Process Definition script include provides methods for defining a process definition.

Implement the constants, attributes, arrays, and method calls described here to customize a process definition script include.

Where to use

Use this script include to create a process definition.

Script include body

The script include body is composed of three sections:

Constants: initial state definitions
Security Incident and Response Task: process definition arrays
Method calls: retrieving information

Constants

Constants are used to define the initial states of security incidents and response tasks.

The use of constants is optional but encouraged for readability. For example:

INITIAL_INCIDENT_STATE: 10,
INITIAL_TASK_STATE: 1,

Which are later used by the following methods:

getInitialIncidentState: function() {
return this.INITIAL_INCIDENT_STATE;
},
getInitialTaskState: function() {
return this.INITIAL_TASK_STATE;
},

The next set of constants defines the states for both security incidents and response tasks.

Each array also contains the definition of which states are available when the incident or task is in a specific state.

For example:

TASK_STATES: [{state:1, label:"Draft", choice:[1, 10]},
 {state:10, label:"Ready", choice:[10, 16]},
 {state:16, label:"Assigned", choice:[16, 18]},
 {state:18, label:"Work in Progress", choice:[18, 3]},
 {state:3, label:"Close Complete", choice:[]},
 {state:7, label:"Cancelled", choice:[]},
 ],

The example is an array of objects. Each object defines a state and possible transition states.

The order of the state's object determines the desired order for the flow.

When the task is in the 'Draft' state (value 1), possible states are: 1 (Draft, which is no change) and 10 (Ready, the next step in the process).

There is no limit on the number of transitions out of a state. The 'Close Complete' and 'Canceled' state are final states and therefore have no possible state transitions.

The order of the attributes in the object is not important. If it makes the definition clearer, put the label first.

Attributes

Required attributes in a state definition object are:

state: numerical value of the state
label: human readable text associated with the state
choice: an array of state values the state can transition to (determines the content of the state dropdown)

Optional attributes are:

mandatory: list of field IDs that become mandatory in this state
readonly: list of field IDs that become read-only in this state
visible: list of field IDs that become visible in this state
notmandatory: list of field IDs that become non-mandatory in this state
notvisible: list of field IDs that would no longer be visible in this state

Note:

If optional attributes are used, it is the author's responsibility to ensure that fields are made visible/invisible, mandatory/non-mandatory, visible/hidden, or readonly appropriately between states.

For example, hiding a field in one state does not make it visible in another state later unless the 'visible' attribute is used.

Process flow definition arrays

To define the information displayed in the process flow formatter (the bar at the top of the Security Incident and Response task forms), the system requires information on what to display for each state.

For example:

TASK_PF: [{label:"Draft", condition:"state=1^EQ", description:"<p>Security Incident Response Task is in draft</p>"},
 {label:"Ready", condition:"state=10^EQ", description:"<p>Security Incident Response Task is ready to be assigned</p>"},
 {label:"Assigned", condition:"state=16^EQ", description:"<p>Security Incident Response Task is assigned</p>"},
 {label:"Work in Progress", condition:"state=18^EQ", description:"<p>Work has started on this Security Incident Response Task</p>"},
 {label:"Closed", condition:"state=3^ORstate=4^ORstate=7^EQ", description:"<p>Security Incident Response Task is complete</p>"},
],

The TASK_PF array is a collection of labels, conditions, and descriptions used to determine the text displayed in the process formatter bar (including order and activity).

In the example, the text 'Ready' is the second item displayed. It is highlighted when the task satisfied the condition 'state=10^EQ'.

When the pointer hovers over the text, the description 'Security Incident Response Task is ready to be assigned' is displayed.

Note:

States can be combined to a single formatter state.

In the example, both the 'Close Complete' and the 'Canceled' states show up as 'Closed' in the top bar.

Method calls

The following methods must be present in the script include as they are used by sn_si.ProcessDefinition:


Return type	Method summary	Description
String	getInitialIncidentState: function()	return the initial incident state numerical value
String	getInitialTaskState: function():	return the initial task state numerical value
Array of string	getIncidentStates: function():	return the incident state's array
Array of string	getTaskStates: function():	return the task state's array
Array of objects	getIncidentProcessFlows: function():	return the incident process flow definition array
Array of objects	getTaskProcessFlows: function():	return the task process flow definition array

The next set of methods are called whenever an incident or a task is updated and allows actions to be taken on specific change transitions.


Return type	Method summary	Description
void	performIncidentStateChange: function(current, previous)	In the examples, this method is used to set SM-related values and ensure that an incident advances out of 'Draft' once someone is assigned to it.
void	performTaskStateChange: function(current, previous)	In the example, this method is used to update timestamps (on assignment and closing) and advance the task from 'Ready' to 'Assigned' once the assigned_to field is filled.

The same actions performed by these two methods can be accomplished using a business rule. By defining them in the script include, switching process definitions is made easier.

Correct an invalid security incident or task state with process definition

An administrator can correct the security incident or task to valid states, either manually or using a script. Available states vary based on the current state of the incident.

Before you begin

Role required: admin

About this task

After you have switched process definitions, the new definition may not support some of the old states. To correct the orphan incident or task states, you can change your process definition, edit your script include, or manually open each incident or task to update the state. Generally, updating the state (which can be done in bulk) is the easiest solution.

To change states in bulk, do the following:

Procedure

Navigate to Process Selection.
Highlight the State field for the incidents or tasks you want to change.
Double-click the first one, choose the new State, and click the green check mark () to change.
Click Update.

Previous topic

Next topic

Send feedback

Release version

Security Incident Response process definition