Activate Security Incident Response

Activate the Security Incident Response plugin and configure it based on the needs of your organization. This plugin is available as a separate subscription.

Before you begin

Role required: admin
Important: Application administration is enabled for Security Incident Response by default. If you are upgrading from a version earlier than Jakarta, verify whether you have added custom tables to Security Incident Response. If so, and those custom tables rely on global ACLs, you may need to recreate those global ACLs in the Security Incident Response scope after the upgrade. If you added custom roles or custom ACLs, retest them after the upgrade and ensure that the Assignable by attribute on the roles is set correctly to allow access to application administration.

About this task

Security Incident Response activates these related plugins if they are not already active.

Table 1. Plugins for Security Incident Response

Service Management Core [com.snc.service_management.core]
    Installs the core Service Management items that allow other service-related plugins to work, such as Field Service, Facilities, HR, Legal, Finance, Marketing and the custom app creator.

Task-Outage Relationship [com.snc.task_outage]
    Allows users to create an outage from an Incident form and a Problem form. Incidents and problems have a many-to-many relationship with outages.

Tree map [com.snc.treemap]
    Enables support for the treemap view in any application.

Threat Core [com.snc.threat.feeds]
    Provides observables table data from Threat Intelligence.

Security Support Orchestration [com.snc.secops.orchestration]
    Provides an integration of Security Operations with Orchestration to support workflow activities within Security Incident Response, Threat Intelligence or Vulnerability Response.

Security Incident Response support [com.snc.security_support.sir]
    Provides support functionality for use within the Security Incident Response application.

WebKit HTML to PDF [com.snc.whtp]
    Enables the instance to use the WebKit HTML to PDF service.

Note: Once the plugin is activated, log out and log back in to set the default view.

To purchase a subscription, contact your ServiceNow account manager. After purchasing the subscription, activate the plugin within the production instance.

Procedure

  1. Navigate to System Definition > Plugins.
  2. Find and click the plugin name.
  3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.

    If the plugin depends on other plugins, these plugins are listed along with their activation status.

    If the plugin has optional features that depend on other plugins, those plugins are listed under Some files will not be loaded because these plugins are inactive. The optional features are not installed until the listed plugins are installed (before or after the installation of the current plugin).

  4. (Optional) If available, select the Load demo data check box.

    Some plugins include demo data: sample records that are designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance.

    You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.

  5. Click Activate.

Lock down security administration (optional)

To protect investigations and keep security incidents private, you can restrict Security Incident Response access to security-specific roles and ACLs. Non-security administrators are then denied access unless you expressly allow them entry.

Before you begin

When the Security Incident Response application is activated, the System Administrator user is granted the sn_si.admin role by default. The System Administrator is the only administrator who can set up security groups and users.

A security role is required to have access to Security Incident Response features and records.

Role required: sn_si.admin

Procedure

  1. After the Security Incident Response plugin has been activated, a user with the admin role assigns the Security Admin (sn_si.admin) role to at least one user.
  2. The user with the admin role changes to the Security Incident scope.
  3. Navigate to System Applications > Applications.
  4. Click Downloads.
  5. Type security in the Search applications field.
  6. Click Security Incident.
  7. Scroll down to the Related Links and click Remove from the role contained by admin.
  8. Log out and log back in.
    The admin user can no longer access the Security Incident Response application.

Restricted Caller Access

The Restricted Caller Access feature enables an administrator to define cross-scope access to an application or application resource and allow or deny access requests. This feature is enabled in Security Incident Response by default so security analysts can protect sensitive security-related information.

A field called Caller access has been added to all tables and script includes in Security Incident Response, and the field defaults to Caller Tracking. This setting means that other application scopes are allowed access to Security Incident Response tables and script includes; however, a tracking record is created for each such access and stored in the Restricted Caller Access Privilege [sys_restricted_caller_access] table.
Note: Security administrators need to be careful before changing records from Caller Tracking to Caller Restricted. Records with this status cannot be accessed until an administrator manually allows access to them. The administrator must navigate to System Applications > Application Restricted Caller Access, locate the table or script include for which access has been requested, and change the Status field from Requested to Allowed.
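The two procedures above (removing Security Incident Response from the roles contained by admin, and reviewing Restricted Caller Access records) leave state in the instance that is worth auditing periodically. The following read-only script is an added example and is not ServiceNow's own code or part of this page: it builds Table API queries for the sys_user_has_role and sys_restricted_caller_access tables, then reports admin users who do not also hold sn_si.admin and cross-scope access records still in the Requested state. The instance name, credentials, the column names assumed on sys_restricted_caller_access (target_name, source_scope, status), dot-walked field names in sysparm_fields, and all sample records are assumptions or constructed values, not taken from the page.

```python
"""Audit helper for a locked-down Security Incident Response instance.

Added example (not ServiceNow code). Checks, both read-only:
  1. users holding the admin role but not sn_si.admin
  2. Restricted Caller Access records still in the Requested state
Assumed: instance name, credentials, the sys_restricted_caller_access
column names and dot-walked fields; sample rows below are constructed.
"""
import base64
import json
import urllib.request
from typing import Dict, List
from urllib.parse import urlencode


def table_api_url(instance: str, table: str, query: str, fields: List[str]) -> str:
    """Build a Table API GET URL with an encoded query and field list."""
    params = {
        "sysparm_query": query,
        "sysparm_fields": ",".join(fields),
        "sysparm_limit": "1000",
    }
    return f"https://{instance}/api/now/table/{table}?{urlencode(params)}"


def fetch_rows(url: str, user: str, password: str) -> List[Dict[str, str]]:
    """GET a Table API URL with HTTP basic auth and return the 'result' list.
    Not exercised offline; the two audit functions below take rows directly."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]


def admins_missing_sir_role(role_rows: List[Dict[str, str]]) -> List[str]:
    """role_rows: sys_user_has_role records with user.user_name and role.name.
    Returns user names that hold admin but not sn_si.admin, sorted."""
    roles_by_user: Dict[str, set] = {}
    for row in role_rows:
        roles_by_user.setdefault(row["user.user_name"], set()).add(row["role.name"])
    return sorted(u for u, roles in roles_by_user.items()
                  if "admin" in roles and "sn_si.admin" not in roles)


def pending_caller_access(rca_rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group Requested sys_restricted_caller_access records by source scope.
    Each value lists the SIR tables/script includes that scope asked for."""
    pending: Dict[str, List[str]] = {}
    for row in rca_rows:
        if row["status"].strip().lower() == "requested":
            pending.setdefault(row["source_scope"], []).append(row["target_name"])
    return {scope: sorted(targets) for scope, targets in pending.items()}


# Constructed sample rows standing in for Table API 'result' entries.
SAMPLE_ROLE_ROWS = [
    {"user.user_name": "admin", "role.name": "admin"},
    {"user.user_name": "admin", "role.name": "sn_si.admin"},
    {"user.user_name": "it.ops", "role.name": "admin"},
    {"user.user_name": "sec.lead", "role.name": "sn_si.admin"},
]
SAMPLE_RCA_ROWS = [
    {"target_name": "sn_si_incident", "source_scope": "x_acme_custom", "status": "Requested"},
    {"target_name": "sn_si_task", "source_scope": "x_acme_custom", "status": "Allowed"},
    {"target_name": "SecurityIncidentUtils", "source_scope": "global", "status": "requested"},
]

# Queries a live run would issue (instance name is a placeholder).
ROLE_QUERY_URL = table_api_url(
    "example.service-now.com", "sys_user_has_role",
    "role.nameINadmin,sn_si.admin", ["user.user_name", "role.name"])
RCA_QUERY_URL = table_api_url(
    "example.service-now.com", "sys_restricted_caller_access",
    "status=requested", ["target_name", "source_scope", "status"])

if __name__ == "__main__":
    print("Admins without sn_si.admin:", admins_missing_sir_role(SAMPLE_ROLE_ROWS))
    print("Pending cross-scope requests:", pending_caller_access(SAMPLE_RCA_ROWS))
```

Against a real instance, replace the sample rows with `fetch_rows(ROLE_QUERY_URL, user, password)` and `fetch_rows(RCA_QUERY_URL, user, password)` using an account that can read both tables; anything the second check reports is a scope whose access to Security Incident Response data is blocked until a security administrator changes the record's Status to Allowed.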