Activate and configure SIR (pre-London Patch 5)

For versions prior to London Patch 5: Activate the Security Incident Response [com.snc.security_incident] plugin and configure it based on the needs of your organization. This plugin is available as a separate subscription.

Before you begin

Role required: admin

About this task

Security Incident Response activates these related plugins, if they are not already active.
Table 1. Plugins for Security Incident Response

| Plugin | Description |
|---|---|
| Service Management Core | Installs the core Service Management items used to allow other service-related plugins to work, such as Field Service, Facilities, HR, Legal, Finance, Marketing and the custom app creator. |
| Task-Outage Relationship | Allows users to create an outage from an Incident and a Problem form. Incidents and problems have a many-to-many relationship with outages. |
| Tree map | Enables support for treemap view on any applications. |
| Threat Core | Observables table data from Threat Intelligence. |
| Security Support Orchestration | Provides an integration of Security Operations with Orchestration to allow the facilitation of workflow activities within Security Incident Response, Threat Intelligence or Vulnerability Response. |
| Security Incident Response support | Provides support functionality for use within the Security Incident Response application. |
| WebKit HTML to PDF | Enables the instance to use the service WebKit HTML to PDF. |

Note: After the plugins are activated, log out and log back in to set the default view.

To purchase a subscription, contact your ServiceNow account manager. After purchasing the subscription, activate the plugin within the production instance.


  1. Navigate to System Definition > Plugins.
  2. Find and click the plugin name.
  3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.

    If the plugin depends on other plugins, these plugins are listed along with their activation status.

    If the plugin has optional features that depend on other plugins, those plugins are listed under "Some files will not be loaded because these plugins are inactive." The optional features are not installed until the listed plugins are installed (before or after the installation of the current plugin).

  4. (Optional) If available, select the Load demo data check box.

    Some plugins include demo data, which are sample records designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance.

    You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.

  5. Click Activate.

Lock down security administration (optional)

To protect investigations and keep security incidents private, you can restrict Security Incident Response access to security-specific roles and ACLs. Non-security administrators can be restricted from access, unless you expressly allow them entry.

Before you begin

When the Security Incident Response application is activated, the System Administrator user is granted the sn_si.admin role by default. The System Administrator is the only administrator who can set up security groups and users.

A security role is required to have access to Security Incident Response features and records.

Role required: sn_si.admin


  1. After the Security Incident Response plugin has been activated, a user with the admin role assigns the Scoped Admin (sn_si.admin) role to at least one user.
  2. The user with the admin role changes to the Security Incident scope.
  3. Navigate to System Applications > Applications.
  4. Click Downloads.
  5. Type security in the Search applications field.
  6. Click Security Incident.
  7. Scroll down to the Related Links and click Remove from the role contained by admin.
  8. Log out and log back in.
    The admin user cannot access the Security Incident Response application.
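
A pre-check for the lockout risk in this procedure, as an added example that is not ServiceNow's code: it reads rows exported from the sys_user_has_role table and confirms that at least one active user holds sn_si.admin through a direct grant before the role is removed from admin. The sample rows are constructed, and the column names (user.user_name, user.active, role.name, inherited) are assumptions about how the export was requested.

```javascript
// Added example (not ServiceNow code). CONSTRUCTED rows shaped like an export
// of sys_user_has_role; the dot-walked column names are assumptions.
const sampleRows = [
  { 'user.user_name': 'admin', 'user.active': 'true',  'role.name': 'admin',       inherited: 'false' },
  { 'user.user_name': 'admin', 'user.active': 'true',  'role.name': 'sn_si.admin', inherited: 'true'  },
  { 'user.user_name': 'itops', 'user.active': 'true',  'role.name': 'admin',       inherited: 'false' },
  { 'user.user_name': 'itops', 'user.active': 'true',  'role.name': 'sn_si.admin', inherited: 'true'  },
  { 'user.user_name': 'jdoe',  'user.active': 'true',  'role.name': 'sn_si.admin', inherited: 'false' },
  { 'user.user_name': 'mlee',  'user.active': 'false', 'role.name': 'sn_si.admin', inherited: 'false' },
];

const isTrue = (v) => String(v).toLowerCase() === 'true';

// Classify every holder of `role` by how the grant would fare once the role
// is no longer contained by admin.
function lockdownPrecheck(rows, role = 'sn_si.admin') {
  const direct = new Set();     // active users with an explicit grant
  const inherited = new Set();  // active users holding the role only by inheritance
  const inactive = new Set();   // grants (of either kind) on disabled accounts

  for (const row of rows) {
    if (row['role.name'] !== role) continue;
    const user = row['user.user_name'];
    if (!isTrue(row['user.active'])) { inactive.add(user); continue; }
    (isTrue(row.inherited) ? inherited : direct).add(user);
  }
  // A user with both an inherited and a direct grant keeps access.
  for (const user of direct) inherited.delete(user);

  return {
    safe: direct.size > 0,               // someone can still administer SIR
    survivors: [...direct].sort(),
    // Inherited grants may come from admin or from a group; review each one.
    needsReview: [...inherited].sort(),
    inactiveGrants: [...inactive].sort(),
  };
}

console.log(lockdownPrecheck(sampleRows));
```

If safe is false, complete step 1 for a named security administrator before removing the role from admin.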

Restricted Caller Access

The Restricted Caller Access (RCA) feature enables an administrator to define cross-scope access to an application or application resource and allow or deny access requests. This feature is enabled in Security Incident Response by default so security analysts can protect sensitive security-related information.

A field called Caller access has been added to all tables and script includes in Security Incident Response, and the field defaults to Caller Tracking. This setting means that application scopes are allowed access to Security Incident Response tables and script includes. However, a tracking record is created for each record and stored in the Restricted Caller Access Privilege [sys_restricted_caller_access] table.

Note: Take care when changing records from Caller Tracking to Caller Restricted. Records with this status cannot be accessed until an administrator manually allows access to them. The administrator must navigate to System Applications > Application Restricted Caller Access, locate the table or script include for which access has been requested, and change the Status field from Requested to Allowed.

Components installed with Security Incident Response

Several types of components are installed with activation of the Security Incident Response plugin, including tables, user roles, and scheduled jobs.

Note: To view all other components installed with this plugin, see the Application Files table. For instructions, see Find components installed with an application.

Demo data is available for this feature.

Roles installed

| Role title [name] | Description | Contains roles |
|---|---|---|
| security admin | Full control over all Security Incident Response data. Also administers territories and skills, as needed. Note: In the base system, the administrator also has access to sn_si.admin. Security Incident Response can be restricted from the administrator as long as at least one other user is assigned the security administrator role. | catalog_admin, skill_admin, skill_model_admin, sn_si.analyst, sn_si.manager, sn_si.knowledge_admin, template_admin, template_editor_global, territory_admin, treemap_admin, user_admin |
| security basic | Underlying role for basic Security access. Users with this role can create and update security incidents, requests, and tasks, as well as problems, changes, and outages related to their incidents. | document_management_user, grc_user (if the GRC: Risk plugin is activated), inventory_user, pa_viewer, service_fulfiller, skill_user, task_activity_writer, task_editor, treemap_user |
|  | View and manipulate the CISO dashboard. Also, if the Vulnerability Response plugin is activated, users with this role can add vulnerability significance definition treemaps to the dashboard. | pa_viewer |
|  | External users can view tasks assigned to them. | service_fulfiller |
| integration user | External tools can provide new security incident records and update security incident records. | import_transformer |
| knowledge admin | Manage, update, and delete the information in the Security Incident knowledge base. | knowledge_admin |
|  | Same access as security analysts. | sn_si.basic |
|  | Read security incidents. | grc_compliance_reader (if the GRC: Risk plugin is activated) |
| special access | Provides access to specific security incidents to users outside of the Security Operations organization. | N/A |

Scheduled jobs installed

| Scheduled job | Description |
|---|---|
| Lookup Security Incident Observables | Performs a lookup for observables on a user-defined schedule. |

Tables installed

| Table | Description |
|---|---|
| News Feed Configuration | Configuration records used to define the content displayed in the security incident news feed. |
| Post Incident Review Assignment Rule | Automates selection of participants of a post incident review survey when a security incident is closed. |
| Security Incident | Stores a security incident, the responses to the incident, all linked tasks, changes, problems, and incidents related to this security incident. |
| Security Incident Attack Vectors | Attack vector options. |
| Security Incident Audit Log | Stores security incident enrichment audit logs. |
| Security Incident Calculator | A calculator to set certain security incident fields when certain conditions are met. |
| Security Incident Calculator Group | A grouping of security incident calculators. The order of the calculator group determines which group is evaluated first, and in each group, one calculator at most is used. |
| Security Incident Enrichment Firewall | Extends from the base table (sn_sec_cmn_enrichment_data_base) and includes all enrichment records specific to Palo Alto Networks Firewall. |
| Security Incident Enrichment Malware Results | Extends from the base table (sn_sec_cmn_enrichment_data_base) and includes all enrichment records specific to malware. |
| Security Incident Enrichment Network Statistics | Extends from the base table (sn_sec_cmn_enrichment_data_base) and includes all enrichment records specific to network statistics. |
| Security Incident Enrichment Running Processes [sn_si_enrichment_running_processes] | Extends from the base table (sn_sec_cmn_enrichment_data_base) and includes all enrichment records specific to running processes. |
| Security Incident Enrichment Running Services | Extends from the base table (sn_sec_cmn_enrichment_data_base) and includes all enrichment records specific to running services. |
| Security Incident Email Search | Maps email search records to security incidents. |
| Security Incident Import | Import table for security incidents. Used to create security incidents from external systems. |
| Security Incident Process Definition | Stores configuration for Security Incident process flows. |
| Security Incident Process Definition Selector | Stores the Security Incident Process Definition to use for security incidents. |
| Security Incident Related Customer Service Case | Maps customer service cases and security incidents. |
| Security Incident Related Enrichment Data | Maps security incidents and related enrichment data records. |
| Security Incident Response Task | Manages subtasks related to handling a security incident. These tasks can be assigned to security personnel, or to people in other departments, to manage interdepartmental communication and task tracking. |
| Security Incident Response Task Template | Used to create a Security Incident Response task. These templates are often used in catalog entries, to automatically create a set of appropriate subtasks for a particular type of security incident. |
| Security Incident Runbook Document | Associates security incident conditions or filters with a knowledge article. Used to specify runbook procedures for security incident remediation. |
| Security Incident Template | Used to create a security incident. These templates are often used in catalog entries to create a prebuilt security incident. |
| Security Request | A security-related request to the security team. |
| Security Scan Request | A request for a threat lookup. |
| Severity Calculator | Defines the severity, impact, risk, and criticality values for a security incident. |
| Task Affected User | A many-to-many table associating security incidents with affected users. |
| Template Workflow Activity Outcome Evaluator | Maps a capability with an evaluation script. A new subflow can be added to a template workflow to set a response task outcome rather than having an analyst manually set it. |

Manually configure Security Incident Response

If you are an administrator in the global domain, you can configure how Security Incident Response handles day-to-day operations.

Before you begin

Role required: sn_si.admin

These options are standard to many service management applications, and as such, they use service management terminology. For example, Request is used for the main task (that is, the security incident) and Task is used for subtasks or Response Tasks.

If you are an administrator in a domain lower than the global domain, you can view the Configurations screen, but cannot modify the settings.


  1. Navigate to Security Incident > Administration > Configuration.
    The options for configuring the applications are organized under these tabs:
    • The Business Process tab contains options for setting up the request life cycle, creating catalogs and requests, and configuring notifications.
    • The Assignment tab contains options for setting up manual and auto-assignment.
    • The Add-ons tab contains options for enabling the knowledge base, managed documents, and task activities.
  2. Fill in the fields on the Business Process tab.
    Table 2. Configuration screen: Business Process tab

    | Field | Description |
    |---|---|
    | Work notes are required to close or cancel a request or task | Enable this option to require the user to enter work notes before a security incident or response task can be closed or canceled. |
    | Copy task work notes to request | Enable this option to synchronize response task work notes with the work notes on the security incident. When work notes are added to the task, the same work notes appear in the parent security incident. |
    | Catalog and Request Creation | |
    | Create or update requests by inbound email | Enable this option to create or update security incidents from inbound emails. |
    | Requests are created using | Select catalog or regular form to activate the catalog and enable automatic publishing of security incident templates to the catalog. Select regular form only to deactivate the catalog and disable automatic publishing of security incident templates to the catalog. |
    | Templates create a dedicated catalog item | Enable this option to activate automatic publishing of catalog items for the application. |
    | For a request or task, when the selected field changes, send notification to recipients | You can configure notifications to be sent to specific recipients when selected fields in security incidents and response tasks change. (1) From Table, select Request (security incident) or Task (response task). (2) From Field, select the field to use for generating notifications. When a change is made to the selected field, a notification is sent to the identified recipients. (3) From Recipients, select one or more recipients. (4) If you select a specific user or a specific group, you are prompted to select a user or group. (5) To define more notifications using other fields or recipients, repeat the preceding steps for the next set of notification settings. (6) To remove a notification, click the delete notification icon to the right of the notification. |

  3. Click the Assignment tab and fill in the fields.
    Table 3. Configuration screen: Assignment tab

    | Field | Description |
    |---|---|
    | Assignment method for requests | Select the method for assigning security incidents. using auto-assignment: Security incidents are automatically assigned. using a workflow: Security incidents are assigned by the selected workflow. manually: Security incidents are manually assigned. |
    | Use this workflow to assign requests | Select the workflow for dispatching security incidents. This field appears when using a workflow is selected from the Assignment method for requests list. |
    | Assignment method for tasks | Select the method for assigning response tasks. using auto-assignment: Response tasks are automatically assigned. using a workflow: Response tasks are assigned by the selected workflow. manually: Response tasks are manually assigned. |
    | Use this workflow to assign tasks | Select the workflow for assigning response tasks. This field appears when using a workflow is selected from the Assignment method for tasks list. |
    | Assign requests or tasks based on assignment group coverage areas | Enable this option to limit the assignment of security incidents and response tasks to groups that cover the location of the task. |
    | Auto-selection of agents consider time zone for tasks | Enable this option to consider the time zone of the agent when assigning a task. This field appears when auto-assignment is selected for security incidents or response tasks. |
    | Additional Factors | |
    | Auto-selection of agents consider location of agents | Enable this option to give preference to agents who are closer to the task location, when assigning any tasks. This field appears when auto-assignment is selected for security incidents or response tasks. |
    | Auto-selection of agents for tasks requires them to have skills | Select the degree to which agent skills must be matched to a task when determining auto-assignment. Select all to require that an assigned agent must have all the skills to perform the task; an agent who lacks even one skill is eliminated. Select some if you want agents who have most of the skills required to perform the task. Select none if you want to auto-assign agents without taking skills into account. This field appears when auto-assignment is selected for security incidents or response tasks. |
    | Auto-selection attempt to assign the same agent to all tasks in a request | Enable this option to auto-assign all response tasks for a security incident to the same agent. |

  4. Click the Add-ons tab and fill in the fields.
    Table 4. Configuration screen: Add-ons tab

    | Field | Description |
    |---|---|
    | Enable a dedicated knowledge base | Enable this option to activate the knowledge base for Security Incident Response. |
    | Enable managed documents | Enable this option to add a related list to managed documents. |
    | Enable task activities | Enable this option to log task interactions and communications, such as phone calls and email messages. |

  5. Click Save.