Prerequisites for the Playbooks
- Updated Jan 30, 2025
- Yokohama
- Security Incident Response
You need the following role and plugins to build playbooks.
Role required: admin.
- Enable the Process Automation Designer (PAD) [com.glide.pad.license] plugin.
- Enable the following plugins for a playbook experience:
  - com.playbook_experience
  - now_playbook_exp
  - com.glide.playbook_experience.config
- Enable the Security Operations spoke [com.snc.secops.spoke] to access flows.
- Enterprise Security Case Management PAD Commons.
Make sure that you have read the platform documentation on Playbook Experience and Process Automation Designer before you start with this guide.
Related Content
- Working with Security Incident Records
The Security Incident Record consists of the following.
- Security Incident Playbook
Invoke the security incident playbook flow automatically or manually.
- Rebuilding existing playbooks in Workflow Studio
You can’t convert existing flows directly into playbooks in Workflow Studio. Each flow designer step that creates a response task to guide the analyst must be broken down into separate actions or subflows.
- Activity Definitions
The ServiceNow AI Platform provides a few activity definitions within the base system. In addition, for the SIR Workspace playbooks in the base system, a few activity definitions are defined under the Enterprise Security Case Management PAD Commons application.
- Sample Playbooks for SIR Workspace
You can create or configure playbooks for SIR Workspace quickly and easily without writing complicated code. You can use these playbooks to resolve security threats in a step-by-step manner. You can invoke the security incident playbook flow automatically or manually.
- Working with MSI Records
Using the Security Incident Response workspace, you can propose, promote, or link security incidents as major security incidents when the incidents are identified as a critical threat to the organization.
- Working with Form UI actions
The following UI actions are displayed on the security incident form.
- Security Incident Closure workflow
Close the security incident by updating the incident state.