Create a security incident from the Security Incident list
- Updated Apr 17, 2024
- Release: Washington DC
In addition to automatic methods for creating security incidents, you can create them manually, as needed.
Before you begin
Role required: sn_si.basic
Procedure
- Navigate to any security incident list (for example, All > Security Incident > Incidents > Show All Incidents).
- Click New.
- On the form, fill in the fields.
The fields on the form are as follows.
- Select security tag: If needed, select a Security tag to add metadata to the record or identify who should have access to this security incident record. This field appears only after the security incident has been saved.
- Number: [Read only] The security incident number.
- Requested by: The person requesting the work to be performed.
- Configuration Item: The server, computer, router, or other configuration item affected by the security issue.
- Affected user: The person affected by the security issue.
- Location: The location of the requester or resource. If a Configuration Item is not selected, this field is pre-filled with the location of the requester.
- Category: The category that identifies the type of security issue. If a category is selected, a workflow for analyzing this issue is executed when the record is saved. For example, if you select Denial of Service, the Security Incident - Denial of Service - Template workflow is executed.
- Subcategory: The subcategory that further defines the issue.
- Opened: [Read only] Displays the date and time the incident was opened.
- State: The current state of the security incident. Upon security incident creation, this field defaults to Draft.
- Substate: Identifies whether the security incident includes a pending problem or change.
- Source: Identifies the source of the security incident, such as email, a phone call, or network monitoring.
- Alert Sensor: The security integration through which you ingest the alert or event data, such as CarbonBlack, CrowdStrike, McAfee, and so on.
- Alert Rule: The rule in the security product that triggered the creation of this security incident.
- Risk score: Displays the risk score calculated for this security incident. The value is based on the priority of the security incident, the type of security incident (Denial of Service, Spear Phishing, or Malicious code activity), and the number of sources that triggered a failed reputation score on an indicator. The risk score aids in prioritizing security incident work for analysts. Three security incident properties allow you to further designate a color-coded dot that appears next to the risk score in list view, to make incidents easier to identify.
  If you change certain fields in the security incident, such as Business impact or Priority, and save the record, the Risk score is automatically recalculated and displayed. The change is also reflected in the work notes and on the Risk Score Audits related list.
  Note: The risk score is also recalculated when affected users, affected services, or vulnerable items are associated with a security incident.
  You can also manually enter a new Risk score. This can be useful if you want to keep a particular security incident at the top of the list of security incidents you are analyzing. If you enter a new Risk score, the Risk score override check box is selected automatically. Regardless of the changes made in the security incident, a manually entered risk score is not automatically recalculated.
  Note: If you have upgraded your instance from a prior release, risk scores were calculated for all of your open security incidents. For more information, see Understanding security incident calculators.
- Risk score override: Select this check box to override the automatic update of the risk score. The override is reflected in the work notes.
- Business impact: Select the importance of this security incident to your business. The default value is Non-critical. If, after the security incident record has been saved, you change the value in the Priority and/or Risk fields, the Business impact is recalculated.
- Priority: Select the order in which to address this security incident, based on the urgency. If this value is changed after the record is saved, it can affect the Business impact calculation.
- Assignment group: The group to which this security incident is assigned.
- Assigned to: The individual assigned to analyze this security incident. Assignments can be performed manually or automatically. For more information, see Assigning security analysts.
- Short description: A brief description of the security incident.
- Knowledge results: As you type the short description, links to related articles from the knowledge base appear. Scanning the information could solve your issue.
- Right-click in the record header and select Save.
If you added a new CI to the security incident, the following integration workflows are automatically executed:
- Security Operations - Get Running Processes Flow. This workflow retrieves a list of running processes on a configuration item (CI) from a host or endpoint.
- Security Incident Response - Get Running Services Flow. This workflow retrieves a list of running services from Windows-based CIs.
- Security Operations Integrations - Get Network Statistics workflow. This workflow retrieves a list of active network connections from a host or endpoint.
- To view the information retrieved by these workflows, click the Show Enrichment Data related link, and then click any of the indicated tabs.
Note: Additional workflows are executed based on the third-party integrations you have activated, as follows:
- Tanium Endpoint Platform integration: Tanium - Get Running Processes workflow
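The Risk score rules described in the field list above (automatic recalculation on save, the override check box, and the audit trail) modelled in plain JavaScript. This is an added example, not ServiceNow's own code or API; the weights in calculateRiskScore() are a constructed stand-in, since the page names the inputs but not the real calculator.

```javascript
// Added illustration, not ServiceNow code: a plain-object model of the
// risk-score rules described above. The weights in calculateRiskScore() are
// a constructed stand-in; the page names the inputs, not the real formula.
const PRIORITY_WEIGHT = { 1: 40, 2: 30, 3: 20, 4: 10, 5: 5 };
const CATEGORY_WEIGHT = { "Denial of Service": 20, "Spear Phishing": 30,
  "Malicious code activity": 25 };
// Saving a change to any of these fields triggers a recalculation.
const RECALC_TRIGGERS = ["business_impact", "priority", "affected_users",
  "affected_services", "vulnerable_items"];

function calculateRiskScore(inc) {
  const p = PRIORITY_WEIGHT[inc.priority] || 0;
  const c = CATEGORY_WEIGHT[inc.category] || 0;
  // Each source that returned a failed reputation score on an indicator adds 5.
  const s = 5 * (inc.failed_reputation_sources || 0);
  return Math.min(100, p + c + s);
}

// New record: State defaults to Draft, Business impact to Non-critical.
function newIncident(fields) {
  const inc = { state: "Draft", business_impact: "Non-critical",
    risk_score_override: false, work_notes: [], risk_score_audits: [], ...fields };
  inc.risk_score = calculateRiskScore(inc);
  return inc;
}

// Apply field changes as a save and return the updated record (input untouched).
function saveIncident(inc, changes) {
  const rec = { ...inc, work_notes: [...inc.work_notes],
    risk_score_audits: [...inc.risk_score_audits] };
  const before = rec.risk_score;
  Object.assign(rec, changes);
  if ("risk_score" in changes) {
    // A manually entered score selects the override box automatically.
    rec.risk_score_override = true;
    rec.work_notes.push(`Risk score manually set to ${rec.risk_score} (override on)`);
    return rec;
  }
  const triggered = RECALC_TRIGGERS.some((f) => f in changes);
  if (triggered && !rec.risk_score_override) {
    rec.risk_score = calculateRiskScore(rec);
    if (rec.risk_score !== before) {
      rec.work_notes.push(`Risk score recalculated: ${before} -> ${rec.risk_score}`);
      rec.risk_score_audits.push({ from: before, to: rec.risk_score });
    }
  }
  return rec;
}
```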
Related Content
- Security Incident Response setup
Setup for Security Incident Response involves some mandatory steps and several optional steps, depending on your specific requirements. After you have downloaded Security Incident Response from the ServiceNow Store and installed it, you are ready to run the Setup Assistant to perform basic configuration for Security Incident Response and third-party integrations.