Test security incidents to initiate malware scan

  • Release version: Australia
  • Updated March 12, 2026
  • 3 minute read

    After you configure a profile for the malware scan, test the profile and view the security incidents that match the settings of your profile. Preview the scan results on the related lists of a ServiceNow AI Platform Security Incident Response (SIR) security incident.

    Before you begin

    Role required: sn_si.admin

    About this task

    As a user with the sn_si.admin role, verify that the profile with the malware scan capability is invoked and that the scan search results match what is expected with a preview of the related lists on a ServiceNow AI Platform Security Incident Response (SIR) security incident. The preview permits you to validate that scan results are returned as expected for the profile.

    Procedure

    1. If the Test Incident page is not displayed, click Test Incident in the progress bar.
      The Test Incident page is displayed for your profile. For this example, the Initiate Malware Scan profile you created and configured in the preceding sections is displayed.
      Test Incident page of a McAfee Capability Profile.
    2. To the right of the top field, click the search icon to select a security incident to display on the preview.
      Search symbol highlighted.

      Only security incidents that match the profile criteria are displayed.

    3. In the Number column of the list that is displayed, select an item that you want to display in the preview.
      List of security incidents.
      The security incident number is displayed in the field.
      Security incident number displayed in search field.
    4. Repeat steps 2 and 3 until all the incidents that you want to preview are displayed in the fields.
      Select up to five security incidents for the preview.
    5. Click McAfee ePO Preview.
      McAfee ePO Preview button highlighted.
      The security incidents that match the event conditions of your profile are displayed. After the page has loaded, on the bottom of the page, tabs are displayed for each security incident.
      Security incident displayed on tab.
    6. Scroll to view the work notes.
      Note:
      The list threat events workflow is part of the scan. For more information about creating a profile with the malware scan capability, see Create a capability profile.
      Work notes logging when capability tasks are initiated and successfully completed.
      Scans are sometimes scheduled to run after peak working hours to minimize their impact on users on the network, so the scan may not complete immediately. In this case, a security tag is displayed at the top of the security incident indicating that the scan is scheduled. Refer to the work notes for the status of the workflow. The work notes list when workflows start and when they are successfully completed. For this example, the work notes in the following figure show that the scan started and that it successfully completed. The List Threat Events capability was also started and successfully completed as part of the scan.
      The following figure shows an example of a security tag on the related security incident.
      On security incident, McAfee ePO Scan Scheduled security tag.

      On the security incident, after the scan is successfully completed, the scheduled tag is automatically replaced by the completed tag.

      On security incident, McAfee ePO Scan Complete security tag.
    7. After you verify that the scan is successfully completed, on the security incident, scroll to view the Related Links and click Show all Related Lists.
      Show All Related Lists link highlighted.
      The Threat Event Results and Threat Event Details lists are displayed as tabs.
    8. If the Threat Event Details list is not selected, select it to view the results.
      Threat Event Results tab with results selected.
    9. Click an item in the Source column to open a record and view the enrichment data.
      Threat Event Result record.
      The enrichment data includes the following information.
      • The CI field value that was matched during the scan.
      • Last Check-in Date with time zone. This data indicates when, in local time, the most current data was pulled from the McAfee ePO console.
      • Raw data

      You have verified that the scan workflow completed successfully for security incidents that matched the auto-trigger criteria that you set for this profile.

    10. Choose one to continue.
      Option      Description
      Previous    Return to the Configuration step for the profile. If you are not satisfied with the test and preview results, continue configuring the profile settings.
      Finish      Complete the configuration. You are prompted to confirm activation.