Post incident review report

Washington DC Security Management

Release

washingtondc

ft:locale

en-US

ft:publication_title

Washington DC Security Management

ft:clusterId

security

bundleId

security

workflow

Technology

Post incident review report

Release version: Washingtondc

Updated February 1, 2024

7 minutes to read

Summarize

Summarized using AI

Summary of Post Incident Review Report

The Post Incident Review (PIR) reports feature enables security administrators to create, configure, and download reports after resolving security incidents. Following configuration, a PDF report is generated and attached to the incident upon closure, provided the incident's status is updated to Review state. This functionality is available from Orlando Patch 9 onwards.

Show full answer Show less

Key Features

Report Templates: Security admins can customize templates by adding timelines, branding, and other relevant fields. Options include setting page size, margins, and including custom tokens.
Branding: Branding elements like headers, footers, and images can be added, with limitations on file sizes and text lengths to avoid overlaps.
Timeline Filters: Configure activity types for report inclusion, with options to include/exclude child tasks and images.
Template Scripts: Enable inclusion of related lists and other data in the report. Scripts can be customized for various data points, with technical limitations noted for optimal performance.
Report Configuration: Admins can set conditions for applying report templates to incidents, allowing for a structured reporting process.

Key Outcomes

By utilizing the PIR reports, ServiceNow customers can systematically document the response to security incidents, ensuring a thorough review process that enhances security posture. Proper configuration enables tailored reporting that meets organizational needs while adhering to technical limitations to ensure successful report generation.

The Post Incident Review (PIR) reports feature allows you to set up and download the post incident review reports using the Post Incident Review tab.

The security admin can create and configure the report templates and map those templates to the security incident using the report configuration. A security analyst can then view or download the report after the security incident is resolved and the status is updated to Review state.

A PDF report is generated and attached to the security incident when the incident is moved to the Closed state after successful configuration.

Note:

The reports feature is applicable and supported from Orlando Patch9.

To customize your post incident review reports, you must do the following configuration.

Report Templates: Customize and configure the following report template features to add additional information on the report:
1. Timeline
2. Branding
3. Template Scripts
Report Configuration

This section describes the configuration procedure:

Report Templates

Use  the  Report  Templates  section to create primary and additional report templates that are applied  to  the security incidents  to  generate  the  Post Incident Review  report. You can format  and  configure  the report based on your requirements. The templates also helps you to include the assessment details in the template.

Following are a few optional steps that can be performed while building the template:

Configuring the branding information.
Setting up the page size and page margin.
Adding any security incident related fields (both custom and standard).
Using the following predefined custom tokens:  
1. $sessionUser: returns  the logged in username
2. $date:  returns  the current date
3. $if_not_null_start & $if_not_null_end: if these tags are used against any fields then the tags are displayed only if the value exists.  For example:  
  - ${if_not_null_start:problem}
  - Problem Category: ${problem.category}
  - ${if_not_null_end:problem}
Including the related list data using the template scripts. For more information, see the section below on Template Scripts.
Including the timeline information using the Timeline Filters. For more information, see the section below on Timeline.
Managing and formatting the template content such as attachments, tables, and images.

Note:

The enhanced report template tool bar features are available only from the Paris release version.

Report templates key points:

The images attached to the report template are displayed on the Post Incident Review report only when they are included in the  sys_attachment  table. 
Note:
Images selected from the db_image table will not be displayed on the post incident review report.
Videos are not supported in the post incident review report.
The URL's in the PDF are non-clickable. To enable the URLs non-clickable (.) is denoted as (dot).
The report is not generated if the size of the report template exceeds 50MB. 
The font family selected for the report template content will not be applied to the PDF if it is not supported by the PDF generator.
Note:
If the corresponding font is not there, PDF generator will identify the alternative closest font and then generate the PDF.
If you provide higher page margin values, generate post incident review report is failed. For example, Top and Bottom margin > 450  and Left and Right margin > 450.
If a large text is included in the report template without spaces then the text may be truncated. Preview the text and modify it accordingly.

The security admin can preview the report using the Preview Report button available on the Report Template page.

Note:

Select a Security incident to preview a report with this template option and click Preview Report.

Branding

You can add the branding template name, header  and  footer image, header and footer text, generate page numbers, and include the branding record in the report template after it is created.

Following is a sample  branding report format:

Report template branding key points:

The maximum size allowed for the header and footer image is 5MB. If the size exceeds more than the specified limit then an error message, ‘Image format cannot be recognized’ is displayed in the security incident.
The footer text length is limited to 100 characters.
1. If the footer image text and report content is overlapped while previewing, you must make changes to the branding record.
2. If the footer text contains URL link, then it may overlap on to the footer image. Preview and correct it as required.

Timeline

Timeline configuration allows you to create and modify the timeline filters as required. You can  filter  the activity types that should be included in the report, configure if the child tasks should be included or excluded in the report, and configure if the images should be included or excluded in the report.

If you want to utilize and populate any timeline configuration, you must add the tag as mentioned below: ${timeline:timeline name}. Two  sample timeline  configurations  as an example are  provided  in the set up that are used in  the  Phishing Report template and Default Report template.  You can modify and reuse the configurations. 

Template Scripts

Use the template scripts to include the related lists data, date and time stamp, and any other data that are not directly dot-walkable. Following is an example:

Construct a template script to display the related list on report template:

To prepare the related list data, call PostIncidentReportUtils.fetchRelatedListDataForReport method.
To represent the step1 data in the table format and style, call ReportTemplateUtil.constructTablefunction method.

If you want to utilize and populate any template script, then you must add the tag template script tag as ${template_script:script name}.

Following are a few sample template scripts provided to configure and modify your post incident reports.

Table 1.
Script name	Description
formatted_current_date	Returns the current local date and time in the DDMMYYYY 00.00 AM or PM format. For example, 21 Jan 2021 3:51 PM PST.
si_affected_users	Returns the affected users from the related list in a tabular form.
si_assessments	Returns the post incident assessment results in a tabular form.
si_associated_phish_emails	Returns the associated phishing emails from the related list in a tabular form.
si_associated_phish_headers	Returns the associated phishing headers from the related list in a tabular form.
si_business_criticality	Returns color coded business criticality value.
si_malicious_observables	Returns the malicious observables from the related list in a tabular form.
si_observables	Returns the observables from the related list in a tabular form.
si_priority	Returns color coded priority value.
si_response_tasks	Returns the response tasks from the related list in a tabular form.
si_time_to_identify	Returns the duration spent in Draft and Analysis state.
si_time_to_resolve	Returns the time to resolve the incident.

Report template scripts key points:

If a related list is added with more than 5 columns, the table data is truncated during the PDF generation.  Each column minimum width is set to 124px.
If a template script is unable to load the content in the report template due to technical issues, an error message is displayed on the report, ‘Error while evaluating the template script’ and the security admin must evaluate the correctness of the script to resolve the issue.
si_assessments: By default, all the assessment categories are added to report. The security admin can filter  the data by modifying the template script as required. Add the categories: sys_id1,  sys_id2; parameter to filter the data.
Time to resolve and time to identify scripts: Use the definition records that are part of the metric related list. If the definition records are unavailable  for the security incident, then create or add those definition records to populate the values for the two fields.

Note:

By default, the Security Admin doesn’t have access to view the version records  of any table. You must add admin role to access the version records and revert to the previous version.

Report Configuration

Use the Report Configuration section to set up the conditions and apply the report templates to  the  Security Incidents. You can add one primary report and one or more additional report templates to the same condition.

Following is an example condition that is provided to apply the Phishing Report template to the Phishing category incidents and  the other  one to apply the Default Report template to all the security incidents.   The Default Report template would be applied to the security incidents  if the conditions are not met.

Procedure to turn off the new implementation

Deactivate the following business rules:
1. Generate PIR PDF
2. Create Knowledge On Closure New
Activate the following business rules:
1. Generate PIR when in Review and Close
2. Create Knowledge On Closure
3. [Regen PIR on closure/cancel/delete]
Activate the UI rule, Hide PIR field when empty.
Go to form layout in the security incident form. Under Post Incident Review section:
1. Remove PIR report picker from PIR section
2. Add Post Incident Report field to PIR section

Configure Post Incident Review (PIR) report properties for child security incidents

You have an option to configure the following two PIR report properties for child security incidents:

sn_si.generate_pir_report_for_child_si
sn_si.include_child_si_timeline_in_pir

Note:

Users with the System Administrator [admin] role can view the properties. Users with the Security Administrator [sn_si.admin] role can modify them.

Table 2. Configure PIR report properties for child security incidents
Property	Usage
sn_si.generate_pir_report_for_child_si	Option to enable the generation of Post Incident Review (PIR) reports for child security incidents. Type: true \| false Default value: false Location: Navigate to All > System Properties > All Properties.
sn_si.include_child_si_timeline_in_pir	Option to include the timeline of the child security incidents in the parent Security Incident's PIR report. Type: true \| false Default value: false Location: Navigate to All > System Properties > All Properties.