Security Incident Response playbook actions

  • Release version: Australia
  • Updated March 12, 2026

    This section describes the actions provided in the Flow Designer action library.

    Each action is listed with its description, an example scenario where the page gives one, and its inputs and outputs.

    Add a security tag to the security incident
    • Description: Use this action to add a security tag automatically using Flow Designer logic.
    • Example scenario: If the flow detects an IOC, the IOC Detected tag can be added automatically using this action.


    • Input: security incident, security tag
    • Output: not applicable
    Add observables to the security incident
    • Description: Use this action to add observables to a selected security incident.
      • By default, the observables in the input are separated by the comma (,) delimiter, but this can be changed: you can specify any other single special character as the delimiter.
      • When the observables are added to the security incident, the observable type (URL, IP address, hash) is set automatically.
      • When the Filter Allowed list Observables option is set, allowed list observables are identified while the observables are being added and are not added to the security incident's Observables related list. An automated system activity (response) is added to record that these observables were removed.
    • Input:
      • security incident
      • observables
      • delimiter
      • filter allowed list observables and post activity note
    • Output: not applicable
    Get affected users (Related Lists) from multiple security incidents V1
    • Description: Retrieves all the affected users listed in the Affected Users related list of the specified security incidents.
    • Example scenario: You may have parent security incidents with multiple child security incidents. Use this action to roll up affected users from all the child security incidents to the corresponding parent security incidents. Only unique affected users are rolled up; duplicates are eliminated.
    • Input: security incidents
    • Output:
      • affected user
      • count
    Get affected users from multiple security incidents
    • Description: Retrieves the primary affected user of each specified security incident. It does not include the users listed in the Affected Users related list.
    • Example scenarios:
      • While investigating a phishing security incident, send an email to the primary affected users (who reported the phishing email) to confirm whether any of them clicked the malicious links in the email.
      • Update the parent security incident severity or risk score based on the count of primary affected users.
    • Input: security incidents
    • Output:
      • affected users
      • count
    Get affected users (related list) from a security incident
    • Description: Retrieves all the affected users listed in the Affected Users related list of the specified security incident.
    • Input: security incidents
    • Output:
      • affected users
      • count
    Add affected users to security incident
    • Description: Adds the given users to the Affected Users related list of a security incident.
    • Example scenario: Suppose you have a parent security incident with multiple child security incidents. You can use this action to roll up affected users from all the child security incidents to the corresponding parent security incident. Only unique affected users are rolled up; duplicates are eliminated.
    • Input:
      • security incident
      • user
    • Output: not applicable
    Get configuration items of the affected users
    • Description: Retrieves the configuration items (CIs) of all the given affected users.
    • Example scenario: In phishing or malware scenarios, use this action to populate the Affected Configuration Items (CI) related list and investigate those CIs. You can then update the severity or risk score of the security incident based on the number of identified CIs.
    • Input: users
    • Output:
      • configuration items
      • count
    Get all child security incidents for a security incident
    • Description: Retrieves all child security incidents of a specific parent security incident, optionally restricted to children in a given incident state.
    • Example scenarios:
      • Update the state of the child security incidents when the state of their parent security incident is updated.
      • Update the severity or risk score of the parent security incident automatically based on the number of child security incidents.
    • Input:
      • security incident
      • incident state
    • Output:
      • child security incident
      • count
    Get configuration items for the observables (type IP address)
    • Description: Retrieves all configuration items (CIs) associated with observables of type IP address.
    • Example scenario: An IP address observable can be associated with a configuration item, for example the IP address of a server. Use this action to retrieve the server's CI record for the investigation.
    • Input: observable ip address
    • Output:
      • configuration items
      • count
    Is observable malicious
    • Description: Confirms whether one or more observables in a set of observables are malicious.
    • Example scenario: After the threat lookup has completed and malicious observables have been identified, increase the severity or risk score of the security incident.
    • Input: security incident
    • Output: malicious (true/false)
    Send email to confirm user interaction
    • Description: Sends an email asking a user to confirm an action and branches on the user's response.
    • Example scenario: If a user fails to log in to an application several times, this results in a failed login scenario. In this case, an email is sent to the user to confirm whether the user attempted to log in. Depending on the user's response (Yes or No), different actions can be taken.
    • Flow: Failed Login Manual playbook

    Filter out allowed list observables
    • Description: Use this action to identify allowed list observables in a given set of observables. Observables you have allow-listed can be ignored, and they are not taken into account while resolving the security incident.
    • Input: security incident
    • Output:
      • allowed list observables
      • count
    Reset password for affected users
    • Description: Use this action to reset the password of the affected users.
    • Example scenario: If a user account has been compromised or a user requests a password reset, an email is sent to the user to reset the password.
    • Flow: Failed Login Manual playbook

    Get user group for affected user
    • Description: Retrieves the user group details of the given affected users.
    • Example scenario: If two or more users in an organization report phishing emails, find out which group they belong to and check whether more users in that group have been affected.
    • Input: user
    • Output:
      • user groups
      • count