Test security incidents to initiate malware scan

  • Release version: Australia
  • Updated March 12, 2026

After you configure a profile for the malware scan, test the profile and view the security incidents that match the settings of your profile. Preview the scan results on the related lists of a ServiceNow AI Platform Security Incident Response (SIR) security incident.

    Before you begin

    Role required: sn_si.admin

    About this task

    As a user with the sn_si.admin role, verify that the profile with the malware scan capability is invoked and that the scan results match what you expect by previewing the related lists on a ServiceNow AI Platform Security Incident Response (SIR) security incident. The preview lets you validate that scan results are returned as expected for the profile.

    Procedure

    1. If the Test Incident page is not displayed, select Test Incident in the progress bar.
      The Test Incident page is displayed for your profile.
    2. To the right of the top field, select the search icon to select a security incident to display on the preview.
    3. In the Number column of the list that is displayed, select an item that you want to display in the preview.
      The security incident number is displayed in the field.
    4. Repeat steps 2 and 3 until all the incidents that you want to preview are displayed in the fields.
      Select up to five security incidents for the preview.
    5. Select McAfee ePO Preview.
      The security incidents that match the event conditions of your profile are displayed. After the page has loaded, on the bottom of the page, tabs are displayed for each security incident.
    6. Scroll to view the work notes.
      Note:
      The list threat events workflow is part of the scan. For more information about creating a profile with the malware scan capability, see Create a capability profile.
      Scans are sometimes scheduled to run after peak working hours to minimize their impact on users on the network, so a scan may not complete immediately. In this case, a security tag is displayed at the top of the security incident indicating that the scan is scheduled. Refer to the work notes for the status of the workflow. The work notes list when workflows start and when they are successfully completed.

      On the security incident, after the scan is successfully completed, the scheduled tag is automatically replaced by the completed tag.

    7. After you verify that the scan is successfully completed, on the security incident, scroll to view the Related Links and select Show all Related Lists.
      The Threat Event Results and Threat Event Details lists are displayed as tabs.
    8. If the Threat Event Details list is not selected, select it to view the results.
    9. Select an item in the Source column to open a record and view the enrichment data.
      The enrichment data includes the following information.
      • The CI field value that was matched during the scan.
      • Last Check-in Date with time zone. This data refers to when, in local time, the most current data was pulled from the McAfee ePO console.
      • Raw data

      You have verified that the scan workflow completed successfully for security incidents that matched the auto-trigger criteria that you set for this profile.

    10. Choose one to continue.
      Option     Description
      Previous   Return to the Configuration step for the profile. If you're not satisfied with the test and preview results, continue configuring the profile settings.
      Finish     Complete the configuration. You're prompted to confirm activation.