Security Incident Reconnaissance workflow template

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read

    • Reconnaissance is usually a preliminary step toward a further attack seeking to exploit a device or system. The Security Incident - Reconnaissance - Template allows you to perform a series of tasks designed to handle reconnaissance on your network.

    Before you begin

    Role required: sn_si.write

    About this task

    The workflow is triggered when the Category in a security incident is set to Reconnaissance activity. This action causes a response task to be created for the first activity in the workflow.

    Figure 1. Reconnaissance activity
    Reconnaissance workflow template

    Procedure

    1. Open the security incident for this potential attack, or create a new security incident.
    2. In Category, select Reconnaissance activity.
    3. Save the record.
    4. Scroll down and open the Response Tasks related list.
      The first of a series of response tasks appears. Each time the record is saved, your response to the previous task either causes the next response task to be created or the workflow to end.
      Table 1. Response tasks in Reconnaissance Template
      Response task Action Results
      Reconnaissance activity verified? Determine whether any observed reconnaissance has been verified.

      In the task, select Yes or No in Outcome.

      		 If you select Yes, the Identify impacted systems task is executed.

      If you select No, the flow ends.
      Identify impacted systems Determine the systems impacted by the reconnaissance. When this task is complete, the Allow reconnaissance for law enforcement analysis? task is executed.
      Allow reconnaissance for law enforcement analysis? Determine whether you want the reconnaissance to be analyzed by law enforcement agencies.

      In the task, select Yes or No in Outcome.

      		 If you select Yes, the Law enforcement process task is executed.

      If you select No, the Update system(s) to prevent reconnaissance task is executed.
      Law enforcement process Perform the law enforcement process as defined by your company. When this task is complete, the Update system(s) to prevent reconnaissance task is executed.
      Update system(s) to prevent reconnaissance Perform the steps necessary to update the systems affected by the reconnaissance. When this task is complete, the Set state to review task is executed.
      Set state to review No action required. The State of the security incident is changed automatically to Review, and the Lessons learned meeting task is executed.
      Lessons learned meeting Conduct a lessons learned meeting to triage the work performed for this reconnaissance incident.

      Update the State field in the task as appropriate.

      		 When this task is complete, the flow ends.