Security Incident Response playbook actions
Summarize
Summarized using AI
This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.
Summary of Security Incident Response Playbook Actions
The Security Incident Response playbook actions in the Flow Designer action library enable automated responses to security incidents. These actions streamline the management of incidents, observables, and affected users, enhancing the efficiency of incident response workflows.
Show less
Key Features
- Add a Security Tag: Automatically adds tags (e.g., IOC Detected) to security incidents based on flow logic.
- Add Observables: Integrates observables into incidents, automatically categorizing them by type (URL, IP address, hash) and filtering out allowed list observables.
- Retrieve Affected Users: Gathers affected users from multiple child incidents to parent incidents, ensuring unique entries.
- Get Configuration Items: Identifies configuration items (CIs) related to affected users, assisting in incident investigation.
- Child Incident Management: Retrieves child incidents related to a parent, facilitating updates and severity adjustments.
- Malicious Observable Check: Confirms if any observables are malicious, informing severity adjustments for incidents.
- Email Confirmation: Sends emails to users for verification in scenarios like failed logins, enabling responsive actions.
- Password Reset: Automates password resets for affected users, enhancing security measures.
- Group Identification: Retrieves user group details to assess the broader impact of phishing reports.
Key Outcomes
By utilizing these actions, ServiceNow customers can effectively automate incident response processes, ensuring timely updates, improved communication with affected users, and enhanced investigation capabilities. This leads to a faster resolution of security incidents and improved overall security posture.
This section describes the actions provided in the Flow Designer action library.
| Action Name | Description | Example scenario | |
|---|---|---|---|
| Add a security tag to the security incident | Use this action to add a security tag automatically using flow designer logic. | If the flow detects an IOC, the IOC Detected tag can be
automatically added using this action. Flow: |
|
| Add observables to the security incident | Use this action to add observables to a selected security incident.
|
|
|
| Get affected users (Related Lists) from multiple security incidents V1 | Retrieves all the affected users listed in the Affected Users related list for the specified security incidents. | You may have parent security incidents with multiple child security incidents. Use this action to roll-up affected users from all the child security incidents to the corresponding parent security incidents. Only unique affected users are rolled-up and all duplicates are eliminated. |
|
| Get affected users from multiple security incidents | Retrieves the primary affected user for the specified security incident. It does not include the affected users from the Affected User related list. |
|
|
| Get affected users (related list) from a security incident | Retrieves all the affected users listed in the Affected Users related list for a specified security incident. |
|
|
| Add affected users to security incident | Adds all affected users to a security incident. | Suppose you have a parent security incident with multiple child security incidents. You can use this action to roll-up affected users from all the child security incidents to the corresponding parent security incident. Only unique affected users are rolled-up and all duplicates are eliminated. |
|
| Get configuration items of the affected users | Retrieves the configuration items (CIs) of all affected users. | In phishing or malware scenarios, you can use this action to update the Affected Configuration Items (CI) related list and investigate the CIs. You can then update the severity or risk score of the security incident based on the number of identified CIs. |
|
| Get all child security incidents for a security incident | Retrieves all child security incidents related to a specific parent security incident. | Example scenario: Use this action to:
|
|
| Get configuration items for the observables (type IP address) | Retrieves all configuration items (CIs) for observables of type IP address. | An IP address observable can be associated with a configuration item. For example, the IP address of a server. If you use this action, you can retrieve information for the server. |
|
| Is observable malicious | Confirms the presence of one or more malicious observables in a set of observables. | After the threat lookup has been completed and you have identified the presence of malicious observables, you can increase the severity or risk score of a security incident. |
|
| Send email to confirm user interaction | Sends email in response to a user response. | If a user tries multiple times to login to an application and fails, it results in a
failed login scenario. In this case, an email is sent to the user to confirm whether the user
attempted to login or not. Depending on the user response (Yes or No), different actions can
be taken. Flow: Failed Login Manual playbook |
|
| Filter out allowed list observables | Use this action to allow list observables from a given set of observables. | You can identify certain observables that can be ignored from a set of observables. These observables will not taken into account while resolving the security incident. |
|
| Reset password for affected users | Use this action to reset password for affected users. | If a user account has been hacked or a user requests a password to be reset, an email
is sent to the user to reset the password. Flow: Failed Login Manual playbook. |
|
| Get user group for affected user | Retrieves the user group details of affected users. | In an organization, if two or more users report phishing emails, you can find out the group they belong to and identify if more users have been affected |
|