Playbook for Child Security Incident Automation
Duplicate security incidents are categorized as child security incidents and are rolled up to the parent security incidents.
The Child Security Incident Automation playbook helps reduce the time required to investigate and close duplicate security incidents. This playbook automatically rolls up specific unique artifacts of the child security incident (observables, affected users, CIs) to the parent security incident.
Prerequisites
Roles:
- sn_si.admin
- flow_designer
Spoke: Install the Security Operations Spoke (sn_sec_spoke).
Key capabilities
The Child Security Incident Automation playbook covers the following capabilities:
- Moves the security incident to the Analysis stage.
- Eliminates duplicates and adds (rolls up) the affected users and CIs to the parent security incident.
- Adds observables from the child incident to the parent security incident.
- Closes or cancels the child security incident when the parent security incident is closed.
Capabilities required
For more information, see the ServiceNow store.
Security analyst experience
To understand how to resolve security threats in a step-by-step manner, see Resolve security threats with the playbook.
Deeper understanding of the Child Security Incident Automation playbook with Flow Designer capabilities
- Log in as a user with the sn_si.user and flow_designer roles.
- Navigate to and click on the Failed Login playbook.
- Make a copy of the Child Security Incident Automation playbook and make the necessary modifications according to your requirements. (This step is optional. Follow it only if you plan to customize or make specific changes to the flow.)
- Activate the playbook.
  - Activate the main flow to use the playbook available with the base system.
  - Activate the copied flow after making any modifications according to your requirements.
The playbook is triggered when both of the following conditions are met:
- The parent security incident field isn't empty.
- The parent security incident is in the Draft, Analysis, Contain, or Eradicate state.
The following steps walk you through the actions and tasks that are available in the Child Security Incident Automation playbook.
- When the playbook starts executing, in Step 1, if the security incident is in a Draft state, it’s updated and set to the Analysis state.
- In steps 2 and 3, affected users for the security incident are retrieved and rolled up to the parent security incident. Any duplicate users are eliminated.
- In steps 4 and 5, configuration items associated with the child security incident are retrieved and unique CIs are rolled up to the parent security incident.
- In steps 6 and 7, observables associated with the child security incident are retrieved and unique observables are rolled up to the parent security incident.
- In steps 8 and 9, automated worknotes are posted to the parent and child security incidents indicating that the affected users, configuration items, and observables have been rolled up from the child to the parent security incident.
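The following is an added example, not the playbook's own flow or any ServiceNow code: it models the trigger conditions and the nine steps above in plain JavaScript so the roll-up logic can be read and run in isolation. The record stores are in-memory arrays standing in for the platform's tables, the state names follow the page, and the incident numbers, users, CIs and observables are constructed sample data. One deliberate design choice is visible in the observable roll-up: observables are de-duplicated by type and value rather than by record id, so the same indicator recorded twice on different incidents is still counted once on the parent.

```javascript
// Added example (not ServiceNow's playbook code). Models the Child Security
// Incident Automation roll-up with in-memory records; all data is constructed.

const STATES = {
  DRAFT: 'Draft', ANALYSIS: 'Analysis', CONTAIN: 'Contain',
  ERADICATE: 'Eradicate', CLOSED: 'Closed',
};
// Parent states in which the playbook is allowed to run.
const TRIGGER_PARENT_STATES = new Set([
  STATES.DRAFT, STATES.ANALYSIS, STATES.CONTAIN, STATES.ERADICATE,
]);

// Trigger: the parent field is populated and the parent is in an allowed state.
function shouldTrigger(child, incidentsById) {
  if (!child.parent) return false;
  const parent = incidentsById.get(child.parent);
  return Boolean(parent) && TRIGGER_PARENT_STATES.has(parent.state);
}

// Roll items up from child to parent, skipping anything the parent already
// holds. keyOf decides what "duplicate" means for this kind of item.
// Returns the items actually added so the worknote can report a real count.
function rollUp(childItems, parentItems, keyOf) {
  const seen = new Set(parentItems.map(keyOf));
  const added = [];
  for (const item of childItems) {
    const key = keyOf(item);
    if (seen.has(key)) continue;
    seen.add(key);
    parentItems.push(item);
    added.push(item);
  }
  return added;
}

// Steps 1-9 of the playbook against one child incident.
function runPlaybook(child, incidentsById) {
  if (!shouldTrigger(child, incidentsById)) return { triggered: false };
  const parent = incidentsById.get(child.parent);

  // Step 1: a Draft child moves to Analysis.
  if (child.state === STATES.DRAFT) child.state = STATES.ANALYSIS;

  // Steps 2-3: affected users, de-duplicated by record id.
  const users = rollUp(child.affectedUsers, parent.affectedUsers, (u) => u.sysId);
  // Steps 4-5: configuration items, de-duplicated by record id.
  const cis = rollUp(child.cis, parent.cis, (c) => c.sysId);
  // Steps 6-7: observables, de-duplicated by type and value (assumption made
  // here, so two records for the same indicator count as one).
  const observables = rollUp(child.observables, parent.observables,
    (o) => `${o.type}:${o.value}`);

  // Steps 8-9: the same worknote on both incidents.
  const note = `Rolled up ${users.length} affected user(s), ${cis.length} CI(s), ` +
    `${observables.length} observable(s) from ${child.number} to ${parent.number}.`;
  child.workNotes.push(note);
  parent.workNotes.push(note);

  return { triggered: true, users: users.length, cis: cis.length,
    observables: observables.length };
}

// Closing the parent closes every open child that points at it.
function closeParent(parent, incidentsById) {
  parent.state = STATES.CLOSED;
  const closed = [];
  for (const inc of incidentsById.values()) {
    if (inc.parent === parent.sysId && inc.state !== STATES.CLOSED) {
      inc.state = STATES.CLOSED;
      closed.push(inc.number);
    }
  }
  return closed;
}

function makeIncident(sysId, number, state, parent) {
  return { sysId, number, state, parent,
    affectedUsers: [], cis: [], observables: [], workNotes: [] };
}

// Constructed sample: parent already knows alice and one IP; the child repeats
// both and adds bob, one CI and one domain.
function buildSample() {
  const parent = makeIncident('p1', 'SIR0001001', STATES.ANALYSIS, null);
  parent.affectedUsers.push({ sysId: 'u1', name: 'alice' });
  parent.observables.push({ type: 'ip', value: '203.0.113.10' });

  const child = makeIncident('c1', 'SIR0001002', STATES.DRAFT, 'p1');
  child.affectedUsers.push({ sysId: 'u1', name: 'alice' }, { sysId: 'u2', name: 'bob' });
  child.cis.push({ sysId: 'ci1', name: 'web-01' });
  child.observables.push({ type: 'ip', value: '203.0.113.10' },
    { type: 'domain', value: 'example.test' });

  return new Map([[parent.sysId, parent], [child.sysId, child]]);
}

function demo() {
  const db = buildSample();
  const result = runPlaybook(db.get('c1'), db);
  const closed = closeParent(db.get('p1'), db);
  return { result, closed, parentNote: db.get('p1').workNotes[0] };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block shows one new user, one new CI and one new observable reaching the parent, the repeated user and IP being dropped, the child moving from Draft to Analysis, and the child closing when the parent closes. Changing the parent's state to Closed before the run shows the trigger condition refusing to execute.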