Process Mining use cases for security incidents

  • Release version: Yokohama
  • Updated March 27, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Process Mining Use Cases for Security Incidents

    Process Mining within ServiceNow provides powerful analysis methods to identify inefficiencies in the resolution of security incidents. By leveraging these use cases, customers can optimize workflows, reduce delays, and improve overall incident handling efficiency.

    Show full answer Show less

    Key Use Cases

    • Multi-hop Analysis: Identifies security incidents reassigned multiple times across teams, causing resolution delays. Customers can filter incidents with longer-than-average steps and examine their routes to pinpoint bottlenecks where incidents were held up.
    • SLA Breach Analysis: Enables analysis of security incidents that breached Service Level Agreements. By applying filters on Task SLA conditions, customers can list breached incidents and review their resolution routes for improvement opportunities.
    • Priority Analysis: Helps review incidents where priority levels changed, especially cases where critical (priority 1) incidents were downgraded. This insight supports refining priority assignment processes to maintain appropriate urgency.
    • Bottleneck Analysis: Focuses on unusual state transitions and associated delays in security incident handling. Customers can identify transitions causing delays, such as incidents moving from Closed to other states, to streamline the resolution process.
    • Long Time to Start Then Resolve: Targets incidents that remain in the Draft state for extended periods but are resolved quickly once analysis begins. Customers can filter incidents that stayed in Draft for more than two days but closed within 30 minutes after moving to Analysis, identifying areas to accelerate initial handling.

    Practical Application

    All analyses are performed within the Process Mining Workspace under the Analyst Workbench in ServiceNow. Customers can apply tailored filters and conditions to extract relevant incident records and visualize their resolution routes. This enables actionable insights to improve incident reassignment processes, SLA compliance, priority management, and overall resolution efficiency.

    The following Process Mining use cases provide various analysis methods that you can use to identify inefficiencies during the resolution of your security incidents.

    Multi-hop analysis

    Security incidents that are reassigned multiple times to different teams might result in a resolution delay. By analyzing the reasons of reassignments for such security incidents, and where the incidents are held up for longer durations, you can improve the overall efficiency.

    The following are example steps to get the list of security incidents that took the longer routes:
    1. Navigate to Workspaces > Process Mining Workspace.
    2. Select Assignment group.
    3. Open a project, and navigate to Analyst Workbench.

      When you open a mined process optimization project, by default the Analyst Workbench opens.

    4. Select Variation Analysis.
    5. Select the filter (Filter icon) icon, and set the filter similar to the following:
      • Steps greater than the average number of steps.
      • Records greater than the minimum number of records that have taken a longer route.
        Note:
        You can configure the values as per your requirement.

      Example filter settings for multi-hop analysis
    6. Select Apply.

      All the records that match the filter criteria appear. Select a record to view the closure route of the record.

    7. Select a record, and then select Show Route.

      The route traversed by the record appears. You can use this route to identify the step where the incidents were held up for a longer duration than expected.

    SLA breach analysis

    You can use process mining to analyze security incidents that have breached a certain SLA (Service Level Agreement.)

    The following are example steps to get the list of security incidents that breached the SLA:
    1. Navigate to Workspaces > Process Mining Workspace.
    2. Open a project, and navigate to Analyst Workbench.

      When you open a mined process optimization project, by default the Analyst Workbench opens.

    3. From the Advanced filters, select Conditions.
    4. Select the arrow corresponding to Related List Condition.
    5. Set the conditions similar to the following:
      • Use the Select list to select the Task SLA table.
      • Set the value of the Greater than or equal to field to 1.
      • Set the value of Has breached to True.
      • To identify security incidents which breached a specific SLA, set a SLA definition filter.

      Condition settings for SLA breach

    6. Select Apply.

      All the records that match the conditions appear. Select a record to view the route of the record for analysis.

    Priority analysis

    You can use the process mining to review and improve the existing priority assignment process to your security incidents.

    The following are example steps to get the list of security incidents for which are priority was modified:
    1. Navigate to Workspaces > Process Mining Workspace.
    2. Open a project, and navigate to Analyst Workbench.

      When you open a mined process optimization project, by default the Analyst Workbench opens.

    3. Select Priority.
    4. From the Advanced filters, select Transitions.
    5. In Advanced filter on transitions, configure the following:
      1. Set Priority is 1 - Critical.
      2. Select Eventually followed By
      3. Priority is not 1 - Critical.
      Priority analysis conditions
    6. Select Apply all chains.

      The map shows all the security incidents that were assigned a priority 1 and their priority was later lowered.

    Bottleneck analysis

    You can use the process mining to review the state transitions of your security incidents. This analysis identifies the transitions that are not usual and the time delay caused because of such.

    The following are example steps to perform the bottleneck analysis:
    1. Navigate to Workspaces > Process Mining Workspace.
    2. Open a project, and navigate to Analyst Workbench.

      When you open a mined process optimization project, by default the Analyst Workbench opens.

    3. Select Bottleneck Analysis from the Model Options.

      The screen displays the state transitions for the security incidents.

      Bottle neck analysis

    4. Select the Filter by to identify bottleneck transitions. Alternatively, use the search bar to search for bottleneck transitions. For example, to identify incidents which were moved to other states from the Closed state, use "Closed " or "Closed -".

    Long time to start than resolve

    You can use the process mining to review the incidents that take a long time to get to the Draft state, but then were closed in a relatively shorter time.

    The following are example steps to identify security incidents that were in the Draft state for more than two days and were closed within 30 minutes after moving to the Analysis state:
    1. Navigate to Workspaces > Process Mining Workspace.
    2. Open a project, and navigate to Analyst Workbench.

      When you open a mined process optimization project, by default the Analyst Workbench opens.

    3. From the Advanced filters, select Transitions.
    4. In Advanced filter on transitions, configure the following:
      1. Set State (Incident) is Draft.
      2. Select Eventually followed By
      3. Select Add constraints and set From as 2 days.
      4. Select Add next activity.
      5. Set State (Incident) is In Analysis.
      6. Select Eventually followed By
      7. Select Add constraints and set Up to as 30 minutes.
      8. Select Add next activity.
      9. Select Eventually followed By
      10. Select Add constraints and set Up to as 30 minutes.
      11. Set State (Incident) is Closed.

        Long analysis time example

    5. Select Apply all chains.
    6. Select Breakdown Filters and sort by Longest Avg Duration.