12/05/2017. Geneva ServiceNow Security Management



Contents

Security Incident Response ... 3
  Security Incident Response overview ... 3
  Get started with Security Incident Response ... 6
  Security incident creation
  Security request creation ... 52
  Post incident review
  Security incident monitoring
  Components installed with Security Incident Response ... 73
Vulnerability Response
  Vulnerability Response overview ... 84
  Activate vulnerability response
  View general vulnerability data
  Define a new vulnerability integration
  Identify and escalate security issues in your CIs and software
  Update NVD and CWE records
  Report processor strategies
  Configure a vulnerability integration to use a scripted REST API
  Components installed with Vulnerability Response
Index

Bring incident data from your security tools into a structured response engine that uses intelligent workflows, automation, and a deep connection with IT to prioritize and resolve threats based on the impact they pose to your organization.

Security Incident Response

The Security Incident Response application tracks the progress of security incidents from discovery and initial analysis, through containment, eradication, and recovery, and into the final post incident review, knowledge base article creation, and closure.

Explore
  Security Incident Response overview on page 3
  Security Incident Response release notes
  Videos
Set up
  Activate Security Incident Response on page 6
  Create a security incident administrator group on page 11
Administer
  Configure Security Incident Response on page 7
  Create a security incident state flow on page 15
  Create a severity calculator on page 23
Use
  Security incident creation on page 40
  Security request creation on page 52
  Post incident review on page 53
Develop
Troubleshoot and get help
  Components installed with Security Incident Response on page 73
  Ask or answer questions in the community
  Search the HI knowledge base for known error articles
  Contact Support

Security Incident Response overview

With Security Incident Response (SIR), track the progress of security incidents from initial analysis to containment, eradication, and recovery. Vulnerability databases can be used to proactively prevent issues and track down other systems that may also be vulnerable to attack. Additionally, a wide range of reporting and tracking systems are available for detecting trends and issues, and gauging your performance. Integrations let you use your preferred monitoring tools and link your security incidents to the related systems, users, and business services within your instance.

To protect investigations and keep security incidents private, restrict system access to specific security-related roles and ACLs. Non-security administrators can be restricted from access, unless you expressly allow them entry.

Security incidents can be logged or created in the following ways:
  - From the Security Incident form
  - From events spawned internally or from external monitoring or vulnerability tracking systems
  - Manually from alerts or automatically via alert rules
  - From the service catalog

Analysis

On the Security Incident form, view incidents, changes, problems, and tasks on the affected CI. The system can identify malware, viruses, and other areas of vulnerability by cross-referencing the National Institute of Standards and Technology (NIST) database, or other third-party detection software. As security incidents are resolved, any incident can be used to create a security knowledge base article for future reference. Further analysis can be performed using the Business Service Management (BSM) map to locate other affected systems or business services that may be infected.

Containment, Eradication, and Recovery

While monitoring and analyzing vulnerabilities, you can create and assign tasks to other departments. Use the BSM map to create tasks, problems, or changes for all affected systems, documents, activities, SMS messages, bridge calls, and so forth.

All rights reserved.

Figure 1: Sample BSM Map

Review

Significant incidents may need an incident resolution review, also called a post-incident review. This can take on several forms. For example, the incident manager can:
  - Conduct a meeting to discuss the incident and gather responses.
  - Write and distribute questions designed for each incident category or priority to those who worked on the incident, to review incident resolution.
  - Write the report and gather information on their own.

A report for incident resolution review can be automatically generated. The report includes the following:
  - A summary of what was done
  - The time line
  - The type of security incident that was encountered
  - All related incidents, changes, problems, and tasks
  - The details of the resolution

An automated survey system for reviewing security incident resolution is also available. It gathers the names of all users assigned to the security incident, and sends a survey to gather data about the handling of this incident. This data can then be made available in a generated security incident review report, which can be edited into a final draft.

The following podcast offers additional information on the use of Security Incident Response.

Get started with Security Incident Response

Before you can use Security Incident Response to deal with security issues and threats, activate the plugin and configure how you want the application to function. You must also set up several other types of information:
  - Groups and SLAs
  - Knowledge base articles, as needed
  - Security incident catalog items
  - Severity calculators
  - Security incident treemaps

Activate Security Incident Response

The Security Incident Response plugin is available as a separate subscription.

Role required: admin

Security Incident Response activates these related plugins if they are not already active.

Table 1: Plugins for Security Incident Response

Plugin: Description
  Service Management Core [com.snc.service_management.core]: Installs the core Service Management items used to allow other service-related plugins to work, such as Service, Facilities, HR, Legal, Finance, Marketing and the custom app creator.
  Governance, Risk, and Compliance (GRC) Core [com.snc.governance_core]: Provides an integration of Security Incident Response with GRC to allow the association of security incidents with risks.
  Task-Outage Relationship [com.snc.task_outage]: Allows users to create an outage from an Incident and a Problem form. Incidents and problems have a many-to-many relationship with outages.
  Tree map [com.snc.treemap]: Enables support for treemap view on any applications.
  Security Incident Response support [com.snc.security_support.sir]: Provides support functionality for use within the Security Incident Response application.

To purchase a subscription, contact your account manager. After purchasing the subscription, activate the plugin within the production instance.

1. Navigate to System Definition > Plugins.
2. Right-click the plugin name on the list and select Activate/Upgrade. If the plugin depends on other plugins, these plugins are listed along with their activation status.
3. Optional: If available, select the Load demo data check box. Some plugins include demo data sample records that are designed to illustrate plugin features for common use cases. Loading demo data is a good policy when you first activate the plugin on a development or test instance. You can load demo data after the plugin is activated by repeating this process and selecting the check box.
4. Click Activate.

Configure Security Incident Response

After you activate Security Incident Response, configure the application for the processes and needs of your organization. If you are an administrator in the global domain, you can configure how security incident response applications handle day-to-day operations. If you are an administrator in a domain lower than the global domain, you can view the Configurations screen but you cannot modify the settings.

Role required: sn_si.admin

1. Navigate to Security Incident > Administration > Configuration. The options for configuring the applications are organized under these tabs:
   - The Business Process tab contains options for setting up the request lifecycle, creating catalogs and requests, and configuring notifications.
   - The Assignment tab contains options for setting up manual and auto-assignment.
   - The Add-ons tab contains options for enabling the knowledge base, managed documents, and task activities.
2. On the Business Process tab, configure how requests are created, are assigned, and send notifications.

Table 2: Business Process tab

Lifecycle
  Assignment method for requests: Select a method for assigning requests.
    - using auto-assignment: Requests are automatically assigned.
    - using a workflow: Requests are assigned by the selected workflow.
    - manually: Requests are manually assigned.
  Use this workflow to assign requests: Select a workflow for assigning requests. This field appears when using a workflow is selected from the Assignment method for requests list.
  Assignment method for tasks: Select a method for assigning tasks.
    - using auto-assignment: Tasks are automatically assigned.
    - using a workflow: Tasks are assigned by the selected workflow.
    - manually: Tasks are manually assigned.
  Use this workflow to assign tasks: Select a workflow for assigning tasks. This field appears when using a workflow is selected from the Assignment method for tasks list.
  Work notes are required to close or cancel a request or task: Enable this option to require the user to enter work notes before a task or request can be closed or canceled.
  Copy task work notes to request: Enable this option to synchronize task work notes with the work notes on the order. When work notes in the task are added, the same work notes appear in the order.

Catalog and Request Creation
  Create or update requests by inbound email: Enable this option to create or update requests from inbound emails.
  Requests are created using:
    - catalog or regular form: Activates the catalog and enables automatic publishing of request templates to the catalog.
    - regular form only: Deactivates the catalog and disables automatic publishing of request templates to the catalog.
  Templates create a dedicated catalog item: Enable this option to activate automatic publishing of catalog items for the application.

Notification
  For a request or task, when the selected field changes, send notification to recipients: You can configure notifications to be sent to specific recipients when selected fields in requests and tasks change.
    1. From Table, select Request or Task.
    2. From Field, select the field to use for generating notifications. When a change is made to the selected field, a notification is sent to selected recipients.
    3. From Recipients, select one or more recipients.
    4. If you select a specific user or a specific group, you are prompted to select a user or group.
    5. To define additional notifications using other fields or recipients, repeat the steps above for the next set of notification settings.
    6. To remove a notification, click the delete notification icon to the right of the notification.

3. Click the Assignment tab and configure more settings for how requests are assigned.

Table 3: Assignment tab

Manual Assignment
  Assign requests or tasks based on assignment group coverage areas: Enable this option to limit the assignment of requests and tasks to groups that cover the location of the task.

Auto-Assignment - Scheduling
  Auto-selection of agents will consider time zone for tasks: Enable this option to consider the time zone of the agent when assigning a task. This field appears when auto-assignment is selected for requests or tasks.

Auto-Assignment - Additional Factors

  Auto-selection of agents will consider location of agents: Enable this option to give preference to agents who are closer to the task location, when assigning the tasks. This field appears when auto-assignment is selected for requests or tasks.
  Auto-selection of agents for tasks requires them to have skills: Select the degree to which agent skills must be matched to a task. This field appears when auto-assignment is selected for requests or tasks.
    - all: Requires agents to have all of the skills to perform the task. An agent who lacks even one skill will not be assigned to the task.
    - some: Requires agents to have most of the skills needed to perform the task.
    - none: Assigns agents without taking skills into account.
  Auto-selection will attempt to assign the same agent to all tasks in a request: Enable this option to auto-assign all tasks for a request to the same agent.

4. Click the Add-ons tab and enable more features for security incident handling.

Table 4: Add-ons tab

Documentation
  Enable a dedicated knowledge base: Enable this option to activate the knowledge base for the application.
  Enable managed documents: Enable this option to add a related list to managed documents.
  Enable task activities: Enable this option to log task interactions and communications, such as phone calls and messages.

5. Click Save.

Security incident response setup

Administrators set up an administrator group and one or more security incident groups. The appropriate roles and users are then assigned to those groups.

Security incident groups

In Security Incident Response, groups are defined for assigning agents or teams to handle security issues raised by security incidents. Any business rules, assignment rules, system roles, or attributes that refer to the group apply to all group members automatically. Users with the user_admin role can create security incident groups, but only users with security roles can add or remove users from security incident groups.

Create a security incident administrator group

Set up a security incident administrator group and assign the appropriate roles and users to the group.

Roles required: If you have the user_admin role, you can create security incident assignment groups. If you have the sn_si.admin role, you can create and edit security incident assignment groups.

Users in a group inherit the roles of the group, so you do not have to assign roles to each user separately. It is a good practice to create as many groups as needed in your organization. It is also a good practice to create one group for administrators and assign the admin role to this group only.

When the Security Incident Response application is activated, the System Administrator user can access security features and records by default, and the System Administrator is the only administrator who can set up security groups and users. After system configuration has been completed, and security roles have been assigned to users, a user with the sn_si.admin role can revoke the System Administrator's access to Security Incident Response by setting the "The security application is unlocked for admin to access" property to false (uncheck the check box).

1. Navigate to User Administration > Groups.
2. Click New.
3. Fill in the fields. Make sure that you select the security incident type for this group.
   a) If the Type field is not visible, configure the form to add it.
   b) Click the lock icon beside the Type field.
   c) Click the reference lookup icon.
   d) Search for and select the security incident type.
4. Right-click the form header and select Save.
5. In the Roles related list, add the roles that each member of this group receives. For example, if you are making a group for Security Incident Response team members, add sn_si.agent. If you are making a group for Security Incident Response administrators, add sn_si.admin.
6. In the Group Members related list, add users to this group.
7. Click Update.

Create a security incident response SLA

Define a Service Level Agreement (SLA) for security incident response.

Role required: sn_si.admin

1. Navigate to Security Incident > Administration > SLAs.
2. Click New.
3. Fill in the form, as appropriate.

Table 5: SLA Definition form
  Name: An identifying name for the SLA.
  Type: The type of agreement being defined: SLA, OLA, or Underpinning contract. This is used for informational purposes and does not affect the behavior of the SLA.
  Table: The table whose records will be tracked by this SLA. This must be a table that extends the Task table, such as Incident [incident].
  Workflow: The SLA workflow that determines what activities occur in response to the SLA. Workflows are typically used to create events which send off notifications.
  Enable logging: Check box to enable logging for before and after values when updating an SLA using this definition.
  Duration type: Whether a user-specified duration or a relative duration such as End of next business day is used to calculate the duration of the SLA.
  Duration: The length of time the SLA runs before it is marked as breached. These fields appear when User specified duration is selected from the Duration type list.
  Relative duration works on: Whether task or SLA records are used to calculate the relative duration. These fields appear when a relative duration is selected from the Duration type list.
  Schedule: The hours during which the SLA timer runs. The schedule can be taken from SLA definitions or from CIs, as defined on the SLA Engine properties page.
  Timezone: Used in conjunction with the Schedule field. The time zone is used to determine when work has failed to be performed within the terms of the SLA (that is, the SLA has breached).
  Start condition, Stop condition, Pause condition, Reset condition: Conditions for starting, stopping, pausing, and resetting the SLA. These conditions control the process flow for created SLAs. For example, when the Start condition is met, an SLA record is attached to the relevant task, and the SLA timer then starts.

4. Click Submit.


Security incident states and task states

States and task states control the sequence in which records transition from one condition to another in Security Incident Response.

Security Incident Response states

The following states are available in Security Incident Response.

Table 6: Security incident states
  Draft: The request initiator adds information about the security incident, but the incident is not yet ready to be worked on.
  Analysis: The incident has been assigned and the issue is being analyzed.
  Contain: The issue has been identified and the security staff is working to contain it and perform damage control. This might include taking servers offline, disconnecting equipment from the Internet, verifying that backups exist, and so forth.
  Eradicate: The issue has been contained and the security staff is taking steps to fix the issue.
  Recover: The issue is resolved and the affected systems are operational.
  Review: The security incident has been completed but still requires a post incident review.
  Closed: The incident was completed to specification. Before a security incident can be closed, information must be filled out on the Closure Information tab.

Security Incident Response task states

The following task states are available in Security Incident Response.

Table 7: Security Incident Response task states
  Draft: The task initiator adds information about the request, but the request is not yet ready to be worked on.
  Ready: The task is ready to be worked on as soon as it is assigned to an agent.
  Assigned: The task has been assigned to an agent.
  Work In Progress: The assigned agent has begun work on the task.
  Cancelled: The request was cancelled.

The instance creates business rules, client scripts, and UI actions that perform the transitions and field controls you specify. These programming elements remain in use while the state flow records that use them are present. When state flows on the Security Incident Response application table are deleted, the system attempts to delete any unnecessary programming elements that were created on that table. You can limit the selections for the State field to valid states for the transition, based on the starting state.

State flows provide the following controls:
  - Manual transitions: A UI action that initiates a transition. Manual transitions are created automatically by the system when you provide a condition or a script.
  - Automatic transitions: A business rule that initiates a transition when changes are made to a request or task. Automatic transitions are created automatically by the system when you provide a condition and a script.

Features available with security incident states
  - Custom transitions: Customize the order in which states can change for requests and task records.
  - Field controls: Control the behavior and visibility of specific fields when a task changes states or reaches a specified end state.
  - Starting and Ending State choice lists: The values offered in a task record's Starting State or Ending State field are automatically filtered to show only valid states for that transition. This is the same client script that the system creates to manage field controls for state transitions.
  - Events: Trigger events when a state transition occurs or when a record reaches a specific end state.

Create a security incident state flow

Create a security incident state flow for automatic or manual transitions.

Role required: sn_si.admin and admin

The process for creating a security incident flow and a response task flow is the same.

1. Create the state flow.
   To create a security incident flow:
     a) Navigate to Security Incident > State Flows > Security Incident Flows.
     b) Click New.
   To create a response task flow:
     a) Navigate to Security Incident > State Flows > Response Task Flows.
     b) Click New.
2. Fill in the fields, as appropriate. The system enforces the field controls with the same client script that filters the choice list for the State field.

Table 8: Security Incident Flow and Security Incident Response Task Flow forms
  Number: Record number automatically generated by the system.
  Table: Table on which the state flow record runs. Only tables that extend the Task [task] table are available in the list.
  Starting state: Name of the state at the beginning of the flow. The selections in this field are filtered by the possible states for the selected table.
  Ending state: Name of the state at the end of the flow. The selections in this field are filtered by the possible states for the table selected.
  Client script: The client script associated with any changes made in the Controls section of the form.
  Event: Name of an existing event to trigger when this transition occurs.
  Name: Name of this record. Make sure the name is descriptive of the state transition or the processing that the record is performing. This name does not have to be unique.
  Roles: Not used for any processing.
  Active: Check box to enable this state flow record.
  Class: The state flow class for this record. The system automatically selects one of these classes for security response state flows.
    - Security Incident Flow: Records created for state flows in the Security Incident Flow [sn_si_sf_incident] table.
    - Security Incident Response Task Flow: Records created for state flows in the Security Incident Response Task [sn_si_sf_task] table.
  Override: The starting value for the State field on all new records for the table named in the state flow record.
  Work notes: Noteworthy comments about this state flow transition.
  Comment: Details about the customized record.

3. To create a manual transition:
   a) Click the Manual tab and fill in the fields as needed.

   Table 9: Manual tab fields
     Manual condition string: Conditions that cannot be defined with the condition builder for enabling a UI action. For example, you can use this string to define UI actions for mobile devices. This condition has an [and] relationship with the condition in the Manual condition field.
     Manual condition: Conditions for enabling a UI action, which can be defined for fields in the target table. This condition has an [and] relationship with the condition in the Manual condition string field.
     Manual script: Script that defines what the UI action does when the conditions are true. The script runs when the user clicks a button or a related link with the name entered in the UI action field.
     UI action: Name of the button that the system creates to enable this transition. The system creates the label using the same name as the state flow record that created it.
     Manual roles: The minimum roles required for manually running the UI action.

   b) Save the state flow record.
   c) Click Create UI Action to create a button on the task form that enables users to execute the transition manually. The system uses the value in the Name field as the label for the UI action. The UI action executes the script in the Manual Script field when the conditions are true. For example, a manual transition can create an Activate button when an incident is in the New state that enables a user to mark the incident as active.

4. To create an automatic transition:
   a) Click the Automatic tab and fill in the fields as needed.

   Table 10: Automatic tab fields
     Automatic condition string: Conditions that cannot be defined with the condition builder for running the business rule, such as evaluating if the proposed transition is a valid flow. This condition has an [and] relationship with the condition in the Automatic condition field.
     Automatic condition: Conditions for running the business rule, which can be defined for fields in the target table. This condition has an [and] relationship with the condition in the Automatic condition string field.
     Automatic script: Script that performs additional work when the condition is true. This script can do tasks such as update the date and time the transition occurred or email someone when a specific state change occurs. Automatic state transitions occur when changes are made to the task record.
     Business rule: Name of the business rule created for this transition. Two conditions must be satisfied before this business rule can run: the task must be on a specific starting state, and the Automatic condition must be true. If both of these conditions are satisfied, the business rule performs the requested transition, using the starting and ending states from the State Flow form.
     Automatic roles: The minimum roles required for running the business rule.

   b) Save the state flow record.
   c) Click Create Business Rule to create the business rule. The business rule executes the script in the Automatic Script field when the conditions are true. For example, a business rule created by the system can set an incident state to Assigned when the Assigned to field is populated. Business rules are automatically deleted when the state flow record is deleted.

5. To control how specific fields display when a task record changes states:
   a) Click the Controls tab and fill in the fields as needed.

   Table 11: Controls tab fields
     Mandatory fields: Makes the selected fields required when this transition occurs or when the end state is the current state.
     Read only fields: Prevents the selected fields from being edited when this transition occurs or when the end state is the current state.
     Visible fields: Displays the selected fields when this transition occurs or when the end state is the current state.
     Not mandatory: Makes the selected fields optional when this transition occurs or when the end state is the current state.
     Not read only: Makes the selected fields editable when this transition occurs or when the end state is the current state.
     Not visible: Hides the selected fields when this transition occurs or when the end state is the current state.

   b) Save the state flow record.
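The following is an added illustration, not ServiceNow code: a small JavaScript model of how state flow records (the starting and ending states, automatic and manual conditions, roles and field controls from Tables 8 to 11) drive a response task through the task states of Table 7. The flow records, field names (assigned_to, work_start, work_notes) and the business-rule and UI-action behaviour are constructed for the example.

```javascript
"use strict";

// Constructed state flow records (not from the product). Each names a starting
// and ending state, either an automatic condition (business-rule style) or a
// manual condition with required roles (UI-action style), plus field controls
// that apply to the ending state.
const STATE_FLOWS = [
  {
    name: "Assign when Assigned to is populated",
    startingState: "Ready",
    endingState: "Assigned",
    automaticCondition: (rec) => Boolean(rec.assigned_to),
    controls: { mandatory: ["assigned_to"], readOnly: [], visible: ["work_notes"] },
  },
  {
    name: "Start work",
    startingState: "Assigned",
    endingState: "Work In Progress",
    automaticCondition: (rec) => rec.work_start !== null,
    controls: { mandatory: ["work_start"], readOnly: ["assigned_to"], visible: [] },
  },
  {
    name: "Cancel",
    startingState: "Work In Progress",
    endingState: "Cancelled",
    manualCondition: () => true,
    manualRoles: ["sn_si.admin"],
    controls: { mandatory: ["work_notes"], readOnly: ["assigned_to", "work_start"], visible: [] },
  },
];

// The filtered Ending State choice list: only states reachable from the
// record's current starting state are offered.
function validEndingStates(flows, startingState) {
  return flows.filter((f) => f.startingState === startingState).map((f) => f.endingState);
}

// Field controls that apply once a record sits in the given end state.
function fieldControlsFor(flows, state) {
  const merged = { mandatory: new Set(), readOnly: new Set(), visible: new Set() };
  for (const f of flows.filter((x) => x.endingState === state)) {
    f.controls.mandatory.forEach((k) => merged.mandatory.add(k));
    f.controls.readOnly.forEach((k) => merged.readOnly.add(k));
    f.controls.visible.forEach((k) => merged.visible.add(k));
  }
  return { mandatory: [...merged.mandatory], readOnly: [...merged.readOnly], visible: [...merged.visible] };
}

// Mandatory fields for a transition that the record has left empty.
function missingMandatory(flow, record) {
  return flow.controls.mandatory.filter((k) => record[k] === null || record[k] === undefined || record[k] === "");
}

// Business-rule analogue: on each update a transition fires only when the
// record is at the flow's starting state AND the automatic condition holds
// (and nothing mandatory is empty). Transitions chain until none matches.
function applyAutomaticTransitions(flows, record) {
  const fired = [];
  for (;;) {
    const next = flows.find((f) => f.automaticCondition && record.state === f.startingState
      && f.automaticCondition(record) && missingMandatory(f, record).length === 0);
    if (!next) return fired;
    fired.push(`${next.startingState} -> ${next.endingState}`);
    record.state = next.endingState;
  }
}

// UI-action analogue: the user needs one of the manual roles, the record must
// be at the starting state, the manual condition must hold and the mandatory
// fields for the transition must be filled in.
function runManualTransition(flows, record, flowName, userRoles) {
  const flow = flows.find((f) => f.name === flowName && f.manualCondition);
  if (!flow) return { ok: false, reason: "no such manual transition" };
  if (record.state !== flow.startingState) return { ok: false, reason: "wrong starting state" };
  if (!flow.manualRoles.some((r) => userRoles.includes(r))) return { ok: false, reason: "missing role" };
  if (!flow.manualCondition(record)) return { ok: false, reason: "condition not met" };
  const missing = missingMandatory(flow, record);
  if (missing.length) return { ok: false, reason: `mandatory fields empty: ${missing.join(", ")}` };
  record.state = flow.endingState;
  return { ok: true, reason: "" };
}

// Walk a constructed task through the flows: assignment, start of work, then
// a cancellation that is first denied (role), then blocked (work notes), then allowed.
function demo() {
  const task = { state: "Ready", assigned_to: "analyst1", work_start: null, work_notes: "" };
  const log = [];
  log.push(...applyAutomaticTransitions(STATE_FLOWS, task));
  task.work_start = "2017-05-12 09:00:00";
  log.push(...applyAutomaticTransitions(STATE_FLOWS, task));
  const denied = runManualTransition(STATE_FLOWS, task, "Cancel", ["sn_si.agent"]);
  const blocked = runManualTransition(STATE_FLOWS, task, "Cancel", ["sn_si.admin"]);
  task.work_notes = "Duplicate of another security incident";
  const cancelled = runManualTransition(STATE_FLOWS, task, "Cancel", ["sn_si.admin"]);
  return { finalState: task.state, log, denied, blocked, cancelled };
}

console.log(JSON.stringify(demo(), null, 2));
```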

Figure 3: Sample Security Incident Flow

Security Incident Response knowledge base

Your organization can create and maintain articles in the security incident knowledge base to share security information. Document the types of cyber threats that your organization faces, and provide answers and responses to these threats.

Benefits of the security incident knowledge base include the following.
  - Employees have one source of information that is easy to search.
  - Information is kept up-to-date with the defined life cycle for knowledge articles: create, review and update, publish, and retire.
  - Users are provided with a list of relevant articles when they enter a short description to create a security incident. If an article answers the employee's question, the employee does not need to submit the request.
  - Security agents can attach knowledge articles to SIR requests to respond to the employee request.

When you set up a security incident knowledge base, also assign a knowledge manager to it.

Create a security incident knowledge article

Create a knowledge article to share information across your organization.

Role required: none

1. Navigate to Security Incident > Catalog & Knowledge > Knowledge.
2. Click Create new > Article.
3. Fill in the fields on the form, as appropriate.

Table 12: Knowledge form
  Number: The automatically-generated KB number.
  Knowledge base: The knowledge base selected for this article.
  Category: The category for this article.
  Published: When this knowledge article was published. This value is set when the article is created, and updated when the article is published.
  Valid to: When this knowledge article expires. This article will not appear in search results after this date or if a date is not selected.
  Image: An image that appears beside the article when searching from the legacy knowledge portal.
  Workflow: The publication state of the article, such as Draft or Published. When you insert a new article from an existing article, the state of the new article is reset to Draft.
  Source: The task that this knowledge article was created in response to, if any. This field is set automatically when you create the knowledge article from a task record.
  Attachment link: Check box for downloading an attached file automatically when a user accesses the article, instead of opening the article view. You must add an attachment to the article to use this option.

  Display attachments: Check box for displaying attachments to users viewing this knowledge article. Attachments appear below the article text. You must add one or more attachments to the article to use this option.
  Short description: The title of the article. This title appears in results when users browse and search knowledge, and at the top of the article.
  Text: Content for the article. Use the WYSIWYG HTML editor to create content. A preview of the content appears when browsing and searching knowledge.
4. Click Submit.

After saving the article record, you can add tags to further organize the article. Any additional steps required to publish the article, such as approvals, depend on the publishing workflow for the knowledge base.

Severity calculators

Severity calculators are available to help you calculate a security incident's severity based on pre-defined formulas. The base system ships with the following sample severity calculators.

Table 13: Severity calculators in the base system

Severity calculator name: Business Impacted
  Purpose: If the affected item in the security incident is associated with the Sales, Finance, and HR business units, the Severity field is elevated to 1 - High.
  Type of calculation used: This severity calculator defines its selection criteria using a simple condition builder.

Severity calculator name: Critical service affected
  Purpose: If the affected item in the security incident is associated with a highly critical business service, the Risk, Impact, Priority, and Severity fields are elevated as defined by the calculator.
  Type of calculation used: This severity calculator defines its selection criteria using an advanced condition.

Severity calculator name: Critical service changes
  Purpose: If the affected item in the security incident is associated with a most critical or somewhat critical business service, the Risk, Impact, Priority, and Severity fields are elevated as defined by the calculator.
  Type of calculation used: This severity calculator defines its selection criteria using an advanced condition. If the security incident meets the conditions, a script runs to define what levels the fields should be elevated to.

Severity calculator name: Multi Attack Vectors
  Purpose: If the affected item in the security incident is associated with web, , and impersonation attack vectors, the Risk, Impact, Priority, and Severity fields are elevated as defined by the calculator.
  Type of calculation used: This severity calculator defines its selection criteria using a simple condition builder.

When you create a new security incident, the Risk, Impact, Priority, and Severity fields contain default values. When you save the incident, a business rule automatically validates the information in the security incident against the conditions defined in each of your active severity calculators. The calculators are validated one at a time, in the order defined by the Order field in each calculator. If the information in the security incident matches the conditions defined in one of the calculators, the severity field values are updated according to the rules set up in that calculator.

For example, assume you create a security incident for an affected CI and the CI is highly critical. When the security incident is saved, the CI information is compared to the conditions defined in the severity calculators. When the security incident is validated against the Critical service affected severity calculator, the severity fields are automatically updated, and a message about the update appears at the top of the security incident.

Figure 4: Updated severity based on calculator

Use these severity calculators as is, or edit them to more closely meet the needs of your business. For example, if you want to identify web and threats that are specific to the Finance business unit, make these changes to the conditions of the Multi Attack Vectors calculator:
  [Attack Vector] [contains] [Web]
  [Attack Vector] [contains] [ ]
  [Business Unit] [contains] [Finance]

You can also update the severity values in an existing security incident at any time by opening the record and clicking the Calculate Severity related link.
Create a severity calculator

Create your own severity calculators to define new formulas for calculating a security incident's severity.

Role required: sn_si.admin

Note: If the "The security application is unlocked for admin to access" property is set to Yes, this task can be performed by an admin user.

1. Navigate to Security Incident > Severity Calculations > Active Security Calculators.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 14: Severity calculator
  Name: The name of the severity calculator.

  Risk: The value that the Risk field will be set to when a security incident matches this calculation. If you select Leave Alone, the risk value will not be changed.
  Impact: The value that the Impact field will be set to when a security incident matches this calculation. If you select Leave Alone, the impact value will not be changed.
  Priority: The value that the Priority field will be set to when a security incident matches this calculation. If you select Leave Alone, the priority value will not be changed.
  Severity: The value that the Severity field will be set to when a security incident matches this calculation. If you select Leave Alone, the severity value will not be changed.
  Application: The application that contains this record.
  Table: The Security Incident [sn_si_incident] table.
  Active: Check box to activate this calculator. If you deactivate a calculator, you can view it by navigating to Security Incident > Severity Calculations > Inactive Severity Calculators.
  Order: The order in which the severity calculator will run. The calculators run in ascending order. For example, a severity calculator with an order entry of 100 runs before a severity calculator with an order entry of 200.
  Description: A description of this calculator.
  Condition: Conditions to match the security incidents that you want to apply this calculator to.
  Use advanced condition: Check box for using a script condition to determine when this severity calculator is applied.
  Advanced condition: Conditions to determine when this severity calculator is applied. This field appears when Use advanced condition is selected.

  Use script values: Check box for using a script to change the security incident values, instead of using the Risk, Impact, Priority, and Severity fields on this form.
  Script values: Script to change the Risk, Impact, Priority, and Severity fields of the security incident. The Script values field appears when Use script values is selected.
4. Click Submit.

Figure 5: Sample Severity Calculator
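The evaluation order, the Leave Alone choice, and the simple-condition versus advanced-condition versus script-values options described above can be seen working together in the following model. This is an added example written for this page; it is not ServiceNow code and does not use the platform's scripting API. The field names, the condition clauses, the sample calculators, the default field values (3/3/4/3) and the rule that every matching calculator is applied in Order, so a later one can override an earlier one, are all assumptions made for illustration.

```javascript
// Added example, not code from ServiceNow or its documentation. It models how
// ordered severity calculators change the Risk, Impact, Priority and Severity
// fields of a security incident. Field names, conditions and sample data are
// constructed for illustration.

const LEAVE_ALONE = null; // the form's "Leave Alone" choice: keep the current value
const SEVERITY_FIELDS = ['risk', 'impact', 'priority', 'severity'];

// A "simple condition builder" condition: every clause must hold (AND).
// Only the [contains] operator used on the page is implemented.
function buildCondition(clauses) {
  return incident => clauses.every(({ field, op, value }) => {
    if (op !== 'contains') throw new Error(`unsupported operator: ${op}`);
    const current = incident[field] || [];
    return current.includes(value);
  });
}

// Calculators modelled on the base-system samples described above; the exact
// conditions are assumptions, not the shipped definitions.
const calculators = [
  {
    name: 'Business Impacted',
    order: 100,
    active: true,
    // advanced condition (a script): any of the three business units matches
    condition: inc => ['Sales', 'Finance', 'HR'].some(bu => (inc.business_unit || []).includes(bu)),
    values: { risk: LEAVE_ALONE, impact: LEAVE_ALONE, priority: LEAVE_ALONE, severity: 1 },
  },
  {
    name: 'Multi Attack Vectors (Finance)',
    order: 200,
    active: true,
    // simple condition, as in the edited example above
    condition: buildCondition([
      { field: 'attack_vector', op: 'contains', value: 'Web' },
      { field: 'business_unit', op: 'contains', value: 'Finance' },
    ]),
    values: { risk: 1, impact: 1, priority: 1, severity: 1 },
  },
  {
    name: 'Critical service affected',
    order: 300,
    active: true,
    condition: inc => inc.service_criticality === 'highly critical',
    // "Use script values": a script decides the levels instead of the form fields
    script: () => ({ risk: 1, impact: 1, priority: 1, severity: 1 }),
  },
  {
    name: 'Inactive sample',
    order: 50,
    active: false, // inactive calculators are never evaluated
    condition: () => true,
    values: { risk: 5, impact: 5, priority: 5, severity: 5 },
  },
];

// Runs active calculators in ascending Order. Assumption: every calculator whose
// condition matches is applied, so a later calculator can override an earlier one.
// Returns the updated incident and the messages a user would see at the top of it.
function applySeverityCalculators(incident, calcs) {
  const result = { ...incident };
  const messages = [];
  const ordered = calcs.filter(c => c.active).sort((a, b) => a.order - b.order);
  for (const calc of ordered) {
    if (!calc.condition(result)) continue;
    const values = calc.script ? calc.script(result) : calc.values;
    for (const field of SEVERITY_FIELDS) {
      if (values[field] !== LEAVE_ALONE && values[field] !== undefined) {
        result[field] = values[field];
      }
    }
    messages.push(`Severity fields updated by calculator: ${calc.name}`);
  }
  return { incident: result, messages };
}

// Constructed incident; 3/3/4/3 are assumed default field values.
const SAMPLE_INCIDENT = {
  business_unit: ['Finance'],
  attack_vector: ['Web'],
  service_criticality: 'low',
  risk: 3, impact: 3, priority: 4, severity: 3,
};

function scoreSample() {
  return applySeverityCalculators(SAMPLE_INCIDENT, calculators);
}

console.log(JSON.stringify(scoreSample(), null, 2));
```

The sample incident matches both Business Impacted (Finance) and the edited Multi Attack Vectors calculator, so two messages are produced and all four fields end at 1; the inactive calculator, although it has the lowest Order, never runs.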

Security incident catalog

The security incident catalog makes it easy for users in your organization to find and request Security Operations products and services. Users can access the catalog by navigating to Self-Service > Security Incident Catalog. For more information, see Service Catalog.

Create a security incident catalog item

Define a catalog item for a product or service that you want to make available in the security incident catalog.

Role required: sn_si.admin

Note: If the "The security application is unlocked for admin to access" property is set to Yes, this task can be performed by an admin user.

1. Navigate to Security Incident > Catalog & Knowledge > Maintain Catalog Items.
2. Click New.
3. Fill in the fields, as appropriate.

Table 15: Catalog Item form
  Name: Enter the item name to appear in the catalog.
  Active: Select the check box to activate the catalog item.
  Availability: Define which devices can display the item: Desktop and Mobile, Desktop Only, or Mobile Only. Note: Unsupported catalog item types are not displayed on mobile devices, even if Availability is set to show an item of this type.
  Catalogs: Select the catalogs that this item can appear in.
  Category: Select a category for the item. Categories can only be selected after the Catalogs field is populated. The item can only appear in catalog searches if it is assigned to a category.
  Workflow: Select either a workflow or an execution plan (formerly named delivery plan) to define how the item request is fulfilled. If you select a workflow, the Execution Plan field is hidden. Clear the Workflow field to select an execution plan.

  Execution Plan: Select either a workflow or an execution plan (formerly named delivery plan) to define how the item request is fulfilled. If you select a workflow, the Execution Plan field is hidden. Clear the Workflow field to select an execution plan.
  Icon: Upload a 16x16 pixel image to appear as an icon beside the item name in the catalog. If no image is uploaded, the default icon appears beside this item. To use your own default icon, upload the image. The uploaded image overwrites the default image stored in images/service_catalog/generic_small.gif.
  Application: Select the application affected.
  Price: Set a price for the item and select the currency from the choice list.
  Recurring price: Set a price that occurs repeatedly at a regular interval. For example, a printer maintenance service may have a $ monthly recurring price.
  Recurring price frequency: Select the interval for recurring prices, such as Monthly or Annually, if the Recurring Price field has an entry.
  Picture: Upload an image of the item.
  Short description: Enter text that appears for this item on the service catalog homepage, search results, and the title bar of the order form.
  Description: Enter a description to display in the catalog when a user selects the item or clicks the associated Preview link.

Mobile
  Mobile picture type: Select which picture to display for the item on mobile devices. Desktop: Displays the standard desktop picture. Mobile: Displays the image uploaded with the Mobile picture field. None: Does not display a picture.
  Mobile picture: Upload the picture to display for the item on mobile devices when Mobile picture type is set to Mobile.

  Hide price (mobile listings): Select this check box to hide the item price on mobile devices.
4. Click Submit.
5. Optional: Assign the item to additional catalogs and categories.
6. To capture and pass on information about choices made by customers when they order a catalog item, define variables for the item. For more information, see Service Catalog.

Create a security incident response template

Security incident response templates are used to create security incident catalog items that share the same information.

Role required: sn_si.admin

1. Navigate to Security Incident > Catalog & Knowledge > Security Incident Templates.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 16: Security Incident Template form

Request information
  Name: Unique and descriptive name for this template.
  Short description: Content that is copied into the Short description field of a security incident when this template is used. This content is not used if the security incident was created from an incident, problem, or change request. In these cases, the short description of the source task is used instead.
  Description: More in-depth description of the purpose of the template.
  Checklist template: An informal list of questions or tasks used as a reminder for the agent working on this task.

Task information
  Task type: The task type to be associated with the template. The task types for all installed service management applications can be selected.
  Name: Unique and descriptive name for this task.
  Description: A description of this task. As you start to type the description, fields for your next task appear.

  Depends on: The tasks that must be completed before this task can be performed. To make this selection for the first task, you must create subsequent tasks.
  Checklist template: An informal list of questions or tasks used as a reminder for the agent working on this task.

4. To add more fields for either the request or task sections:
   a) Click Edit fields in the form header. An add field choice list appears in the Request information and Task information sections.
   b) Select the field to add. The field is added to the form and you can add more fields, if required.
5. Click Submit.
6. In the Publish Template dialog box, select a category from the Category drop-down list. Categories for the security incident catalog are defined from Service Catalog > Catalog Definitions > Maintain Categories.
7. To attach a knowledge model to the template:
   a) Scroll to the Model knowledges related list.
   b) Click New.
   c) Click the lookup icon beside the Knowledge field.
   d) Locate the knowledge article to add and click its number.
   e) Click Submit in the Model Knowledge form.
   f) Repeat these steps for every knowledge model that you want to add.
8. Click Save.

Security incident treemaps

The service impact treemap and real-time treemaps that come with the base system can be configured by creating and modifying treemap categories and indicators.

Create or update a treemap category

Modify the predefined categories for the security incident treemaps or create new categories as needed. The treemaps use performance analytics as the data source. Performance Analytics requires a separate plugin.

Role required: sn_si.admin

Note: If the "The security application is unlocked for admin to access" property is set to Yes, this task can be performed by an admin user.

In the base system, treemap categories such as Incident Risk, Denial of Service, and Incident Severity are included. You can modify these categories or define additional categories as needed.

1. Open the treemap definition that you want to configure categories for.

   Service impact treemap: Navigate to Security Incident > Administration > Service Impact Definition.
   Real-time treemap: Navigate to Security Incident > Administration > Real-time Definition.
2. Optional: Change the treemap definition name. In the base system, the default name for the service impact treemap definition is Security Incident. The default name for the real-time treemap definition is Security Incident - Real time.
3. Unless you are using a custom-built treemap, do not change the PA Indicator Group value.
4. To deactivate the treemap definition, clear the Active check box. If, for example, you deactivate the Denial of Service category from the system impact dashboard, that treemap category will not be available.
5. In the Treemap Categories related list, select a category to modify or click New to create a new category.
6. Fill in the fields.

Table 17: Treemap Category form
  Name: The name that is displayed for the category in the Categories list above the treemap.
  Order: The order that the category appears in the Categories list above the treemap.
  Treemap: The name of the treemap that uses this category.
  Color: The color displayed for this category in the treemap.
  Active: Check box to activate this category.
  Description: A description of the category.
  Visible by all roles: Check box to make this category visible to all users regardless of their role.
  Roles: If you did not select the Visible by all roles check box, select the roles that can view this category.

7. Click Submit or Update.

Create or update a treemap indicator

Modify the predefined indicators for a treemap category or create new indicators. For each indicator, configure its data source and specify how lists of security incidents are opened from treemaps that are viewed with the indicator. The treemaps use performance analytics as the data source. Performance Analytics requires a separate plugin.

Role required: sn_si.admin

1. Open the treemap definition that you want to configure indicators for.

   Service impact treemap: Navigate to Security Incident > Administration > Service Impact Definition.
   Real-time treemap: Navigate to Security Incident > Administration > Real-time Definition.
2. In the Treemap Categories related list, select the category that you want to configure indicators for.
3. In the Treemap Indicators related list, select an indicator to modify or click New to create a new indicator.
4. Fill in the fields.

Table 18: Treemap Indicator form
  Name: The name that is displayed for the indicator in the Indicators list on the service impact dashboard.
  Short description: A description that is displayed for the indicator in the Indicators list above the treemap.
  Result limit: The maximum number of results allowed. The upper limit is 100.
  Result Precision: The number of digits to display after the decimal point. This field is displayed for the real-time treemap definition only.
  Active: Check box to activate this indicator.
  Category: The treemap category name.
  Direction: Whether the tile on the treemap is minimized or maximized. This field is displayed for the real-time treemap definition only.
  Unit: The unit of measure to be used for the metric. This field is displayed for the real-time definition only.
  Automatic Refresh Interval: How frequently to refresh the treemap.
  Order: The order that the indicator appears in the Indicators list above the treemap.

5. Click the Data Source Configuration tab and configure one of the following data source options for the indicator.

   Performance analytics: Select Performance Analytics from the Data source field, and then make the following entries:
     Indicator: The indicator for grouping the PA data.
     Default breakdown: The default breakdown for breaking the selected PA indicator into multiple parts.
   Custom script: Select Custom Script from the Data Source field. Then use the HTML editor to customize the script as needed. The result of running the script must be an array in order for the information to display in the treemap.
   Query conditions: Select Query Condition from the Data Source field, and then make the following entries:
     Query table: The base table to query.
     Aggregate type: The type of aggregate (SUM, COUNT, AVG, MIN, MAX) to use.
     Aggregate field: The field to be used by the query.
     Group by: The field to sort the queried data.
     Note: To enhance the query, click Add Filter Condition and Add "OR" Clause.
6. Click the Click Through tab, and specify how lists of security incidents are opened from the treemap.
   a) In the Click through URL navigation type field, select whether you want the list of security incidents to open in a new window, in the same window, or in a dialog box.
   b) Optional: In the Click through URL script field, modify the sample script if needed.
7. Click Submit or Update.

Configure the treemap data source using a custom script

You can define the treemap data source using custom scripts.

Role required: sn_si.admin

1. Navigate to Security Incident > Administration > Service Impact Definition.
2. Click the treemap category for the type of indicator you want to configure.
3. In the Treemap Indicators related list, click New.
4. Fill out the fields at the top.
5. On the Data Source Configuration tab, select Custom Script from the Data Source list.
6. Using the HTML editor, customize the script as needed.
   Note: The result of running the script must be an array in order for the information to display in the treemap.
7. Click Submit.
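The custom-script option above only says that the script must return an array. The following added example, written for this page and not taken from ServiceNow or its documentation, shows one shape such a script can take: it groups records and aggregates them with the same aggregate types that the Query Condition option lists (SUM, COUNT, AVG, MIN, MAX), and it honours the Result limit cap of 100 from the indicator form. The record fields, the option names, the {name, value} tile shape and the sample incidents are constructed assumptions; a real script would read its records from the platform instead of an inline array.

```javascript
// Added example, not code from ServiceNow or its documentation. It builds the
// array a treemap custom-script data source must return, using the aggregate
// types listed for the Query Condition option. Record fields, option names and
// the tile shape are assumptions made for illustration.

const AGGREGATES = {
  COUNT: values => values.length,
  SUM: values => values.reduce((a, b) => a + b, 0),
  AVG: values => (values.length === 0 ? 0 : values.reduce((a, b) => a + b, 0) / values.length),
  MIN: values => Math.min(...values),
  MAX: values => Math.max(...values),
};

const MAX_RESULT_LIMIT = 100; // the indicator form's upper limit for Result limit

// Groups records by `groupBy`, aggregates `aggregateField` within each group and
// returns tiles sorted by value (largest first), capped at `resultLimit`.
function treemapData(records, options) {
  const {
    groupBy, aggregateType, aggregateField,
    resultLimit = MAX_RESULT_LIMIT,
    filter = () => true, // stands in for Add Filter Condition
  } = options;
  const aggregate = AGGREGATES[aggregateType];
  if (!aggregate) throw new Error(`unsupported aggregate type: ${aggregateType}`);

  const groups = new Map();
  for (const record of records) {
    if (!filter(record)) continue;
    const raw = record[groupBy];
    const key = raw === undefined || raw === null ? 'unknown' : String(raw);
    if (!groups.has(key)) groups.set(key, []);
    // COUNT needs no field; the other aggregates need a numeric value
    const value = aggregateType === 'COUNT' ? 1 : Number(record[aggregateField]);
    if (Number.isNaN(value)) continue; // a non-numeric field must not poison the aggregate
    groups.get(key).push(value);
  }

  const tiles = [];
  for (const [name, values] of groups) tiles.push({ name, value: aggregate(values) });
  tiles.sort((a, b) => b.value - a.value);
  return tiles.slice(0, Math.min(resultLimit, MAX_RESULT_LIMIT));
}

// Constructed sample security incidents, not real data.
const SAMPLE_INCIDENTS = [
  { category: 'Phishing', business_unit: 'Finance', severity: 1 },
  { category: 'Phishing', business_unit: 'Sales', severity: 2 },
  { category: 'Malware', business_unit: 'Finance', severity: 3 },
  { category: 'Malware', business_unit: 'HR', severity: 1 },
  { category: 'Denial of Service', business_unit: 'Sales', severity: 2 },
];

// What a custom script for an "incidents per category" indicator would return.
function incidentsByCategory() {
  return treemapData(SAMPLE_INCIDENTS, { groupBy: 'category', aggregateType: 'COUNT' });
}

console.log(JSON.stringify(incidentsByCategory()));
```

Because the function returns a plain array, the same code serves a COUNT-per-category tile set, an average-severity-per-business-unit tile set, or a MAX-severity view limited to the top few categories, by changing only the options object.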

Configure the treemap data source using query conditions

You can define the treemap data source by defining query conditions, much like other reports.

Role required: sn_si.admin

1. Navigate to Security Incident > Administration > Service Impact Definition.
2. Click the treemap category that uses the indicator you want to configure.
3. In the Treemap Indicators related list, click New.
4. Fill out the fields at the top.
5. On the Data Source Configuration tab, select Query Condition from the Data source list.
6. Enter information in the following fields.

Table 19: Query condition
  Query table: Select the base table to be queried.
  Aggregate type: Select the type of aggregate (SUM, COUNT, AVG, MIN, MAX) to be used.
  Aggregate field: Select the field to be used by the query.
  Group by: Select the field to sort the queried data.

7. To enhance the query, click Add Filter Condition and Add "OR" Clause.

8. Click Submit.

Configure the performance analytics data source

Next, you need to identify the data source for your treemaps.

Role required: sn_si.admin

The Performance Analytics data source allows you to use treemap information acquired via the performance analytics module.

Note: The Performance Analytics (PA) module requires a separate plugin. Contact for details.

1. Navigate to Security Incident > Administration > Service Impact Definition.
2. Click the treemap category that uses the indicator you want to configure.
3. Click the treemap indicator that you want to configure the PA data source for.
4. From the Data Source Configuration tab, select Performance Analytics from the Data source list.
5. Select the Indicator that will be used to group the PA data.
6. Select the Default breakdown that will be used to break down the selected PA indicator into multiple parts.
7. Click Update.

Configure the real-time treemap

You can configure the real-time security dashboard to change its appearance. As needed, you can also add treemaps and performance analytics indicator groups for quickly searching for indicators.

1. Navigate to Security Incident > Administration > Real-time Definition.

2. If you are defining a new real-time treemap, enter a Name. The base system defaults to Security Incident Real time.
3. If you are using performance analytics as a data source, you can further constrain the metrics reported in the dashboard by entering the PA Indicator Group.
   Note: The Performance Analytics module requires a separate plugin.
4. You can activate or deactivate the real-time treemap definition using the Active check box.
5. To change the color for incidents, click Security Incidents in the Treemap Categories related list and select a different color.
6. If you want to use other treemaps from different sources, click New in the Treemap Categories related list, define the parameters you want to use, and click Submit.
7. Click Update.

Configure service impact treemaps

You can configure the service impact treemaps that come with the base system, and you can add other indicators as needed. The types of configuration you can perform include defining treemap dimensions, dimension metrics, data sources, and treemap tile click-through behaviors.

1. Navigate to Security Incident > Administration > Service Impact Definition.

2. If you are defining a new treemap, enter a Name. The base system defaults to Security Incident.

3. If you are using performance analytics as a data source, you can further constrain the metrics reported in the dashboard by entering the PA Indicator Group.
   Note: The Performance Analytics module requires a separate plugin. Contact for details.
4. You can activate or deactivate the treemap definition using the Active check box.
5. To modify a dashboard dimension, click the treemap dimension you want to change. The metrics for the selected dimension display.
6. To create a new treemap dimension, click New and enter information in the following fields.

Table 20: Treemap dimension
  Name: The name of the dimension displayed in the Dimensions drop-down list in the Service Impact dashboard.
  Order: The order the dimension appears in the Dimensions drop-down list in the Service Impact dashboard.
  Treemap: The treemap name entered on the previous screen.
  Color: The color this dimension displays in the selected treemap.
  Active: You can activate or deactivate this dimension.

  Description: A description of the dimension.

7. When you have completed your entries, click Submit.
8. To modify the metrics displayed in the treemap, click the treemap dimension you want to modify. The metrics for the selected dimension display.

9. When you have completed making changes, click Update.

Security incident creation

Security incidents can be created in numerous ways, some manually and others automatically. If you have any security role, you can use any of the following methods for manually creating security incidents.

Table 21: Methods for manually creating security incidents
  Manually created from the Self-Service Security Incident catalog: You can create SIRs by selecting from categories of security threats defined in the security incident catalog.
  Manually created from incidents: On the Incident form in incident management, click Create Security Incident to create a new security incident.
  Manually converted from a security request: On the Security Request form, click the Convert to Security Incident button to create a new security incident.
  Manually converted from an existing alert: On the Event Management Alert form, click Create Security Incident to create a new security incident.
  Manually created from the Security Incident form: New Security Incident Response (SIR) records can be created using the Create New module on the navigation bar.
  Manually converted from a vulnerability record: On the Vulnerability Items form, while viewing a CVE record, click the Create Security Incident button to create a new security incident.

Automatic creation of security incidents

Generally, security admins are responsible for setting up the alert rules used to automatically generate security incidents.

Table 22: Security admin method for creating security incidents
  Automatically created using alert rules: Security incidents can be created based on alert rules defined in the Event Management application.

Manually create a security incident

You can create a new security incident from the Security Incident form, as well as from several other forms.

Role required: sn_si.admin

You can create security incidents from the following forms:
  Incident form
  Event Management Alert form
  Vulnerable Items form
  Security Request form

You can also create security incidents using these methods:
  Selecting Security Incident > Create New.
  Selecting a security incident from the Security Incident Catalog.

Security incidents can also be automatically created from alerts via alert rules.

1. Navigate to Security Incident > Incidents > Create New.
2. Fill in the fields on the form, as appropriate.

Table 23: Security incident
  Number: [Read only] The automatically-generated security incident number.
  Requested by: The person requesting the work to be performed.
  Location: The location of the caller or service. If an Affected CI is not selected, this field is prefilled with the requester's location.
  Category: The category that identifies the type of security issue.
  Subcategory: The subcategory that further defines the issue.
  Affected CI: The configuration item affected by the security issue.
  Opened: [Read only] Displays the date and time the incident was opened.
  State: The current state of the security incident. Upon security incident creation, this field defaults to Draft.
  Substate: Identifies whether the security incident includes a pending problem or change.
  Contact type: Identifies the method used to log the security incident.
  Assignment group: The assignment group from which the assigned worker will be selected.
  Assigned to: The individual assigned to perform the work.

  Short description: A description of the security incident. As you type the short description, links to related articles from the knowledge base appear. It is recommended that you scan the information, because it may solve your issue.

3. Select the following tabs and complete the information, as appropriate.

Table 24: Security incident tabs

General
  Attack Vector: Click the lock icon to select attack vectors. After the field is unlocked, options are available for adding or removing multiple attack vectors and viewing attack vector details. When you have completed your entries, click the lock icon to lock the field.
  Business Unit: Click the lock icon to select the affected business units.
  Impact: Select the level that describes the criticality level of the attack.
  Priority: Select the order in which this attack needs to be addressed, based on the urgency.
  Risk: Select the risk level to the business unit.
  Severity: Select a severity for the security incident.
  Description: Enter a description for the security incident.

Related Records
  Problem: Select a Problem (PRB) record related to the underlying issue that caused this security incident to be created. The PRBs for this were created by right-clicking in the security incident form header and selecting Create Problem.
  Change request: Select a Change (CHG) record related to the underlying issue that caused this security incident to be created. The CHGs for this were created by right-clicking in the security incident form header and selecting Create Change.
  Parent: Select an Incident (INC) record related to the underlying issue that caused this security incident to be created.

Post Incident Review

  Post incident review required: Select this check box to indicate that the post-incident review is required for this security incident.
  Post incident review assignees: Click the lock icon to add users who will participate in the post-incident review. After the field is unlocked, options are available for adding or removing multiple users or entering user addresses. When you have completed your entries, click the lock icon to lock the field.
  Post incident report: Using the text editor, create the post-incident report with the results of the post-incident review.

Activities
  Watch list: Click the lock icon to add users who will be notified when changes to the security incident occur. After the field is unlocked, options are available for adding or removing multiple users or entering user addresses. When you have completed your entries, click the lock icon to lock the field.
  Work notes list: Click the lock icon to add users who will be notified when new work notes are added. After the field is unlocked, options are available for adding or removing multiple users or entering user addresses. When you have completed your entries, click the lock icon to lock the field.
  Additional comments: Enter comments that will be visible to the requesting user.
  Work notes: Enter work notes that will be visible to the security users.

4. When you have completed your entries, click Submit.

Note: You can make manual entries to the Impact, Priority, Risk, and Severity fields. If you have active severity calculators, the information in the security incident will be validated against the conditions defined in the calculators and the severity fields may be updated. After the security incident has been created, you can click the Calculate Severity related link to update the fields any time the information in the security incident changes. To view or make changes to the rules that dictate how these fields are set, navigate to Security Incident > Severity Calculators.

5. After you have created security incidents, you can view them using any of the following applications under Security Incident > Incidents:
  Created by me
  Open Security Incidents
  All Security Incidents
  Assigned to me

  Open - Unassigned

Security incidents created from events and alerts

When the Event Management application is activated, internal and external alert monitoring tools, such as Splunk, can be used to send security events to the security incident response system. The events are first processed by Event Management, then they are grouped into alerts, and then used to create security incidents based on predefined alert rules.

In the Alert Rules module of the Event Management application, the Create security incidents from critical alerts alert rule triggers the automatic creation of security incidents when critical security-related events are received from within or from third-party monitoring applications. After the security incident has been created, it is updated as new events are received. The task template for this alert rule can be modified to change the conditions that must be met to create security incidents.

Alternatively, if you are a user with the Security Admin role, you can manually create a security incident by clicking the Create Security Incident button on the Event Management Alerts form.

It is important that the events received from the external tool include the following information:
  The node set to the name of the affected CI.
  The event classification must be set to Security to distinguish them from other IT events.
  The event description, which populates the description of the security incident.
  The additional information in the event must include a string that identifies field names along with their expected values, using the following JSON format:

    { "fieldname" : "fieldvalue", "fieldname" : "fieldvalue" }

Note: If a field with a value is identified in the event string, and the associated field in the security incident is empty, the value will populate that field. If the field in the security incident is not empty, the current value in that field is used (that is, it is not overwritten with the value in the event). In either case, the event and all the fields and values encoded in the additional information are recorded in a work notes entry describing the event. If nothing is changing in the security incident, a work note entry is not created.

View related events and alerts in security incidents

As a security incident is being worked on, it is sometimes useful to view events and alerts associated with the CIs affected by the security incident. For events received, you can view the details of the events. For alerts, you can view and acknowledge these events, and create incidents or security incidents from them as needed. You must have the Security Incident Response Event Management support plugin activated.

Role required: sn_si.admin or sn_si.agent

1. Navigate to Security Incident > Incidents > Open Security Incidents.
2. If the CIs affected by the security incident you are viewing have received alerts or events within the previous 24 hours, one or both of the following related lists appear.
  Security Incident CI Alerts
  Security Incident CI Events
3. Click the related list you want to view.
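The merge rule in the note under "Security incidents created from events and alerts" above (event values fill only empty incident fields, every field and value from the event is recorded in a work note, and no work note is written when nothing changes) is the part most worth getting right, because a monitoring tool is effectively writing into an analyst's record. The following added example, written for this page and not taken from ServiceNow or its documentation, models that rule. The event shape, the incident field names, the constructed sample event and the allow-list of fields an event may fill are assumptions; the allow-list in particular is an added defensive measure the page does not describe, included so that a malformed or over-eager event cannot populate fields such as assignment that belong to the analyst.

```javascript
// Added example, not code from ServiceNow or its documentation. It models the
// rule for events that update a security incident: values from the event's
// additional information fill empty incident fields only, every field and value
// in the event is recorded in a work note, and no work note is written when
// nothing changes. Event shape, field names and the allow-list are assumptions.

// Fields an event may populate (assumed allow-list, not from the page).
const EVENT_FILLABLE_FIELDS = new Set(['category', 'subcategory', 'severity', 'attack_vector', 'description']);

// Parses the additional-information string into field name -> value pairs.
// Returns null for anything that is not a flat JSON object of scalar values.
function parseAdditionalInfo(text) {
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (err) {
    return null;
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) return null;
  for (const value of Object.values(parsed)) {
    if (value !== null && typeof value === 'object') return null; // nested structures are not field values
  }
  return parsed;
}

function isEmpty(value) {
  return value === undefined || value === null || value === '';
}

// Applies one event to one security incident. Returns the (possibly updated)
// incident, the work-note text or null, and a short reason for the outcome.
function applyEventToIncident(incident, event) {
  if (event.classification !== 'Security') {
    return { incident, workNote: null, reason: 'not a Security event' };
  }
  if (event.node !== incident.affected_ci) {
    return { incident, workNote: null, reason: 'node does not match the affected CI' };
  }
  const fields = parseAdditionalInfo(event.additional_info);
  if (fields === null) {
    return { incident, workNote: null, reason: 'additional information is not a JSON object' };
  }

  const updated = { ...incident };
  const filled = [];
  for (const [name, value] of Object.entries(fields)) {
    if (!EVENT_FILLABLE_FIELDS.has(name)) continue; // ignored, but still listed in the note
    if (isEmpty(updated[name])) {
      updated[name] = value;
      filled.push(name);
    }
  }
  if (filled.length === 0) {
    return { incident, workNote: null, reason: 'no field changed' };
  }

  // The work note records the event and every field/value it carried.
  const lines = [`Event ${event.id} from node ${event.node}: ${event.description}`];
  for (const [name, value] of Object.entries(fields)) {
    let status = 'kept existing value';
    if (filled.includes(name)) status = 'set';
    else if (!EVENT_FILLABLE_FIELDS.has(name)) status = 'ignored';
    lines.push(`  ${name} = ${JSON.stringify(value)} (${status})`);
  }
  return { incident: updated, workNote: lines.join('\n'), reason: 'updated' };
}

// Constructed sample: an incident with an empty category, and an event for its CI
// that also tries to set a field outside the allow-list.
const SAMPLE_INCIDENT = { affected_ci: 'web-prod-01', category: '', severity: 2, description: '' };
const SAMPLE_EVENT = {
  id: 'EV-1', // constructed identifier
  node: 'web-prod-01',
  classification: 'Security',
  description: 'Burst of failed logins followed by a success',
  additional_info: '{ "category" : "Unauthorized access", "severity" : 1, "assigned_to" : "helpdesk.user" }',
};

function demo() {
  return applyEventToIncident(SAMPLE_INCIDENT, SAMPLE_EVENT);
}

console.log(demo().workNote);
```

Running the sample fills category (it was empty), keeps the existing severity of 2, ignores assigned_to, and writes a work note listing all three; applying the same event a second time changes nothing, so no work note is produced.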

Related list: Security Incident CI Alerts
You can view details for alerts received within the previous 24 hours, and you have the option of clicking Acknowledge to indicate that you are aware of the alert and it is being handled, or Close to indicate that the alert is not important.

Related list: Security Incident CI Events
You can view details for events received within the previous 24 hours.

Create response tasks

After a security incident has been created, response tasks are created to identify what actions must be performed to respond to the security issue.

Role required: sn_si.admin

1. Navigate to the appropriate application to open the security incident for which you want to create tasks. For example:
   To locate a security incident you created, select Security Incident > Incidents > Created by me.
   To locate a security incident assigned to you, select Security Incident > Incidents > Assigned to me.
   To view a list of all security incidents that are not yet assigned, select Security Incident > Incidents > Open - Unassigned.
2. Click Add Response Task.
3. Fill in the fields on the form, as appropriate.

Table 25: Security incident

Number: [Read only] The automatically generated security incident response number.
Parent: [Read only] The number of the related security incident.
Configuration item: The configuration item affected by the security issue. Note: To save time, you can also click the Copy CI from Incident button to bring the CI information from the related security incident.
Priority: Select the priority used to determine when this task should be performed.

State: The current state of the security response task. Upon task creation, this field defaults to Draft.
Skills: Click the lock icon and select the skill required to perform this task. After you have completed your selections, click the lock icon again.
Assignment group: The assignment group from which the assigned worker will be selected.
Assigned to: The individual assigned to perform the task.
Short description: A description of the Security Incident Response task.
Description: Enter a description for the selected task.
Work notes: Enter work notes that will not be visible to the customer.

4. When you have completed your entries, click Submit.

After you have created Security Incident Response tasks, you can view them using any of the following applications under Security Incident > Response Tasks:
All Security Incident Tasks
Assigned to me
Open - Unassigned

Agent assignment

Depending on your settings in the SM application configuration screen, you can assign agents manually or using auto-assignment.

If you have a limited number of agents for completing requests, or you simply do not want to auto-assign agents, you can use manual assignment. Auto-assignment allows you to define criteria by which agents are automatically selected to satisfy requests entered in service management applications. Based on the needs of your organization, you can configure the criteria for agent auto-assignment in the following ways.

When auto-assignment is enabled and a task is qualified or marked as Ready for Work, the following actions occur:
Available agents are evaluated based on the criteria defined in the configuration.
An appropriate agent is automatically assigned to the task.
The task is moved to the Assigned state.

If the configuration is set up to consider more than one set of criteria, such as location and skills, the agents are evaluated based on the weighting property settings in addition to the other criteria.
If the task cannot be auto-assigned, a user with the dispatcher role must adjust the values in the request or task form and then save the record.

Manually assign agents to active requests

Use this procedure to assign agents to active requests in service management (SM) applications.

1. Navigate to one of the following:
   [SM application] > Open - Unassigned for a list of requests that no one is assigned to.
   [SM application] > All [SM application] Requests for a list of all open requests, regardless of their current assignment.
2. Open the request you want to assign.
3. In the Assignment group field, enter the group that handles this kind of request. If no groups are available, leave this field blank. To look up the assignment group, click the look up using list icon beside the Assignment group field.
   Note: You do not have to select an assignment group, but doing so limits the users you can assign the request to.
4. In the Assigned to field, enter the agent to handle this request. To look up an agent, click the look up using list icon beside the Assigned to field.
   Note: The users in the search results are limited to the users in the Assignment group, if one was selected.
5. Click Update.

An email notification is automatically sent to the assigned agent if notifications are set up for the instance.

Agent auto assignment using rating-based criteria

Rating-based methods, such as location, skills, and time zones, help you auto assign agents based on configuration settings and optional properties. The calculated ratings are used to determine the best agent to perform the task.

Any combination of rating-based methods can be enabled in the application configuration screen. When a task is created, a rating for each type of enabled selection criteria is calculated for each available agent. The agent whose average rating is highest is considered for auto-assignment. The settings for the auto-assignment weighting properties, found in [SM application] > Administration > Properties, are included in the rating calculations.
These values help you prioritize which auto-assignment selection criteria are more important to your organization. The priority values should be in the range [1, 10], and they are factored to a value between 0 and 1. That is, 10 is a factor of 1, 5 is a factor of 0.5, and so on. For an example of how the weighting properties affect agent ratings, see Agent auto assignment using multiple selection criteria on page 51.

Agent auto assignment using location

Agents can be auto assigned based on the location defined in their user record and the location of the tasks. Auto assignment by location can be performed in a task- or request-driven processing environment if the Auto-selection of agents will consider location of agents configuration option is enabled.

When a task is created, agent locations are compared to the following ranges to determine each agent's location rating.

Table 26: Location rating calculation

Distance (mi.) from agent to task / Rating
0 to to to to to to to to >100 0

When a task is qualified or marked as Ready for Work, the agent closest to the task location is considered for the task. If the application is configured so that only location is considered, the closest agent is auto-assigned to the task. If the application is configured to use other selection criteria, such as skills, time zone, or schedule, the ratings of all selection criteria are averaged, and the agent with the highest overall rating is auto-assigned for the task. See Agent auto assignment using multiple selection criteria on page 51 for details.

Agent auto assignment using skills

Agents can be auto assigned based on the agent's skills and the skills required to perform the task. Assign skills to an agent's user record using Skills > Users.

Auto assignment by skills can be performed in either a task- or request-driven processing environment if the Auto-selection of agents for tasks requires them to have skills configuration option is set to all or some for the application.

When a task that includes skills is qualified or marked as Ready for Work, each agent's skills are compared with the skills required to perform the task and a rating is calculated based on the skills configuration option. If the option is set to some, the agent with the closest skills match is auto-assigned the task. If the option is set to all, only agents who possess all of the required skills are considered. If no agents possess all of the skills required to perform the task, none are auto-assigned.

An agent's skills rating is calculated as:

Skills_agent / Skills_task

where:
Skills_agent is the number of skills possessed by the agent that match the skills required for the task.
Skills_task is the total number of skills required for the task.
For example, if a task requires 4 skills, and Agent A possesses three of them and Agent B possesses two of them:

Agent A's skill rating = 3/4 or 0.75
Agent B's skill rating = 2/4 or 0.5

If the application is configured to use other selection criteria, such as location or time zone, the ratings of all selection criteria are averaged, and the agent with the highest overall rating is auto-selected for the task. See Agent auto assignment using multiple selection criteria on page 51 for details.

Agent auto assignment using time zones

Agents can be auto assigned based on the time zone defined in their user records and the time zone of the tasks. Auto assignment by time zone can be performed in either a task- or request-driven processing environment if the Auto-selection of agents will consider time zone for the task configuration option is enabled for the application.

When a task is qualified or marked as Ready for Work, agents in the time zone closest to the task time zone are considered for the task. If the application is configured so that only time zone is considered, an agent in the same time zone is auto-assigned the task.

Note: It is important that the time zones for the agent and the task be set correctly.

When a task is created, agents are rated based on the time zone of the task and the agent's time zone using the following formula:

1 - [abs(Task_tz - Agent_tz) / 12]

where:
abs is the mathematical function to compute the absolute value.
Task_tz is the offset between the time zone of the task and GMT.
Agent_tz is the offset between the time zone of the agent and GMT.

For example, a task is created in New York City (GMT-4), and two agents are available to perform the task, one in Los Angeles (GMT-7) and one in Paris, France (GMT+1).

The rating of the agent in Los Angeles is calculated as: 1 - abs((-4) - (-7)) / 12, or 0.75
The rating of the agent in Paris is calculated as: 1 - abs((-4) - (+1)) / 12, or 0.58

So if the auto assignment of the task is based on the time zone alone, it is assigned to the agent from Los Angeles.

If the application is configured to use other selection criteria, such as skills or location, the ratings of all selection criteria are averaged, and the agent with the highest overall rating is auto-selected for the task. See Agent auto assignment using multiple selection criteria on page 51 for details.
Agent auto assignment using time-based criteria

Time-based methods, such as schedules and priority assignment, help you auto assign agents based on configuration settings and optional properties. The calculated ratings are used to determine the best agent to perform the task.

Any combination of time-based methods can be enabled in the application configuration screen. When a task is created, the schedule of the agent and the task to be performed are combined with rating-based criteria to auto-assign an agent.

Agent auto assignment using schedules

Agents can be auto assigned based on the agent or the task schedule. Auto assignment by schedule can be performed only in a task-driven processing environment, and the Auto-selection of agents will consider agent or task schedules configuration option must be enabled for the application. If this option is turned off, only the agent ratings are used for auto-assignment.

When a task is qualified or marked as Ready for Work, agents' ratings are evaluated, and the schedules of qualified agents are compared against the schedule of the task to determine the agent with the best matching schedule.

Note: If the task includes specific time entries in the Window start and Window end fields, and no agent's schedule falls within that task window, no agents are assigned. Also be aware that if the customer wants a task to be performed at or near a specific time, the Window start time should be set as close to that time as possible. If, for example, the Window start and Window end fields are set to 1:00 pm and 8:00 pm, respectively, and the customer prefers the job to be started at 4:00 pm, it is possible that an agent will be dispatched at 1:00 pm. Setting the Window start closer to 4:00 pm helps ensure that the work is performed when the customer prefers it to be done.

If the application is configured to use other selection criteria, such as skills or time zone, the ratings of all selection criteria are averaged, and the agent with the highest overall rating is auto-selected for the task. See Agent auto assignment using multiple selection criteria on page 51 for details.

Agent auto assignment using priority assignment

The priority assignment feature enables you to configure auto assignment so that agents can be assigned to perform tasks or provide services on a continual, 24x7x365 basis. Priority assignment is triggered when the priority of a task matches the priority set in the application configuration page. Priority assignment can be used in conjunction with location and skills settings; however, it can also operate independently.

To use priority assignment, you must set the following configuration options for the application.

Table 27: Priority auto-assignment configuration options

Process lifecycle: Set to task driven (subtasks are required).
Assignment method for tasks: Set to auto-assignment.
Auto-selection of agents will consider agent or task schedules: Enabled.
Enable priority assignment: Enabled.
Select priorities for assignment: Select one or more priorities.
Only tasks of the selected priority or priorities trigger auto-assignment based on priority assignment.

When a task is qualified or marked as Ready for Work, and the priority of the task matches a priority selected for the application, the agent that best matches the schedule of the task is auto-assigned. If the location and skills options are enabled, agents are first evaluated on their physical proximity to the location of the task, and then on how their skills match the skills required to perform the task. The agent whose location, availability, and skills best match the requirements of the task is auto-assigned.

When a task has a priority that matches a priority in the priority assignment list, the Location Rating and Timezone Rating are ignored, even if they have been enabled.

If the priority of a task matches a priority selected in the Select priorities for assignment option, and no agents in the assignment group are available to be auto-assigned, the task is assigned to the group manager, regardless of whether the manager is available. It is the responsibility of the manager to locate an agent to perform the task.

Note: If no agent is located in the same time zone as the task, priority assignment fails.

Agent auto assignment using multiple selection criteria

At its simplest, auto assignment involves identifying a set of selection criteria and automatically assigning the task to the agent who most closely meets the criteria. You can, however, select multiple sets of criteria, including both rating-based and time-based criteria.

When a task is qualified or marked as Ready for Work, the following evaluations are performed:

1. The agents' ratings are calculated. If the Auto-selection of agents will consider agent or task schedules configuration option is disabled for the application, the agents' ratings are used exclusively for auto-assigning an agent. For more information on how the ratings are calculated, see:
   Agent auto assignment using location on page 47
   Agent auto assignment using skills on page 48
   Agent auto assignment using time zones on page 49
2. If the Auto-selection of agents will consider agent or task schedules configuration option is enabled, the schedules of the agents whose ratings are acceptable for auto-assignment are compared to the schedule for the task, and the agent with the best match is auto-assigned. For more information on time-based methods for auto-assigning agents, see:
   Agent auto assignment using schedules on page 49
   Agent auto assignment using priority assignment on page 50

Auto assignment is based on the following calculation:

[(Criteria_1 rating x Criteria_1 weight) + (Criteria_2 rating x Criteria_2 weight) + (Criteria_3 rating x Criteria_3 weight)] / Number of criteria types used

where:
Number of criteria types used = 1, 2, or 3, depending on the location, skill, and time zone settings used.
Each weight is the factored value (between 0 and 1) of the corresponding weighting property.

This example calculates agent auto-assignment based on location and skills. The example is based on the following assumptions.

The Auto-selection of agents will consider location of agents configuration option is enabled for the application.
The Auto-selection of agents requires them to have some of the required skills for the task configuration option is enabled for the application.
The Skills Weight property is set to 10 for the application.
The Location Weight property is set to 5 for the application.
Agents A and B are available to perform a task, and the task requires four specific skills.
Agent A's location is 5 miles from the site of the task, and he possesses three of the four required skills.
Agent B's location is one-quarter mile from the site, and she possesses two of the required skills.

Auto assignment for the agents uses this calculation:

[(Location rating x Location weight) + (Skills rating x Skills weight)] / 2

The auto assignment calculation for Agent A is:

[(0.7 x 0.5) + (0.75 x 1)] / 2 = 0.55

The auto assignment calculation for Agent B is:

[(0.9 x 0.5) + (0.5 x 1)] / 2 = 0.475

In this example, Agent A is auto assigned the task.
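The rating arithmetic from the skills, time zone, and multiple-selection-criteria sections above, as an added example that is not ServiceNow's own code: it computes the skills and time-zone ratings, factors the [1, 10] weight properties, averages the weighted ratings, and reproduces the Agent A / Agent B calculation. The location ratings (0.7 and 0.9) are taken as given inputs from the example above because the distance table is not reproduced here; agent names, skill names, and time-zone offsets are constructed.

```javascript
// Added example (not ServiceNow code): the agent rating arithmetic described above.
// Skills rating: matching skills / required skills (Skills_agent / Skills_task).
function skillsRating(agentSkills, taskSkills) {
  if (taskSkills.length === 0) return 1; // no skills required: every agent matches
  var matches = taskSkills.filter(function (s) {
    return agentSkills.indexOf(s) !== -1;
  }).length;
  return matches / taskSkills.length;
}

// Time zone rating: 1 - [abs(Task_tz - Agent_tz) / 12], offsets in hours from GMT.
function timeZoneRating(taskTz, agentTz) {
  return 1 - Math.abs(taskTz - agentTz) / 12;
}

// Weight properties are entered as numbers in [1, 10] and factored to [0.1, 1]:
// 10 becomes 1, 5 becomes 0.5, and so on.
function weightFactor(weightProperty) {
  if (typeof weightProperty !== 'number' || weightProperty < 1 || weightProperty > 10) {
    throw new RangeError('weight property must be a number in [1, 10]');
  }
  return weightProperty / 10;
}

// Combined score: sum over the enabled criteria of (rating x factored weight),
// divided by the number of criteria types used.
function combinedRating(ratings, weights) {
  var names = Object.keys(ratings);
  if (names.length === 0) return 0;
  var total = names.reduce(function (acc, name) {
    return acc + ratings[name] * weightFactor(weights[name]);
  }, 0);
  return total / names.length;
}

// Rates every agent against the task under the given configuration and returns
// { agent, score, ratings } for the best one, or null when nobody qualifies.
// config: { useLocation, skillsOption ('none' | 'some' | 'all'), useTimeZone, weights }
// agent.locationRating is the Table 26 value for the agent's distance; it is an
// assumed input here because the distance-to-rating table is not reproduced.
function selectAgent(agents, task, config) {
  var best = null;
  agents.forEach(function (agent) {
    var skills = skillsRating(agent.skills, task.skills);
    // With the "all" option an agent missing any required skill is never considered.
    if (config.skillsOption === 'all' && skills < 1) return;
    var ratings = {};
    if (config.useLocation) ratings.location = agent.locationRating;
    if (config.skillsOption !== 'none') ratings.skills = skills;
    if (config.useTimeZone) ratings.timezone = timeZoneRating(task.tz, agent.tz);
    var score = combinedRating(ratings, config.weights);
    if (best === null || score > best.score) {
      best = { agent: agent.name, score: score, ratings: ratings };
    }
  });
  return best;
}

// The worked example from the text: location and skills enabled, Skills Weight 10,
// Location Weight 5, Agent A at 5 miles (rating 0.7) with 3 of 4 skills, Agent B at
// a quarter mile (rating 0.9) with 2 of 4 skills. Expected: A 0.55, B 0.475.
function documentExample() {
  var task = { skills: ['forensics', 'malware', 'network', 'linux'], tz: -4 }; // constructed
  var agents = [
    { name: 'A', skills: ['forensics', 'malware', 'network'], locationRating: 0.7, tz: -7 },
    { name: 'B', skills: ['forensics', 'malware'], locationRating: 0.9, tz: 1 }
  ];
  var config = {
    useLocation: true, skillsOption: 'some', useTimeZone: false,
    weights: { location: 5, skills: 10 }
  };
  return selectAgent(agents, task, config);
}

console.log(JSON.stringify(documentExample())); // agent "A", score 0.55 (floating point)
```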

Create a change or problem from a security incident

After you have created and saved a security incident, you can create a change (CHG) or problem (PRB) record from it.

Role required: sn_si.agent

1. Open a security incident using one of these methods:
   Open an existing security incident by navigating to Security Incident > Incidents > Open Security Incidents.
   Create a new security incident by navigating to Security Incident > Incidents > Create new, fill out the form, and save the record.
2. Right-click in the security incident's header bar and click one of the following:
   Create change
   Create problem

The change or problem is created.

Security request creation

You can use the Requests module to create requests for low-impact security demands, such as changing a password or requesting a new badge. When a breach occurs, however, you open a security incident instead.

After you have created security requests, you can view them using any of the following applications under Security Incident > Requests:
Open Security Requests
All Security Requests
Assigned to me

You can also view security requests you created under Self-Service > My requests.

Create a security request

Security requests are similar to security incidents, except for their severity.

Roles required: You can view security requests that you created, or if you have the sn_si.basic role or higher. You can convert a security request to a security incident only if you have the sn_si.basic role or higher.

1. Navigate to Security Incident > Requests > Create New.
2. Fill in the fields on the form, as appropriate.

Table 28: Security request

Number: [Read only] The automatically generated security request number.
Company: The location of the requester's company.

Location: The CI's location, if applicable. This field is pre-filled when the CI is selected.
Configuration item: The configuration item affected by the request.
Priority: The priority of the request.
Opened: [Read only] The date and time that the request was opened.
State: The current state of the security request. Upon security request creation, this field defaults to Draft.
Assignment group: The assignment group from which the assigned worker will be selected.
Assigned to: The individual assigned to perform the work.
Short description: A description of the security request.
Description: The description of the request, which will be visible to the requester.
Work notes: Work notes that are not visible to the requester.

3. When you have completed your entries, click Submit.
4. If you must escalate the request to a security incident, click Convert to Security Incident.

Post incident review

Based on the requirements of your business, a review of the origins and handling of certain security incidents may be required. The Post Incident Response functionality provides many tools for automating and simplifying this process, including:
a method for flagging a security incident for post incident review
dynamic post incident questionnaires for collecting information about the incident
an automatically generated first draft of the post incident report that can be edited before it is finalized

Optimal post incident review workflow

If you are an agent or manager, you may decide at any time during the process of handling a security incident (through analysis, containment, eradication, and recovery) that the security incident requires additional review before it can be closed. Reasons for doing so might include:
it involves legal action
it requires public relations attention
it requires review by the next level up in management, or even board action
it may need to be documented for auditing reasons

So you flag the security incident for post incident review. The security incident now cannot be closed until a post incident report has been generated.

If you want the review to include a set of questions about the security incident, sent to a specific group of users who worked on it, you should create the user list as the security incident transitions to the Review state. The questionnaire can be a helpful tool for gathering information about the handling of the security incident from a number of sources, without having to chase people down or hold meetings. But if you would rather gather the information yourself, simply leave the user list empty.

After the security incident has been resolved, it moves into the Review state. If you selected users to receive a questionnaire, each user is sent a notification with a link to the dynamic post incident questionnaire. The questions are filtered to apply to the security incident you are dealing with. During the course of the review, you can add more users to the list or remove existing users from the list, unless they have already started filling out the questionnaire. When you save the security incident, the new users receive the list of questions.

When all of the users have responded, the post incident report is automatically generated. If you decided to dispense with the questionnaire, ensure that all users have been removed from the list and click the Format Post Incident Report button to generate the first draft of the report.

You can edit the report using the HTML editor until it reflects the level of information required, then transition the security incident to the Closed state. The report is then complete and cannot be changed.

Post incident report

The final product of the post incident review is the post incident report. The post incident report is required to record the actions performed, the reasons for doing them, and lessons learned.
The post incident report compiles all of the information related to the security incident, as well as all assessment responses if a questionnaire was used, into an initial draft that you can then edit. If the report was generated by clicking the Format Post Incident Report button without sending out a questionnaire, an initial post incident report is assembled. If a questionnaire was sent out, those results are included, along with the percentages of users who provided each answer.

Even if a questionnaire was not used, the post incident report provides valuable data, including:
the initial incidents that caused the security incident
changes, problems, and vulnerabilities created or linked to the security incident
a description of the security incident
the entire activity log with all work notes, response tasks, and activities

The following table describes the components of the security incident report and identifies where the information originated.

Table 29: Security incident report

Section: This section identifies the security incident number, as well as other summary information. This information comes from the Short description and Assigned to fields in the security incident, and the Close notes and Lessons Learned fields under the security incident's Closure Information tab.
Section: This section identifies the individuals who were assigned to and/or updated the security incident, along with their titles or departments.

Section: This section lists, in chronological order, all events recorded for the security incident, from creation (in this example, it was created from an Incident) to the review state. All subtasks created in the resolution of the issue are also listed. This information comes directly from the security incident's work notes entered in the Activities tab.
Section: This section lists the questions sent out, along with answers from each user.

Section: This section describes how the issue was resolved, lists the vulnerability records that were referenced, and identifies the change or problem created during the handling of this security incident.

Perform a questionnaire-based post incident review

Either during security incident creation or when you are working with an existing security incident, you may decide that a review of the security incident is needed to describe what happened, to help determine why the incident occurred, and to identify how it can be avoided or handled in the future.

Before you can actually perform a post incident review, you must change the state of the security incident to Review, and the Close code and Close notes fields under the Closure information tab must be completed.

Role required: sn_si.admin, sn_si.manager, sn_si.agent

Note: Any user can participate in a post incident review questionnaire, regardless of role.

A post incident review helps to automate the collection of information from everyone involved with a given security incident. When the review is complete, the post incident report is automatically generated to compile all of the information related to the security incident, as well as all responses to the post incident review, into an initial draft that you can edit and complete.

1. Create a security incident, or open an existing one by navigating to Security > Incident and selecting Created by me, Open, All, and so forth.
2. Click the Post Incident Review tab, and fill in the fields, as appropriate.

Post incident review required: Select this check box to indicate that a post incident review is required for this security incident.

Post incident review assignees: The reviewer list defaults to the individual in the Assigned to field, but you can click the lock icon to add other users to the review list. After the field is unlocked, options are available for adding or removing multiple users or entering user email addresses. When you have completed your entries, click the lock icon to lock the field.
Post incident report: Leave the text editor box empty for now. Any text you enter prior to the report being generated is lost after the report is generated.

3. Click Update. Each of the users in the review list receives an initial notification, as well as reminders as the due date nears. When each user opens the questionnaire, the questions shown are drawn from all categories that fit this security incident. If new users are added to the review list before the due date is reached, they are sent notifications when the security incident is saved.
4. When the last of the users in the review list has completed the questionnaire, the Post incident report box is automatically populated with the post incident report. You can edit the report using the text editor.
5. Note: If, for any reason, you need to regenerate the report, you can do so by clicking the Format Post Incident Report button. Be aware, however, that any edits you manually made in the report are overwritten. All edits should be performed prior to closing the security incident.
6. When you have completed your edits, change the state of the security incident to Closed. This locks the security incident, including the post incident review, preventing further changes.

Post incident review questionnaires

If you decide to use a questionnaire as part of a post incident review, a list of questions relevant to the security incident is sent to a user-defined list of users, and their responses are automatically formatted into a post incident report. While an initial list of questions is provided with the base system, the questions are customizable.
You can create new categories and add new questions to them, or you can change individual questions within existing categories. You can also define when certain questions should be asked. There may be questions you ask only for your Unix servers, for example, or only when there is criminal activity. You can define questions that are asked depending on the answer to another question or on the value in a field on the form. There can even be questions that are filled in entirely by querying the database.

Create post incident review questionnaire categories

You can use the questionnaire categories that come with the base system or create your own categories.

Role required: sn_si.admin

To create a new category of questions:

1. Navigate to Security Incident > Post Incident Review > Review questions.
2. Click New.

A list of categories is displayed, along with their order and the filters that define under what conditions the questions are asked (for example, only when the security incident category is Criminal activity). Each category is a section in the post incident review questionnaire, and the questions in each category are included only when the security incident matches the Condition filter. For example, for a category of questions applying only to Linux servers, you would set up a filter that selects security incidents where the CI type is Linux Server. In that category, you would then create all questions needed when a security incident is on a Linux Server.

You can use one of the categories supplied in the base system or create a new category. The procedure below assumes you want to create a new category before defining questions.

3. Enter a Name for the new category. The name appears on security incident questionnaires.
4. In the Filter area, enter the condition that determines when questions in this category should be used. If a security incident record matches this filter, the questions are included in a post incident review for that security incident. Filters can use any data on the record, or on other records linked to this record; for example, the department of the requesting user's manager.
5. If desired, enter a Description that will appear on security incident questionnaires.
6. Click Submit to save the category.

Compose post incident review questions

You can use the questions that come with the base system or create your own questions.

Role required: sn_si.admin

The methods for gathering post incident review information can be in the form of questions or as data automatically collected using scripts. Questions can be dependent on the answers to other questions. For example, you might ask if all necessary logs were available. If the answer is No, you ask a follow-up question to ascertain which of the needed logs were not enabled.
Scripted data collection, also called script metrics, gathers data related to the security incident via scripts you write. This can go well beyond the data in the security incident record itself. For example, a script metric could gather the recent outage time for a server affected by this security incident.

Finally, you can mix the two types. Questions can have default values taken from a script, or simply from a field in the security incident record. When you use a default value type of metric, you can choose whether you want the user to always answer the question, with the default value providing an initial value, or whether you want the user to be asked the question only if the script or field comes up empty.

To create a new question:

1. Navigate to Security Incident > Post Incident Review > Review questions.
2. Click the category for which you want to create a new question.
3. Click the Assessment Metrics tab.
4. Click New. You can also click an existing question to modify it.
5. Fill in the fields on the form, as appropriate.

Table 30: Metric form

Name: Name of the metric (question or script). If the metric is a scripted data collection, this name appears on the post incident report.

Category: The category that the metric belongs to. The system populates this field automatically if you create a new metric from the Metric Category form. Note: You cannot change the category if the Depends on field is set or if another metric depends on this metric.

Method: Indicates the type of metric, as follows:
  Assessment: A question with no default value. The way users answer it is set in the Data type field on the Type tab (check boxes, choice lists, text input, and so forth).
  Script: Scripted metric; values are obtained by a custom script. The Script method is compatible with the Duration, Number, and Percentage data types.
  Default answer from field: A question whose default response comes from a selected field on the security incident. Selecting this option adds two fields to the General tab:
    Default answer: The field on the security incident that contains the default answer for the question. For example, for the question "Who initially reported this incident?", the Requested by field would be a likely choice.
    Ask question: Specifies when to ask the question: always, or only if the Default answer field is empty. In the example above, the question would be asked only if the Requested by field is empty.
  Default answer from script: A question whose default answer comes from a script. The answer may be a number, string, or percentage. Selecting this option adds one field to the General tab:
    Ask question: Specifies when to ask the question: always, or only if the script does not provide a default answer. The script itself is defined on the Type tab.
Note: If you select a Data type that is incompatible with the selected Method, the system automatically changes the Method to a compatible value.

Weight [Required]: Numeric value that represents the importance of this metric relative to other metrics in the same category. The default is 10. This field is visible and required unless the Data type is Date, Date/Time, or String; those data types are not included in results calculations.
Order [Required]: Numeric value that determines the position of the metric question on assessment questionnaires relative to other questions in the same category. The metric with the smallest order value appears first in the category's section. The default is 100. Note: The order value does not matter for metrics with the Script method, as they do not appear on questionnaires.
Active: Check box that determines whether this metric is used. If it is cleared, the metric behaves as if its record did not exist.
Mandatory: Check box that makes the metric question mandatory (selected) or optional (cleared) on assessment questionnaires. Users cannot submit a questionnaire until they provide valid responses to all mandatory questions, which are marked with a red field status indicator. This field is visible only if the Depends on field is empty and the data type is not Checkbox.

6. Click the General tab and fill in the fields, as appropriate.

Table 31: General tab

Question: Text to use as the question on security incident review questionnaires. Enter a clear, straightforward question that is easy to answer, such as "How did we contain the incident?"

Description: Information about the metric and what it evaluates. If the Method is Assessment, include details that help users understand how to answer the question; this text appears as a hint when a user points to the question text on the questionnaire.
Depends on and Displayed when: In the Depends on field, select the question that the current question depends on. For example, the question "What additional logs were needed?" depends on the question "Were all needed logs available?" Then use the Displayed when field to specify the answer for which the dependent question appears on questionnaires. For example, if the dependent question should be asked only when the user answers No to "Were all needed logs available?", select No in the Displayed when field. Note: The system prevents recursive dependencies between metrics. For example, if Metric A depends on Metric B, Metric B cannot depend on Metric A.

7. Click the Type tab and fill in the fields, as appropriate.

Table 32: Type tab

Data type: The data type of the expected response. The list of available types depends on the selected method. If the method is Assessment, the data type determines how users answer the corresponding question on questionnaires. If the method is Script, the data type determines how the system calculates assessment results. Note: You cannot change the data type if another metric depends on this metric.

Randomize answers: Check box that determines whether the answer options for this metric question are presented in a random order each time a user opens an assessment questionnaire that contains the question. Answer preference is sometimes influenced by the order in which options appear, which can bias results; randomizing the options helps prevent this. This field is visible only if you select Likert Scale or Choice in the Data type field.
Dependent plugin [Required if the Method is Script]: Plugin that contains the tables queried in the script. The system executes the metric script only if the plugin is active. The default available values are Asset Management, CMDB, Core, Cost Management, Procurement, and Software Asset Management. This field is visible only if the Method is Script. Note: If the Core value is used, the script always runs. Note: Administrators can add more plugin choices to the field.
Scale definition: Setting that determines whether lesser or greater numerical values equate to a good score in assessment result calculations. Select Low if lesser values are better, such as for a metric that measures the number of defects for a vendor. Select High if greater values are better, such as for a metric that measures user satisfaction on a scale of one to five. The default is High. This field is visible and required unless the Data type is Date, Date/Time, or String; results for those data types are not included in results calculations.

Min: Lowest numerical value to be used as an answer option on assessments or as a scaled value in a scripted metric. This field is visible and required only for certain data types. If the data type is Choice or Likert Scale, the field is read-only and is set automatically from the smallest metric definition Value.
Max: Highest numerical value to be used as an answer option or scaled value. This field is visible and required only for certain data types. If the data type is Choice or Likert Scale, the field is read-only and is set automatically from the largest metric definition Value.
Script: Script that obtains the desired system information. The script has one input variable, primary, set to the ID of the security incident, and three possible output variables that the script sets: string_result, scaled_result, and actual_result. When the data type is String, only string_result is required. This field is visible and required when the Method is Script or when the default value comes from a script.
Template: A predefined set of common answers to use for the question. For example, a frequency template would likely start with "Never" and go up to "Always". This field is visible and required only if the Data type is Template. Note: You cannot change the template if another metric depends on this metric.

8. Optional: When you have completed your entries, click Update.

Generate a post incident report without performing an assessment

You can generate a post incident report without first performing an assessment. Before you can generate a post incident report, the security incident must be in the Review state.

Role required: sn_si.admin

1. Create a security incident, or open an existing one by navigating to Security > Incident and selecting Created by me, Open, All, and so forth.
2. Click Format Post Incident Report. The report is generated in the Post Incident Review tab of the security incident.
3. You can edit the report using the text editor.

4. When you have completed your edits, change the state of the security incident to Closed.

Note: Do not click Format Post Incident Report again after making manual edits to the report. Regenerating the report discards your changes, so make all edits immediately before closing the security incident.

Security incident monitoring

You can monitor the security incidents on your system using security dashboards that display gauges and reports for incident handling. You can also monitor affected CIs by viewing the BSM map. The dashboards show the impact of security incidents with treemaps and other charts that update automatically in real time, broken down by incident categories such as counts, severities, and priorities. You can view operational trends, incident analytics, incidents that affect your business services, and P1 and P2 incidents logged within the previous 24 hours. Data in the charts is driven by Performance Analytics.

Figure 6: Sample Open Security Incident Dashboard

For more information, see Performance Analytics concepts.

View impacted business services

You can use the service impact dashboard to monitor impacted business services. The dashboard displays a treemap of incidents affecting business services, and you can select different categories of incidents to display. Treemap data is driven by Performance Analytics.

Role required: sn_si.admin

The treemap displays different combinations of incident data calculated from Performance Analytics metrics. The visual presentation depends on the type of data drawn into the map. For example, when viewing the Incident Count category, the size of each rectangle and the associated number reflect the number of incidents for each business service, so you can tell at a glance which business services are most affected. Click inside a rectangle to view the security incidents for that business service.

1. Navigate to Security Incident > Security Dashboards > Service Impact.
2. In the header bar, select the category for the metrics you want to display for each impacted business service. For some categories, you can also select an indicator to filter the information further.

Metric: Action
Denial of service incidents: Select the Denial of Service category.
Total number of incidents logged: Select the Incident Count category.
Incidents by their impact level: Select the Incident Impact category and one of the following indicators. All: displays an average of Impact 1 and Impact 2 incidents. Incidents by Impact 1: displays metrics for only impact 1 incidents. Incidents by Impact 2: displays metrics for only impact 2 incidents.
Incidents by their priority: Select the Incident Priority category and one of the following indicators. All: displays an average of priority 1 and priority 2 incidents. Incidents by Priority 1: displays metrics for only priority 1 incidents. Incidents by Priority 2: displays metrics for only priority 2 incidents.
Incidents by their risk level: Select the Incident Risk category and one of the following indicators. All: displays an average of Very High, High, and Moderate risk incidents. Very High Risk: displays only Very High Risk incidents. High Risk: displays only High Risk incidents. Moderate Risk: displays only Moderate Risk incidents.
Incidents by their severity level: Select the Incident Severity category and one of the following indicators. All: displays an average of severity 1 and severity 2 incidents. Incidents by Severity 1: displays metrics for only severity 1 incidents. Incidents by Severity 2: displays metrics for only severity 2 incidents.

3. To view records for the security incidents affecting a business service, click the treemap tile for that business service.

To tailor the data on the service impact dashboard, you can modify and create the treemap categories and indicators. For details, see Security incident treemaps on page 30.

Use the security incident overview

The security incident overview dashboard displays various security incident gauges. These gauges help security administrators and staff members track and manage aspects of the security incident fulfillment process.

1. Navigate to Security Incident > Security Dashboards > Operations.
2. You can configure how often the dashboard is refreshed.

Figure 7: Dashboard refresh control

3. You can also change the layout of the gauges by clicking the Change Layout button.

View security incident analytics

You can use the analytics dashboard to view analytics reports on security incidents. Reports are organized under tabs for incidents that are open, new, and closed, as well as incidents tracked by the average number of days since they were logged.

Role required: sn_si.admin

1. Navigate to Security Incident > Security Dashboards > Analytics. The dashboard includes several reports of security incident information.
2. Select the tab for the state or duration of the security incidents that you want to view reports on.
   Overview: Displays basic information about incidents, such as open incidents, basic indicators, and the number of new security incidents by priority.
   Open, New, or Closed: Displays reports for security incidents in the selected state.
   Daily, 7d Running, or 28d Running: Displays reports for security incidents that were logged today, up to 7 days ago, or up to 28 days ago.
3. Perform any of the following actions.
   See the information represented by a chart segment: Point your cursor at the segment. A tooltip appears with details about the segment.
   View more details for a chart segment: Click a segment to see more details about the element. You may need to scroll up to view the information. Information is organized under the following tabs, depending on the selected element:
     Chart: The detail of the element displayed in a chart. Use the controls on the upper right to add or change comments, targets, and thresholds.
     Breakdowns: The breakdown of the buckets used in the report. Select a chart type from the choice list on the upper right to see the data in another format.
     Records: The records that make up the element you selected. You can view the detail of each record.
     Scores: The number of records for each week in the report.
     Comments: Comments entered for this report. The tab is disabled unless comments exist.
     More info: A description of the logic that generates the report, how often the job runs, and when the data was last collected.
   Save the chart as an image file: If a menu icon appears when you point your cursor at a chart, click the icon to export the chart to an image file.

Use the security real-time dashboard

The Real-time security dashboard presents counts of priority 1 and 2 security incidents in real time. The dashboard can be configured as needed.

1. Navigate to Security Incident > Security Dashboards > Real-time.
2. Click inside any treemap tile to view the details of the selected incident category.

Identify all CIs affected by a security incident

If you know which configuration item (CI) is behind a security incident and want to identify other CIs that might be affected, you can use the Business Service Management (BSM) map. The BSM map displays the upstream and downstream dependencies of a selected root CI.

Role required: sn_si.admin or admin

You can open the BSM map for a CI in two ways: from the security incident form, if you want to view CIs in the context of a task, or from the application navigator, if you do not want a task viewpoint.

1. Open the BSM map using one of these methods:
   From the security incident form: In the Security Incident record form, populate the Affected CI field and click the show CI map icon. The system displays the CI and all its dependent CIs in the map.
   From the application navigator: Navigate to Security Incident > Incidents > View BSM. The BSM map is created for the last incident you accessed in Incident Management or the last security incident you accessed in Security Incident Management.
2. Click the icons next to a CI to view different kinds of details about the CI. For example, click the alert icon to view alerts associated with the CI. Note: To view a list of all available icons, click Filters above the BSM map and expand Filter Task Types.
3. To rearrange the map, select any of the formats listed above the map (Vertical, Horizontal, Radial, and so forth).
4. To filter the map for specific CIs, click Filters and configure the filter settings.
5. If you opened the BSM map from the security incident form, you can add a dependent CI to the security incident by right-clicking the CI and selecting Add Affected CIs. To add multiple CIs at once, drag a box around the CIs you want to add, right-click the box, and select Add Affected CIs. The CIs are added to the Affected CIs related list of the security incident.

Components installed with Security Incident Response

Several types of components are installed with Security Incident Response. Activating the Security Incident Response plugin adds or modifies several tables, user roles, and other components. Demo data is available with Security Incident Response.

Tables installed with Security Incident Response

Security Incident Response adds the following tables.

Table 33: Tables for Security Incident Response

Security Incident [sn_si_incident]: Security incidents. These are the main records that store a security incident, the responses to the incident, and all linked tasks. Changes, problems, and incidents related to the security incident are also stored.

Security Incident Response Task [sn_si_task]: Security incident response tasks that manage subtasks related to handling a security incident. These tasks may be assigned to security personnel or to people in other departments, to manage interdepartmental communication and task tracking.
Security Incident Task Template [sn_si_task_template]: Templates for creating a security incident response task. These are often used in catalog entries to automatically create a set of appropriate subtasks for a particular type of security incident.
Security Incident Template [sn_si_incident_template]: Templates for creating a security incident. These are often used in catalog entries to create a prebuilt security incident.
Security Incident Flow [sn_si_sf_incident]: Security incident state flows that handle state transitions for the security incident table. They determine which state transitions are valid, as well as which UI actions and business rules apply to each state.
Security Incident Task Flow [sn_si_sf_task]: Security incident response task state flows that handle state transitions for the Security Incident Response Task table. They determine which state transitions are valid, as well as which UI actions and business rules apply to each state.
Security Incident Attack Vectors [sn_si_attack_vector]: Attack vector options.
Risk Task [sn_si_m2m_risk_task]: Links between a security incident and the risks associated with that incident.
Security Request [sn_si_request]: Requests to the security team from outside the department.
Severity Calculator [sn_si_severity_calculator]: Rules to set the risk, impact, priority, and severity on a security incident in certain circumstances.

When the Security Incident Response plugin is activated, the Tree map plugin is automatically activated. The Tree map plugin adds the following tables.

Table 34: Tables for tree map

Treemap Category [treemap_dimension]: Treemap categories are groupings of treemap metrics for a treemap.
Treemap Definition [treemap_definition]: Treemap definitions are configurations that define a treemap visualization.
Treemap Indicator [treemap_metric]: Treemap indicators are configurations for the data that is displayed on a treemap.

Properties installed with Security Incident Response

Security Incident Response adds the following properties.

Table 35: Properties for Security Incident Response

Default start time for all agents when no schedule is set, formatted as 08:00 [sn_si.default.start.time]: Default start time for all security agents when no schedule is set, in 24-hour clock format. Type: string. Default value: 08:00. Location: Security Incident > Administration > Properties.
Default end time for all agents when no schedule is set, formatted as 17:00 [sn_si.default.end.time]: Default end time for all security agents when no schedule is set, in 24-hour clock format. Type: string. Default value: 17:00. Location: Security Incident > Administration > Properties.
Admin users can access Security Incident Response [sn_si.unlocked]: The security application is unlocked for admin access, giving admin users write access to Security Incident Response. Type: true | false. Default value: true. Location: Security Incident > Administration > Properties. Set this property to false if security incident data must be visible only to users holding the sn_si roles; with the default of true, users with the admin role also have write access to it.

Assignment properties for Security Incident Response

Location Weight [sn_si.location.weight]: A rating used when calculating the criteria for auto-assigning an agent. If, for example, location is considered for a task, the location weight value is added to the agent's rating. Type: integer. Default value: 10. Location: Security Incident > Administration > Properties.
Skills Weight [sn_si.skills.weight]: A rating used when calculating the criteria for auto-assigning an agent. If, for example, skills are considered for a task, the skills weight value is added to the agent's rating. Type: integer. Default value: 10. Location: Security Incident > Administration > Properties.
Time Zone Weight [sn_si.timezone.weight]: A rating used when calculating the criteria for auto-assigning an agent. If, for example, the agent's time zone is considered for a task, the time zone weight value is added to the agent's rating. Type: integer. Default value: 10. Location: Security Incident > Administration > Properties.
Set the maximum number of agents that will be processed by auto-assignment at a time [sn_si.max.agents.processed]: The system has an absolute limit of 300 agents and sets the value to 300 if you specify more. The system cannot auto-dispatch a task for a dispatch group that contains more agents than the configured value. Type: integer. Default value: 100. Location: Security Incident > Administration > Properties.
Work spacing [sn_si.work.spacing]: Amount of time (in minutes) to add between the end of a task and the travel start of the next. An example of a valid value is 10. Type: integer. Default value: 0. Location: Security Incident > Administration > Properties.
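The three weight properties and the agent cap interact in a way the table only hints at: each criterion a task asks for adds its weight to an agent's rating, and a dispatch group larger than the configured batch is never auto-dispatched at all. The block below is an added illustration written for this page, not ServiceNow's auto-assignment code; the matching rules (exact location and time zone match, all requested skills present), the property object standing in for sys_properties, and the sample task and agents are assumptions made for the example.

```javascript
// Added example (not ServiceNow code): combining the assignment weight
// properties into an agent rating, with the documented 300-agent ceiling.

const PROPS = {                     // constructed; mirrors the documented defaults
  'sn_si.location.weight': 10,
  'sn_si.skills.weight': 10,
  'sn_si.timezone.weight': 10,
  'sn_si.max.agents.processed': 100,
};
const ABSOLUTE_AGENT_LIMIT = 300;   // documented hard ceiling for the batch size

// Effective batch size: values above 300 are clamped to 300.
function effectiveAgentLimit(props = PROPS) {
  return Math.min(Number(props['sn_si.max.agents.processed']), ABSOLUTE_AGENT_LIMIT);
}

// Rate one agent for a task. Each criterion the task asks for adds that
// criterion's weight when the agent satisfies it (assumed matching rules).
function rateAgent(task, agent, props = PROPS) {
  let rating = 0;
  if (task.criteria.includes('location') && agent.location === task.location) {
    rating += Number(props['sn_si.location.weight']);
  }
  if (task.criteria.includes('skills') && task.skills.every(s => agent.skills.includes(s))) {
    rating += Number(props['sn_si.skills.weight']);
  }
  if (task.criteria.includes('timezone') && agent.timezone === task.timezone) {
    rating += Number(props['sn_si.timezone.weight']);
  }
  return rating;
}

// Pick the best-rated agent in a dispatch group. Returns null when the group
// is larger than the batch size (the documented case where the task cannot be
// auto-dispatched) or when no agent matches any criterion. Ties break by name.
function autoAssign(task, group, props = PROPS) {
  if (group.length > effectiveAgentLimit(props)) return null;
  const rated = group.map(a => ({ agent: a.name, rating: rateAgent(task, a, props) }))
                     .filter(r => r.rating > 0)
                     .sort((x, y) => y.rating - x.rating || x.agent.localeCompare(y.agent));
  return rated.length ? rated[0] : null;
}

// Constructed sample task and dispatch group.
const TASK = { criteria: ['location', 'skills', 'timezone'], location: 'Geneva',
               skills: ['forensics'], timezone: 'Europe/Zurich' };
const GROUP = [
  { name: 'bob',   location: 'Geneva', skills: ['forensics'],            timezone: 'Europe/Zurich' },
  { name: 'carol', location: 'Geneva', skills: ['malware'],              timezone: 'Europe/Zurich' },
  { name: 'dave',  location: 'Boston', skills: ['forensics', 'malware'], timezone: 'America/New_York' },
];
```

With the defaults bob rates 30, carol 20 and dave 10, so bob is chosen; a group of more than 100 agents returns null until sn_si.max.agents.processed is raised, and any value above 300 is silently treated as 300.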

Roles installed with Security Incident Response

Security Incident Response adds the following roles.

Table 36: Roles for Security Incident Response

security admin [sn_si.admin]: Has full control over all Service Management data. Also administers territories and skills, as needed. Contains roles: sn_si.manager, catalog_admin, knowledge_manager, skill_admin, skill_model_admin, template_admin, sn_si.agent, territory_admin.
security agent [sn_si.agent]: Security agents are tier 1 and 2 agents who work on security incidents. Creates and updates security incidents, requests, and tasks, as well as problems, changes, and outages related to their incidents. Contains roles: sn_si.basic, sn_si.read, inventory_user, service_fulfiller, skill_user, pa_viewer, document_management_user.
security basic [sn_si.basic]: Creates and updates security incidents, requests, and tasks, as well as problems, changes, and outages related to their incidents. Security basic is the underlying role for basic security access.
security manager [sn_si.manager]: Has the same access as security agents, with the additional ability to adjust the members of assignment groups. Contains roles: sn_si.basic.
security read [sn_si.read]: Has read-only access to security incidents. Contains roles: sn_si_cmdb_read.
security external [sn_si.external]: Role for external users, to view tasks assigned to them. Contains roles: None.
security knowledge admin [sn_si.knowledge_admin]: Manages, updates, and deletes information in the Security Incident knowledge base. Contains roles: knowledge_admin. The sn_si.admin role inherits this role.

When the Security Incident Response plugin is activated, the Tree map plugin is automatically activated. The Tree map plugin adds the following roles.

Table 37: Roles for tree map

treemap_admin: Manages tree map configuration details, such as categories and indicators. Contains roles: treemap_user, pa_power_user.
treemap_user: Has read-only access to tree map configuration details and access to tree map visualizations. Contains roles: pa_viewer.

Client scripts installed with Security Incident Response

Security Incident Response adds the following client scripts.

Table 38: Client scripts for Security Incident Response

Copy Closure info to Work Notes [sn_si_incident]: When an incident is closed, copies the closure information to the work notes, for documentation purposes and to prevent messages if the configuration requires work notes.
Change None to Leave Alone [sn_si_severity_calculator]: Changes the default value on the severity calculator form.
sn_si_incident state flow [sn_si_incident]: Handles the flow of permitted states.
Hide the closure tab [sn_si_incident]: Hides the close code, notes, and other closure information until the security incident transitions to the Review or Closed state. There are two client scripts for this: one that runs when the form is loaded, and one that updates when the state is changed.
Allow state changes [sn_si_incident]: Allows the state field to be set manually.
sn_si_incident change stat [sn_si_incident]: Handles the state flows of all field controls.

sn_si_task state flow [sn_si_task]: Handles the flow of permitted states.

When the Security Incident Response plugin is activated, the Tree map plugin is automatically activated. The Tree map plugin adds the following client scripts.

Table 39: Client scripts for tree map

Clear out the default breakdown [treemap_metric]: When the Performance Analytics indicator changes for a treemap indicator, clears the default breakdown field.
Clear out the default breakdown [treemap_dimension]: When the Performance Analytics indicator changes for a treemap category, clears the default breakdown field.
Ensure Result Limit is LT 100 (submit) [treemap_metric]: Verifies that the result limit is less than or equal to 100.

Script includes installed with Security Incident Response

Security Incident Response adds the following script includes.

Table 40: Script includes for Security Incident Response

CalculateSeverity: Handles the security incident severity calculations and rules.
SecurityIncidentAJAX: Handles server-side security utility functions.
SecurityIncidentUtils: Handles utility functions for security incidents, including some handling of Event fields and creation of problems and change requests.
SecurityReviewGenerator: Generates a post incident review.

When the Security Incident Response plugin is activated, the Tree map plugin is automatically activated. The Tree map plugin adds the following script includes.

Table 41: Script includes for tree map

TreemapQueryConditionProcessor: Data processor for Treemap Metric Query Condition.
TreemapClickThroughProcessor: AbstractAjaxProcessor implementation that delegates the parameters to a treemap definition script, which builds a URL for redirecting users who click a specific tile in a treemap.
TreemapUtils: Utility script for treemaps, primarily to provide backing for indicator and breakdown reference qualifiers.
AbstractTreemapDataProcessor: Abstract script include that defines the structure that concrete data processors, such as TreemapQueryConditionProcessor and TreemapScriptDataProcessor, should follow.
Treemap360: AbstractAjaxProcessor that provides report data for a metric to a treemap implementation.
TreemapScriptDataProcessor: Data processor for the custom script entered for a metric.
TreemapClickThroughUrlFactory: Factory script that builds the URL of the web page opened when a treemap tile is clicked.

Business rules installed with Security Incident Response

Security Incident Response adds the following business rules.

Table 42: Business rules for Security Incident Response

Add extended info into SI [em_alert]: When an alert creates a security incident or has additional information for one, pulls that information into the security incident.
Assigned [sn_si_incident, sn_si_task]: Stores the time when an incident was assigned.
Auto business rule for Assessments [sn_si_incident]: Handles creation of assessable records for security incidents when they are ready for review. Supports the Post Incident Report.

Auto deletion rule for Assessments [sn_si_incident]: Handles deletion of assessable records for security incidents when they are no longer needed. Supports the Post Incident Report.
Calculate Severity on Creation [sn_si_incident]: Calculates the severity of a new security incident.
Cancel Cleanup [sn_si_task]: When a task is canceled, this business rule verifies whether the cancellation will change the state of the security incident, cancels any requested part transfers, and eliminates dependencies.
Cancellation [sn_si_incident]: When a security incident is canceled, cancels all tasks for the incident.
Check if all are closed [asmt_assessment_instance]: As each assessment (post incident review questionnaire) is completed, checks for any outstanding post incident review questionnaires. If all questionnaires are completed, generates the post incident report.
Copy location [sn_si_task]: Copies the location from the security incident Location field to the new task.
Create Knowledge On Closure [sn_si_incident]: If Knowledge is selected on a security incident form, creates a knowledge base article when the incident is closed.
Generate Assessments [sn_si_incident]: Creates, removes, and adds post incident review questionnaires when a security incident is in review.
Messages [sn_si_severity_calculator]: Stores the "Leave alone" message for the severity calculator client script.

Prevent non-security roles reading [sys_app_application (Application Menu), cmdb_model (Product Model), sn_si_m2m_risk_task (Risk Task), sn_si_attack_vector (Security Incident Attack Vectors), sn_si_severity_calculator (Severity Calculator), sf_state_flow (State Flow), task (Task)]: Prevents the system administrator and other non-security roles from viewing any part of the Security Incident Response data.
Prevent non-security roles updating [sys_user_role_contains (Contained Role), sys_group_has_role (Group Role), sn_si_m2m_risk_task (Risk Task), sn_si_incident (Security Incident), sn_si_attack_vector (Security Incident Attack Vectors), sn_si_sf_incident (Security Incident Flow), sn_si_task (Security Incident Response Task), sn_si_sf_task (Security Incident Response Task Flow), sn_si_incident_template (Security Incident Template), sn_si_severity_calculator (Severity Calculator), sys_properties (System Property), sys_user (User), sys_user_has_role (User Role)]: Prevents the system administrator and other non-security roles from updating any part of the Security Incident Response data.
Ready for approval [sn_si_incident]: If approvals are enabled in the Security Incident configuration, starts the approval workflow.
Reassign [sn_si_task]: If a task with parts on order is reassigned to someone else, reroutes the parts to the new assignee.

Business rule | Tables | Description
Refresh impacted services on CI change | Security Incident [sn_si_incident] | When the CI changes, updates the list of affected services.
Require reviews | Security Incident [sn_si_incident] | If a post-incident review is required, ensures the security incident cannot be closed until a post-incident report has been created.
Review required for priority one | Security Incident [sn_si_incident] | When a priority 1 security incident is created, a post-incident review is required before the incident can be closed.
State Flow Notes for sn_security_incident | Security Incident [sn_si_incident] | Handles any work notes added by state flows.
Store assignee | Security Incident [sn_si_incident] | When an incident is reassigned, adds the newly assigned agent to the list of people who must complete any post-incident response questionnaire that is created for the incident.
Store external url in scratchpad | Security Incident [sn_si_incident] | Stores the external URL for use when drilling down to the originating data for a security incident created by an external event.
Update related incident | Security Incident [sn_si_incident] | As additional comments (not work notes) are added to a security incident, updates the originating incident, if there is one.
Update security incident | Change Request [change_request], Incident [incident], Problem [problem] | As updates are made to the change request, updates the originating security incident.

When the Security Incident Response plugin is activated, the Tree map plugin is automatically activated. The Tree map plugin adds the following business rule.

Table 43: Business rule for tree map
Business rule | Table | Description
Update metric values with PA values | Treemap Indicator [treemap_metric] | When the Performance Analytics data source is used, this business rule updates the Treemap Indicator with information from the PA Indicator, such as unit, precision, and direction.

Vulnerability Response

The National Vulnerability Database (NVD) and many other sources collect information about known vulnerabilities, such as weaknesses in software and operating systems that can be exploited by malware and other attacks. The Vulnerability Response application aids you in tracking, prioritizing, and resolving these vulnerabilities.

What's new: Vulnerability Response release notes; Vulnerability Response overview on page 84; videos
Set up: Activate vulnerability response on page 85
Use: View general vulnerability data on page 85; Identify and escalate security issues in your CIs and software on page 92; Perform an NVD on-demand update on page 94
Administer: Configure the scheduled job for updating NVD records on page 95; Configure the scheduled job for updating CWE records on page 96
Develop: Define a new vulnerability integration on page 87; Custom report processor scripts on page 99; Configure a vulnerability integration to use a scripted REST API on page 101
Integrate: Report processor strategies on page 98; Components installed with Vulnerability Response on page 102
Troubleshoot and get help: Ask or answer questions in the community; Search the HI knowledge base for known error articles; Contact Support

Vulnerability Response overview

You can use the Vulnerability Response module to compare security data pulled from internal and external sources, such as the National Vulnerability Database, to vulnerable CIs and software identified in the Asset Management module. If CIs or software are found to be affected by a vulnerability, you can create changes, problems, and security incidents from those vulnerable items. You can also view common weakness enumeration (CWE) records from the NVD to understand how they relate to the vulnerabilities (CVEs) identified in Vulnerability Response. Knowledge articles associated with the CWEs are included for reference. As needed, you can update your system from the vulnerability databases on demand or by running user-configured scheduled jobs.

Activate vulnerability response

The Vulnerability Response plugin is available as a separate subscription.

Role required: admin

Vulnerability Response activates these related plugins if they are not already active.

Table 44: Plugins for Vulnerability Response
Plugin | Description
Software Asset Management Core [com.snc.sam.core] | Provides the base tables for software asset management. Includes software installations, usages, suite calculations, and discovery models.
Vulnerability Response Support [com.snc.security_support.vul] | Provides support functionality for use within the Vulnerability Response application.

To purchase a subscription, contact your account manager. After purchasing the subscription, activate the plugin within the production instance.

1. Navigate to System Definition > Plugins.
2. Right-click the plugin name on the list and select Activate/Upgrade. If the plugin depends on other plugins, these plugins are listed along with their activation status.
3. Optional: If available, select the Load demo data check box. Some plugins include demo data sample records that are designed to illustrate plugin features for common use cases. Loading demo data is a good policy when you first activate the plugin on a development or test instance. You can load demo data after the plugin is activated by repeating this process and selecting the check box.
4. Click Activate.
View general vulnerability data

You can use the vulnerability overview module to graphically present relevant vulnerability information for security incident handling.

Role required: sn_vul.vulnerability_read, sn_vul.vulnerability_write

The vulnerability overview gauges show various aspects of the vulnerabilities that affect your systems. You can click in each gauge to view detailed information for that gauge.

1. Navigate to Vulnerability > Overview.
Various gauges of vulnerability information are displayed. You can click in any gauge to view its detailed information.


Define a new vulnerability integration

A vulnerability integration is a process that can pull report data from a third-party system, generally to retrieve vulnerability data, and process that report data using data sources or a custom processor.

Role required: sn_vul.vulnerability_admin

1. Navigate to Vulnerability > Administration > Integrations.
2. Click New.
3. Fill in the fields, as needed.

Table 45: Vulnerability integration
Field | Description
Name | A descriptive name for the integration.
Active | Whether the integration is currently active. You can set up the parameters you want to use and deactivate the job if you do not want it to run for a specific time period.
Run | The frequency you want the integration to run: Daily, Weekly, Periodically, and so on. As noted below, subsequent fields are displayed or hidden based on your setting in this field.
Day | The day you want the integration to run. If you selected Weekly in the Run field, this field displays the days of the week. If you selected Monthly in the Run field, this field displays the days of the month.
Time | The time you want the integration to start.
Application | [Read only] The name of the application for which this integration was created.
Repeat Interval | If you selected Periodically in the Run field, this field displays the number of days and hours before the integration runs again.
Starting | If you selected Periodically in the Run field, this field displays the date and time to be used as the starting point for periodic updates.
Conditional | Select this if you want to add conditional parameters.
Condition | If you selected the Conditional check box, enter the conditions here.
Integration Details

Integration script | Select the script include for managing the integration's logic flow. You can also click the magnifying glass icon, click New, and define your own script include.
Integration factory script | Enter a script that defines how to construct the script include selected for the Integration script.
Report processor strategy | Select the strategy you want to use to handle the data returned by the integration script when the integration runs. Select Data Source Attachment if you want to process data using a data source. Select Custom Report Processor to select a custom processor.
Report processor | If you selected Custom Report Processor in the Report processor strategy field, select the script include that extends the VulnerabilityReportProcessorBase script include to be executed when the integration runs.
Processor factory script | Enter a script that defines how to construct the script include selected for the Report processor.

4. Click Submit.

About the vulnerability integration script

On the Vulnerability Integration form, the integration script is a reference to a script include that extends the VulnerabilityIntegrationBase script include. The functionality contained in this script is called by the VulnerabilityIntegrationController to manage the integration's logic flow. Each subclass of VulnerabilityIntegrationBase has access to contextual information about the calling process. That information is available through the following member variables:

integrationGr - a GlideRecord of the vulnerability integration record that requested the integration to run.
integrationProcessGr - a GlideRecord that provides contextual information for the current process of an integration. The vulnerability process contains special parameters to be used within an integration, generally for pagination purposes.

Each run of a vulnerability integration (called a Vulnerability Integration Run) has at least one associated vulnerability integration process.
For multi-call integrations, there are one or more vulnerability integration process records for each Vulnerability Integration Run. The script include must provide an implementation for the retrieveData() method and return an object that is then processed by the report processor script. The object returned by retrieveData() should be a simple object with properties for content, contentType, and extension. Here is a screenshot of VulnerabilityIntegrationBase.retrieveData():

Figure 8: VulnerabilityIntegrationBase.retrieveData()

The logic in retrieveData() depends on the interface required for retrieving the data. For example, if the source of the data being pulled has a REST API, the body of this method could call the REST endpoint, likely via RESTMessageV2. The response of the call can then be parsed or put into an attachment, and the details can be used to construct the return object.

Integration factory script fields

The Vulnerability Integration form contains the Integration factory script and, if the Custom Report Processor report processor strategy is selected, the Processor factory script. These fields provide the logic to actually instantiate the objects defined by the script include reference fields, Integration script and Report processor, respectively. When the script include is selected, both fields are pre-populated with a no-argument constructor call. In many cases this is sufficient, but there may be occasions where additional logic is required to instantiate the script object. The integrationProcessGr record is exposed to the constructor so that process-specific information can be used, as needed.

Single call integrations

Single call (single page) integration scripts are the simplest type of integration. They require one call, often to an external source of data, to retrieve data. Only retrieveData() needs to be implemented for single page/single call integrations. Below is a sample that demonstrates a simple single call integration script. It creates a RESTMessageV2 and executes it. It then returns an object using the response body as the contents, along with an assumed contentType and extension.

Figure 9: Single call integration script

Multiple call integrations

Multiple call (or multiple page) integration scripts are a bit more complicated. They require multiple calls to a data source to retrieve data. Like a single call integration, a multiple call integration must also implement retrieveData(). In the body of retrieveData(), the integration needs to use the hasMoreData() and setNextRunParameters() methods provided by VulnerabilityIntegrationBase. The hasMoreData() method accepts a single boolean that flags to the VulnerabilityIntegrationController that additional data needs to be retrieved and that additional processes should be started to get more data. When passing true to hasMoreData(), a call to setNextRunParameters() should be made to provide context to the next process. The setNextRunParameters() method accepts a single object that provides context information to be used by the next call to retrieveData(). This object is used to pass state to subsequent calls to retrieveData(). An example use case is passing an object that indicates the current page number and page size to a web service. For multiple call integrations, each retrieveData() call should first check the current process parameters. The _getProcessParameters() method is provided to all VulnerabilityIntegrationBase subclasses as a convenience to get the parameters set by the previous process. If there are no parameters, this indicates that it is the first process. Below is a screenshot of a sample multiple call integration script. Extending the single call integration example, it demonstrates making calls to a REST endpoint that has basic pagination support. It shows how to get a single page of data, recognize that there is more data to retrieve, and then tell the next process which page to retrieve.

Figure 10: Multiple call integration script

Attachments as retrieveData() return values

In some cases, it may be preferable to return an attachment from retrieveData(). The logic to create and/or retrieve an attachment is implementation specific, but after the attachment is known, its information can be returned. To provide an attachment, retrieveData() should return an object along the lines of:

{ contents: "attachment-sys-id", contentType: "sys_attachment" }

Below is an example that extends the previous example, but saves the response body of the REST message to the integration process record, and then returns that attachment identifier as the contents of the return object.

Figure 11: Return attachment from retrieveData()

Manually running a vulnerability integration

A vulnerability integration is configured to run on a scheduled basis. However, you can run one manually when needed.

Role required: sn_vul.vulnerability_write

1. Navigate to Vulnerability > Administration > Integrations.
2. Open the integration you want to run.
3. Click Execute.

Identify and escalate security issues in your CIs and software

You can use the Vulnerability Response module to compare security-related data pulled from internal and external sources, such as the National Vulnerability Database, to vulnerable CIs and software identified in the Asset Management module. If CIs or software are found to be affected by a vulnerability, you can escalate the vulnerabilities by creating changes, problems, and security incidents (if the Security Incident Response plugin is activated).

Role required: sn_vul.vulnerability_write

The following menu options under the National module can be used to view records in the NVD and compare them with vulnerable items in your system. The information in these options can be used for deciding whether vulnerabilities should be escalated:

Entries
Software
Common Weakness

Note: In addition to National Vulnerability Database Entries, you can integrate with other third-party vulnerability monitoring software packages. When you view the detail for a third-party vulnerability entry using the Third-party > Entries option, you can see vulnerability references and vulnerable items. From the vulnerability references, you can view external references to better understand the vulnerability. From the vulnerable items, you can create change requests, problems, or security incidents (if the Security Incident Response plugin is activated) as needed.

1. Navigate to Vulnerability > National.
2. View vulnerability information pulled from the National Vulnerability Database using any of the following options.

Option | Action
Entries | Select this option to view a list of Common Vulnerability Entries (CVE) records that were identified using third-party security monitoring tools. Click any CVE record to view: summary information for the CVE record; a reference to a Common Weakness Enumeration (CWE) record, if applicable; the record's score on the Common Vulnerability Scoring System (CVSS). For more information on the CVSS, go to the National Vulnerability Database website.
Software | Select this option to view software vulnerabilities returned from the NVD entries. You can use this information to match the NVD software to an Asset Management discovery model.
Common Weakness | Select this option to view Common Weakness Enumeration (CWE) records downloaded from the CWE database that you can use for reference when deciding whether a vulnerability needs to be escalated. Each CWE record also includes an associated knowledge article that describes the weakness.
You cannot escalate a vulnerability from the Common Weakness Enumerations screen; it is for reference only.

Each of these menu options provides information you can use to decide whether a given vulnerability warrants escalation.

3. On the National Vulnerability Database Entries and Vulnerable Software screens, click the following tabs to obtain additional information for identifying vulnerabilities. As indicated in the table, you can click the following buttons to escalate the record:
Create Change: to create a CHG.
Create Problem: to create a PRB.

Create Security Incident: to create an SR.

Option | Action
Vulnerable Items | Click this tab to view a list of vulnerable items, which consist of pairings of potentially vulnerable CIs and software for the selected CVE record (if applicable). You can click any of the buttons at the top of the screen to escalate the CVE record to the appropriate team. You can also click the "i" icon for any vulnerable item to view additional information about the CI/software pairing.
Vulnerability Entries (on Vulnerable Software screen only) | Click this tab to view a list of CVE records for the selected software record. Click a CVE record to view its details. Then you can click any of the buttons at the top of the screen to escalate the CVE record to the appropriate team.
Vulnerable Software (on National Vulnerability Database Entries screen only) | Click this tab to view software vulnerabilities returned from the NVD entries. You can use this information to match the NVD software to a Software Asset Management discovery model.
Vulnerability References (on National Vulnerability Database Entries screen only) | Click this tab to view vulnerability reference information for the selected CVE record.

Common weaknesses

Common Weakness shows Common Weakness Enumeration (CWE) records identified in the National Vulnerability Database that you can use for reference. You can also reference knowledge base articles for the CWE records from the CWE database.

Update NVD and CWE records

There are two methods you can use to update National Vulnerability Database records on your system and one method available for updating Common Weakness Enumeration records. NVD records can be updated on your instance by executing an on-demand update or by running a scheduled job that updates the repositories you select. CWE records can be updated using the scheduled job method.

Perform an NVD on-demand update

The On-Demand Update allows you to selectively update NVD repositories.
Upon import, the NVD screen shows the total number of entries updated, the last refresh date, the number of entries updated the last time a refresh was run, and the current status of the repository.

Role required: sn_vul.vulnerability_read

1. Navigate to Vulnerability > National > On Demand Update.
2. Select the check boxes for the repositories you want to update.
3. Click Import.
The Status field transitions through Ready > Queued > Downloading > Importing > Ready.

Note: In addition to on-demand updates, you can also configure a scheduled job to perform updates on a user-defined schedule. For example, the scheduled job could update the NVD records every Monday at 1:00 a.m.

Configure the scheduled job for updating NVD records

You can identify the repositories you want updated on a regular basis and then execute scheduled jobs to update National Vulnerability Database records on a nightly or weekly basis. You can also update the script or write your own scripts, as needed.

Roles required: If you have the admin role, you can add repositories to the scheduled job. If you have sn_vul.vulnerability_read, you can execute the scheduled job. If you have sn_vul.vulnerability_write, you can edit the details of the scheduled job.

1. Navigate to Vulnerability > National > Repositories.
2. For each NVD repository that you want to be automatically updated, change the Automatically update field to true.
3. Navigate to Vulnerability > Administration > Integrations.
4. Select the NIST National Vulnerability Database scheduled job.
5. If a message appears at the top of the Scheduled Script Execution screen asking you to Switch to Vulnerability, click the link to do so.
6. Modify the fields as needed.

Table 46: Scheduled Script Execution - NIST National Vulnerability Database screen
Field | Description
Name | The name of the scheduled job.
Active | Whether the scheduled job is currently active. You can set up the parameters you want to use and deactivate the job if you do not want it to run for a specific time period.
Run | The frequency you want the job to run: Daily, Weekly, Periodically, and so on. As noted below, subsequent fields are displayed or hidden based on your setting in this field.
Day | The day you want the scheduled job to run. If you selected Weekly in the Run field, this field displays the days of the week. If you selected Monthly in the Run field, this field displays the days of the month.
Time | The time you want the scheduled job to start.
Integration script | Select the script for pulling data from the data sources specified on the Vulnerability Integration Data Sources related list.

Application | [Read only] The name of the application for which you are running the scheduled job.
Repeat Interval | If you selected Periodically in the Run field, this field displays the number of days and hours before the scheduled job runs again.
Starting | If you selected Periodically in the Run field, this field displays the date and time to be used as the starting point for periodic updates.
Conditional | Select this if you want to add conditional parameters.
Condition | If you selected the Conditional check box, enter the conditions here.
Report Processor Strategy | Select the strategy you want to use to pull data and process the scheduled job. Select Data Source Attachment if you want to pull data from the data sources specified on the Vulnerability Integration Data Sources related list using the script selected in the Integration script field. Select Custom Report Processor to select a custom processor in the Report Processor script field.
Report Processor script | If you selected Custom Report Processor in the Report Processor Strategy field, select the script to be executed when the scheduled job runs.

7. To save your changes, click Update.
8. To run the scheduled job immediately, click Execute Now.

Configure the scheduled job for updating CWE records

You can identify the repositories you want updated on a regular basis and then execute scheduled jobs to update Common Weakness Enumeration records. For example, common weakness records can be updated from the Common Weakness Enumeration database on a regularly scheduled basis. You can also update the script or write your own scripts, as needed.

Roles required: If you have the admin role, you can add repositories to the scheduled job. If you have sn_vul.vulnerability_read, you can execute the scheduled job. If you have sn_vul.vulnerability_write, you can edit the details of the scheduled job.

1. Navigate to Vulnerability > Administration > Integrations.

2. Select the CWE Comprehensive 2000 Integration scheduled job.
3. Modify the fields as needed.

Table 47: Scheduled Script Execution - CWE Comprehensive 2000 Integration screen
Field | Description
Name | The name of the scheduled job.
Active | Whether the scheduled job is currently active. You can set up the parameters you want to use and deactivate the job if you do not want it to run for a specific time period.
Run | The frequency you want the job to run: Daily, Weekly, Periodically, and so on. As noted below, subsequent fields are displayed or hidden based on your setting in this field.
Day | The day you want the scheduled job to run. If you selected Weekly in the Run field, this field displays the days of the week. If you selected Monthly in the Run field, this field displays the days of the month.
Time | The time you want the scheduled job to start.
Integration script | Select the script for pulling data from the data sources specified on the Vulnerability Integration Data Sources related list.
Application | [Read only] The name of the application for which you are running the scheduled job.
Repeat Interval | If you selected Periodically in the Run field, this field displays the number of days and hours before the scheduled job runs again.
Starting | If you selected Periodically in the Run field, this field displays the date and time to be used as the starting point for periodic updates.
Conditional | Select this if you want to add conditional parameters.
Condition | If you selected the Conditional check box, enter the conditions here.

Report Processor Strategy | Select the strategy you want to use to pull data and process the scheduled job. Select Data Source Attachment if you want to pull data from the data sources specified on the Vulnerability Integration Data Sources related list using the script selected in the Integration script field. Select Custom Report Processor to select a custom processor in the Report Processor script field.
Report Processor script | If you selected Custom Report Processor in the Report Processor Strategy field, select the script to be executed when the scheduled job runs.

4. To save your changes, click Update.
5. To run the scheduled job immediately, click Execute Now.

View the vulnerability data source import queue

For third-party integrations that are configured to use the Data Source Attachment report processing strategy, you can use the Import Queue module to view a list of queued import entries. You can also change the status of import entries if you observe that they have been in the Processing state too long (that is, the import is "stuck").

You must have a third-party integration with Data Source Attachment set as the report processor strategy, and with at least one data source added to the integration.

Role required: sn_vul.vulnerability_write

1. Navigate to Vulnerability > Administration > Import Queue.
As a scheduled job runs, an entry is added to the Vulnerability Data Source Import Queue Entries screen for each page of data returned by the integration script defined in the selected integration. Entries in the import queue are processed in the order in which they were added to the queue. Queue entries are processed by taking the data from the import queue entry, attaching it to the integration's data source, and running the data source's configured transform map.
2. If you observe that one or more scheduled jobs have been in the Processing status for an unusually long time, you can open the record and change the Status field to Queued or Retry.
Report processor strategies

The Report processor strategy field on the Vulnerability Integration form selects the method used to process the data returned by the vulnerability integration script when the vulnerability integration process is executed. The default value is Data Source Attachment. This is the baseline implementation that takes the retrieved data and passes it to a data source to be imported into the system. Selecting Custom Report Processor allows you to select a custom processor script for processing the data.

Use the data source attachment report processor strategy

The Data Source Attachment report processor strategy should be used to pass data retrieved by the integration script to configured data sources.

Role required: sn_vul.vulnerability_admin

1. Navigate to Vulnerability > Administration > Integrations and create a new integration.
2. In the Report processor strategy field, select Data Source Attachment.
3. Right-click in the form header, and click Save.
4. In the Vulnerability Integration Data Sources related list, click New.
5. Define the data source to be used.
6. Click Submit.
7. Repeat steps 4 through 6 if you require additional data sources. Be sure to specify the order in which multiple data sources should send information in the Order field.
8. Click Update.

Custom report processor scripts

On the Vulnerability Integration form, the Report processor is a reference to a script include that extends the VulnerabilityReportProcessorBase script include. The functionality contained in this script is called by the VulnerabilityIntegrationController to manage the integration's logic flow. Each subclass of VulnerabilityReportProcessorBase has access to contextual information about the calling process.
That information is available through the following member variables:

integrationGr - a GlideRecord of the Vulnerability Integration record that requested the integration to run.
integrationProcessGr - a GlideRecord of the Vulnerability Process that provides contextual information for the current process of an integration.

The script include must provide an implementation for the processReport() method. The object passed to processReport() is the object that was returned by retrieveData(), and as such is a simple object with properties for content, contentType, and extension. The actual logic in processReport() is implementation specific and depends on the report data provided. Here is a screenshot of VulnerabilityReportProcessorBase.processReport():
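The single and multiple call integration scripts and the custom report processor described above, as an added example that is neither ServiceNow's code nor the page's own samples: it models the contract between the controller, a paginated integration script and a report processor, with plain classes standing in for VulnerabilityIntegrationBase, VulnerabilityReportProcessorBase and the controller, and a fake endpoint standing in for RESTMessageV2, so it runs outside an instance. The method and property names follow the page; the class and helper names (IntegrationBase, PagedFeedIntegration, FindingsReportProcessor, runIntegration, fakeRestEndpoint) and the feed contents are hypothetical.

```javascript
// Added example (not ServiceNow's or the page's own code). It models the contract
// described above: the controller starts one process per retrieveData() call, the
// integration flags more data with hasMoreData(true) and hands page state to the
// next process with setNextRunParameters(), and the report processor receives the
// object retrieveData() returned. RESTMessageV2, GlideRecord and Class.create do
// not exist outside an instance, so plain classes and a fake endpoint stand in.

// Constructed sample feed (hypothetical values, not real findings).
const REMOTE_FINDINGS = [
  { id: 'F-1', host: 'web01', cvss: 9.8 },
  { id: 'F-2', host: 'web02', cvss: 7.5 },
  { id: 'F-3', host: 'db01', cvss: 'n/a' },   // malformed score: must not be trusted
  { id: 'F-4', host: 'app01', cvss: 5.3 },
  { id: 'F-5', host: 'app02', cvss: 4.0 },
];

// Stand-in for a third-party REST API with basic page/pageSize pagination.
function fakeRestEndpoint(page, pageSize) {
  if (!Number.isInteger(page) || page < 1 || !Number.isInteger(pageSize) || pageSize < 1) {
    return { status: 400, body: '{"error":"bad paging parameters"}' };
  }
  const start = (page - 1) * pageSize;
  const items = REMOTE_FINDINGS.slice(start, start + pageSize);
  return {
    status: 200,
    body: JSON.stringify({ page, pageSize, total: REMOTE_FINDINGS.length, items }),
  };
}

// Stand-in for VulnerabilityIntegrationBase (hypothetical shape). The controller
// supplies integrationProcessGr and reads back the flags the script sets.
class IntegrationBase {
  constructor(integrationProcessGr) {
    this.integrationProcessGr = integrationProcessGr;
    this.moreData = false;
    this.nextRunParameters = null;
  }
  hasMoreData(flag) { this.moreData = Boolean(flag); }
  setNextRunParameters(params) { this.nextRunParameters = params; }
  _getProcessParameters() { return this.integrationProcessGr.parameters; }
  retrieveData() { throw new Error('retrieveData() must be implemented by the subclass'); }
}

// Multiple call integration: one page per process. A single call integration is
// the same class without the hasMoreData/setNextRunParameters branch.
class PagedFeedIntegration extends IntegrationBase {
  retrieveData() {
    // No parameters means this is the first process of the run.
    const params = this._getProcessParameters() || { page: 1, pageSize: 2 };
    const response = fakeRestEndpoint(params.page, params.pageSize);
    if (response.status !== 200) {
      throw new Error('feed returned HTTP ' + response.status);
    }
    const body = JSON.parse(response.body);
    const retrievedSoFar = (body.page - 1) * body.pageSize + body.items.length;
    if (body.items.length > 0 && retrievedSoFar < body.total) {
      this.hasMoreData(true);
      this.setNextRunParameters({ page: body.page + 1, pageSize: body.pageSize });
    } else {
      this.hasMoreData(false);   // last page: the controller stops starting processes
    }
    return { content: response.body, contentType: 'application/json', extension: 'json' };
  }
}

// Stand-in for a VulnerabilityReportProcessorBase subclass. processReport()
// validates each item before accepting it: feed data is untrusted input.
class FindingsReportProcessor {
  constructor() { this.findings = []; this.rejected = 0; }
  processReport(report) {
    if (report.contentType !== 'application/json') {
      throw new Error('unexpected content type: ' + report.contentType);
    }
    const body = JSON.parse(report.content);
    let accepted = 0;
    for (const item of body.items) {
      const validScore = typeof item.cvss === 'number' && item.cvss >= 0 && item.cvss <= 10;
      if (typeof item.id !== 'string' || typeof item.host !== 'string' || !validScore) {
        this.rejected += 1;
        continue;
      }
      this.findings.push({ id: item.id, host: item.host, cvss: item.cvss });
      accepted += 1;
    }
    return accepted;
  }
}

// Stand-in for VulnerabilityIntegrationController: chains processes through the
// next-run parameters. maxProcesses guards against a feed that never reports "done".
function runIntegration(IntegrationClass, processor, maxProcesses = 50) {
  let parameters = null;
  let processes = 0;
  while (processes < maxProcesses) {
    const integration = new IntegrationClass({ parameters });
    processor.processReport(integration.retrieveData());
    processes += 1;
    if (!integration.moreData) return processes;
    parameters = integration.nextRunParameters;
  }
  throw new Error('integration did not finish within ' + maxProcesses + ' processes');
}

const demoProcessor = new FindingsReportProcessor();
const demoProcessCount = runIntegration(PagedFeedIntegration, demoProcessor);
console.log(demoProcessCount + ' processes, ' + demoProcessor.findings.length +
  ' findings accepted, ' + demoProcessor.rejected + ' rejected');
```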

Figure 12: Custom report processor script

View the import queue

If you are using the Data Source Attachment report processor strategy, you can view import jobs that have not yet run. As needed, you can also change the status of a data import.

Role required: sn_vul.vulnerability_read, sn_vul.vulnerability_write

1. Navigate to Vulnerability > Administration > Import Queue.
You can sort the jobs using the Go to box.
2. Modify the fields as needed.

Table 48: Scheduled Script Execution - NIST National Vulnerability Database screen
Field | Description
Name | The name of the scheduled job.
Active | Whether the scheduled job is currently active. You can set up the parameters you want to use and deactivate the job if you do not want it to run for a specific time period.
Run | The frequency you want the job to run: Daily, Weekly, Periodically, and so on. As noted below, subsequent fields are displayed or hidden based on your setting in this field.
Day | The day you want the scheduled job to run. If you selected Weekly in the Run field, this field displays the days of the week. If you selected Monthly in the Run field, this field displays the days of the month.
Time | The time you want the scheduled job to start.
Integration script | Select the script for pulling data from the data sources specified on the Vulnerability Integration Data Sources related list.
