Automation and Standard Processes Flashcards
Before performing Splunk Integration setup procedures, what roles would the integration user need?
sn_si.integration_user and sn_si.analyst
in addition, to perform imports you need the import_transformer role to obtain read and write permission to security tables. The sn_si.integration_user role should be defined with the import_transfomrer portion of the role.
What are the Automation Capabilities?
Existing solutions that require advanced skills Workflow Orchestration Scheduled Jobs Business Rules
New innovations
Flow Designer
Integration Hub
What is SOAR?
Security Orchestration, Automation, and Response
What roles can activate a Security incident response flow?
sn_si.admin
action_designer
flow_designer
T or F The flows baseline for Security Incident Response are active once download
False
must download Security Operations Spoke - Search flow designer for Security operational applications for flows
then Copy flow
then hit activate button
How do you navigate to Runbooks?
Security Incident > Manual Runbook > View Runbook Documents
What are Runbooks?
knowledge bases contains articles that provide users with information such as self-help, Troubleshooting, and Task resolution.
what can Knowledge Articles do for Runbooks?
Provide detailed steps a Security Analyst should take under specific circumstances
can be related to Runbook Records where criteria for their use is defined
can be incorporated into a Playbook
What role is do you need to create, read, open for Security Incident Runbooks?
sn.si.knowledge_admin
what is the process of a playbook processing chain to end with a Runbook?
New Security Incident is created
Workflow is triggered by new records created in the sn_si_incident table
Workflow begins once triggered
Certain Workflow have been created to address “Playbooks” containing tasks used to resolve a specific type of threat.
As the workflow progresses new Security Incident Tasks are generated
Runbooks evaluates new Incident Response Tasks on the sn_si_task table
If the Incident Response Task matches with the criteria set in the Runbook then it creates an association between a KB article and the SIR task.
The new Security Incident response task with the KB article is then displayed to the user in new Security Analyst UI with the playbook.
How does a Playbook work within an Security analyst UI?
Resolves certain types of security threats in a step by step manner. Each group of tasks (analysis, Contain, Eradicate, Recovery, Review and closed) leads you through a series of questions and other activities for resolving the threat.
How does a Playbook work within an Security analyst UI?
Resolves certain types of security threats in a step by step manner. Each group of tasks (analysis, Contain, Eradicate, Recovery, Review and closed) leads you through a series of questions and other activities for resolving the threat.
What happens when a user reports a phishing Email in the User Reported Phishing Version 2.0?
Emails are captured in Sys_Emails table in ServiceNow.
Inbound actions and email ingestion rules identifies phishing email to creat Phishing Email Records
Aggregation logic applied on Phishing Email Records to find duplicates
Create Security Incidents with Parent - child association
Where is the Child Aggregation system property located?
User Reported Phishing properties module
What happens when the Child Aggregation system property is set to true?
All other phishing emails are up as child incidents to the first (parent) phishing email.