06-06-2024 06:35 PM - edited 07-02-2024 07:37 AM
We would like to invite you to review the Major Security Incident Management (MSIM) Bootcamp.
On June 27, Tim Boswell (Sr. Outbound Product Manager, SecOps), Antonio Challita (Sr. Principal Product Manager), and MSIM Product Engineering reviewed the setup and usage of the MSIM solution.
This session presents insightful information for getting started and using the solution, which includes hands-on experience for both administrators and end users. Get instruction for getting the solution active and integrated with your organization's communication applications, and hands-on time for completing these steps on your organization's sub-prod instance.
To maximize the value of this bootcamp, it is recommended that you:
- Install MSIM and all dependent applications on a sub-prod instance
- Obtain the MSIM Admin role, if you do not have Admin rights in the system
- Obtain credentials for the collaboration integration you would like to complete during the bootcamp
PDIs are not acceptable, as some MSIM dependencies do not work on PDIs.
Agenda, with recordings included:
- Overview of MSIM and new features from 2024
- Hands-on: Main steps for configuring collaboration features in MSIM
  - Teams, Zoom, WebEx, SharePoint, Slack
  - Resources to share with your Microsoft Azure admins for configuring MSIM
- Hands-on: Using MSIM (as Incident Commanders)
  - The 3 ways to create MSIs (SIR, VR, or Manually)
  - Launching Conference Calls from MSIM
  - Updating the MSI Executive Summary
  - Using the MSIM Timeline (How events are added Manually & Automatically)
  - Creating and assigning Tasks to Incident Responders
  - Managing Tasks in the Visual Task Board
  - Managing Chat Channels (Teams & Slack)
  - Using the Legal Request Playbook (for SEC disclosures or other)
  - Creating and Sharing Status Reports
- Hands-on: Using MSIM (as Incident Responders)
  - How Incident Responders view MSI Tasks assigned to them
  - Interacting with Incident Managers on Chat Channels (MS Teams or Slack)
  - Leveraging the SharePoint integration for uploading files
- Hands-on: A deeper dive into status reports, notifications, and configurations
  - Updating the OOTB MSIM Categories
  - Enforcing Restriction (of MSIs within MSIM)
  - Updating the Status Report Templates (To match your company templates)
  - Overview of the MSIM out-of-the-box notifications
  - Changing the reminder duration for "Next Update"
Resources shared for additional details:
ServiceNow Documentation
- MSIM Quick Start Guide (pdf attached)
- Product Documentation
Blog Posts
- MSIM Welcome Guide
- Major Security Incident Management v3 is Now Live! (February 2024)
- Highlights of New Features in Major Security Incident Management (May 2024)!
- Videos to Configure Conference Calling in MSIM (Teams, Zoom, WebEx)
YouTube
This is the biggest MSIM event of 2024 – You want to see it!
Our focus is education for new MSIM users, so this bootcamp will be best suited for those configuring and ultimately using MSIM for their major security incidents. Please share with others, including your organization's end users, who could benefit from this bootcamp; simply forward this URL for them to review.
Question | Answer |
Are users only able to use the MSIM Workspace, or can they also work in the backend on an MSI? | MSIM only provides the MSIM Workspace for users. |
Are these features not available in the regular MIM? | Similar features are available in MIM. However, MIM is built for IT personas and major IT incidents. MSIM is built for Security personas and Major Security Incidents. MSIM is also natively linked to incidents from SIR, vulnerabilities from VR, and Threat Intel records. |
When you are in Teams, can you access and use documents from SharePoint to share/display in Teams? Where would you see that? | Files shared in Teams chat will be captured as an activity on the MSI, and from the MSI activity we can navigate to the file posted in Teams, which actually navigates us to the SharePoint directory created for that chat channel/team. |
Can one Link records manipulated to manually created timeline events too? | Linking is supported only between two manual/custom events. |
What will happen to the recording once we are done with the call? Generally we have a policy in the organisation after 7 days (if recording is not downloaded and stored at a separate location) | Recordings will not be downloaded or saved in our instance. We just have a navigation link to Teams. |
Are the folder permissions independent of the SharePoint permissions on a folder? | Yes, folder permissions in the MSIM module are to further restrict users from being added to the folders. Only users that you specify in the folder templates will have access to the folders (if these users already have the relevant SharePoint access privileges). |
Is the chat (Teams), after the collaboration ends and the MSIM ticket is closed, added as evidence to the ticket? Or can it be recorded within the ticket chats or calls? A possible retention policy can delete the evidence. Thank you. | All chat conversations are copied into the MSIM workspace in real time and shown under the Collaboration tab. When the MSI is closed, we archive chat channels on Microsoft because all chat conversations are already captured in the MSIM workspace. |
For a SIR Task, the role u_sit_external is needed. Does this work for the MSIM tasks, or can any ServiceNow user view MSIT? (This could be a security issue if we don’t control access to those tasks) | To create an MSI task, you need the sn_msi.workspace_manager (MSI Manager) role. The external role that exists in SIR will not work here. If a non-MSI user has just the role sn_msi.msi_task_read, they can open the task with the link from their email notification, and they cannot access anything on the MSI or other MSITs either. |
Can you confirm what version we are in for this demo? | This bootcamp uses MSIM V3.1.2 (Latest on ServiceNow Store) |
Can we customise this overview UI of the workspace? For example, if a customer wants to show some more information in the Overview/Impact UI of the workspace, can we add that? | Yes, you can customize the Overview UI of the workspace through UI Builder. Please note that you’d need an admin role to make any edits. |
Starting a conference call in Teams: does this require Notify, which I believe comes with a cost? | The Notify connector for Teams application is required. It is part of the Integration Hub Enterprise pack. The two dependent applications are: Notify connector for Microsoft Teams (Free); Microsoft Teams Communications Spoke (Paid, and it is part of the Integration Hub Enterprise pack). |
Is there integration with AWS S3 Bucket yet? | AWS S3 Bucket is not currently supported. |
If a Teams channel/SharePoint directory was deleted after an incident had been worked to completion, how much of the Teams/SharePoint data would still be available in the associated MSI record? I’m assuming it would keep all data that had been ingested so far (Teams chats, etc.) but only surface data (names/text/links) would be available since the backend file/data repository has been removed. Is this line of thinking correct? Happy to clarify further if this question isn’t clear. Thanks! | When the SN instance captures the chat, it just stores it in our tables, so deleting a team won't delete the chat content in our instance. Also, if the MSI gets closed, we will archive the teams and channel too. |
If sharing reports to external parties via the email interface, is there an encryption function available through your interface? | The SN Platform allows encrypting emails. Reference doc: https://docs.servicenow.com/bundle/washingtondc-platform-administration/page/administer/notification... |
Can the recording be stored or moved to the Teams channel or SharePoint site? | We don’t store recordings in the SN instance. We only provide a link to the Teams call page. |
Do you have to have the same channel names for each MSIM event or can you dynamically create them or add additional channels once the MSIM is going? Say you don’t have a legal team by default but once the MSIM gets going, you realize that legal needs to be involved so you want to create a legal team and add the right people. | You can define different sets of channels based on the type of MSI using channel configurations. You can also create any number of channels after the initial creation. Yes, you can create new channels from the Collaboration tab in the MSIM workspace after the initial channels are created. |
How does the time elapsed and resolution time data come in on the workspace view? Is it from SLA? | We are generating it based on the created time and estimated resolution fields on the MSI. |
Are the new categories available in Vancouver? | Yes, all the new changes which are released till now are available from the Utah platform. |
Can you sync SIR Categories with MSIM? Having different ones could confuse reporting | You have the opportunity to define the MSIM categories to be what works best for your organization. |
Can you expand on the recording part? We aren't allowed to record meetings. | We don’t require recording any meeting. The “View Recording” button only links to the Teams call page. If there is no recording, it will have no effect. |
Are these attachments saved within Slack/Teams or on the sys_attachment table in SN? | These are saved in the MSI attachment table in SN. |
Do we have the ability to report/export the Timeline within the Overview tab or Activity within the Details tab? | Reporting/exporting the timeline within the Overview or Activity within the Details tab is not supported. |
Can a responder user be dynamically switched to more access rights to avoid bouncing tasks back and forth in case of urgency (of course recorded and rolled back after MSI closure)? | The roles were implemented at a granular level, and adding a specific role will allow them to access that feature/tab. |
To see anything beyond the person's unique task assigned to them, will they have to have at least the MSI responder role in MSIM? | A user with sn_msi.task_read is enough to access all the tasks from the MSI workspace. |
If an Analyst were to “tag” a chat with the Unique Incident ID, would the text from the chat be integrated into the Incident workspace as well? Not necessarily in the Huddle Room, but perhaps an offshoot conversation that was being had with someone who may have some information related to the investigation? | If the question is whether tagging an incident in the chat will show it on the tagged incident: No. If the question is whether we have a reference to the tagged incident from the chat conversation activity: No. |
Can you use a preconfigured ServiceNow group or tag to restrict access? | You are able to use the preconfigured ServiceNow groups for restricting access. |
Will we cover how to automatically generate tasks when MSI is created? (How to define a template of standard tasks) | Legal request playbook, presented in this session, covers generating tasks from Process automation designer. |
Is this teams/sharepoint integration available within VR and SIR? | In the SecOps portfolio, Teams & SharePoint are currently available in MSIM only. |
What license level is required? | MSIM is licensed under the SIR Pro or SIR Enterprise license. |
Once the SharePoint integration is complete, I assume it can also be used for other parts of the ServiceNow platform and not just MSIM? | If the SharePoint spoke is configured, it can be used with any other integration in the ServiceNow platform that uses the SP spoke. |
Can you drag and drop the VTB cards to the next stage? | Drag and drop is currently not supported. Once the component supports it, we will incorporate it in the MSI workspace. You can, however, click on the Task card and change the state of the task, and it will automatically move to the corresponding lane. |
With the Email templates, can recipients respond to them and the responses automatically be ingested into the MSIM case? Attachments as well? | Replies sent from MSI will be captured in the activity section. |
Can you put some documentation around how to configure SharePoint if we want to use a CA-issued certificate instead of a self-signed one? I have a PFX file.