snow_sir_incident_manage

Unified tool for ServiceNow Security Incident Response (SIR) incident lifecycle on sn_si_incident and sn_si_task. Walks an incident through the NIST IR phases: triage, contain, eradicate, recover, close. Actions: - list — list SIR incidents, optionally filtered by state, priority, or assignment_g...

Server Serac serac-labs/serac
Category Write
Risk class Medium
Parameters 00 required

What snow_sir_incident_manage does on Serac

AI agents use snow_sir_incident_manage to create or update resources in Serac — usually the action step of a workflow, after the agent has gathered context. Every call changes real data in your Serac environment.

Why snow_sir_incident_manage needs a policy

The tool primarily creates and modifies security incident records within ServiceNow. While 'list' and 'get' are read-only, the presence of 'create' and state-transition actions (triage, contain) makes this a Write operation. It does not delete/purge incidents (Destructive), execute arbitrary code (Execute), or move money (Financial).

From the tool's definition Actions include 'create' (open a new SIR incident), 'triage' (move incident into triage phase), and 'contain' (move incident into contain phase). These modify incident state and lifecycle in ServiceNow's SIR system.

Questions about snow_sir_incident_manage

What does the snow_sir_incident_manage tool do? +

Unified tool for ServiceNow Security Incident Response (SIR) incident lifecycle on sn_si_incident and sn_si_task. Walks an incident through the NIST IR phases: triage, contain, eradicate, recover, close. Actions: - list — list SIR incidents, optionally filtered by state, priority, or assignment_group - get — retrieve a single SIR incident by sys_id or number, with its related task summary - create — open a new SIR incident (short_description and category required) - triage — move an incident into the triage phase, optionally assigning analyst - contain — move an incident into the contain phase with a containment note - eradicate — move an incident into the eradicate phase with an eradication note - recover — move an incident into the recover phase with a recovery note - close — close an incident with a close code and resolution notes - list_tasks — list sn_si_task rows linked to the incident Use when: the agent needs to drive a security incident through the SIR phase model rather than just record one. Companion tools: snow_create_security_incident (initial record only), snow_automate_threat_response (run automated actions), snow_sir_playbook_orchestrate (run a multi-step playbook), snow_sir_evidence_manage (attach forensic evidence). Plugin gating: requires com.snc.security_incident. A 404 on sn_si_incident is surfaced with the required plugin name so the caller can install it. Returns: SIR incident records with sys_id, number, state, phase, priority, category, assigned_to, and the configured workflow phase. Task listings include sys_id, number, short_description, state, and assigned_to. It is categorised as a Write tool in the Serac MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.

How do I enforce a policy on snow_sir_incident_manage? +

Register the Serac MCP server in PolicyLayer and add a rule for snow_sir_incident_manage: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Serac. Nothing to install.

What risk level is snow_sir_incident_manage? +

snow_sir_incident_manage is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.

Can I rate-limit snow_sir_incident_manage? +

Yes. Add a rate_limit block to the snow_sir_incident_manage rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.

How do I block snow_sir_incident_manage completely? +

Set action: deny in the PolicyLayer policy for snow_sir_incident_manage. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.

What MCP server provides snow_sir_incident_manage? +

snow_sir_incident_manage is provided by the Serac MCP server (serac-labs/serac). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.

// THE FULL RECORD

snow_sir_incident_manage is one line of Serac's registry record.

The record carries the whole server: verified identity, auth posture, risk grade, every tool classified, recommended policy — re-checked continuously.

Teams ship this data inside their own products. See what a licence covers →

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.