
Incident Closure Documentation

arxsec-site / library/workflows/incident-closure-docs/README.md


Automates the generation of incident closure documentation by pulling CrowdStrike incident timelines, correlating Splunk events, and updating ServiceNow incidents with comprehensive closure reports.

Maturity: L3-4 (Enforced to Governed)  ·  See the 5-level maturity model for where this workflow fits in your program.

What It Does

  1. Queries CrowdStrike for resolved incidents missing closure documentation
  2. Pulls the full incident timeline: detections, behaviors, and containment actions
  3. Executes Splunk correlation searches for related log events across the incident window
  4. Auto-generates a structured closure report (timeline, impact assessment, root cause, remediation steps)
  5. Updates the ServiceNow incident with the closure documentation and moves it to "Resolved"

Time Saved

Before: 2 hours per incident — analyst manually reconstructs timeline from CrowdStrike, searches Splunk for correlated events, writes the closure report in ServiceNow.

After: Automated report generation. Analyst reviews the pre-built report and approves closure.

Connectors

| Connector   | Operations                      | Risk   |
|-------------|---------------------------------|--------|
| CrowdStrike | incidents:read, detections:read | LOW    |
| Splunk      | search:execute                  | LOW    |
| ServiceNow  | incidents:update                | MEDIUM |

Overall Risk: MEDIUM — ServiceNow incidents:update modifies incident records. No destructive actions.

ARX Governance

  • HITL Gate: Disabled — all operations are reads or updates to existing incidents
  • Risk Threshold: 70 — auto-approved below this score
  • Audit Trail: Every incident documented, report generated, and ServiceNow update is logged
  • Schedule: Every 2 hours (0 */2 * * *)

Setup

Prerequisites

```bash
pip install arx
```

Environment Variables

```bash
export CROWDSTRIKE_CLIENT_ID="your-cs-client-id"
export CROWDSTRIKE_CLIENT_SECRET="your-cs-client-secret"
export SPLUNK_HOST="https://splunk.your-org.com:8089"
export SPLUNK_TOKEN="your-splunk-bearer-token"
export SERVICENOW_INSTANCE="your-org.service-now.com"
export SERVICENOW_USERNAME="svc-arx"
export SERVICENOW_PASSWORD="your-servicenow-password"
```

Run

```bash
# One-time execution
arx run workflow.py

# Register on schedule
arx register --config arx.yaml
```

Customization

  • Adjust the Splunk correlation search queries for your environment
  • Modify the closure report template in build_closure_report()
  • Change the incident state transitions in ServiceNow
  • Configure which CrowdStrike incident states trigger documentation
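The correlation and report-building steps from "What It Does", and the `build_closure_report()` customization point above, as an added illustration that is not the workflow's own code: it uses constructed sample data with assumed field names (not the real CrowdStrike, Splunk or ServiceNow schemas), correlates only events on the affected host inside the incident window, and flags the report as ready for closure only when a containment action is present.

```python
from datetime import datetime, timedelta

# Constructed sample incident, shaped loosely like a CrowdStrike timeline (field names assumed).
INCIDENT = {
    "incident_id": "inc:EXAMPLE-0001", "host": "WS-FIN-042",
    "start": "2024-05-01T10:00:00Z", "end": "2024-05-01T10:45:00Z",
    "timeline": [
        {"ts": "2024-05-01T10:02:00Z", "type": "detection", "detail": "Suspicious macro launched powershell.exe"},
        {"ts": "2024-05-01T10:05:00Z", "type": "behavior", "detail": "Outbound connection to uncategorized domain"},
        {"ts": "2024-05-01T10:30:00Z", "type": "containment", "detail": "Host network-contained by SOC"},
    ],
}

# Constructed Splunk-style search results; two are outside the window or on another host.
SPLUNK_EVENTS = [
    {"_time": "2024-05-01T09:58:00Z", "host": "WS-FIN-042", "sourcetype": "WinEventLog", "message": "User jdoe opened invoice.docm"},
    {"_time": "2024-05-01T10:04:00Z", "host": "WS-FIN-042", "sourcetype": "proxy", "message": "GET http://example.invalid/stage"},
    {"_time": "2024-05-01T12:00:00Z", "host": "WS-FIN-042", "sourcetype": "proxy", "message": "Unrelated later traffic"},
    {"_time": "2024-05-01T10:10:00Z", "host": "SRV-DB-01", "sourcetype": "proxy", "message": "Different host"},
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def correlate_events(incident, events, margin_minutes=5):
    """Keep events for the incident host inside [start - margin, end + margin], oldest first."""
    lo = _parse(incident["start"]) - timedelta(minutes=margin_minutes)
    hi = _parse(incident["end"]) + timedelta(minutes=margin_minutes)
    hits = [e for e in events if e["host"] == incident["host"] and lo <= _parse(e["_time"]) <= hi]
    return sorted(hits, key=lambda e: e["_time"])

def build_closure_report(incident, events):
    """Structured closure report: merged timeline, impact, root cause, remediation.
    Root cause is seeded from the first detection; the analyst reviews it before approving closure."""
    correlated = correlate_events(incident, events)
    merged = sorted([(t["ts"], t["type"], t["detail"]) for t in incident["timeline"]]
                    + [(e["_time"], "splunk:" + e["sourcetype"], e["message"]) for e in correlated])
    contained = any(t["type"] == "containment" for t in incident["timeline"])
    first_det = next((t for t in incident["timeline"] if t["type"] == "detection"), None)
    return {
        "incident_id": incident["incident_id"],
        "timeline": [f"{ts} [{kind}] {detail}" for ts, kind, detail in merged],
        "impact_assessment": {"affected_hosts": [incident["host"]],
                              "correlated_log_events": len(correlated), "contained": contained},
        "root_cause": first_det["detail"] if first_det else "UNKNOWN - analyst to determine",
        "remediation_steps": (["Confirm containment and remediate host", "Review correlated events for lateral movement"]
                              if contained else ["Host NOT contained - escalate before closure"]),
        "ready_for_closure": contained,  # gate the ServiceNow "Resolved" transition on this
    }
```

An incident whose timeline lacks a containment action yields `ready_for_closure` False, so the ServiceNow update step should leave its state unchanged rather than moving it to "Resolved".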