- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thursday
What happens/what dependencies/risks to consider when SecOps Security Incident Response module licence cancelled/no longer required
Hi ServiceNow Community colleagues, I would greatly appreciate some advice/guidance on this query.
What happens if the client no longer wants to use the SecOps module and decides strategically to no longer keep the licence and stop using the module.
- Is there no longer access to the relevant Security Incident Response (SIR) tables and previous records?
- I assume any integrations built with SIR would no longer work and need to be rebuilt?
- Would there be any other considerations/dependencies anyone could help mention, that the client would need to fully consider?
- Do we have to uninstall the relevant plugins and other than the SecOps SIR functionality, what else would the client potentially lose from no longer having a license and deinstalling the plugins?
Any sort of feedback, risks, other things that need to be considered would be appreciated?
Thanks again.
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Friday
Hi @WazzaJC,
When a ServiceNow SecOps Security Incident Response (SIR) license is canceled, the core functionalities become inaccessible. While the SIR tables and historical data within them are not deleted and remain on the platform, you will lose the ability to create new SIR records and interact with them through the specialized SecOps UI. All integrations built on the SIR module will cease to function and would need to be rebuilt or retired.
Key considerations and risks include:
Data Access: You can still access historical data through standard platform lists and reporting, but the purpose-built SecOps views, workflows, and automations will be disabled. You will not be able to create or update security incidents.
Integrations: Any integrations with security tools (e.g., SIEM, threat intelligence feeds) that rely on the SIR framework will fail.
Dependencies: Other licensed applications that may depend on SecOps, such as Vulnerability Response or Threat Intelligence, could be impacted. It is crucial to review all dependencies before decommissioning.
Plugin Uninstallation: While not mandatory, if you choose to uninstall the plugins, you risk data loss and breaking dependencies on other applications that might reference SecOps tables or script includes. It is generally recommended to leave the plugins installed but inactive.
Before cancellation, it is essential to export any required data and thoroughly audit all dependencies and integrations tied to the SIR application.
Hope this helps!
Thanks & Regards,
Muhammad Iftikhar
If my response helped, please mark it as the accepted solution and helpful so others can benefit as well.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Friday
Hi @WazzaJC,
When a ServiceNow SecOps Security Incident Response (SIR) license is canceled, the core functionalities become inaccessible. While the SIR tables and historical data within them are not deleted and remain on the platform, you will lose the ability to create new SIR records and interact with them through the specialized SecOps UI. All integrations built on the SIR module will cease to function and would need to be rebuilt or retired.
Key considerations and risks include:
Data Access: You can still access historical data through standard platform lists and reporting, but the purpose-built SecOps views, workflows, and automations will be disabled. You will not be able to create or update security incidents.
Integrations: Any integrations with security tools (e.g., SIEM, threat intelligence feeds) that rely on the SIR framework will fail.
Dependencies: Other licensed applications that may depend on SecOps, such as Vulnerability Response or Threat Intelligence, could be impacted. It is crucial to review all dependencies before decommissioning.
Plugin Uninstallation: While not mandatory, if you choose to uninstall the plugins, you risk data loss and breaking dependencies on other applications that might reference SecOps tables or script includes. It is generally recommended to leave the plugins installed but inactive.
Before cancellation, it is essential to export any required data and thoroughly audit all dependencies and integrations tied to the SIR application.
Hope this helps!
Thanks & Regards,
Muhammad Iftikhar
If my response helped, please mark it as the accepted solution and helpful so others can benefit as well.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Friday
@M Iftikhar this is excellent, very much appreciated. Thank you for taking the time to provide this detail. 🙂
