3 hours ago - edited 3 hours ago
From MITRE ATT&CK + D3FEND integration to AI-powered connector building — here are the highlights of what’s new in Security Incident Response (SIR) this quarter. Check out the release notes for more details: https://www.servicenow.com/docs/r/store-release-notes/sn-store-rn-secops-sir.html
INTELLIGENCE
MITRE ATT&CK Meets D3FEND — Attack to Defense, Automated
MITRE ATT&CK has been part of SIR for around two years, mapping real-world adversary techniques directly to security incidents. When an incident fires, analysts can immediately see which ATT&CK technique was involved and understand the mechanics of how the attack unfolded.
This quarter, that capability gets its defensive counterpart. MITRE D3FEND integration now automatically surfaces the recommended defensive techniques in response to a mapped ATT&CK technique — right inside the Security Incident workspace. Instead of pivoting to external references or relying on tribal knowledge, the analyst sees exactly what defensive actions to take, directly within the incident record.
Why it matters: This closes the loop between detection and response. An incident mapped to an ATT&CK technique now carries the recommended D3FEND defensive techniques alongside it, reducing time-to-action and keeping the response consistent across the SOC regardless of analyst experience level.
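To make the ATT&CK-to-D3FEND relationship concrete, here is an added illustration of the lookup an integration like this performs. This is not ServiceNow's code and not the real D3FEND dataset: the two mapping tables are a small constructed sample in the shape D3FEND uses (offensive technique, the digital artifact it touches, the defensive techniques that analyse or harden that artifact). The helper names `defenses_for`, `is_technique_id` and `annotate_incident` are assumptions for this example. One detail worth showing is the sub-technique case: an incident tagged T1059.001 has no entry of its own in the sample, so the lookup falls back to the parent T1059 and records which ID it matched on.

```python
"""ATT&CK technique on an incident -> D3FEND defensive techniques.

Added example; the mapping data below is constructed for illustration and is
not the published D3FEND knowledge graph.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: ATT&CK technique -> digital artifacts it produces/touches.
ATTACK_TO_ARTIFACTS = {
    "T1059": ["Process"],                   # Command and Scripting Interpreter
    "T1566": ["Email", "Network Traffic"],  # Phishing
}

# Constructed sample: artifact -> D3FEND techniques that analyse/harden it.
ARTIFACT_TO_DEFENSES = {
    "Process": [("D3-PSA", "Process Spawn Analysis")],
    "Email": [("D3-SRA", "Sender Reputation Analysis")],
    "Network Traffic": [("D3-NTA", "Network Traffic Analysis")],
}

# Tnnnn or Tnnnn.nnn (sub-technique).
TECHNIQUE_RE = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")


@dataclass
class DefenseLookup:
    technique: str                       # ID as it appeared on the incident
    matched_on: Optional[str]            # ID that actually had mapping data
    artifacts: list = field(default_factory=list)
    defenses: list = field(default_factory=list)  # (D3FEND id, name) pairs


def is_technique_id(value: str) -> bool:
    """True for a syntactically valid ATT&CK technique or sub-technique ID."""
    return TECHNIQUE_RE.match(value.strip().upper()) is not None


def defenses_for(technique_id: str) -> DefenseLookup:
    """Resolve an ATT&CK ID to defensive techniques via the artifact layer.

    Sub-techniques fall back to their parent when no entry of their own
    exists.  Unknown (but well-formed) IDs return an empty lookup rather than
    raising, so an analyst sees 'no recommendation' instead of an error.
    """
    normalised = technique_id.strip().upper()
    m = TECHNIQUE_RE.match(normalised)
    if not m:
        raise ValueError(f"not an ATT&CK technique id: {technique_id!r}")

    candidates = [normalised]
    if m.group(2):                       # sub-technique -> also try the parent
        candidates.append("T" + m.group(1))

    for cand in candidates:
        artifacts = ATTACK_TO_ARTIFACTS.get(cand)
        if not artifacts:
            continue
        seen, defenses = set(), []
        for art in artifacts:            # de-duplicate, keep first-seen order
            for d3_id, name in ARTIFACT_TO_DEFENSES.get(art, []):
                if d3_id not in seen:
                    seen.add(d3_id)
                    defenses.append((d3_id, name))
        return DefenseLookup(technique_id, cand, list(artifacts), defenses)

    return DefenseLookup(technique_id, None)


def annotate_incident(incident: dict) -> dict:
    """Return a copy of an incident record with a 'defensive_techniques' field.

    The incident shape ({'number': ..., 'attack_technique': ...}) is an
    assumption for this example, not SIR's actual schema.
    """
    lookup = defenses_for(incident["attack_technique"])
    out = dict(incident)
    out["defensive_techniques"] = [f"{i} {n}" for i, n in lookup.defenses]
    out["mapped_via"] = lookup.matched_on
    return out


if __name__ == "__main__":
    # Constructed sample incident, not real data.
    sample = {"number": "SIR0010001", "attack_technique": "T1059.001"}
    print(annotate_incident(sample))
```

Running the block prints the sample incident with `mapped_via` set to `T1059`, showing the parent fallback, and one recommended defensive technique. In a real deployment the two tables would be replaced by the D3FEND data and the incident schema by SIR's own fields; the fallback and de-duplication logic are the parts worth carrying over.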
QUALITY OF LIFE
Analyst Experience Improvements
None of these are headline features on their own, but together they meaningfully improve the daily analyst workflow. These are the small friction points that add up across hundreds of incidents a week — now resolved.
Duplicate User Fix
A long-standing issue causing duplicate user records has been resolved. This was creating reconciliation headaches and throwing off reporting accuracy across SIR environments.
Quick Filters with Multi-Select
Admins can now create and manage quick filters that support multi-select. Particularly impactful for teams managing large SOC queues — analysts can slice and filter incident lists far more quickly.
Bulk Incident Linking
Analysts can now link multiple incidents to a parent incident in a single action. Fifty incidents tied to the same campaign or threat? Link them all at once instead of one by one.
Read-Only Access for External Users
Specific incidents can now be shared with external parties on a read-only basis. This is useful when an incident needs review by external legal counsel or another third-party stakeholder without granting them edit rights or broader access to the queue.
Auto-Refresh on Incident List
Admins can configure auto-refresh intervals on the SIR incident list via a system property — every 1 minute, 5 minutes, or any interval tuned to expected incident volume.
INTEGRATION
Microsoft Sentinel — Defender Portal Compatibility
Microsoft has been migrating Sentinel from the standalone Azure portal into its unified Defender portal. That migration was impacting ServiceNow’s integration with Sentinel — and for customers relying on Sentinel as their primary SIEM, that’s a critical dependency.
This update resolves the issue. For customers already on the Defender portal or planning to migrate, incident ingestion and bidirectional sync will continue to work seamlessly. They also benefit from Microsoft’s consolidated portal experience on their end. Check out the Support KB to learn more: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2795226.
Not flashy, but essential: This is a compatibility fix, not a feature launch. But for any customer with Sentinel in their stack, it is one of the most important items in this release. Ingestion does not break, sync stays intact, and operations continue.
NOW GENERALLY AVAILABLE
AI-Powered Integration Builder
Previously in Innovation Labs, the AI-Powered Integration Builder is now generally available as of Q1.
Building integrations into SIR has historically been a heavy lift. Someone needs to understand the target tool, read its API documentation, write a spoke, test it, and deploy it. That process can take days, weeks, or even months depending on complexity.
The Integration Builder changes this fundamentally. You point it at any security tool with documented REST APIs; the LLM reads the API documentation and drafts the integration, which you then review, refine, and take live.
Point to API docs → LLM drafts spoke → Review & refine → Go live
The practical impact is significant: customers are no longer blocked waiting for ServiceNow to build a prebuilt connector for every tool in their stack. They can build it themselves — and still get the same reliability, credential management, and quality as a native integration.
Check out the community article and demo to learn more: https://www.servicenow.com/community/secops-articles/revolutionizing-security-integration-introducin....
Days to hours: What previously took days or weeks of development effort now compresses into hours. Teams get to focus on security outcomes instead of integration plumbing.
Wrapping Up
Q1 2026 included many notable updates for SIR. The MITRE D3FEND integration brings intelligence-driven defense directly into the analyst workflow. The quality-of-life improvements address real, everyday friction. The Sentinel fix ensures continuity for a critical integration. And the AI-Powered Integration Builder — now GA — removes one of the biggest bottlenecks in security operations: getting your tools connected.
Taken together, this is a release that makes the analyst’s job faster, smarter, and less dependent on manual overhead. Stay tuned for more in upcoming community events and articles!