Madhumitha Redd
ServiceNow Employee

We heard you!!!!

 

Say bye to the classic UI and the custom new UI. The re-imagined next-gen workspace for the Security Analysts is now available on the store.

 

Preface

 

We have been hearing consistent customer feedback that the experience of working on a security incident has not been ideal. There is an imminent need to replace the classic UI experience with an analyst workspace that has a great user experience and has all the power that the ServiceNow platform provides in terms of robustness, customizability, and scalability. That is where the all-new SIR Workspace stands waiting to cater to all our users with a delightful user-experience.

 

New Security Incident Response Workspace 

 

The new Security Incident Response (SIR) workspace is built with the platform-provided UI Builder, which is governed by the unified experience framework that ServiceNow aims to provide customers across the platform and all applications. The workspace has been re-imagined for the Analyst's complete user journey, making each touchpoint easy and delightful.

 

Key Features

 

Overview (Landing) Page: Analysts can view security incidents and response tasks owned by themselves, owned by their team, or unassigned, presented using various visualizations. The overview page also displays security incidents and response tasks whose SLA is due immediately. Quick Links provide easy access to third-party systems and external websites.

Queues: Queues such as Security Incidents and Response Tasks, with pre-applied filters such as Assigned to me, Assigned to team, Open and All, along with Quick filters, enable faster and more efficient triaging.

Incident Overview: Incident Overview captures key snapshots associated with the security incident, presenting business impact, threat intelligence, response tasks, child security incidents and similar security incidents.

Details: All security incident related information and fields are available under the Details section, with a side-by-side view of the Activity stream so the Analyst can post work notes while editing this information.

Investigation: The Investigation tab presents the entry points on which investigation is primarily carried out, such as Associated Observables, Configuration Items, Affected Users, Phishing Emails, and Email search. All the required information is grouped logically and presented in one place so the Analyst can perform orchestration actions such as Run Threat Lookup, view all the associated information, and filter and navigate it with ease.

Playbook: Interactive playbooks with activities where in-line orchestration can be performed and results viewed seamlessly. Analysts can skip and cancel steps, filter activities based on status, and add playbooks manually as required.

Related Records: All the SIR related lists are grouped into logical sections and presented in the Related Records tab. The search enables easier navigation to the desired related list.

Other Records: All collaboration records such as IT Incident, Problem, Change Request, Outage and emails are presented here to enable easy communication and collaboration.

Post Incident Review: As the incident progresses to review/closure, Post Incident Review becomes enabled so that assessments can be requested or taken and the reports accessed to capture learnings.

Right Contextual Pane: Provides access to key utilities such as Activity Stream, Playbook, Analyst Assist (KBs), Runbooks, Templates, and Attachments throughout the incident investigation.

MITRE ATT&CK: Enables quick access to viewing and associating MITRE information to the security incident and other artifacts.

Major Security Incident Management: Analysts will be able to Propose, Promote, and Link/Unlink to a Major Security Incident if the incident has a greater impact.

Dashboards: The Analyst Dashboards provide a quick overview of how the Security Operations Center is performing.

Note: All Admin configurations will remain in classic UI.

 

How do I get this exciting feature?

 

Visit the store and download Security Incident Response Workspace

Plugin Name: Security Incident Response Workspace (sn_si_aw)

 

What versions of Platform are supported?

 

The SIR Workspace will be available starting with the San Diego release. The Dashboard functionality will be available starting with the Tokyo release.

 

Link to Product Documentation

 

Security Incident Response Workspace Product Documentation

 

Frequently Asked Questions

 

Will migration from Classic UI to the new Workspace be automatic? What happens to the customization?

 

  • Migration will not impact core business logic written using server-side scripts.
  • Actual business data will not be impacted by the migration.
  • Any form customizations made in Classic UI need to be manually ported to the workspace sirw view, or the same custom view can be configured in the view experience property of the SIR Workspace. Any custom client scripts and UI policies need to be tested and evaluated by the customer after migration.
  • Any related list customizations made in Classic UI need to be manually ported to the workspace.
  • All SIR-provided Classic UI actions have been migrated to the SIR workspace, including all general actions, capability actions, and non-capability actions.
  • Any custom-implemented form and related list actions need to be re-implemented in the SIR workspace.

 

What happens to the existing New UI?

 

The New UI is currently in maintenance mode. After the new SIR workspace is fully functional, we would plan the end of life for the New UI. Customers will be given sufficient time and notice to migrate from the New UI to the new Workspace.

 

Can the Classic UI and the new SIR Workspace co-exist?

Yes. They will co-exist until the complete product functionality is available in the new workspace.

 

What else is in the pipeline?

 

The following will be supported in future releases:

 

  • Crowdstrike Falcon Insight Integration for Security Operations
  • McAfee ePO Integration
  • The following dashboards
    1. Manager Overview Dashboard
    2. CISO Overview Dashboard
    3. In the Security Incident Explorer dashboard:
      1. Security Incident Assignment Heatmap (currently not supported by platform)
      2. Security Incident Map (currently not supported by platform)
    4. In the Security Incident Response Premium KPIs dashboard:
      1. Process by state - Workbench not supported by platform
      2. Process by Age - Workbench not supported by platform
      3. Security incidents open for more than 30 days by assignment group and state - HeatMap visualisation is not supported by platform
      4. Security incidents not updated for more than 30 days by assignment group and state - HeatMap visualisation is not supported by platform
      5. Security incidents with assignee that is not active - HeatMap visualisation is not supported by platform
    5. In the Security Operations Efficiency dashboard:
      1. Security Incident stage Analysis - Workbench is not supported by platform

 

What are the known limitations?

 

Please refer to KB1278498.

 

Call to Action

 

If you have feedback that you would like to share with us directly, please feel free to reach us on the following ids:

Comments
Jan Spurlin
ServiceNow Employee

Great overview of the new features!

DEEPAK KUMAR SI
Tera Contributor

Hi @Madhumitha Redd,

I have one confusion regarding the licensing. I have the below license:

Security Operations Professional - SIR

 

As of now we are using the backend view and Incident New (UI). Am I eligible to use the Security Incident Response Workspace (Id: sn_si_aw) without any extra subscription, or will a separate license or subscription be required?

Sarah Wood
Administrator

Hi Deepak - Great question! The Security Incident Response Workspace is available for all existing SIR licenses, as long as you are on a supported version, so no additional licensing is required. You can access it here in the ServiceNow Store.

rlatorre
Kilo Sage

Hello,

These items are listed as dependencies. Is there a way to use this Workspace without them?

 
Sarah Wood
Administrator

They are required dependencies as the Workspace leverages the playbook experience.

 

There is another great post about rendering flow-based playbooks in the SIR Workspace here for those that are interested in checking it out!

BharathKumarA
Tera Contributor

Hello,

What is the basic role required to see the Security Incident Workspace?

Martin Dewit
Kilo Sage

@BharathKumarA according to the ACL, the roles required are:

sn_si.external
sn_si.special_access
sn_si.read

derPoehler
ServiceNow Employee
Version history
Last update: 03-26-2023 11:05 PM