Working with Security Incident Records
- UpdatedJul 31, 2025
- Zurich
- Security Incident Response
The Security Incident Record in the Security Incident Response (SIR) workspace consists of the following components.
| Number | Name | Description |
|---|---|---|
| 1 | Security incident number | The security incident number is displayed next to the tab name. |
| 2 | Short description | Short description of the security incident, displayed above the form banner. |
| 3 | Form banner | A read-only section that contains the key fields such as Category, Priority, Risk score, State, and the incident assignment details. Note: The regular platform tags can be applied here as well. |
| 4 | Security tags | Displays the security tags associated with a security incident. |
| 5 | Overview | Provides a snapshot of the security incident: Description; Business Impact, comprising asset details by type and affected users by criticality; Threat intelligence items, comprising observables by finding and by type; Response Tasks; and Related security incidents, comprising child security incidents and similar security incidents. |
| 6 | Details | The details tab displays the security incident form. |
| 7 | Investigation | The Investigation tab displays the incident investigation experience. |
| 8 | Playbook | Playbooks are triggered through Process Automation Designer (PAD). If a process has been created and its trigger condition is met for a security incident, the playbook appears in this tab. |
| 9 | Response Tasks | The Response Tasks tab captures all the response tasks associated with a security incident. |
| 10 | Related Records | The Related Records tab consists of all the related lists from the classic UI. The related lists are grouped under sections such as Business Impact and Threat Intel for easier navigation. |
| 11 | Other Records | The Other Records tab consists of IT records such as change requests, incidents, and emails, grouped and displayed in this section. |
| 12 | Post Incident Review tab | As the security incident progresses to the Review state, the Post Incident Review tab is displayed with the post incident assessments and reports within the tab. |
| 13 | Contextual menu | Provides easy access to the quick actions and is available across all the tabs, so the analyst can reach it whenever required. The contextual menu also provides navigation to multiple related resources. |
| 14 | Form UI actions | The security incident form UI actions are displayed on the top right of the incident form. For the list of available form UI actions, see Working with Form UI actions. |
Related Content
- Security Incident Playbook
Invoke the security incident playbook flow automatically or manually.
- Prerequisites for the Playbooks
You need the following roles and plugins to build the Playbooks.
- Rebuilding existing playbooks in Workflow Studio
You can’t convert existing flows directly into playbooks in Workflow Studio. Each flow designer step that creates a response task to guide the analyst must be broken down into separate actions or subflows.
- Activity Definitions
The ServiceNow AI Platform provides a few activity definitions in the base system. In addition, for the playbooks shipped with the SIR Workspace base system, a few activity definitions are defined under the Enterprise Security Case Management PAD Commons application.
- Sample Playbooks for SIR Workspace
You can create or configure playbooks for SIR Workspace quickly and easily without writing complicated code. You can use these playbooks to resolve security threats in a step-by-step manner. You can invoke the security incident playbook flow automatically or manually.
- Working with MSI Records
Using the Security Incident Response workspace, you can propose, promote, or link security incidents as major security incidents when the incidents are identified as a critical threat to the organization.
- Working with Form UI actions
Following are the UI actions that are displayed on the security incident form.
- Security Incident Closure workflow
Close the security incident by updating the incident state.