Security Incident Response release notes
The ServiceNow® Security Incident Response (SIR) application helps your organization connect security and IT teams, respond faster and efficiently to threats, and view your organization's security posture. Security Incident Response was enhanced and updated in the Xanadu release.
Security Incident Response highlights for the Xanadu release
- Define and calculate the risk score of security incidents through the Risk Score Calculator, which is based on user-defined criteria. The risk score is auto-calculated for the security incident records.
- Track the handover of important work items between shifts through the Shift Handover application.
- Automatically create dedicated Slack channels for Incident Managers to engage with Incident Responders to manage major security incidents with the MSIM Slack integration.
- Enable the Incident Manager to provide a summary of a major security incident to their Legal team by using the MSIM Legal Request playbook. The Legal team can use that summary when filing a Form 8-K or 10-K to comply with regulatory bodies such as the SEC when disclosing security breaches.
- Share mobile-friendly MSIM Executive Status Reports generated in email format. You can also share the Executive Status Reports with users outside your ServiceNow® instance, including third-party vendors, other entities, or email distribution lists.
Important:
Security Incident Response is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.
New in the Xanadu release
- Security Incident Response integration with AWS Security Hub
- Security Incident Response supports the AWS Security Hub findings integration. This enables you to ingest AWS Security Hub findings and automatically create security incidents in Security Incident Response.
- Internet Content Adaptation Protocol (ICAP) integration for DLP IR
- Internet Content Adaptation Protocol (ICAP) integration helps you track the usage and movement of sensitive data across various platforms.
- Configure and schedule DLP alert ingestion from the specified Amazon S3 buckets, including delta imports so that only new or modified data is ingested.
- Display the ingested alerts in the DLP workspace by providing the key details on each alert such as the match content, alert severity, and relevant metadata.
- Download associated evidence files directly from the DLP workspace for further investigation or review.
- Enable users to apply automatic responses based on predefined criteria such as alert escalation, notifications, or enforcement policies.
- Remediate response actions such as blocking or quarantining sensitive data, or sending out alerts to stakeholders.
- Customize and define the severity mapping between ICAP DLP incidents and ServiceNow incidents.
- Playbook for zero-day vulnerability
- Get a step-by-step procedure to address and mitigate zero-day threats: vulnerabilities in software that are unknown to the vendor, leaving systems exposed to attacks.
- Configure Shift Handover Templates
- Provide detailed communication of critical information, tasks, and updates between outgoing and incoming personnel for a seamless transition between shifts by using the Shift Handover feature. Improve operational continuity, reduce errors, and increase overall efficiency in the workplace.
- Configure Slack chat connector for major security incidents
- View and filter collaboration chat activities on Slack to more efficiently collaborate to resolve major security incidents.
- Playbook for Legal Request
- Get step-by-step guidance on how to inform the legal team about the latest summary of a major security incident so that they can notify the SEC within the 4-day time frame required for material breaches.
- Add Zscaler Internet Access URL category lists
- Enable Zscaler approvers to add observables to the list of required approvals or remove them when the Require Approval option is selected.
- Configure how an automatic event is created and MISP event data
- Add security tags during automatic MISP profile configuration.
- Mapping DLP incident status with Netskope
- Provide the mappings between the DLP Incident status in your ServiceNow instance and the Netskope Object status.
- Define the new Risk Score Calculator Rules
- The Risk score configuration in the Security Incident Response workspace has been enhanced with the following capabilities:
- Set up a Risk Score Calculator from either script or condition builders.
- Apply multiple conditions while setting up rule-based scoring.
- Apply a weight to each scoring line. Weights should add up to 100.
- For rule-based scoring, select table fields and values for setting up a condition.
- Capture conditions and scoring via scripts.
- Manually execute risk score calculators to recalculate after making changes.
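The following is an added illustration of the weighted, rule-based scoring model described above (condition-builder lines on table fields, scripted lines, weights totalling 100, on-demand recalculation). It is not ServiceNow's Risk Score Calculator code; the function names, the sample calculator and the incident record are constructed for the example.

```javascript
// Added illustration of weighted, rule-based risk scoring as the release notes
// describe it: each scoring line has a condition on a table field (or a script)
// and a weight, weights must total 100, and the calculator can be re-run on
// demand. This is not ServiceNow's Risk Score Calculator implementation; the
// record and field names below are constructed sample data.

// A scoring line: a weight plus either a field/value or a scripted condition.
function scoringLine(weight, condition) {
  return { weight: weight, condition: condition };
}

// Field/value condition, mirroring the "select table fields and values" builder.
function fieldEquals(field, value) {
  return function (record) { return record[field] === value; };
}

// Validate that the weights add up to 100 before the calculator may run.
function validateCalculator(lines) {
  var total = lines.reduce(function (sum, line) { return sum + line.weight; }, 0);
  if (total !== 100) {
    throw new Error('Scoring line weights add up to ' + total + ', expected 100');
  }
  return true;
}

// Compute the risk score: the sum of the weights of all lines whose condition
// matches the record. With weights totalling 100 the result is a 0-100 score.
function calculateRiskScore(lines, record) {
  validateCalculator(lines);
  return lines.reduce(function (score, line) {
    return line.condition(record) ? score + line.weight : score;
  }, 0);
}

// Constructed calculator: two condition-builder lines and one scripted line.
var sampleCalculator = [
  scoringLine(40, fieldEquals('severity', 'critical')),
  scoringLine(30, fieldEquals('category', 'malware')),
  scoringLine(30, function (rec) { return rec.affected_ci_count > 10; }) // scripted condition
];

// Constructed security incident record.
var sampleIncident = { severity: 'critical', category: 'phishing', affected_ci_count: 25 };

// "Manually execute" the calculator to (re)calculate the score for the record.
var riskScore = calculateRiskScore(sampleCalculator, sampleIncident); // 70
```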
- Managing MSIM status reports
- Share mobile-friendly Executive Status Reports with users outside your ServiceNow instance, including third-party vendors, other entities, or email distribution lists.
UI changes
- Configure how an automatic event is created
- A new Security tags field in the automatic MISP profile configuration specifies security tags; observables carrying those tags are not attached to the automatic event created using the profile.
- Introduced local and global tags in the automatic MISP profile configuration to add the selected tags to the newly created automatic MISP event.
Changed in this release
- Security Incident Response Orchestration
  - Security Incident Response Orchestration flows and actions: Workflow is migrated to the Flow Designer in the following sections:
- Security Operations common functionality
  - Security Operations Integration - Block Request capability: Workflow is migrated to the Flow Designer flows in the following integrations:
  - Security Operations Integration - Get Network Statistics capability: Workflow is migrated to the Flow Designer in the following sections:
  - Security Operations Integration - Get Running Processes capability: Workflow is migrated to the Flow Designer in the following sections:
  - Security Operations Integration - Isolate Host capability: Workflow is migrated to the Flow Designer in the following sections:
  - Security Operations Integration - Publish to Watchlist capability: Workflow is migrated to the Flow Designer in the following section:
  - Security Operations Integration - Sightings Search capability: Workflow is migrated to the Flow Designer in the following section:
- Security Incident Response integrations
  - CrowdStrike Falcon Host integration: Workflow is migrated to the Flow Designer in the following sections:
- Review and assign your DLP incidents
- Providing a closure code when closing a DLP incident from the DLP IR analyst workspace is now mandatory.
- DLP Incident Response Administration
- Adding users and groups is now accomplished through related lists rather than adding users from the respective configurations in the following Administration modules:
- DLP Default Configuration
- DLP Assignment Rules
- DLP Response Due Date Rules
- DLP Incident Assessment
- DLP User Instructions Templates
- DLP Record Level Restrictions
- DLP Field Level Restrictions
- Install and configure the Netskope DLP integration for Data Loss Prevention
- The Netskope integration now supports DLP incident ingestion.
- Data Loss Prevention Incident Response Incident Management
- View the forensic details of DLP Incidents in both the DLP IR Analyst workspace and DLP End user workspace.
- Download evidence files
- The Netskope integration supports downloading the evidence file directly on demand.
Activation information
Install Security Incident Response by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
- Security Operations common functionality
- When any of the plugins for the main Security Operations applications (Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance) are activated, the Security Support Common plugin is activated.
Related ServiceNow applications and features
- Vulnerability Response
- Vulnerability Response is part of the Security Operations application suite. Together, these applications connect security to your IT department, increase the speed and efficiency of your response, and give you a definitive view of your security posture.
- Threat Intelligence
- The ServiceNow® Threat Intelligence application enables you to find indicators of compromise (IoC) and enrich security incidents with threat intelligence data.