Security Incident Response integration with Zscaler release notes

  • Release version: Store
  • Updated June 11, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Security Incident Response integration with Zscaler release notes

    The Security Incident Response integration with Zscaler for ServiceNow is a continuously enhanced application that streamlines the management of security incidents by integrating Zscaler threat intelligence and URL categorization data. It enables security analysts to perform reputation lookups, manage block and allow lists, and automate workflows related to threat observables such as URLs, IPs, and domains.

    Show full answer Show less

    This integration supports approval workflows, sandbox report lookups, and automated creation of security incidents from critical alerts ("Patient 0" alerts), enhancing incident response efficiency and accuracy.

    Key Features and Enhancements

    • Threat Reputation Lookup: Analysts can trigger reputation lookups on URLs, IPs, and domains to assess threat levels.
    • Block/Allow List Management: Add and remove URLs/IPs/domains to tenant-specific block or allow lists, with approval workflows for changes.
    • Configurable Approvers: Separate configurable approvers can be set for adding or removing observables, allowing granular control of approval processes.
    • Observable Management Enhancements: Features like automatically removing an observable from the deny list if it exists in the allow list, preventing conflicts.
    • Sandbox Report Lookup: Analysts can retrieve and store sandbox reports for MD5 hashes directly against incidents.
    • Automation and Flow Designer Integration: Migration of workflows to Flow Designer for improved automation and smoother workflow management.
    • Security Improvements: Upgraded dictionary-level fields to strict read-only to prevent unauthorized changes and fixed ACL misconfigurations to enhance data security.
    • Bug Fixes and Reliability: Resolved issues related to access permissions, observable category population, validation errors in sandbox submissions, URL validation regex problems, and UI navigation errors to improve stability and user experience.
    • Support for Expiration-Based Removal: Periodic automatic removal of entries from lists based on expiration values.

    Practical Benefits for ServiceNow Customers

    • Improved accuracy and control in handling threat observables within security incidents through automated lookups and list management.
    • Enhanced security and compliance by enforcing strict read-only fields and correcting ACL configurations.
    • Streamlined incident response workflows with Flow Designer integration and approval configurations tailored to organizational needs.
    • Increased reliability and reduced errors in integration processes, ensuring consistent data handling and smoother analyst operations.
    • Ability to leverage Zscaler threat intelligence directly within ServiceNow Security Incident Response, reducing manual effort and speeding up mitigation actions.

    Version history for the Security Incident Response integration with Zscaler on the ServiceNow Store.

    Important:
    For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.

    Version history

    Version 11.2.4 - June 2026
    • Fixed:
      • Access issues for Security Analyst while querying tables.
      • Flows reporting false failures when the Observable was already blocked or allowed.
    Version 11.2.3 - February 2026
    Fixed: Populating observable category listing from Zscaler.
    Version 11.2.2 - December 2025
    • New:
      • Upgraded dictionary-level read-only fields to Strict Read-Only to enhance security and prevent unauthorized changes.
      • This update ensures the server consistently enforces read-only behavior across all UIs, scripts, and integrations.
    Version 11.1.11 - August 2025
    • Fixed:
      • Resolved an issue where the 'Zscaler Remove from URL Category' sub-flow was incorrectly left in draft state, preventing proper execution in production workflows. The sub-flow is now correctly published and active.
      • Addressed a sandbox submission failure for Zscaler integrations where the system encountered error Cannot read property "Type" from undefined, errorCode:1. Root cause was due to missing data validation in sandbox processing. The fix ensures proper error handling and data validation to prevent runtime failures during submission.
    Version 11.1.3 - February 2025
    • Fixed:
      • Resolved the issue where the 'Approval for Add to DenyList' flow was failing.
      • Corrected the duplication of Approver records for the DenyList.
    Version 11.1.1 - November 2024
    New: Migrated Workflows to Flow Designers flows. This update ensures a smoother transition and leverages the improved capabilities of Flow Designers.
    Version 11.1.0 - August 2024
    New: The Zscaler integration is improved to provide configurable options for specifying different sets of approvers for both adding and removing observables.
    Version 11.0.17 - May 2024
    New: Implemented the "Remove the observable from Denylist if present" checkbox when the same observable exists in the allow list and the analyst is trying to add the same observable to the Denylist again and vice versa.
    Version 11.0.14 - February 2024
    • Fixed:
      • Added approval for Allowlist/Denylist in the activities section for the Security Incidents.
      • The Findings field now displays all the observables.
    Version 11.0.13 - December 2023

    Fixed: Addressed the security issues related to the misconfiguration of table/field ACLs within the com.snc.secops.zscaler plugin.

    Version 11.0.12 - November 2023
    • Fixed:
      • The Zscaler URL validator regex had issues with some URLs.
      • Threat lookup runs continuously even when there are no observables.
    Version 11.0.9 - August 2023
    Fixed: Fixed an issue that prevented users from navigating to the flow designer when clicking from the security incident activity.
    Version 11.0.7 - May 2023
    Fixed: Zscalar Integration creates an entry in the Zscaler URL Category List Entries table that immediately moves to the active state is ServiceNow, even if the record in the Zsclaer app is queued for activation.
    Version 11.0.6 - February 2023
    Fixed: Zscaler integration is restricted from adding valid URL types.
    Version 11.0.3 - November 2022
    • Changed: Utah Mandate: changed app-sec-parent version to 5.0.0.77
    • Fixed:
      • Zscaler capability implementation records are not getting created in the Zscaler application scope.
      • Localization issues.
      • Filter Configurations for Zscaler capability are configured as capability-level filter conditions.
      • Improve the logging for Zscaler integration.
    Version 11.0.2 - October 2021
    • Fixed:
      • Fixed the issue with adding observables to a custom category
      • Added additional password-related policies
    Version 11.0.0 - June 2021
    • Threat Look Up Analyst will be able to trigger reputation lookup’s on URL/IP/Domain
    • Block/Allow URLs/IPs/Domain Analyst will be able to add URLs/Ips/Domain to tenant specific Block List/Allow List or other URL categories Support for periodic removal of entries from the list based on expiration value Support for Approval workflow Sandbox Report Look Up Analyst will be able to look up Sandbox report of MD5 hash and store it against the incident
    • Create Security Incident out of Patient 0 alerts Support for ingestion of patient 0 alerts and create security incidents out of them