Security Incident Response release notes

  • Release version: Australia
  • Updated March 12, 2026
  • 5 minutes to read

The ServiceNow® Security Incident Response (SIR) application helps your organization connect security and IT teams, respond faster and more efficiently to threats, and gain insight into your organization's security posture. Security Incident Response was enhanced and updated in the Australia release.

    Security Incident Response highlights for the Australia release

    • Enable automated response actions by integrating CrowdStrike Next-Gen SIEM with the ServiceNow Security Incident Response platform to retrieve detections and convert them into security incidents.
    • Fetch closed offenses from IBM QRadar into Security Incident Response.
    • Rapidly build integrations for Security Incident Response using auto-code generation through the Now Assist LLM-powered integration builder.
    • Ingest MITRE D3FEND data and visualize attack–defense relationships through an interactive graph directly within a security incident.

    See Security Incident Response for more information.

    Important:
    Security Incident Response is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.

    New in the Australia release

    Australia Patch 1
    ServiceNow product tiers
    The ServiceNow AI Platform now brings you a new AI experience with three licensing tiers available:
    • Foundation: AI basics to deliver insights
    • Advanced: AI to boost productivity across relevant use cases
    • Prime: Act autonomously with all AI assets and create your own

    Depending on your entitlements, you will have access to certain application features, generative AI skills, agentic workflows, and AI agents.

    CrowdStrike Next-Gen SIEM integration
    As a profile admin:
    • Discover CrowdStrike Next-Gen SIEM detections that are candidates for security incidents and automate the creation of these security incidents.
    • Create detection profiles.
    • Map CrowdStrike Next-Gen SIEM detection and events fields to SIR security incident fields.
• Filter CrowdStrike Next-Gen SIEM detections.
    • Aggregate detections to existing open security incidents so you don't have to create duplicate security incidents.
    • Automate CrowdStrike Next-Gen SIEM detection status updates for Security Incident Response.
    • Synchronize CrowdStrike Next-Gen SIEM detection comments with SIR Work notes.
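The list above describes a pipeline (filter, map fields, aggregate into an open incident instead of duplicating, mirror comments into work notes, and push status back on closure). The following is an added, in-memory model of that pipeline; it is not ServiceNow or CrowdStrike code. The detection records, their field names, the severity scale, the aggregation key (technique plus host) and the SIR numbering are all constructed for the example; the real integration is configured through detection profiles in the SIR workspace.

```python
"""
Added example: in-memory model of the ingestion steps listed above.
Not ServiceNow or CrowdStrike code; detection fields, severity scale,
aggregation key and incident numbering are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample detections. Field names are an assumption, not the
# CrowdStrike Next-Gen SIEM schema.
SAMPLE_DETECTIONS = [
    {"id": "det-1001", "severity": "high", "name": "Credential dumping via LSASS",
     "host": "ws-0042", "user": "j.doe", "technique_id": "T1003.001",
     "comments": ["Triage started"]},
    {"id": "det-1002", "severity": "low", "name": "Benign admin tool usage",
     "host": "ws-0042", "user": "j.doe", "technique_id": "T1059.001",
     "comments": []},
    {"id": "det-1003", "severity": "critical", "name": "Credential dumping via LSASS",
     "host": "ws-0042", "user": "j.doe", "technique_id": "T1003.001",
     "comments": ["Second process confirmed"]},
]

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Detection field -> security incident field, as a profile admin would map them.
FIELD_MAP = {
    "name": "short_description",
    "host": "cmdb_ci",
    "user": "affected_user",
    "technique_id": "mitre_technique",
    "severity": "severity",
}


@dataclass
class SecurityIncident:
    number: str
    fields: Dict[str, str]
    state: str = "open"
    source_detections: List[str] = field(default_factory=list)
    work_notes: List[str] = field(default_factory=list)


def passes_filter(det: dict, min_severity: str) -> bool:
    """Profile filter: only detections at or above the severity threshold qualify."""
    return SEVERITY_RANK.get(det["severity"], -1) >= SEVERITY_RANK[min_severity]


def map_fields(det: dict) -> Dict[str, str]:
    """Apply the profile's field mapping to one detection."""
    return {inc_f: det[det_f] for det_f, inc_f in FIELD_MAP.items() if det_f in det}


def aggregation_key(det: dict) -> Tuple[str, str]:
    """Detections for the same technique on the same host roll into one incident."""
    return (det["technique_id"], det["host"])


class IncidentStore:
    def __init__(self) -> None:
        self.incidents: Dict[str, SecurityIncident] = {}
        self._open_by_key: Dict[Tuple[str, str], str] = {}
        self._seq = 0

    def ingest(self, det: dict, min_severity: str = "medium") -> Optional[SecurityIncident]:
        """Return the incident the detection landed in, or None if filtered out."""
        if not passes_filter(det, min_severity):
            return None
        key = aggregation_key(det)
        number = self._open_by_key.get(key)
        inc = self.incidents.get(number) if number else None
        if inc is not None and inc.state == "open":
            # Aggregate rather than duplicate; escalate severity if the new one is worse.
            inc.source_detections.append(det["id"])
            if SEVERITY_RANK[det["severity"]] > SEVERITY_RANK[inc.fields["severity"]]:
                inc.fields["severity"] = det["severity"]
        else:
            self._seq += 1
            inc = SecurityIncident(number=f"SIR{self._seq:07d}",
                                   fields=map_fields(det),
                                   source_detections=[det["id"]])
            self.incidents[inc.number] = inc
            self._open_by_key[key] = inc.number
        # Mirror detection comments into work notes, prefixed with the detection id.
        inc.work_notes.extend(f"[{det['id']}] {c}" for c in det["comments"])
        return inc

    def close(self, number: str) -> List[str]:
        """Close an incident; returns detection ids whose SIEM status must be updated."""
        inc = self.incidents[number]
        inc.state = "closed"
        self._open_by_key = {k: n for k, n in self._open_by_key.items() if n != number}
        return list(inc.source_detections)


def ingest_all(dets: List[dict], min_severity: str = "medium") -> IncidentStore:
    store = IncidentStore()
    for det in dets:
        store.ingest(det, min_severity)
    return store
```

Running `ingest_all(SAMPLE_DETECTIONS)` yields one incident: the low-severity detection is filtered out, and the two LSASS detections on the same host are aggregated, with the incident escalated to critical and both comments appearing as work notes. Closing that incident returns both detection ids, which is the point at which the status update back to the SIEM would be issued; a later detection with the same key then opens a fresh incident rather than reopening the closed one.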
    Components installed with Security Incident Response
A new Profile Admin role (sn_si.ingestion_profile_admin) grants access to configure plugins and to create, edit, delete, and manage profiles for the Splunk ES, Splunk Enterprise Event Ingestion, and Microsoft Azure Sentinel integrations for Security Operations.
    Add unmatched affected user for security incidents
The new “Security Incident Unmatched Users” table captures affected user records that could not be matched to an existing user record, so analysts can identify and resolve the discrepancy instead of losing the affected user from the incident.
    LLM-powered SIR integration builder
With the LLM-powered integrations on the ServiceNow AI Platform, you can create production-ready integrations quickly. The LLM-powered integration builder has the following capabilities:
• Automatically generates integration code from public API documentation
• Provides guided setup built on existing capabilities
• Makes the generated code easy to edit and maintain
As with any generated code that handles API credentials and writes to incident records, review it for credential handling and least-privilege API scope before deploying it to production.
    MITRE D3FEND framework
    Security administrators can now ingest MITRE D3FEND data. Security analysts can explore MITRE ATT&CK and D3FEND techniques through an interactive, node-based visualization that maps attack techniques, defense techniques, and related artifacts within a Security Incident Response record.
    Preserve manual security tags and restrict removal
    Manual security tags applied by analysts are preserved when automatic tagging rules execute on security incidents, avoiding inadvertent tag removal during automated processes. Analysts can no longer manually remove security tags once applied to an incident, ensuring tag consistency throughout the incident life cycle.
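The failure mode this change addresses is an automated tagging pass that rebuilds the tag set from rule output and silently discards what an analyst added. The block below is an added example, not ServiceNow code: it shows that naive pass beside one that keeps analyst-applied tags across rule re-evaluation and refuses analyst removal. The rules, tag names, the `tag_sources` bookkeeping and the `"admin"`/`"analyst"` role strings are constructed for the example.

```python
"""
Added example (not ServiceNow code): naive auto-tagging that overwrites the
tag set, beside a version that preserves manual tags and restricts removal.
Rules, tag names and role strings are assumptions made for the example.
"""
from typing import Callable, List, Set, Tuple

# Constructed tagging rules: (tag, predicate over the incident record).
RULES: List[Tuple[str, Callable[[dict], bool]]] = [
    ("ransomware", lambda inc: "ransom" in inc["short_description"].lower()),
    ("credential-access", lambda inc: inc.get("mitre_technique", "").startswith("T1003")),
]


def sample_incident() -> dict:
    """Constructed incident record; tag_sources records who applied each tag."""
    return {"short_description": "Possible ransomware staging on ws-0042",
            "mitre_technique": "T1003.001", "tags": set(), "tag_sources": {}}


def add_manual_tag(inc: dict, tag: str) -> None:
    inc["tags"].add(tag)
    inc["tag_sources"][tag] = "manual"


def naive_auto_tag(inc: dict) -> Set[str]:
    """Bug: replaces the whole tag set with rule output, losing manual tags."""
    inc["tags"] = {tag for tag, pred in RULES if pred(inc)}
    return inc["tags"]


def auto_tag(inc: dict) -> Set[str]:
    """Recompute rule tags; manual tags always survive, stale auto tags are dropped."""
    manual = {t for t, src in inc["tag_sources"].items() if src == "manual"}
    auto = {tag for tag, pred in RULES if pred(inc)}
    inc["tags"] = manual | auto
    inc["tag_sources"] = {**{t: "auto" for t in auto}, **{t: "manual" for t in manual}}
    return inc["tags"]


def remove_tag(inc: dict, tag: str, role: str) -> bool:
    """Only the (assumed) 'admin' role may remove a tag; analysts are refused."""
    if role != "admin" or tag not in inc["tags"]:
        return False
    inc["tags"].discard(tag)
    inc["tag_sources"].pop(tag, None)
    return True
```

With a manually applied `vip-user` tag, `naive_auto_tag` returns only the two rule-derived tags, while `auto_tag` keeps all three; re-running `auto_tag` after the short description no longer matches the ransomware rule drops that auto tag but still keeps `vip-user`, and `remove_tag` with the analyst role returns `False` without touching the record.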
    Assign parent relationships to similar security incidents
    Select multiple similar security incidents from the Similar Security Incidents related list and link them as children to the current security incident using the Link as children button.
    View and update Security Incident Response system properties
    View and update system properties specific to the Security Incident Response workspace directly from the workspace administration settings interface.
    Create quick filters for Security Incidents and Response Tasks lists
Enable rapid filtering of security incident lists based on predefined criteria by creating and managing quick filters for the Security Incident [sn_si_incident] and Response Tasks [sn_si_task] tables within the SIR Workspace. Filters are stored in the Quick Filters [sn_si_aw_quick_filters] table.
    Configure auto refresh interval for security incident lists
    Set up refreshing of the security incident list at specified intervals by using the sn_si_incident.auto_refresh_interval system property. The default refresh rate is five minutes.
Control external user access to security incidents
    SOC users can grant read-only access to specific security incidents for defined external users through the Access to security incident field in the SIR workspace.
    Configure default landing tab for security analysts
    Customize the default landing tab for security analysts and security managers when they open a security incident.
    Compose emails from Response Tasks and Investigation tabs
    Send emails without having to switch tabs by composing them directly from the Response Tasks and the Investigation tabs of a security incident.
    Configure default view for contextual menu
    Determine whether the contextual menu panel for a security incident is expanded or collapsed by default when a security analyst opens a security incident.

    Changed in this release

    Assign groups in PIR user assignment rules
User Assignment Rules for Post-Incident Review (PIR) assessments in the SIR module now support group-based assignment in addition to individual user selection. A PIR automatically reflects changes in group membership, so the assignment rule configuration does not need manual edits when members join or leave a group.

    Activation information

    Install Security Incident Response by requesting it from the ServiceNow Store. Visit the ServiceNow Store to view all the available apps, and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Security Operations common functionality
    The Security Support Common plugin is activated when any of the plugins for the main Security Operations applications (Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance) are activated.

    Plugin information

    Deprecated plugin

    The following plugin is deprecated in Australia:

    Security Incident Response UI (sn_app_secops_ui): This plugin is replaced by Security Incident Response Workspace (sn_si_aw).