Security Incident Response release notes
Summary of Security Incident Response Release Notes - Yokohama
The ServiceNow® Security Incident Response (SIR) application in the Yokohama release enhances your organization's ability to connect security and IT teams, respond more quickly to threats, and maintain a comprehensive view of security posture. This release introduces new integrations, process optimization tools, and improved incident management features to accelerate resolution and improve efficiency.
Key Features
- Process Mining for Security Incidents: Analyze historical incident records to identify bottlenecks such as multiple reassignments, prolonged holds, or inactivity that delay incident resolution, enabling targeted process improvements.
- CrowdStrike Next-Gen SIEM Integration: Automate real-time ingestion of correlated detections and enrichment data from CrowdStrike. Features include detection profile creation, field mapping, filtering, aggregation to existing incidents, scheduled ingestion, and synchronization of detection statuses and comments.
- Enhanced Splunk Enterprise Security Integration: Enables bidirectional updates and synchronized closure between Splunk ES and ServiceNow SIR, with access to historical and ongoing event data including closed events.
- Expanded Vulnerability Tracking: Support for identifying vulnerable items (VITs) indirectly linked to Common Vulnerabilities and Exposures (CVEs) via third-party entities, improving vulnerability coverage visibility.
- On-Call and Shift Scheduling: Admins can create and manage shifts and on-call schedules for analysts, ensuring continuous incident coverage. Analysts can specify availability, preferred contact methods, and view schedules.
- Report Template Configuration: Admins can create reusable templates for incident summaries and executive reports, while analysts can generate and share these reports easily via email.
- Conference Call Integration: Initiate conference calls using Microsoft Teams, Cisco Webex, or Zoom directly within SIR to facilitate faster, collaborative incident resolution.
- Relationship Graph Enhancements: Admins can define default child nodes and labels in relationship graphs; analysts can customize and save graph views and retrieve updated data to better visualize incident relationships.
- Proofpoint Integration for Security Operations: Integrates SOAR with Proofpoint TAP to detect, block, and track email threats, and automate incident creation from email events.
- Data Loss Prevention (DLP) Analyst Workspace: Analysts can preview evidence files directly from the DLP workspace to support incident investigation.
- User Interface Updates: The chat feature is renamed 'Start Chat' and reorganized for better collaboration experience.
Integration and Workflow Updates
- Simplified setup for Microsoft Teams Chat and Microsoft SharePoint integrations with Major Security Incident Management Workspace improves collaboration and data sharing.
- Migration of key Security Incident Response integrations and orchestration workflows to Workflow Studio enhances configuration flexibility and maintainability.
- Expanded integration capabilities include block requests, email search and delete, enrichment of configuration items and observables, network statistics retrieval, host isolation, watchlist publishing, sightings search, and threat lookup.
Activation and Additional Information
The Security Incident Response application is available from the ServiceNow Store and requires installation via request. The release also activates the Security Support Common plugin when any core Security Operations applications are enabled. This setup supports seamless integration with related applications like Vulnerability Response and Threat Intelligence, which further enhance your security operations by providing threat context and vulnerability management.
This release empowers ServiceNow customers to streamline security incident workflows, enhance integration with leading security platforms, and improve collaboration across teams, resulting in faster threat detection, analysis, and resolution.
The ServiceNow® Security Incident Response (SIR) application helps your organization connect security and IT teams, respond to threats faster and more efficiently, and view your organization's security posture. Security Incident Response was enhanced and updated in the Yokohama release.
Security Incident Response highlights for the Yokohama release
- Identify inefficiencies and optimize the resolution process of security incidents for faster closure by using Process Mining.
- Implemented CrowdStrike Next-Gen SIEM integration, enabling real-time ingestion of correlated detections and enrichment data.
- Enhanced Splunk ES integrations to improve incident classification and enable efficient retrieval of historical data and alerts.
- Include the number of VITs indirectly associated with a CVE through TPEs.
- Help managers ensure there are no gaps in coverage and analysts are always available to address security incidents by configuring shifts for analysts.
- Define default child nodes to populate in the relationship graph, and add or remove child nodes at the parent node level.
See Security Incident Response for more information.
New in the Yokohama release
- Process Mining for security incidents
- Identify factors contributing to delays in processing Security Incident Response (SIR) incidents that take a long time to close or resolve by scanning historical SIR records through Process Mining. Time-consuming factors can include multiple reassignments, prolonged hold times, and periods of inactivity.
- CrowdStrike Next-Gen SIEM integration
  - As a Profile Admin:
    - Discover CrowdStrike Next-Gen SIEM detections that are candidates for security incidents and automate the creation of these security incidents.
    - Create detection profiles.
    - Map CrowdStrike Next-Gen SIEM Detection and Events Fields to SIR security incident fields.
    - Filter CrowdStrike Next-Gen SIEM detections.
    - Aggregate detections to existing open security incidents so that you don't have to create duplicate security incidents.
    - Schedule ongoing detection ingestion.
    - Automate CrowdStrike Next-Gen SIEM detection status updates for Security Incident Response.
    - Synchronize CrowdStrike Next-Gen SIEM detection comments with SIR Work notes.
- Create and name an event profile for the Splunk Enterprise Security event ingestion integration
  - Enables bidirectional updates and closure synchronization between Splunk ES and Splunk integrations.
  - Enables retrieval of historical and ongoing data, including closed events, with an option to pull the closed events into the ServiceNow Splunk ES instance.
  - Receive updates for the mapped fields in SIR.
- Components installed with Security Incident Response
- A new Profile Admin role (sn_si.ingestion_profile_admin) provides access to configure plugins, and create, edit, delete, and manage profiles for the Splunk, Splunk ES, and Azure Sentinel Integration for Security Operations application.
- Add indirectly linked VITs to CVEs
- Identify all the Third-Party Entities (TPEs) associated with a Common Vulnerabilities and Exposures (CVE) and then calculate and display the total number of vulnerable items (VITs) indirectly linked to those CVEs through the TPEs by setting the sn_ti.include_cve_vit_indirect_relation property.
- Configure on-call schedules
  - As an admin:
    - Create a shift and add members to or remove members from the shift.
    - Create or edit on-call schedules for groups.
    - View any group's on-call schedule, including those to which they belong.
  - As an analyst:
    - Specify your availability and preferred contact methods.
    - View your on-call schedule and see other members of your shift.
- Configure report templates in Security Incident Response
  - As an admin, create report templates that can be used to generate an incident summary or an executive summary for analysis and sharing.
  - As an analyst, use the templates to generate analyst summary or executive summary reports for a SIR incident that can be shared over email.
- Security Incident Response conference call integration
- Initiate conference calls using communication channels such as Microsoft Teams, Cisco Webex, or Zoom with customers and peer agents to resolve security incidents over a call by using the SIR conference call feature.
- Enhancements to relationship graphs
  - As an admin:
    - Define default child nodes to populate in the relationship graph.
    - Configure relationship labels.
  - As an analyst:
    - Add or remove child nodes at the parent node level.
    - Save the state of the relationship graph.
    - Retrieve updated data.
- Proofpoint integration for Security Operations
- Proofpoint integration for Security Operations supports integration between SOAR (Security Orchestration, Automation, and Response) and Proofpoint Targeted Attack Protection (TAP) software. This integration provides the following benefits:
- Detect and block threats such as business email compromise, and tag suspicious emails for tracking, analysis, and audit.
- Import data to automatically create security incidents for email events that are not captured by TAP products.
- Data Loss Prevention Incident Response Analyst Workspace
- Preview the evidence file of the incident from either the Data Loss Prevention analyst workspace or the DLP end user workspace.
UI changes
- Start a Sidebar chat in Security Incident Response
- The Discuss option has been renamed Start Chat and moved under the Collaborate option.
Changed in this release
- Security Operations
  - Other additional Security Incident Response setup tasks
    - View security incidents with read access and update security incidents with write access without any defined security role.
Activation information
Install Security Incident Response by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
- Security Operations common functionality
- The Security Support Common plugin is activated when any of the plugins for the main Security Operations applications (Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance) are activated.
Related ServiceNow applications and features
- Vulnerability Response
- Vulnerability Response is part of the Security Operations application suite. Together, these applications connect security to your IT department, increase the speed and efficiency of your response, and give you a definitive view of your security posture.
- Threat Intelligence
- The ServiceNow® Threat Intelligence application enables you to find indicators of compromise (IoC) and enrich security incidents with threat intelligence data.