Combined Security Incident Response release notes for upgrades from Zurich to Australia

How to use this page

To help you prepare for your upgrade, we have combined the cross-family Security Incident Response release notes onto one page. Read this summary of the new features, changes, and updated information for your product from Zurich to Australia.

Tip:

If there were no updates for a release notes section in a certain family release, we included a short note for your reference. For example, if a product did not have any updates in Tokyo, the row says "No updates for this release."

Important information for upgrading Security Incident Response to Australia

Before you upgrade to Australia, review these pre- and post-upgrade tasks and complete the tasks as needed.


Release	Release notes
Zurich	No updates for this release.
Australia	No updates for this release.

New features

Between your current release family and Australia, new features were introduced for Security Incident Response.


Release	Release notes
Zurich	Security Incident Response Integration with Cortex XSIAM by Palo Alto Networks As a profile admin: Create profiles for incident ingestion. Filter Cortex XSIAM incidents. Map Cortex XSIAM Incident, Alert, and Event fields to SIR security incident fields. Aggregate incidents to existing open security incidents to avoid having to create duplicate security incidents. Synchronize ServiceNow instance Work notes with Palo Alto Networks XSIAM comments. Set up Splunk environment The ServiceNow Security Operations Event Ingestion Add-on for Splunk ES enables seamless integration between Splunk and ServiceNow Security Operations, allowing you to send security-related events from Splunk ES to a ServiceNow security incident. LLM-powered SIR integration builder With the ServiceNow platform's latest LLM powered integrations, you can create product-ready integration quickly. The LLM-powered integration builder has the following capabilities: Automatically generates integration code from a public API documentation. Provides guided setup built on existing capabilities. Provides easy edit and maintenance of the generated auto code. Deny rule for phishing emails The security admin can add rules to prevent the conversion of phishing emails such as false positives or low-risk messages into security incidents. Any new phishing email is verified first with the deny rules to avoid unwanted security incidents. MITRE D3FEND framework Security administrators can now ingest MITRE D3FEND data. Security analysts can explore MITRE ATT&CK and D3FEND techniques through an interactive, node-based visualization that maps attack techniques, defense techniques, and related artifacts within a Security Incident Response (SIR) record. Update information in security incident related records The security analysts can now edit related records such as associated observables, for a security incident directly from the Related Records list view. Security analysts can quickly update the records without leaving their current context. Advanced Work Assignment for SIR Use Advanced Work Assignment (AWA) to streamline the security incident assignment process which ensure that critical incidents are handled by the most appropriate and available analysts. This improves overall response times and efficiency in security operations. As an admin, configure the following: Service channels Queues Assignment rules Presence states Rejection reasons As an analyst, do the following: Set your availability Accept or reject incoming security incidents Prevent duplicate security incidents for IT incidents Prevent the creation of duplicate security incidents when ITIL users escalate an IT incident to a security incident, the system by enabling the `sn_si.disable_duplicate_security_incident` system property. Ingest third-party risk scores Factor third-party risk scores into security incident risk calculation by ingesting and mapping those scores for better prioritization of high-risk threats. Simplified adding categories and sub-categories for security incidents Admin can create categories and subcategories in Security Incident Response Workspace based on threat types, compliance requirements, or reporting needs. Security analysts can assign these categories and subcategories to security incidents. Security incident Details tab Include the Functional Impact, Recoverability and Information Impact fields on the Details tab of a security incident to improve triage accuracy, incident handling efficiency, and executive reporting for calculating the risk score. Close multiple security incidents Close security incidents in bulk with predefined closure comments or codes to reduce the time that would be spent on manually closing individual incidents. Closure candidates might include multiple incidents with common root causes such as alert misconfiguration, duplicates, or changes in system behavior. Process Mining for security incidents Identify factors contributing to delays in processing SIR incidents that take a long time to close or resolve by scanning historical SIR records through Process Mining. Time-consuming factors can include multiple reassignments, prolonged hold times, and periods of inactivity. Use analysis methods to identify these factors such as multi-hop analysis or bottleneck analysis. Send Observables to TISC Add metadata to the observables such as confidence score, Traffic Light Protocol value, notes and TISC tags before sending them to TISC. Add indirectly linked VITs to CVEs In MITRE-ATT&CK framework, identify all third-party entities (TPEs) associated with common vulnerabilities and exposures (CVEs) and then calculate and display the total number of vulnerable items (VITs) indirectly linked to those CVEs through the TPEs by setting the sn_ti.include_cve_vit_indirect_relation system property. Configure on-call schedules As an admin, manage on-call schedules through the following activities: Create a shift and assign or remove members to or from the shift. Create and edit on-call schedules for groups. View any group’s on-call schedule. As an analyst, track your on-call responsibilities through the following activities: Specify your availability and preferred contact methods. View your on-call schedule. See other members of your shift. Users accessing the same incident When you open an incident, the initials of all the users currently accessing the same incident are displayed to avoid conflicts. Universal search field for linking observables Search across all the field values of the associated observables for an incident. CrowdStrike Next-Gen SIEM integration As a Profile Admin: Discover CrowdStrike Next-Gen SIEM detections that are candidates for security incidents and automate the creation of these security incidents. Create detection profiles. Map CrowdStrike Next-Gen SIEM Detection and Events Fields to SIR security incident fields. Filter CrowdStrike Next-Gen SIEM defects. Aggregate detections to existing open security incidents so that you don't have to create duplicate security incidents. Automate CrowdStrike Next-Gen SIEM detection status updates for Security Incident Response. Synchronize CrowdStrike Next-Gen SIEM detection comments with SIR Work notes. Create an event profile Enables bidirectional updates and closure synchronization between Splunk ES and Splunk integrations. Enables retrieval of historical, and ongoing data including closed events, with an option to pull the closed events into the ServiceNow Splunk ES instance. Receive updates for the mapped fields in SIR. Components installed with Security Incident Response A new Profile Admin role (sn_si.ingestion_profile_admin) provides access to configure plugins, and to create, edit, delete, and manage profiles for the Splunk, Splunk ES, and Azure Sentinel Integration for Security Operations application. Enhancements to relationship graphs As an admin: Define default child nodes to populate in the relationship graph. Configure relationship labels. As an analyst: Add or remove child nodes at the parent node level. Save the state of the relationship graph. Retrieve updated data.
Australia	Australia Patch 1 ServiceNow product tiers The ServiceNow AI Platform now brings you a new AI experience with three licensing tiers available: Foundation: AI basics to deliver insights Advanced: AI to boost productivity across relevant use cases Prime: Act autonomously with all AI assets, and create your own Depending on your license, you will have access to certain application features, generative AI skills, agentic workflows, and AI agents. CrowdStrike Next-Gen SIEM integration As a profile admin: Discover CrowdStrike Next-Gen SIEM detections that are candidates for security incidents and automate the creation of these security incidents. Create detection profiles. Map CrowdStrike Next-Gen SIEM detection and events fields to SIR security incident fields. Filter CrowdStrike Next-Gen SIEM defects. Aggregate detections to existing open security incidents so you don't have to create duplicate security incidents. Automate CrowdStrike Next-Gen SIEM detection status updates for Security Incident Response. Synchronize CrowdStrike Next-Gen SIEM detection comments with SIR Work notes. Components installed with Security Incident Response A new Profile Admin role (sn_si.ingestion_profile_admin) provides access to configure plugins, and enables you to create, edit, delete, and manage profiles for Splunk ES, Splunk Enterprise Event Ingestion, and Microsoft Azure Sentinel integration for Security Operations application. Add unmatched affected user for security incidents The new “Security Incident Unmatched Users” table captures unmatched affected user records for security incidents, enabling analysts to identify and address discrepancies when user records don't match existing system records. LLM-powered SIR integration builder With the latest LLM-powered integrations on the ServiceNow AI Platform, you can create product-ready integration quickly. The LLM-powered integration builder has the following capabilities: Automatically generates integration code from a public API documentation Provides guided setup built on existing capabilities Provides easy edit and maintenance of the generated auto code MITRE D3FEND framework Security administrators can now ingest MITRE D3FEND data. Security analysts can explore MITRE ATT&CK and D3FEND techniques through an interactive, node-based visualization that maps attack techniques, defense techniques, and related artifacts within a Security Incident Response record. Preserve manual security tags and restrict removal Manual security tags applied by analysts are preserved when automatic tagging rules execute on security incidents, avoiding inadvertent tag removal during automated processes. Analysts can no longer manually remove security tags once applied to an incident, ensuring tag consistency throughout the incident life cycle. Assign parent relationships to similar security incidents Select multiple similar security incidents from the Similar Security Incidents related list and link them as children to the current security incident using the Link as children button. View and update Security Incident Response system properties View and update system properties specific to the Security Incident Response workspace directly from the workspace administration settings interface. Create quick filters for Security Incidents and Response Tasks lists Enable rapid filtering of security incident lists based on predefined criteria by creating and managing quick filters for the Security incident [sn.si.incident] and Response tasks [sn_si_task] tables within the SIR Workspace. Filters are stored in the Quick Filters [sn_si_aw_quick_filters] table. Configure auto refresh interval for security incident lists Set up refreshing of the security incident list at specified intervals by using the `sn_si_incident.auto_refresh_interval` system property. The default refresh rate is five minutes. Control external user access to security incident SOC users can grant read-only access to specific security incidents for defined external users through the Access to security incident field in the SIR workspace. Configure default landing tab for security analysts Customize the default landing tab for security analysts and security managers when they open a security incident. Compose emails from Response Tasks and Investigation tabs Send emails without having to switch tabs by composing them directly from the Response Tasks and the Investigation tabs of a security incident. Configure default view for contextual menu Determine whether the contextual menu panel for a security incident is expanded or collapsed by default when a security analyst opens a security incident.

Changes

Between your current release family and Australia, some changes were made to existing Security Incident Response features.


Release	Release notes
Zurich	Security Incident Response Other Records Add  multiple ITSM incidents, problems, or change requests to a security incident for which multiple IT actions are needed. For more information, see the "Link multiple ITSM incidents" section. Modify attachments of a closed security incident You cannot modify the attachments of a security incident once the security incident is closed.
Australia	Assign groups in PIR user assignment rules User Assignment Rules for Post-Incident Review (PIR) assessments in the SIR module now support group-based assignment in addition to individual user selection. You can configure assignment rules using groups. The PIR automatically reflects group membership updates without requiring manual edits to the assignment rules configuration.

Removed

Between your current release family and Australia, some Security Incident Response features or functionality were removed.


Release	Release notes
Zurich	No updates for this release.
Australia	No updates for this release.

Deprecations

Between your current release family and Australia, some Security Incident Response features or functionality were deprecated.


Release	Release notes
Zurich	No updates for this release.
Australia	No updates for this release.

Activation information

Review information on how to activate Security Incident Response.


Release	Release notes
Zurich	No updates for this release.
Australia	Install Security Incident Response by requesting it from the ServiceNow Store.

Additional requirements

If any additional requirements were introduced or changed for Security Incident Response we have noted them here.


Release	Release notes
Zurich	No updates for this release.
Australia	No updates for this release.

Browser requirements

If any specific browser requirements were introduced or changed for Security Incident Response we have noted them here.


Release	Release notes
Zurich	No updates for this release.
Australia	No updates for this release.

Accessibility information

Review details on accessibility information for Security Incident Response, such as specific requirements or compliance levels.


Release	Release notes
Zurich
Australia	No updates for this release.

Localization information

If there are specific localization considerations for Security Incident Response we have noted them here.


Release	Release notes
Zurich	No updates for this release.
Australia	No updates for this release.

Highlight information

If there are specific highlight considerations for Security Incident Response we have noted them here.


Release	Release notes
Zurich	Integrate Cortex XSIAM by Palo Alto Networks with ServiceNow Security Incident Response platform to turn SIEM insights into actionable incidents, thus accelerating response from detection to closure. Use Advanced Work Assignment (AWA) to automatically assign incidents to your security analysts, based on their availability, capacity, and skills. Ingest third-party risk scores in Security Incident Response to factor these scores when calculating risk scores. Starting in version 13.9.33, you can do the following: Fetch closed offenses from IBM QRadar into Security Incident Response. Set the batch size for correlation rules during IBM QRadar offense polling to optimize performance. Use the Now Assist LLM-powered integration builder to rapidly build integrations for Security Incident Response using auto-code generation. Ingest MITRE D3FEND data and visualize attack–defense relationships through an interactive graph directly within a security incident. Starting in version 13.9.21, you can do the following: Integrate CrowdStrike Next-Gen SIEM integration with ServiceNow Security Incident Response platform to retrieve detections and convert them into security incidents, thus enabling automated response actions. Improve incident classification and enable efficient retrieval of historical data and alerts through enhanced Splunk ES integrations. Configure and use on-call scheduling to prevent gaps in coverage and ensure analysts are available to address security incidents by configuring shifts for analysts. See Security Incident Response for more information.
Australia	Enable automated response actions by integrating CrowdStrike Next-Gen SIEM with the ServiceNow Security Incident Response platform to retrieve detections and convert them into security incidents. Fetch closed offenses from IBM QRadar into Security Incident Response. Rapidly build integrations for Security Incident Response using auto-code generation through the Now Assist LLM-powered integration builder. Ingest MITRE D3FEND data and visualize attack–defense relationships through an interactive graph directly within a security incident. See Security Incident Response for more information.