Security Incident Response release notes
Summarize
Summary of Security Incident Response Release Notes - Washington DC
The ServiceNow® Security Incident Response (SIR) application enhances collaboration between security and IT teams, enabling faster and more efficient threat responses. The Washington DC release introduces new features aimed at improving the security incident management process, enhancing metrics tracking, and integrating with tools for better incident resolution.
Show less
Key Features
- Conference Call Integration: Collaborate with team members and stakeholders via Microsoft Teams, Zoom, or Webex to resolve security issues and capture relevant post-call interactions.
- Flow-based Playbooks: Transition to automated playbooks using Flow Designer with new predefined scenarios for various security threats, such as malicious files, spoofed emails, and credential dumping.
- Post-Incident Management: Capture Mean Time to Repair (MTTR) metrics, and manage report generation for post-incident reviews.
- Security Incident Response Workspace Enhancements: Monitor scan requests, report incidents as risks, and create customer service cases directly from the workspace.
- VirusTotal Integration: Protect user privacy by sending URLs as hashes for threat lookups.
- Microsoft Azure Sentinel Integration: Automatic updates for SIR incident data based on changes in Azure Sentinel, with the ability to retrieve incidents for up to six months.
Key Outcomes
With the Washington DC release, ServiceNow customers can expect improved efficiency in managing security incidents through enhanced collaboration tools and automated processes. The integration capabilities allow for a more seamless workflow between security teams and external tools, ultimately leading to a stronger security posture and quicker incident resolution.
The ServiceNow® Security Incident Response (SIR) application helps your organization connect security and IT teams, respond faster and efficiently to threats, and view your organization's security posture. Security Incident Response was enhanced and updated in the Washington DC release.
Security Incident Response highlights for the Washington DC release
- Make conference calls including team members, customers, and other stakeholders to resolve customer issues.
- Capture MTTR (Mean time to repair) information through usage and definition metrics for security incidents.
- Monitor scan requests and report security incidents as a risk event to the Risk Management team from the Security Incident Response Workspace.
- Create a customer service case for the security incident directly from the Security Incident Response Workspace, which will be tracked by the Customer Service Management (CSM) team.
- VirusTotal integration is provided with an option to send URLs as hashes for threat lookup, to protect the users' privacy on the integration.
New in the Washington DC release
- Major Security Incident Management Conference Call Integration
- Collaborate with your customers and peer agents through a conference call to resolve customer issues through Microsoft Teams, Zoom, or Webex. You can also capture post-call chat, recordings, participant info.
- Flow-based Playbooks
- More easily transition from manual or undocumented playbooks to automated and repeatable playbooks using Flow Designer. Security Incident Response now supports the following new playbooks:
- Playbook for Office 365 - Malicious File Detected
- Playbook for Repeat Detection
- Playbook for Spoofed Emails (using the same Display name)
- Playbook for Endpoint Detection
- Playbook for Possible Password Spray
- Playbook for T1003 - Detect Credential Dumping Tools
- Playbook for Email Domain Spoofing Detection
- Playbook for Typo Squatted Domain
- Playbook for Credential Sniffing
- Playbook for T1070 - Windows Events Logs Cleared
- Playbook for OSquery of External Address in /etc/hosts file
- Playbook for User Deleting Bash History - Cloud
- Playbook for Successful VPN Attempts from the Service Accounts - Corp/Cloud
- Playbook for Attempted Access to Deactivated Accounts
- Playbook for T1003 - Defense Evasion - Mimikatz DCShadow
- Playbook for T1003 - Credential Dumping - Mimikatz DCSync
- Playbook for Okta User Login Failures from Multiple IPs
- Playbook for ModSec Brute force by IP Burst
- Manage post incident activities
- Security Incident Response now supports the following capabilities:
- Usage and definition metrics for security incidents to capture MTTR (Mean time to repair).
- Enable or disable the Post Incident Review (PIR) report generation for child security incidents.
- Security Incident Response Workspace
- You can now perform the following tasks in the Security Incident Response Workspace:
- Monitor scan requests
- Report security incidents as a risk event, which will be tracked by the Risk Management team
- Create a customer service case for the security incident, which will be tracked by the Customer Service Management (CSM) team
- Activate and configure the VirusTotal integration
- Send URLs as hashes for threat lookup to protect the users' privacy on the integration.
Changed in this release
- Microsoft Azure Sentinel integrationMicrosoft Azure Sentinel integration
-
- Any new or updated changes made in Microsoft Azure Sentinel will automatically update the respective SIR incident data while mapping the Microsoft Azure Sentinel fields. For more information, seeMap the Microsoft Azure Sentinel incident fields.
- Pull all open and closed Azure Sentinel incidents for the period up to 6 months. For more information, see Schedule the Microsoft Azure Sentinel incident retrieval.
Deprecations
- Recorded Future
- Trusted Security Circles
For more information about these deprecations, see the Deprecation Process [KB0867184] article in the Now Support knowledge base.
Activation information
Install Security Incident Response by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.