Security Incident Response release notes

  • Release version: Xanadu
  • Updated June 25, 2024

    The ServiceNow® Security Incident Response (SIR) application helps your organization connect security and IT teams, respond faster and efficiently to threats, and view your organization's security posture. Security Incident Response was enhanced and updated in the Xanadu release.

    Security Incident Response highlights for the Xanadu release

    • Define and calculate the risk score of security incidents through the Risk Score Calculator, which is based on user-defined criteria. The risk score is auto-calculated for the security incident records.
    • Track the handover of important work items between shifts through the Shift Handover application.
    • Automatically create dedicated Slack channels for Incident Managers to engage with Incident Responders to manage major security incidents with the MSIM Slack integration.
    • Facilitate the ability of the Incident Manager to provide a summary of a major security incident to their Legal teams by using the MSIM Legal Request playbook. The Legal team can use that summary when filing an 8K or 10K form to comply with regulatory bodies such as the SEC when disclosing security breaches.
    • Share mobile-friendly MSIM Executive Status Reports generated in email format. You can also share the Executive Status Reports with users outside your ServiceNow® instance, including third-party vendors, other entities, or email distribution lists.
    Important:
    Security Incident Response is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.

    New in the Xanadu release

    Security Incident Response integration with AWS Security Hub
    Security Incident Response supports the AWS Security Hub findings integration. This enables you to ingest AWS Security Hub findings and automatically create security incidents in Security Incident Response.
    Security Incident Response supports a bidirectional exchange of data with AWS Security Hub. SIR ingests findings from AWS Security Hub to create aggregated security incidents. Simultaneously, any change in a security incident is also updated on the related AWS Security Hub findings.
    Internet Content Adaptation Protocol (ICAP) integration for DLP IR
    The Internet Content Adaptation Protocol (ICAP) integration helps you track the usage and movement of sensitive data across various platforms.
    • Configure and schedule the ingestion of DLP alerts from specified Amazon S3 buckets, including delta imports so that only new or modified data is ingested.
    • Display the ingested alerts in the DLP workspace by providing the key details on each alert such as the match content, alert severity, and relevant metadata.
    • Download associated evidence files directly from the DLP workspace for further investigation or review.
    • Enable users to apply automatic responses based on predefined criteria such as alert escalation, notifications, or enforcement policies.
    • Remediate response actions such as blocking or quarantining sensitive data, or sending out alerts to stakeholders.
    • Customize and define the severity mapping between ICAP DLP incidents and ServiceNow incidents.
    Playbook for zero-day vulnerability
    Get a step-by-step procedure to address and mitigate zero-day threats: vulnerabilities in software that are unknown to the vendor, leaving systems exposed to attacks.
    Configure Shift Handover Templates
    Provide detailed communication of critical information, tasks, and updates between outgoing and incoming personnel for a seamless transition between shifts by using the Shift Handover feature. Improve operational continuity, reduce errors, and increase overall efficiency in the workplace.
    Configure Slack chat connector for major security incidents
    View and filter collaboration chat activities on Slack to more efficiently collaborate to resolve major security incidents.
    Playbook for Legal Request
    Get step-by-step guidance on informing the Legal team of the latest summary of a major security incident so that they can notify the SEC within the 4-day time frame required for material breaches.
    Add Zscaler Internet Access URL category lists
    Enable Zscaler approvers to add observables to the list of required approvals or remove them when the Require Approval option is selected.
    Configure how an automatic event is created and MISP event data
    Add security tags during automatic MISP profile configuration.
    Mapping DLP incident status with Netskope
    Provide the mappings between the DLP Incident status in your ServiceNow instance and the Netskope Object status.
    Define the new Risk Score Calculator Rules
    The Risk score configuration in the Security Incident Response workspace has been enhanced with the following capabilities:
    • Set up a Risk Score Calculator from either script or condition builders.
    • Apply multiple conditions while setting up rule-based scoring.
    • Apply a weight to each scoring line. Weights should add up to 100.
    • For rule-based scoring, select table fields and values for setting up a condition.
    • Capture conditions and scoring via scripts.
    • Manually execute risk score calculators to recalculate after making changes.
    Managing MSIM status reports
    Share mobile-friendly Executive Status Reports with users outside your ServiceNow instance, including third-party vendors, other entities, or email distribution lists.

    UI changes

    Configure how an automatic event is created
    • A new Security tags field in the automatic MISP profile configuration determines which observables (those carrying the listed security tags) are not attached to the automatic event created using the profile.
    • Local and global tags were introduced in the automatic MISP profile configuration so that the selected tags are added to the newly created automatic MISP event.

    Changed in this release

    Security Incident Response Orchestration
    • Security Incident Response Orchestration flows and actions: Workflow is migrated to Flow Designer in the following sections:
    Security Operations common functionality
    • Security Operations Integration - Block Request capability: Workflow is migrated to Flow Designer flows in the following integrations:
    • Security Operations Integration - Get Network Statistics capability: Workflow is migrated to Flow Designer in the following sections:
    • Security Operations Integration - Get Running Processes capability: Workflow is migrated to Flow Designer in the following sections:
    • Security Operations Integration - Isolate Host capability: Workflow is migrated to Flow Designer in the following sections:
    • Security Operations Integration - Publish to Watchlist capability: Workflow is migrated to Flow Designer in the following section:
    • Security Operations Integration - Sightings Search capability: Workflow is migrated to Flow Designer in the following section:
    Security Incident Response integrations
    • CrowdStrike Falcon Host integration: Workflow is migrated to Flow Designer in the following sections:
    Review and assign your DLP incidents
    Providing a closure code when closing a DLP incident from the DLP IR analyst workspace is now mandatory.
    DLP Incident Response Administration
    Adding users and groups is now done through related lists rather than from the respective configurations in the following Administration modules:
    • DLP Default Configuration
    • DLP Assignment Rules
    • DLP Response Due Date Rules
    • DLP Incident Assessment
    • DLP User Instructions Templates
    • DLP Record Level Restrictions
    • DLP Field Level Restrictions
    Install and configure the Netskope DLP integration for Data Loss Prevention
    The Netskope integration now supports DLP incident ingestion.
    Data Loss Prevention Incident Response Incident Management
    View the forensic details of DLP Incidents in both the DLP IR Analyst workspace and DLP End user workspace.
    Download evidence files
    The Netskope integration supports downloading the evidence file directly on demand.

    Activation information

    Install Security Incident Response by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Security Operations common functionality
    When any of the plugins for the main Security Operations applications (Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance) are activated, the Security Support Common plugin is activated.

    Related ServiceNow applications and features

    Vulnerability Response
    Vulnerability Response is part of the Security Operations application suite. Together, these applications connect security to your IT department, increase the speed and efficiency of your response, and give you a definitive view of your security posture.
    Threat Intelligence
    The ServiceNow® Threat Intelligence application enables you to find indicators of compromise (IoC) and enrich security incidents with threat intelligence data.