Combined Security Incident Response release notes for upgrades from Vancouver to Washington DC

How to use this page

To help you prepare for your upgrade, we have combined the cross-family Security Incident Response release notes onto one page. Read this summary of the new features, changes, and updated information for your product from Vancouver to Washington DC.

Tip:

If there were no updates for a release notes section in a certain family release, we included a short note for your reference. For example, if a product did not have any updates in Tokyo, the row says "No updates for this release."

Important information for upgrading Security Incident Response to Washington DC

Before you upgrade to Washington DC, review these pre- and post-upgrade tasks and complete the tasks as needed.


Release	Release notes
Vancouver
Washington DC	No updates for this release.

New features

Between your current release family and Washington DC, new features were introduced for Security Incident Response.


Release	Release notes
Vancouver	[Placeholder link text to key integrate-msim-conference-calls] Collaborate with your customers and peer agents through a conference call to resolve customer issues through Microsoft Teams, Zoom, or Webex. You can also capture post-call chat, recordings, participant info. Flow-based Playbooks More easily transition from manual or undocumented playbooks to automated and repeatable playbooks using . Security Incident Response now supports the following new playbooks: Playbook for Office 365 - Malicious File Detected Playbook for Repeat Detection Playbook for Spoofed Emails (using the same Display name) Playbook for Endpoint Detection Playbook for Possible Password Spray Playbook for T1003 - Detect Credential Dumping Tools Playbook for Email Domain Spoofing Detection Playbook for Typo Squatted Domain Playbook for Credential Sniffing Playbook for T1070 - Windows Events Logs Cleared Playbook for OSquery of External Address in /etc/hosts file Playbook for User Deleting Bash History - Cloud Playbook for Successful VPN Attempts from the Service Accounts - Corp/Cloud Playbook for Attempted Access to Deactivated Accounts Playbook for T1003 - Defense Evasion - Mimikatz DCShadow Playbook for T1003 - Credential Dumping - Mimikatz DCSync Playbook for Okta User Login Failures from Multiple IPs Playbook for ModSec Brute force by IP Burst Manage post incident activities Security Incident Response now supports the following capabilities: Usage and definition metrics for security incidents to capture MTTR (Mean time to repair). Enable or disable the Post Incident Review (PIR) report generation for child security incidents. Security Incident Response Workspace You can now perform the following tasks in the Security Incident Response Workspace: Monitor scan requests Report security incidents as a risk event, which will be tracked by the Risk Management team Create a customer service case for the security incident, which will be tracked by the Customer Service Management (CSM) team Activate and configure the VirusTotal integration Send URLs as hashes for threat lookup to protect the users' privacy on the integration.
Washington DC	Major Security Incident Management Conference Call Integration Collaborate with your customers and peer agents through a conference call to resolve customer issues through Microsoft Teams, Zoom, or Webex. You can also capture post-call chat, recordings, participant info. Flow-based Playbooks More easily transition from manual or undocumented playbooks to automated and repeatable playbooks using . Security Incident Response now supports the following new playbooks: Playbook for Office 365 - Malicious File Detected Playbook for Repeat Detection Playbook for Spoofed Emails (using the same Display name) Playbook for Endpoint Detection Playbook for Possible Password Spray Playbook for T1003 - Detect Credential Dumping Tools Playbook for Email Domain Spoofing Detection Playbook for Typo Squatted Domain Playbook for Credential Sniffing Playbook for T1070 - Windows Events Logs Cleared Playbook for OSquery of External Address in /etc/hosts file Playbook for User Deleting Bash History - Cloud Playbook for Successful VPN Attempts from the Service Accounts - Corp/Cloud Playbook for Attempted Access to Deactivated Accounts Playbook for T1003 - Defense Evasion - Mimikatz DCShadow Playbook for T1003 - Credential Dumping - Mimikatz DCSync Playbook for Okta User Login Failures from Multiple IPs Playbook for ModSec Brute force by IP Burst Manage post incident activities Security Incident Response now supports the following capabilities: Usage and definition metrics for security incidents to capture MTTR (Mean time to repair). Enable or disable the Post Incident Review (PIR) report generation for child security incidents. Security Incident Response Workspace You can now perform the following tasks in the Security Incident Response Workspace: Monitor scan requests Report security incidents as a risk event, which will be tracked by the Risk Management team Create a customer service case for the security incident, which will be tracked by the Customer Service Management (CSM) team Activate and configure the VirusTotal integration Send URLs as hashes for threat lookup to protect the users' privacy on the integration.

Changes

Between your current release family and Washington DC, some changes were made to existing Security Incident Response features.


Release	Release notes
Vancouver	Symantec Integration for Data Loss Prevention Incident Response This integration is enhanced to support the following: Symantec API request customization Symantec time zone support Incident comments sync is now configurable for Symantec Create and manage email templates for your DLP incidents The default email template for End User Digest are enhanced to send digest notifications to notify the users about the nearest upcoming due dates of DLP incidents with the severity as critical, high, medium, or low. Create and manage the preconfigured email templates to send notifications to the end users, user groups, or managers. With these templates, you can coach and communicate with the end users on the Data Loss Prevention Incident Response (DLP IR) incidents resolution. DLP default configuration settings You can now define and reapply End user lookup rules and Assignment rules to existing Active DLP incidents. Data Loss Prevention Incident Response User Workspace The Data Loss Prevention Incident Response (DLP IR) User Workspace is an enhanced workspace where end users, managers, and approvers can use to review the assigned DLP incidents. The end users, managers, and approvers can then respond to the incidents by specifying the correct actions.
Washington DC	Microsoft Azure Sentinel integrationMicrosoft Azure Sentinel integration Any new or updated changes made in Microsoft Azure Sentinel will automatically update the respective SIR incident data while mapping the Microsoft Azure Sentinel fields. For more information, seeMap the Microsoft Azure Sentinel incident fields. Pull all open and closed Azure Sentinel incidents for the period up to 6 months. For more information, see Schedule the Microsoft Azure Sentinel incident retrieval.

Removed

Between your current release family and Washington DC, some Security Incident Response features or functionality were removed.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.

Deprecations

Between your current release family and Washington DC, some Security Incident Response features or functionality were deprecated.


Release	Release notes
Vancouver	ServiceNow® Security Incident Response no longer supports the Threat Crowd integration. Therefore, if you run a threat look-up against any observables using the Threat Crowd integration, you might see an error. For details, see the Threat lookup of an Observable fails with ThreatCrowd Integration article in the Now Support Knowledge Base. ServiceNow® Security Incident Response no longer supports the Tanium integration v2 integration. For details, see the Deprecation Process [KB0867184] article in the Now Support knowledge base.
Washington DC	ServiceNow® Security Incident Response no longer supports the following integrations: Recorded Future Trusted Security Circles For more information about these deprecations, see the Deprecation Process [KB0867184] article in the Now Support knowledge base.

Activation information

Review information on how to activate Security Incident Response.


Release	Release notes
Vancouver	Install Security Incident Response by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Washington DC	Install Security Incident Response by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

Additional requirements

If any additional requirements were introduced or changed for Security Incident Response we have noted them here.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.

Browser requirements

If any specific browser requirements were introduced or changed for Security Incident Response we have noted them here.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.

Accessibility information

Review details on accessibility information for Security Incident Response, such as specific requirements or compliance levels.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.

Localization information

If there are specific localization considerations for Security Incident Response we have noted them here.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.

Highlight information

If there are specific highlight considerations for Security Incident Response we have noted them here.


Release	Release notes
Vancouver	The SIR Workspace is now enhanced to support the McAfee ePO integration by leveraging the capability framework along with the existing capabilities. Provides you key insights with the Security Incident Manager Overview dashboard, CISO Overview dashboard, and CISO Reporting Overview dashboard. You can now use the DLP Severity Mapping to configure and synchronize the mapping between Symantec incidents and ServiceNow AI Platform incidents. Create and configure end user lookup rules and assign the DLP incidents to the respective end users based on those rules. DLP Incident Response integration with Microsoft, which enables you to perform the ingestion process, highlight the match content. Create and manage user instructions template for DLP incidents to help the users understand the instructions involved in the incident resolution. Using DLP Approvals module, users can configure the approval rules for various levels of approvers whenever an advanced type of response option is selected. DLP Release email from quarantine option allows the users to release the email that is quarantined from the Microsoft Purview compliance portal.
Washington DC	Make conference calls including team members, customers, and other stakeholders to resolve customer issues. Capture MTTR (Mean time to repair) information through usage and definition metrics for security incidents. Monitor scan requests and report security incidents as a risk event to the Risk Management team from the Security Incident Response Workspace. Create a customer service case for the security incident directly from the Security Incident Response Workspace, which will be tracked by the Customer Service Management (CSM) team. VirusTotal integration is provided with an option to send URLs as hashes for threat lookup, to protect the users' privacy on the integration.