Consolidated page of all release notes for Security Incident Response from Vancouver to Xanadu.
How to use this page
To help you prepare for your upgrade, we have combined the cross-family Security Incident Response release notes onto one page. Read this summary of the new features, changes, and updated information for your product from Vancouver to Xanadu.
Tip: If there were no updates for a release notes section in a certain family release, we included a short note for your reference. For example, if a product did not have any updates in Tokyo, the row says "No updates for this release."
Important information for upgrading Security Incident Response to Xanadu
Before you upgrade to Xanadu, review these pre- and post-upgrade tasks and complete the tasks as needed.
| Release | Release notes |
|---|---|
| Vancouver | |
| Washington DC | No updates for this release. |
| Xanadu | No updates for this release. |
New features
Between your current release family and Xanadu, new features were introduced for Security Incident Response.
| Release |
Release notes |
Vancouver |
- Major Security Incident Management Conference Call Integration
- Collaborate with your customers and peer agents through a conference call to resolve customer issues through Microsoft Teams, Zoom, or Webex. You can also capture post-call chat, recordings, and participant info.
- Flow-based Playbooks
- More easily transition from manual or undocumented playbooks to automated and repeatable playbooks using . Security Incident Response now supports the following new playbooks:
- Manage post incident activities
- Security Incident Response now supports the following capabilities:
- Usage and definition metrics for security incidents to capture MTTR (Mean time to repair).
- Enable or disable the Post Incident Review (PIR) report generation for child security incidents.
- Security Incident Response Workspace
- You can now perform the following tasks in the Security Incident Response Workspace:
- Monitor scan requests
- Report security incidents as a risk event, which will be tracked by the Risk Management team
- Create a customer service case for the security incident, which will be tracked by the Customer Service Management (CSM) team
- Activate and configure the VirusTotal integration
- Send URLs as hashes for threat lookup to protect the users' privacy on the integration.
|
Washington DC |
- Major Security Incident Management Conference Call Integration
- Collaborate with your customers and peer agents through a conference call to resolve customer issues through Microsoft Teams, Zoom, or Webex. You can also capture post-call chat, recordings, and participant info.
- Flow-based Playbooks
- More easily transition from manual or undocumented playbooks to automated and repeatable playbooks using . Security Incident Response now supports the following new playbooks:
- Manage post incident activities
- Security Incident Response now supports the following capabilities:
- Usage and definition metrics for security incidents to capture MTTR (Mean time to repair).
- Enable or disable the Post Incident Review (PIR) report generation for child security incidents.
- Security Incident Response Workspace
- You can now perform the following tasks in the Security Incident Response Workspace:
- Monitor scan requests
- Report security incidents as a risk event, which will be tracked by the Risk Management team
- Create a customer service case for the security incident, which will be tracked by the Customer Service Management (CSM) team
- Activate and configure the VirusTotal integration
- Send URLs as hashes for threat lookup to protect the users' privacy on the integration.
|
Xanadu |
- Security Incident Response integration with AWS Security Hub
- Security Incident Response supports the AWS Security Hub findings integration. This enables you to ingest AWS Security Hub findings and automatically create security incidents in Security Incident Response.
- Security Incident Response supports a bidirectional exchange of data with AWS Security Hub. SIR ingests findings from AWS Security Hub to create aggregated security incidents. Simultaneously, any change in a security incident is also updated on the related AWS Security Hub findings.
- Internet Content Adaptation Protocol (ICAP) integration for DLP IR
- Internet Content Adaptation Protocol (ICAP) integration helps you to track the usage and movement of sensitive data on various platforms.
- Configure and schedule DLP alert ingestion from the specified Amazon S3 buckets, including delta imports so that only new or modified data is ingested.
- Display the ingested alerts in the DLP workspace by providing the key details on each alert such as the match content, alert severity, and relevant metadata.
- Download associated evidence files directly from the DLP workspace for further investigation or review.
- Enable users to apply automatic responses based on predefined criteria such as alert escalation, notifications, or enforcement policies.
- Remediate response actions such as blocking or quarantining sensitive data, or sending out alerts to stakeholders.
- Customize and define the severity mapping between ICAP DLP incidents with ServiceNow incidents.
- Playbook for zero-day vulnerability
- Get a step-by-step procedure to address and mitigate zero-day threats (vulnerabilities in the software that are unknown to the vendor), which leave systems exposed to attacks.
- Configure Shift Handover Templates
- Provide detailed communication of critical information, tasks, and updates between outgoing and incoming personnel for a seamless transition between shifts by using the Shift Handover feature. Improve operational continuity, reduce errors, and increase overall efficiency in the workplace.
- Configure Slack chat connector for major security incidents
- View and filter collaboration chat activities on Slack to more efficiently collaborate to resolve major security incidents.
- Playbook for Legal Request
- Get step-by-step guidance on how you can inform the legal team about the latest summary of a major security incident so they can notify the SEC in the 4-day time frame that is required for material breaches.
- Add Zscaler Internet Access URL category lists
- Enable Zscaler approvers to add observables to the list of required approvals or remove them when the Require Approval option is selected.
- Configure how an automatic event is created and MISP event data
- Add security tags during automatic MISP profile configuration.
- Mapping DLP incident status with Netskope
- Provide the mappings between the DLP Incident status in your ServiceNow instance and the Netskope Object status.
- Define the new Risk Score Calculator Rules
- The Risk score configuration in the Security Incident Response workspace has been enhanced with the following capabilities:
- Set up a Risk Score Calculator from either script or condition builders.
- Apply multiple conditions while setting up rule-based scoring.
- Apply weightage to each scoring line. Weights should add up to 100.
- For rule-based scoring, select table fields and values for setting up a condition.
- Capture conditions and scoring via scripts.
- Manually execute risk score calculators to recalculate after making changes.
- Managing MSIM status reports
- Share mobile-friendly Executive Status Reports with users outside your ServiceNow instance, including third-party vendors, other entities, or email distribution lists.
|
Changes
Between your current release family and Xanadu, some changes were made to existing Security Incident Response features.
| Release |
Release notes |
Vancouver |
- Symantec Integration for Data Loss Prevention Incident Response
- This integration is enhanced to support the following:
- Symantec API request customization
- Symantec time zone support
- Incident comments sync is now configurable for Symantec
- Create and manage email templates for your DLP incidents
- The default email template for End User Digest is enhanced to send digest notifications that tell users about the nearest upcoming due dates of DLP incidents with the severity as critical, high, medium, or low. Create and manage the preconfigured email templates to send notifications to the end users, user groups, or managers. With these templates, you can coach and communicate with the end users on the resolution of Data Loss Prevention Incident Response (DLP IR) incidents.
- DLP default configuration settings
- You can now define and reapply End user lookup rules and Assignment rules to existing Active DLP incidents.
- Data Loss Prevention Incident Response User Workspace
- The Data Loss Prevention Incident Response (DLP IR) User Workspace is an enhanced workspace that end users, managers, and approvers can use to review the assigned DLP incidents. The end users, managers, and approvers can then respond to the incidents by specifying the correct actions.
|
Washington DC |
|
Xanadu |
|
Removed
Between your current release family and Xanadu, some Security Incident Response features or functionality were removed.
| Release | Release notes |
|---|---|
| Vancouver | No updates for this release. |
| Washington DC | No updates for this release. |
| Xanadu | No updates for this release. |
Deprecations
Between your current release family and Xanadu, some Security Incident Response features or functionality were deprecated.
| Release |
Release notes |
Vancouver |
- ServiceNow® Security Incident Response no longer supports the Threat Crowd integration. Therefore, if you run a threat lookup against any observables using the Threat Crowd integration, you might see an error. For details, see the Threat lookup of an Observable fails with ThreatCrowd Integration article in the Now Support Knowledge Base.
- ServiceNow® Security Incident Response no longer supports the Tanium integration v2. For details, see the Deprecation Process [KB0867184] article in the Now Support knowledge base.
|
Washington DC |
ServiceNow® Security Incident Response no longer supports the following integrations:
- Recorded Future
- Trusted Security Circles
For more information about these deprecations, see the Deprecation Process [KB0867184] article in the Now Support knowledge base.
|
Xanadu |
No updates for this release. |
Activation information
Review information on how to activate Security Incident Response.
| Release | Release notes |
|---|---|
| Vancouver | Install Security Incident Response by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes. |
| Washington DC | Install Security Incident Response by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes. |
| Xanadu | Install Security Incident Response by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes. |
Additional requirements
If any additional requirements were introduced or changed for Security Incident Response, we have noted them here.
| Release | Release notes |
|---|---|
| Vancouver | No updates for this release. |
| Washington DC | No updates for this release. |
| Xanadu | No updates for this release. |
Browser requirements
If any specific browser requirements were introduced or changed for Security Incident Response, we have noted them here.
| Release | Release notes |
|---|---|
| Vancouver | No updates for this release. |
| Washington DC | No updates for this release. |
| Xanadu | No updates for this release. |
Accessibility information
Review details on accessibility information for Security Incident Response, such as specific requirements or compliance levels.
| Release | Release notes |
|---|---|
| Vancouver | No updates for this release. |
| Washington DC | No updates for this release. |
| Xanadu | No updates for this release. |
Localization information
If there are specific localization considerations for Security Incident Response, we have noted them here.
| Release | Release notes |
|---|---|
| Vancouver | No updates for this release. |
| Washington DC | No updates for this release. |
| Xanadu | No updates for this release. |
Highlight information
If there are specific highlight considerations for Security Incident Response, we have noted them here.
| Release |
Release notes |
Vancouver |
- The SIR Workspace is now enhanced to support the McAfee ePO integration by leveraging the capability framework along with the existing capabilities.
- Get key insights with the Security Incident Manager Overview dashboard, CISO Overview dashboard, and CISO Reporting Overview dashboard.
- You can now use the DLP Severity Mapping to configure and synchronize the mapping between Symantec incidents and ServiceNow AI Platform incidents.
- Create and configure end user lookup rules and assign the DLP incidents to the respective end users based on those rules.
- DLP Incident Response integration with Microsoft, which enables you to perform the ingestion process and highlight the match content.
- Create and manage user instruction templates for DLP incidents to help the users understand the instructions involved in the incident resolution.
- Using the DLP Approvals module, users can configure the approval rules for various levels of approvers whenever an advanced type of response option is selected.
- The DLP Release email from quarantine option allows the users to release the email that is quarantined from the Microsoft Purview compliance portal.
|
Washington DC |
- Make conference calls including team members, customers, and other stakeholders to resolve customer issues.
- Capture MTTR (Mean time to repair) information through usage and definition metrics for security incidents.
- Monitor scan requests and report security incidents as a risk event to the Risk Management team from the Security Incident Response Workspace.
- Create a customer service case for the security incident directly from the Security Incident Response Workspace, which will be tracked by the Customer Service Management (CSM) team.
- VirusTotal integration is provided with an option to send URLs as hashes for threat lookup, to protect the users' privacy on the integration.
|
Xanadu |
- Define and calculate the risk score of security incidents through the Risk Score Calculator, which is based on user-defined criteria. The risk score is auto-calculated for the security incident records.
- Track the handover of important work items between shifts through the Shift Handover application.
- Automatically create dedicated Slack channels for Incident Managers to engage with Incident Responders to manage major security incidents with the MSIM Slack integration.
- Facilitate the ability of the Incident Manager to provide a summary of a major security incident to their Legal teams by using the MSIM Legal Request playbook. The Legal team can use that summary when filing an 8K or 10K form to comply with regulatory bodies such as the SEC when disclosing security breaches.
- Share mobile-friendly MSIM Executive Status Reports generated in email format. You can also share the Executive Status Reports with users outside your ServiceNow® instance, including third-party vendors, other entities, or email distribution lists.
|