Combined Security Incident Response release notes for upgrades from Xanadu to Zurich

How to use this page

To help you prepare for your upgrade, we have combined the cross-family Security Incident Response release notes onto one page. Read this summary of the new features, changes, and updated information for your product from Xanadu to Zurich.

Tip:

If there were no updates for a release notes section in a certain family release, we included a short note for your reference. For example, if a product did not have any updates in Tokyo, the row says "No updates for this release."

Important information for upgrading Security Incident Response to Zurich

Before you upgrade to Zurich, review these pre- and post-upgrade tasks and complete the tasks as needed.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich	No updates for this release.

New features

Between your current release family and Zurich, new features were introduced for Security Incident Response.


Release	Release notes
Xanadu	Security Incident Response integration with AWS Security Hub Security Incident Response supports the AWS Security Hub findings integration. This enables you to ingest AWS Security Hub findings and automatically create security incidents in Security Incident Response. Security Incident Response supports a bidirectional exchange of data with AWS Security Hub. SIR ingests findings from AWS Security Hub to create aggregated security incidents. Simultaneously, any change in a security incident is also updated on the related AWS Security Hub findings. Internet Content Adaption Protocol (ICAP) integration for DLP IR Internet Content Adaption Protocol (ICAP) integration helps you to track the usage and movement of sensitive data on various platforms. Configure and schedule DLP alerts ingestion from the specified Amazon S3 buckets which includes the capability to perform the delta imports to ensure only new or modified data is ingested. Display the ingested alerts in the DLP workspace by providing the key details on each alert such as the match content, alert severity, and relevant metadata. Download associated evidence files directly from the DLP workspace for further investigation or review. Enable users to apply automatic responses based on predefined criteria such as alert escalation, notifications, or enforcement policies. Remediate response actions such as blocking or quarantining sensitive data, or sending out alerts to stakeholders. Customize and define the severity mapping between ICAP DLP incidents with ServiceNow incidents. Playbook for zero-day vulnerability Get step-by-step procedure to address and mitigate zero-day threats—vulnerabilities in the software that are unknown to the vendor, leaving systems exposed to attacks. Configure Shift Handover Templates Provide detailed communication of critical information, tasks, and updates between outgoing and incoming personnel for a seamless transition between shifts by using the Shift Handover feature. Improve operational continuity, reduce errors, and increase overall efficiency in the workplace. Configure Slack chat connector for major security incidents View and filter collaboration chat activities on Slack to more efficiently collaborate to resolve major security incidents. Playbook for Legal Request Get step-by-step guidance on how you can inform the legal team about the latest summary of a major security incident so they can notify the SEC in the 4-day time frame that is required for material breaches. Add Zscaler Internet Access URL category lists Enable Zscaler approvers to add observables to the list of required approvals or remove them when the Require Approval option is selected. Configure how an automatic event is created and MISP event data Add security tags during automatic MISP profile configuration. Mapping DLP incident status with Netskope Provide the mappings between the DLP Incident status in your ServiceNow instance and the Netskope Object status. Define the new Risk Score Calculator Rules The Risk score configuration in the Security Incident Response workspace has been enhanced with the following capabilities: Set up a Risk Score Calculator from either script or condition builders. Apply multiple conditions while setting up rule-based scoring. Apply weightage to each scoring line. Weights should add up to 100. For rule-based scoring, select table fields and values for setting up a condition. Capture conditions and scoring via scripts. Manually execute risk score calculators to recalculate after making changes. Managing MSIM status reports Share mobile-friendly Executive Status Reports with users outside your ServiceNow instance, including third-party vendors, other entities, or email distribution lists.
Yokohama	Process Mining for security incidents Identify factors contributing to delays in processing Security Incident Response (SIR) incidents that take a long time to close or resolve by scanning historical SIR records through Process Mining. Time-consuming factors can include multiple reassignments, prolonged hold times, and periods of inactivity. CrowdStrike Next-Gen SIEM integration As a Profile Admin: Discover CrowdStrike Next-Gen SIEM detections that are candidates for security incidents and automate the creation of these security incidents. Create detection profiles. Map CrowdStrike Next-Gen SIEM Detection and Events Fields to SIR security incident fields. Filter CrowdStrike Next-Gen SIEM defects. Aggregate detections to existing open security incidents so that you don't have to create duplicate security incidents. Schedule ongoing detection ingestion. Automate CrowdStrike Next-Gen SIEM detection status updates for Security Incident Response. Synchronize CrowdStrike Next-Gen SIEM detection comments with SIR Work notes. Create an event profile Enables bidirectional updates and closure synchronization between Splunk ES and Splunk integrations. Enables retrieval of historical, and ongoing data including closed events, with an option to pull the closed events into the ServiceNow Splunk ES instance. Receive updates for the mapped fields in SIR. Components installed with Security Incident Response A new Profile Admin role (sn_si.ingestion_profile_admin) provides access to configure plugins, and create, edit, delete, and manage profiles for the Splunk, Splunk ES, and Azure Sentinel Integration for Security Operations application. Add indirectly linked VITs to CVEs Identify all the Third-Party Entities (TPEs) associated with a Common Vulnerabilities and Exposures (CVE) and then calculate and display the total number of vulnerable items (VITs) indirectly linked to those CVEs through the TPEs by setting the sn_ti.include_cve_vit_indirect_relation property. Configure on-call schedules As an admin: Create a shift and assign or remove members to/from the shift. Create/edit on-call schedules for groups. View any group’s on-call schedule, including those to which they belong. As an analyst: Specify your availability and preferred contact methods. View your on-call schedule and see other members of your shift. Configure report templates in Security Incident Response As an admin, create report templates that can be used to generate an incident summary or an executive summary for analysis and sharing. As an analyst, use the templates to generate analyst summary or executive summary reports for a SIR incident that can be shared over email. Security Incident Response conference call integration Initiate conference calls using communication channels such as Microsoft Teams, Cisco Webex, or Zoom with customers and peer agents to resolve security incidents over a call by using the SIR conference call feature. Enhancements to relationship graphs As an admin: Define default child nodes to populate in the relationship graph. Configure relationship labels. As an analyst: Add or remove child nodes at the parent node level. Save the state of the relationship graph. Retrieve updated data. Proofpoint integration for Security Operations Proofpoint integration for Security Operations supports integration between SOAR (Security Orchestration, Automation, and Response) and Proofpoint Targeted Attack Protection (TAP) software. This integration provides the following benefits: Detect and block threats such as business email compromise and tags suspicious emails for tracking, analysis, and audit. Import data to automatically create security incidents for email events that are not captured by TAP products. Data Loss Prevention Incident Response Analyst Workspace Preview the evidence file of the incident from either the Data Loss Prevention analyst workspace or the DLP end user workspace.
Zurich	Security Incident Response Integration with Cortex XSIAM by Palo Alto Networks As a profile admin: Create profiles for incident ingestion. Filter Cortex XSIAM incidents. Map Cortex XSIAM Incident, Alert, and Event fields to SIR security incident fields. Aggregate incidents to existing open security incidents to avoid having to create duplicate security incidents. Synchronize ServiceNow instance Work notes with Palo Alto Networks XSIAM comments. Set up Splunk environment The ServiceNow Security Operations Event Ingestion Add-on for Splunk ES enables seamless integration between Splunk and ServiceNow Security Operations, allowing you to send security-related events from Splunk ES to a ServiceNow security incident. LLM-powered SIR integration builder With the ServiceNow platform's latest LLM powered integrations, you can create product-ready integration quickly. The LLM-powered integration builder has the following capabilities: Automatically generates integration code from a public API documentation. Provides guided setup built on existing capabilities. Provides easy edit and maintenance of the generated auto code. Deny rule for phishing emails The security admin can add rules to prevent the conversion of phishing emails such as false positives or low-risk messages into security incidents. Any new phishing email is verified first with the deny rules to avoid unwanted security incidents. MITRE D3FEND framework Security administrators can now ingest MITRE D3FEND data. Security analysts can explore MITRE ATT&CK and D3FEND techniques through an interactive, node-based visualization that maps attack techniques, defense techniques, and related artifacts within a Security Incident Response (SIR) record. Update information in security incident related records The security analysts can now edit related records such as associated observables, for a security incident directly from the Related Records list view. Security analysts can quickly update the records without leaving their current context. Advanced Work Assignment for SIR Use Advanced Work Assignment (AWA) to streamline the security incident assignment process which ensure that critical incidents are handled by the most appropriate and available analysts. This improves overall response times and efficiency in security operations. As an admin, configure the following: Service channels Queues Assignment rules Presence states Rejection reasons As an analyst, do the following: Set your availability Accept or reject incoming security incidents Prevent duplicate security incidents for IT incidents Prevent the creation of duplicate security incidents when ITIL users escalate an IT incident to a security incident, the system by enabling the `sn_si.disable_duplicate_security_incident` system property. Ingest third-party risk scores Factor third-party risk scores into security incident risk calculation by ingesting and mapping those scores for better prioritization of high-risk threats. Simplified adding categories and sub-categories for security incidents Admin can create categories and subcategories in Security Incident Response Workspace based on threat types, compliance requirements, or reporting needs. Security analysts can assign these categories and subcategories to security incidents. Security incident Details tab Include the Functional Impact, Recoverability and Information Impact fields on the Details tab of a security incident to improve triage accuracy, incident handling efficiency, and executive reporting for calculating the risk score. Close multiple security incidents Close security incidents in bulk with predefined closure comments or codes to reduce the time that would be spent on manually closing individual incidents. Closure candidates might include multiple incidents with common root causes such as alert misconfiguration, duplicates, or changes in system behavior. Process Mining for security incidents Identify factors contributing to delays in processing SIR incidents that take a long time to close or resolve by scanning historical SIR records through Process Mining. Time-consuming factors can include multiple reassignments, prolonged hold times, and periods of inactivity. Use analysis methods to identify these factors such as multi-hop analysis or bottleneck analysis. Send Observables to TISC Add metadata to the observables such as confidence score, Traffic Light Protocol value, notes and TISC tags before sending them to TISC. Add indirectly linked VITs to CVEs In MITRE-ATT&CK framework, identify all third-party entities (TPEs) associated with common vulnerabilities and exposures (CVEs) and then calculate and display the total number of vulnerable items (VITs) indirectly linked to those CVEs through the TPEs by setting the sn_ti.include_cve_vit_indirect_relation system property. Configure on-call schedules As an admin, manage on-call schedules through the following activities: Create a shift and assign or remove members to or from the shift. Create and edit on-call schedules for groups. View any group’s on-call schedule. As an analyst, track your on-call responsibilities through the following activities: Specify your availability and preferred contact methods. View your on-call schedule. See other members of your shift. Users accessing the same incident When you open an incident, the initials of all the users currently accessing the same incident are displayed to avoid conflicts. Universal search field for linking observables Search across all the field values of the associated observables for an incident. CrowdStrike Next-Gen SIEM integration As a Profile Admin: Discover CrowdStrike Next-Gen SIEM detections that are candidates for security incidents and automate the creation of these security incidents. Create detection profiles. Map CrowdStrike Next-Gen SIEM Detection and Events Fields to SIR security incident fields. Filter CrowdStrike Next-Gen SIEM defects. Aggregate detections to existing open security incidents so that you don't have to create duplicate security incidents. Automate CrowdStrike Next-Gen SIEM detection status updates for Security Incident Response. Synchronize CrowdStrike Next-Gen SIEM detection comments with SIR Work notes. Create an event profile Enables bidirectional updates and closure synchronization between Splunk ES and Splunk integrations. Enables retrieval of historical, and ongoing data including closed events, with an option to pull the closed events into the ServiceNow Splunk ES instance. Receive updates for the mapped fields in SIR. Components installed with Security Incident Response A new Profile Admin role (sn_si.ingestion_profile_admin) provides access to configure plugins, and to create, edit, delete, and manage profiles for the Splunk, Splunk ES, and Azure Sentinel Integration for Security Operations application. Enhancements to relationship graphs As an admin: Define default child nodes to populate in the relationship graph. Configure relationship labels. As an analyst: Add or remove child nodes at the parent node level. Save the state of the relationship graph. Retrieve updated data.

Changes

Between your current release family and Zurich, some changes were made to existing Security Incident Response features.

Release

Release notes

Xanadu

Security Incident Response Orchestration


Integration Name	Integration Changes
Security Incident Response Orchestration flows and actions	Workflow is migrated to the Flow Designer in following sections: Create Lookup Request for IoC Changes Flow Security Incident Response- Get Network Statistics Flow Security Incident Response - Get Running Services Flow

Security Operations common functionality


Integration Name	Integration Changes
Security Operations Integration- Block Request capability	Workflow is migrated to the Flow Designer flows in the following integrations: Run Block Request Security Operations Integration - Block Request Flow
Security Operations Integration- Get Network Statistics capability	Workflow is migrated to the Flow Designer in following sections: Execution Tracking - Begin (CIs) Flow Action Security Incident Response- Get Network Statistics Flow
Security Operations Integration- Get Running Processes capability	Workflow is migrated to the Flow Designer in following sections: Security Operations - Get Running Processes Flow Security Operations Carbon Black Integration - Get Running Processes Flow
Security Operations Integration- Isolate Host capability	Workflow is migrated to the Flow Designer in following sections: Security Operations - Isolate Host Flow Run Isolate Host Security Operations Carbon Black Integration - Isolate Host Flow
Security Operations Integration- Publish to Watchlist capability	Workflow is migrated to the Flow Designer in following section: Security Operations Integration - Publish to Watchlist Flow
Security Operations Integration- Sightings Search capability	Workflow is migrated to the Flow Designer in following section: Security Operations Integration - Sightings Search Flow

Security Incident Response integrations


Integration Name	Integration Changes
CrowdStrike Falcon Host integration	Workflow is migrated to the Flow Designer in following sections: Get started with the CrowdStrike Falcon Host integration Security Operations CrowdStrike Falcon Host - Publish to Watchlist Flow

Review and assign your DLP incidents

Providing a closure code when closing a DLP incident from the DLP IR analyst workspace is now mandatory.

Administer

Adding users and groups is now accomplished through related lists rather than adding users from the respective configurations in the following Administration modules:

DLP Default Configuration
DLP Assignment Rules
DLP Response Due Date Rules
DLP Incident Assessment
DLP User Instructions Templates
DLP Record Level Restrictions
DLP Field Level Restrictions

Install and configure the Netskope DLP integration for Data Loss Prevention

The Netskope integration now supports DLP incident ingestion.

Manage incidents

View the forensic details of DLP Incidents in both the DLP IR Analyst workspace and DLP End user workspace.

Download evidence files

The Netskope integration supports downloading the evidence file directly on demand.

Yokohama

Security Operations


Integration name	Integration changes
Microsoft Teams Chat	Simplified the setup of Microsoft Teams Chat integration with Major Security Incident Management Workspace. For more information, see Integrate Major Security Incident Management with Microsoft SharePoint.
Microsoft SharePoint	Simplified the setup of Microsoft SharePoint integration with Major Security Incident Management Workspace. For more information, see Integrate Major Security Incident Management with Microsoft Teams.
Security Incident Response Integrations	Workflow was migrated to Workflow Studio. For more information, see the following: Get Log Data Flow Get WildFire Data Enrichment Flow Configure Microsoft Exchange - Perform Email Search and Deletion flow Get AutoFocus Session Info Enrichment Flow
Security Incident Response Orchestration	Workflow was migrated to Workflow Studio in the section Run procdump flow.
Security Operations common functionality	Workflow was migrated to Workflow Studio. For more information, see the following: Integration capabilities Security Operations Integration- Block Request capability Security Operations Integration- Email Search and Delete capability Security Operations Integration- Enrich CI capability Security Operations Integration- Enrich Observable capability Security Operations Integration- Get Network Statistics capability Security Operations Integration- Get Running Processes capability Security Operations Integration- Isolate Host capability Security Operations Integration- Publish to Watchlist capability Security Operations Integration- Sightings Search capability Security Operations Integration - Threat Lookup capability Change the order of flow execution

Other additional Security Incident Response setup tasks

View security incidents with read access and update security incidents with write access without any defined security role.

Zurich

Security Incident Response Other Records: Add  multiple ITSM incidents, problems, or change requests to a security incident for which multiple IT actions are needed. For more information, see the "Link multiple ITSM incidents" section.
Modify attachments of a closed security incident: You cannot modify the attachments of a security incident once the security incident is closed.

Removed

Between your current release family and Zurich, some Security Incident Response features or functionality were removed.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich	No updates for this release.

Deprecations

Between your current release family and Zurich, some Security Incident Response features or functionality were deprecated.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich	No updates for this release.

Activation information

Review information on how to activate Security Incident Response.


Release	Release notes
Xanadu	Install Security Incident Response by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Yokohama	Install Security Incident Response by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Zurich	No updates for this release.

Additional requirements

If any additional requirements were introduced or changed for Security Incident Response we have noted them here.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich	No updates for this release.

Browser requirements

If any specific browser requirements were introduced or changed for Security Incident Response we have noted them here.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich	No updates for this release.

Accessibility information

Review details on accessibility information for Security Incident Response, such as specific requirements or compliance levels.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich

Localization information

If there are specific localization considerations for Security Incident Response we have noted them here.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich	No updates for this release.

Highlight information

If there are specific highlight considerations for Security Incident Response we have noted them here.


Release	Release notes
Xanadu	Define and calculate the risk score of security incidents through the Risk Score Calculator, which is based on user-defined criteria. The risk score is auto-calculated for the security incident records. Track the handover of important work items between shifts through the Shift Handover application. Automatically create dedicated Slack channels for Incident Managers to engage with Incident Responders to manage major security incidents with the MSIM Slack integration. Facilitate the ability of the Incident Manager to provide a summary of a major security incident to their Legal teams by using the MSIM Legal Request playbook. The Legal team can use that summary when filing an 8K or 10K form to comply with regulatory bodies such as the SEC when disclosing security breaches. Share mobile-friendly MSIM Executive Status Reports generated in email format. You can also share the Executive Status Reports with users outside your ServiceNow® instance, including third-party vendors, other entities, or email distribution lists.
Yokohama	Identify inefficiencies and optimize the resolution process of security incidents for faster closure by using Process MIning. Implemented CrowdStrike Next-Gen SIEM integration enabling real-time ingestion of correlated detections, and enrichment data. Enhanced Splunk ES integrations to improve incident classification and enable efficient retrieval of historical data and alerts. Include the number of VITs indirectly associated with a CVE through TPEs. Help managers ensure there are no gaps in coverage and analysts are always available to address security incidents by configuring shifts for analysts. Define default child nodes to populate in the relationship graph, and add or remove child nodes at the parent node level. See Security Incident Response for more information.
Zurich	Integrate Cortex XSIAM by Palo Alto Networks with ServiceNow Security Incident Response platform to turn SIEM insights into actionable incidents, thus accelerating response from detection to closure. Use Advanced Work Assignment (AWA) to automatically assign incidents to your security analysts, based on their availability, capacity, and skills. Ingest third-party risk scores in Security Incident Response to factor these scores when calculating risk scores. Starting in version 13.9.33, you can do the following: Fetch closed offenses from IBM QRadar into Security Incident Response. Set the batch size for correlation rules during IBM QRadar offense polling to optimize performance. Use the Now Assist LLM-powered integration builder to rapidly build integrations for Security Incident Response using auto-code generation. Ingest MITRE D3FEND data and visualize attack–defense relationships through an interactive graph directly within a security incident. Starting in version 13.9.21, you can do the following: Integrate CrowdStrike Next-Gen SIEM integration with ServiceNow Security Incident Response platform to retrieve detections and convert them into security incidents, thus enabling automated response actions. Improve incident classification and enable efficient retrieval of historical data and alerts through enhanced Splunk ES integrations. Configure and use on-call scheduling to prevent gaps in coverage and ensure analysts are available to address security incidents by configuring shifts for analysts. See Security Incident Response for more information.