Security Incident Response release notes

  • Release version: Zurich
  • Updated July 31, 2025
  • 7 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Security Incident Response release notes - Zurich release

    The ServiceNow® Security Incident Response (SIR) application in the Zurich release enhances your organization's ability to connect security and IT teams, accelerate threat response, and improve visibility into your security posture. Key integrations, automation, and analytical capabilities enable faster incident detection, assignment, and resolution.

    Show full answer Show less

    Key Features

    • Integrations with Security Platforms:
      • Connect Cortex XSIAM by Palo Alto Networks to convert SIEM insights into actionable incidents with incident aggregation and synchronization of comments.
      • Integrate CrowdStrike Next-Gen SIEM to automate detection-to-incident conversion and status synchronization.
      • Enhance Splunk ES integration with event ingestion add-ons and bidirectional updates, including fetching closed offenses from IBM QRadar.
    • Advanced Work Assignment (AWA): Automatically assign security incidents to analysts based on availability, capacity, and skills to improve response efficiency.
    • Third-Party Risk Score Ingestion: Incorporate external risk scores into incident risk calculations to prioritize high-risk threats effectively.
    • LLM-Powered Integration Builder: Rapidly create and maintain integrations using AI-generated code from public API documentation, simplifying integration setup.
    • MITRE D3FEND Framework Visualization: Ingest MITRE D3FEND data and visually explore attack-defense relationships within incidents via interactive graphs.
    • Improved Incident Management:
      • Edit related records directly from the incident view for streamlined updates.
      • Prevent duplicate security incidents on IT incident escalation with configurable system properties.
      • Bulk close multiple incidents with predefined closure comments to save time.
      • Configure detailed incident categorization and impact fields to enhance triage accuracy and reporting.
    • On-Call Scheduling: Manage and view on-call schedules and shifts to ensure continuous incident coverage without gaps.
    • Usability Enhancements:
      • Display users currently accessing an incident to avoid conflicts.
      • Universal search for observables linked to incidents.
      • Coral theme default with dark mode option for improved UI experience.
    • Security Controls: Phishing email deny rules to prevent false positives from becoming incidents.
    • Process Mining: Analyze historical incident records to identify bottlenecks and delays in incident resolution.

    Important Configuration and Administration

    • Profile Admin role enables management of integration profiles for Splunk, Splunk ES, and Azure Sentinel.
    • Admins can configure service channels, queues, assignment rules, presence states, rejection reasons, and default graph nodes.
    • System properties allow customization for incident deduplication, CVE-VIT relationships, and other behaviors.

    Key Outcomes for ServiceNow Customers

    • Accelerated detection-to-closure lifecycle through seamless integration with leading security platforms.
    • Improved analyst efficiency with automated incident assignment and enhanced UI capabilities.
    • Better prioritization and risk scoring by incorporating third-party risk intelligence.
    • Greater visibility into attack and defense tactics via MITRE framework visualizations.
    • Streamlined incident closure processes and reduced manual effort.
    • Continuous incident coverage ensured by on-call scheduling and shift management.
    • Improved collaboration and conflict avoidance with real-time user presence indicators.

    Security Incident Response in the Zurich release is available via the ServiceNow Store, enabling your organization to leverage these enhancements for a more effective and efficient security operations practice.

    The ServiceNow® Security Incident Response (SIR) application helps your organization connect security and IT teams, respond faster and efficiently to threats, and gain insight into your organization's security posture. Security Incident Response was enhanced and updated in the Zurich release.

    Security Incident Response highlights for the Zurich release

    • Integrate Cortex XSIAM by Palo Alto Networks with ServiceNow Security Incident Response platform to turn SIEM insights into actionable incidents, thus accelerating response from detection to closure.
    • Use Advanced Work Assignment (AWA) to automatically assign incidents to your security analysts, based on their availability, capacity, and skills.
    • Ingest third-party risk scores in Security Incident Response to factor these scores when calculating risk scores.
    • Starting in version 13.9.33, you can do the following:
      • Fetch closed offenses from IBM QRadar into Security Incident Response.
      • Set the batch size for correlation rules during IBM QRadar offense polling to optimize performance.
      • Use the Now Assist LLM-powered integration builder to rapidly build integrations for Security Incident Response using auto-code generation.
      • Ingest MITRE D3FEND data and visualize attack–defense relationships through an interactive graph directly within a security incident.
    • Starting in version 13.9.21, you can do the following:
      • Integrate CrowdStrike Next-Gen SIEM integration with ServiceNow Security Incident Response platform to retrieve detections and convert them into security incidents, thus enabling automated response actions.
      • Improve incident classification and enable efficient retrieval of historical data and alerts through enhanced Splunk ES integrations.
      • Configure and use on-call scheduling to prevent gaps in coverage and ensure analysts are available to address security incidents by configuring shifts for analysts.

    See Security Incident Response for more information.

    Important:
    Security Incident Response is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.

    New in the Zurich release

    Security Incident Response Integration with Cortex XSIAM by Palo Alto Networks
    As a profile admin:
    • Create profiles for incident ingestion.
    • Filter Cortex XSIAM incidents.
    • Map Cortex XSIAM Incident, Alert, and Event fields to SIR security incident fields.
    • Aggregate incidents to existing open security incidents to avoid having to create duplicate security incidents.
    • Synchronize ServiceNow instance Work notes with Palo Alto Networks XSIAM comments.
    Setup ServiceNow Security Operations Event Ingestion Addon for Splunk ES
    The ServiceNow Security Operations Event Ingestion Add-on for Splunk ES enables seamless integration between Splunk and ServiceNow Security Operations, allowing you to send security-related events from Splunk ES to a ServiceNow security incident.
    LLM-powered SIR integration builder
    With the ServiceNow platform's latest LLM powered integrations, you can create product-ready integration quickly. The LLM-powered integration builder has the following capabilities:
    • Automatically generates integration code from a public API documentation.
    • Provides guided setup built on existing capabilities.
    • Provides easy edit and maintenance of the generated auto code.
    Deny rule for phishing emails
    The security admin can add rules to prevent the conversion of phishing emails such as false positives or low-risk messages into security incidents. Any new phishing email is verified first with the deny rules to avoid unwanted security incidents.
    MITRE D3FEND framework
    Security administrators can now ingest MITRE D3FEND data. Security analysts can explore MITRE ATT&CK and D3FEND techniques through an interactive, node-based visualization that maps attack techniques, defense techniques, and related artifacts within a Security Incident Response (SIR) record.
    Update information in security incident related records
    The security analysts can now edit related records such as associated observables, for a security incident directly from the Related Records list view. Security analysts can quickly update the records without leaving their current context.
    Advanced Work Assignment for Security Incident Response
    Use Advanced Work Assignment (AWA) to streamline the security incident assignment process which ensure that critical incidents are handled by the most appropriate and available analysts. This improves overall response times and efficiency in security operations.

    As an admin, configure the following:

    • Service channels
    • Queues
    • Assignment rules
    • Presence states
    • Rejection reasons

    As an analyst, do the following:

    • Set your availability
    • Accept or reject incoming security incidents
    Prevent duplicate security incidents for IT incidents
    Prevent the creation of duplicate security incidents when ITIL users escalate an IT incident to a security incident, the system by enabling the sn_si.disable_duplicate_security_incident system property.
    Ingest third-party risk scores
    Factor third-party risk scores into security incident risk calculation by ingesting and mapping those scores for better prioritization of high-risk threats.
    Simplified adding categories and sub-categories for security incidents
    Admin can create categories and subcategories in Security Incident Response Workspace based on threat types, compliance requirements, or reporting needs.

    Security analysts can assign these categories and subcategories to security incidents.

    Security incident Details tab
    Include the Functional Impact, Recoverability and Information Impact fields on the Details tab of a security incident to improve triage accuracy, incident handling efficiency, and executive reporting for calculating the risk score.
    Close multiple security incidents
    Close security incidents in bulk with predefined closure comments or codes to reduce the time that would be spent on manually closing individual incidents. Closure candidates might include multiple incidents with common root causes such as alert misconfiguration, duplicates, or changes in system behavior.
    Process Mining for security incidents
    Identify factors contributing to delays in processing SIR incidents that take a long time to close or resolve by scanning historical SIR records through Process Mining. Time-consuming factors can include multiple reassignments, prolonged hold times, and periods of inactivity. Use analysis methods to identify these factors such as multi-hop analysis or bottleneck analysis.
    Send Observables to TISC
    Add metadata to the observables such as confidence score, Traffic Light Protocol value, notes and TISC tags before sending them to TISC.
    Add indirectly linked VITs to CVEs
    In MITRE-ATT&CK framework, identify all third-party entities (TPEs) associated with common vulnerabilities and exposures (CVEs) and then calculate and display the total number of vulnerable items (VITs) indirectly linked to those CVEs through the TPEs by setting the sn_ti.include_cve_vit_indirect_relation system property.
    Configure on-call schedules
    As an admin, manage on-call schedules through the following activities:
    • Create a shift and assign or remove members to or from the shift.
    • Create and edit on-call schedules for groups.
    • View any group’s on-call schedule.

    As an analyst, track your on-call responsibilities through the following activities:

    • Specify your availability and preferred contact methods.
    • View your on-call schedule.
    • See other members of your shift.
    Users accessing the same incident
    When you open an incident, the initials of all the users currently accessing the same incident are displayed to avoid conflicts.
    Universal search field for linking observables
    Search across all the field values of the associated observables for an incident.
    CrowdStrike Next-Gen SIEM integration
    As a Profile Admin:
    • Discover CrowdStrike Next-Gen SIEM detections that are candidates for security incidents and automate the creation of these security incidents.
    • Create detection profiles.
    • Map CrowdStrike Next-Gen SIEM Detection and Events Fields to SIR security incident fields.
    • Filter CrowdStrike Next-Gen SIEM defects.
    • Aggregate detections to existing open security incidents so that you don't have to create duplicate security incidents.
    • Automate CrowdStrike Next-Gen SIEM detection status updates for Security Incident Response.
    • Synchronize CrowdStrike Next-Gen SIEM detection comments with SIR Work notes.
    Create and name an event profile for the Splunk Enterprise Security event ingestion integration
    • Enables bidirectional updates and closure synchronization between Splunk ES and Splunk integrations.
    • Enables retrieval of historical, and ongoing data including closed events, with an option to pull the closed events into the ServiceNow Splunk ES instance.
    • Receive updates for the mapped fields in SIR.
    Components installed with Security Incident Response
    A new Profile Admin role (sn_si.ingestion_profile_admin) provides access to configure plugins, and to create, edit, delete, and manage profiles for the Splunk, Splunk ES, and Azure Sentinel Integration for Security Operations application.
    Enhancements to relationship graphs
    As an admin:
    • Define default child nodes to populate in the relationship graph.
    • Configure relationship labels.
    As an analyst:
    • Add or remove child nodes at the parent node level.
    • Save the state of the relationship graph.
    • Retrieve updated data.

    UI changes

    Shift Handover Records
    The Start date and End date fields have been removed. You can now select the shift name instead when configuring the Shift Handover record.
    Coral theme
    Coral is now the default theme for new portal, web, and mobile experiences with Next Experience or Core UI enabled. This theme provides a fresh look and feel, featuring brand-neutral illustrations to enhance your user experience. A dark theme option is available for web and mobile experiences.

    Changed in this release

    Security Incident Response Other Records
    Add
 multiple ITSM incidents, problems, or change requests to a security incident for which multiple IT actions are needed. For more information, see the "Link multiple ITSM incidents" section.
    Modify attachments of a closed security incident
    You cannot modify the attachments of a security incident once the security incident is closed.

    Accessibility information

    Dark theme
    The new Coral theme includes a dark theme option for web and mobile experiences. This option is commonly used to alleviate eye strain and improve readability.

    Related ServiceNow applications and features

    Vulnerability Response
    Vulnerability Response is part of the Security Operations application suite. Together, these applications connect security to your IT department, increase the speed and efficiency of your response, and give you a definitive view of your security posture.
    Threat Intelligence
    The ServiceNow® Threat Intelligence application enables you to find indicators of compromise (IoC) and enrich security incidents with threat intelligence data.