Unified experience framework for integrations powered by Capability Framework

  • Release version: Zurich
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Unified experience framework for integrations powered by Capability Framework

    The Unified Experience Framework enhances orchestration activities within ServiceNow’s Zurich release by providing a consistent, streamlined user interface for integrations that fall under the Capability Framework. This replaces the previously disjointed classic UI experience where each capability had a separate execution interface. The unified experience applies to orchestration tasks like running threat lookups and sighting searches, improving usability and efficiency for security analysts.

    Show full answer Show less

    Note that some integration-specific actions, such as "Create Indicators" in Microsoft Defender, retain their own tailored experiences as dictated by their use cases.

    Key Features

    • Three-Step Modal Screen Workflow: The framework organizes orchestration into up to three modal screens:
      • Implementations Selection: Analysts select one or more implementations tied to a capability, with each implementation showing its integration source and additional configurable information (e.g., supported observable types or filters).
      • Common Inputs: Where applicable, common input parameters relevant to the selected implementations are provided (currently used by Sightings Search).
      • Run Time Specific Inputs: Inputs unique to each selected implementation can be specified in this step.
    • Additional Information Column: Provides static contextual info to assist analysts in choosing appropriate implementations, such as filter criteria or supported observable types.
    • Backend Filtering: The UI allows selecting any implementation and observable type, but during submission, backend systems filter to submit only supported observables, ignoring unsupported ones. An informational message alerts users to this behavior.
    • Flexible Workflow: Not all three steps are mandatory; the workflow adapts based on the capability and input requirements.

    Practical Benefits for ServiceNow Customers

    • Consistent User Experience: Security analysts benefit from a unified interface across orchestration capabilities, reducing complexity and learning curves.
    • Configurability: Administrators can customize additional information fields to provide relevant context, enhancing decision-making during integrations.
    • Efficient Integration Handling: The framework manages multiple implementations per capability, allowing analysts to select and act on the most appropriate data sources or tools seamlessly.
    • Improved Input Management: Distinguishing between common and specific inputs streamlines data entry and execution accuracy.

    Additional Considerations

    The framework currently includes capabilities such as Run Threat Look Up and Sightings Search, with modal screens tailored accordingly. For in-depth configuration, including technical setup of the UX framework, administrators should refer to the dedicated configuration procedures.

    This framework is integrated within the SIR Workspace and the Investigation Canvas, enhancing investigation workflows.

    In the classic UI, the experience is disjointed when performing orchestration activities such as running threat look, performing sighting search, and so on. Each capability has its own experience while executing it. In the new workspace, there is unified experience across all capabilities.

    The unified experience is applicable only for those integrations and orchestration activities that fall within the capability framework. There can be actions specific to integration, for example, Create Indicators in Microsoft Defender. These actions will have its own experience as required by the use-case.

    The new framework consists of modal screens with three steps as explained below.

    1. Implementations: The first step involves selecting one or more implementations that are present against the selected capability.

      For example, when the Analyst selects Run Threat Look Up, the Analyst will be able to select one or more implementations that are present for Run Threat Look Up capability.

      Each implementation will have the details of the Integration Source. Refer to the table below. Additional information is also presented against each implementation.

      Additional Information can include for example information on any filters, types of observables supported, etc. The Additional Information can be configured as desired. For more information, to UX framework technical configuration procedure.

      Table 1. Unified Implementation Framework Modal
      Implementation Description
      Name Name of the implementation.
      Integration Source The source of the implementation such as the configuration that is being used.
      Additional Information This column captures the static information which adds more context to the security analyst against the selected implementation(s) to proceed with an action. For example, supportability or filtered information. Also, if an implementation supports only a certain type of observables such as Domain or URL, then you can add that additional information here in this column to provide the context to the user.
      Note:
      The UI framework would basically allow the selection of any type of implementation and any type of observables. During the submission, the existing base system integrations that are shipped will take care of the filtering in the backend and submit only the supported type of observables. The rest of the records that don't match the supportability will be ignored. Hence, a UI information message is displayed while you select the capability: Only supported records will be submitted against the selected implementation(s).
      Figure 1. Screen 1: Implementation(s)
      Run Threat Lookup view: Available Implementations.
    2. Common inputs: Add common inputs for the selected implementations or for all the selected applicable implementations. This is the screen 2 of your implementation. For example, as of now only Sightings Search has the common inputs screen. This implementation is a combination of screen 1 (Implementations) and screen 2 (common inputs).
      Figure 2. Screen 1 + Screen 2
      Run Sighting Search view: Common inputs.
    3. Run time details: Add specific run time inputs for the selected implementations which are different from each other implementation. This is the screen 3 of your implementation. This implementation is a combination of screen 1 (Implementations) and screen 3 (specific run time inputs).
      Figure 3. Specific inputs
      Run Additional Actions view: Run time details.
    Note:
    Not all three steps are always required. Depending on the capability and the type of inputs required, the runtime details step and common inputs step will be visible.