Manage security threats using the Security Analyst Workspace

  • Release version: Zurich
  • Updated July 31, 2025
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Manage security threats using the Security Analyst Workspace

    The Security Analyst Workspace in ServiceNow’s Security Incident Response application provides a modern user interface designed specifically for security analysts. It offers powerful tools like the playbook, peek view, and tabbed views to efficiently analyze and manage security incidents. This workspace helps reduce investigation time through automation, enabling faster threat response and minimizing the risk of breaches.

    Show full answer Show less

    Prerequisites and Access

    • Your instance must be at least London Patch 3 or later.
    • Required roles must be assigned to users.
    • The Security Incident Response UI application must be installed from the ServiceNow Store.
    • Access the workspace via Security Incident > Incidents (New UI), which opens in a separate browser tab.

    Key Features

    • Quick Filters: Quickly filter security incidents using customizable filters to focus on relevant cases.
    • Personalized Incident List: Customize and sort the incident list to suit your workflow and analysis needs.
    • Peek View: Preview essential incident details without fully opening the record, saving time when handling multiple incidents.
    • Quick Actions: Perform inline edits, manage attachments, send emails (including templated messages), and update assignment fields directly from the workspace.
    • Tabbed Interface: Work on multiple security incidents simultaneously with easy switching between open tabs.
    • Incident Tabs with Analysis Tools:
      • Overview Tab: Displays customizable tiles summarizing incident details and related data.
      • Explore Tab: Configure which tiles appear on the Overview tab, including observables, threat lookups, user information, and more.
      • Incident Timeline Tab: Tracks all actions and communications related to the incident, with search and filtering capabilities for detailed investigation tracking.
    • Security Analyst Playbooks: Step-by-step guides embedded within the workspace to resolve common security threats like phishing or malicious code activities.

    Benefits for ServiceNow Customers

    This workspace streamlines the process of managing security incidents by consolidating key information and tools in one interface tailored for security analysts. It improves efficiency through automation and quick access features, supports multitasking with tabbed views, and enhances communication with integrated email functionality. The playbooks provide structured guidance for consistent and effective threat resolution. Together, these capabilities help reduce investigation time and improve incident response outcomes.

    Security Incident Response includes a new user interface called the Security Analyst Workspace that features powerful tools for assisting in analysis, including the playbook, peek view, and tabs for working on multiple security incidents.

    Purpose-built for security analysts, the powerful tools in the Security Analyst Workspace allow you to analyze the ever-growing volume of data associated with security incidents. And automated actions significantly reduce the security incident investigation time, which can be the difference between stopping an attack and suffering a breach.

    Before using the Security Analyst Workspace

    Before you can begin using the Security Analyst Workspace, you must ensure that your instance has at least London Patch 3 installed, you have the correct roles defined, and have downloaded the Security Incident Response UI application from the ServiceNow Store.
    Note:
    If your instance is running a version earlier than London Patch 3, you must request the Security Incident Response UI plugin through the HI Customer Service system.

    Access the Security Analyst Workspace

    To access this new workspace, navigate to Security Incident > Incidents (New UI).

    The workspace opens in a separate browser tab.

    Locate the security incidents you want to analyze with Quick Filters

    The Security Analyst Workspace provides several tools for filtering the list of security incidents so you can quickly find the security incidents you want to analyze. The Quick Filters let you select a subset of the security incidents based on criteria in the filter.

    Simply click the quick filter you want to use.

    Note:
    You can click an Edit button to identify which quick filters you want displayed on the list screen. A minimum of one filter must be selected, up to a maximum of six.

    You can define additional quick filters, as well as primary filters for the Security Analyst Workspace, using the classic environment. For more information, see Set up primary and secondary filters for Security Analyst Workspace.

    Personalize the security incident list

    As with all lists in your instance, the Security Analyst Workspace provides tools for personalizing the list and sorting the information displayed to meet your analysis needs.

    Save time with Peek view

    Before opening a security incident record, you can save time using the Peek view. This feature allows you to quickly locate vital security artifacts without having to reload the entire page. Simply click the > icon to the left of a security incident number to take a peek.

    The peek view provides a snapshot of vital information in a single view. This view can save valuable time when you are working with multiple incidents. You can click the down arrows on certain fields to make on-the-fly updates, such as assigning an assignment group or a specific analyst.

    Perform quick actions on a security incident

    After you have selected and opened a specific security incident, you can perform time-saving actions on the record.
    • If you security incident is open, click the Edit Record icon to make quick changes to any of its fields. If the record is closed, you can change only its tag.
    • Click Manage Attachments to attach files to the security incident. You can also download or remove attached files and edit the encryption applied to the attachments.
    • Click Compose Email to send a quick email to a colleague. Emails can be free-form, or you can send canned emails selected from a list of templates. Emails sent and replies received are captured in the Incident Timeline.
      Note:
      You can create custom templates that contain reusable content for emails and email notifications. Variables can be used for inserting information specific to the security incident or alert, such as the subject line, priority, or threat category. Use the Security Incident [sn_si_incident] table for emails and email notifications related to Security Incident Response. For more information, see Email templates
    • Click More to view a quick snapshot of the security incident, such as the description, business impact, and priority. You can also click the down-arrow in the Assignment group and Assigned to fields to make on-the-fly changes to those fields.

    Work with multiple security incidents

    The tabbed interface allows you to keep several security incidents open simultaneously so you can switch between them with a single click. This can save time and allow you to see the big picture when threats from multiple sources are identified.

    View analysis information in the security incident tabs

    When you open a security incident record, three tabs are shown:
    • Overview
    • Explore
    • Incident Timeline

    Overview tab

    Use the Overview tab to view information in a security incident in a single location. No need to open another application or console.

    The tiles that are displayed on the Overview tab are customizable. You can collapse and expand them as needed, and you can move them around by dragging the Grip icon. Click the More options icon to delete a tile or change its heading text.

    Explore tab

    Configure the tiles displayed on the Overview tab using the Explore tab. Simply select the tiles you want to view from the left-hand pane, and click the Pin icon. Pinned tiles automatically appear in the Overview tab.

    The left-hand pane of the Explore tab includes a wide variety of information that you can display on the Overview tab. For example, expand Observables to display these related lists.
    • Observables
    • Threat Lookup Results
    • Security Scan Results
    • Domain Lookups
    • Observable Enrichment

    Additional related lists are available under Users, Configuration Items, and Incidents.

    Incident Timeline tab

    Use the Incident Timeline tab during your investigation for tracking purposes. Every time an action is performed on a security incident, the system records it in the Incident Timeline.
    • You can also manually add worknotes to the timeline by typing them in the Add work notes box and clicking Post.
    • You can search for a specific timeline activity using the Search box.
    • The Filter Activity icon allows you to display only the types of timeline activity you want to see (for example, only incidents created by a specific analyst).
    • You can add or remove the Incident Timeline from the Overview tab using the Pin/Unpin icon.

    Handle security incidents using the Playbook

    Resolve certain types of security threats in a step-by-step manner using the built-in Security Analyst Playbooks. For example, an analyst can use the playbook to resolve phishing attacks and threats caused by malicious code activities. For more information, see Resolve security threats with the playbook.