This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.
Summary of Working with Security Incident Records
The Security Incident Record in the ServiceNow Zurich Release is a comprehensive workspace designed to help security analysts efficiently manage and respond to security incidents. It consolidates key incident details, investigative tools, automated playbooks, and related records into a unified interface, enabling a streamlined and contextual incident response process.
Key Components of a Security Incident Record
Security Incident Number and Short Description: Unique identifier and brief description displayed prominently for quick reference.
Form Banner: Read-only section showing essential fields like Category, Priority, Risk Score, State, and assignment details.
Security Tags: Displays tags that classify the incident based on security context.
Overview Tab: Snapshot of incident details including description, business impact (assets and affected users), threat intelligence (observables), response tasks, and related incidents.
Details Tab: Shows the full security incident form with all form fields.
Investigation Tab: Provides tools and environment for incident investigation activities.
Playbook Tab: Displays automated response playbooks triggered via Process Automation Designer for consistent incident handling.
Response Tasks Tab: Lists all tasks associated with responding to the incident.
Related Records Tab: Groups various related lists (business impact, threat intel, etc.) for easy navigation and editing without leaving the workspace.
Other Records Tab: Contains IT-related records such as change requests, incidents, problems, outages, and emails linked to the incident.
Post Incident Review Tab: Appears when the incident advances to the Review state, enabling post-incident assessments and reporting.
Contextual Menu: Provides quick access to common actions like activity stream, playbooks, runbook templates, attachments, and analyst assist tools across all tabs.
Form UI Actions: A set of actionable buttons on the top-right of the form for operations such as saving, creating response tasks, composing emails, initiating playbooks, linking to major incidents, and switching UI views.
Key Functional Areas in the Security Incident Response Workspace
Incident Orchestration: Enables analysts to view and interact with the investigation canvas and perform relevant tasks.
Response Tasks Management: Centralizes all response tasks for streamlined tracking and completion.
Related IT Records and Emails: Facilitates access and editing of associated IT service records directly within the incident context.
Post Incident Review: Supports structured review and documentation after incident resolution.
Threat Intelligence Security Center (TISC) Integration: Embeds threat intelligence data within the workspace to enrich incident context.
Reporting: Provides access to all reports related to the security incident for analysis and sharing.
Collaboration Tools: Enables real-time collaboration with other analysts and affected users through chat and conference calls.
Relationship Graphs: Visualizes connections between the incident and related items to help analysts understand the full context.
MITRE Attack and Defend Technique Graph: Offers interactive visualization of attack and defense techniques linked to the incident for enhanced threat analysis.
Incident Timeline: Chronological view of all incident events with filtering options to focus on specific activity types.
Practical Benefits for ServiceNow Customers
Provides a unified, detailed view of security incidents to accelerate understanding and response.
Enables automation and consistency in response through playbooks triggered by defined conditions.
Improves collaboration and communication between analysts and stakeholders.
Allows quick access and editing of related IT and security records without losing context.
Enhances threat analysis with integrated threat intelligence and MITRE framework visualizations.
Supports thorough incident lifecycle management including post-incident review and reporting.
The Security Incident Record consists of the following.
Key components available on a security incident record:
Figure 1. Key components of a security incident
1. Security incident number: The security incident number is displayed against the tab name.
2. Short description: Short description of the security incident, displayed above the form banner.
3. Form banner: This is a read-only section that contains the key fields such as Category, Priority, Risk score, State, and the incident assignment details.
Note: The regular platform tags can be applied here as well.
4. Security tags: Displays the security tags associated with a security incident.
5. Overview: Provides a snapshot overview of the security incident, such as Description; Business Impact, comprising asset details by type and affected users by criticality; Threat intelligence items, comprising observables by finding and by type; Response Tasks; and Related security incidents, comprising child security incidents and similar security incidents.
6. Details: The Details tab displays the security incident form.
7. Investigation: The Investigation tab displays the incident investigation experience.
8. Playbook: A playbook is triggered through Process Automation Designer (PAD). If a process is created and its trigger condition is set to trigger the playbook for a security incident, the playbook appears in this tab.
9. Response Tasks: The Response Tasks tab captures all the response tasks associated with a security incident.
10. Related Records: The Related Records tab consists of all the related lists from the classic UI. The related lists are grouped under various sections, such as business impact and threat intel, for easy navigation.
11. Other Records: The Other Records tab consists of IT records such as change requests, incidents, and emails, grouped and displayed in this section.
12. Post Incident Review tab: As the security incident progresses to the Review state, the Post Incident Review tab is displayed with the post incident assessments and reports within the tab.
13. Contextual menu: Provides easy access to the quick actions and is available across all the tabs for the analyst to access whenever required. The contextual menu provides easy navigation to multiple resources such as:
Activity Stream
Playbook
Analyst Assist
Runbook
Templates
Attachments
14. Form UI actions: The various security incident form UI actions are displayed on the top right of the incident form. The available form UI actions are: