Security Case Management

  • Release version: Zurich
  • Updated July 31, 2025
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Security Case Management

    Security Case Management in the ServiceNow Zurich release enables security analysts engaged in threat hunting to collect and analyze information on suspicious activity within their environment. It brings security-related records such as security incidents, observables, configuration items (CIs), and affected users together in a single case so that an analyst can reason about a threat from one place.


    Key Features

    • Case Creation and Integration: Cases can be created from multiple sources including Security Case Management, Security Incident Response, Threat Intelligence, Configuration Items, and Users tables. Existing cases can be enriched with additional data from these sources to enhance investigation depth.
    • Structured Case Layout: Each security case consists of three main sections:
      • Case Header: Displays basic identification and classification information, including a unique case number prefixed with "SECC".
      • Additional Case Details: Contains analysis-specific information such as case state, work notes, and recorded activities.
      • Case Artifacts: Contains multiple tabs with related records to support investigation. Analysts can search within tabs, exclude irrelevant records (which are hidden but not deleted), and restore them if necessary.
    • Interactive Exploration: Analysts can pivot through related data by using the Additional Details icon to view connected information, such as incidents or vulnerabilities tied to a specific Configuration Item.
    • Annotations: Analysts can add personal notes to case artifacts to document insights or observations, supporting collaborative and detailed analysis.
    • Advanced Tools: Includes capabilities like running sightings searches on observables and searching for security artifacts directly within cases, facilitating efficient and thorough examinations.

    Practical Benefits for ServiceNow Customers

    By leveraging Security Case Management, your security teams can:

    • Centralize and correlate diverse security data for holistic threat analysis.
    • Quickly assess the nature and scope of threats such as targeted campaigns or advanced persistent threats through comprehensive case views.
    • Maintain a clear audit trail of investigative activities and findings within each case to support accountability and collaboration.
    • Efficiently manage large volumes of security information by filtering out safe or irrelevant data without losing historical records.
    • Enhance investigative workflows with integrated search and annotation tools designed for security analysts.

    Overall, Security Case Management empowers your security analysts to conduct more effective, organized, and insightful threat investigations using ServiceNow’s unified platform.

    Security Case Management provides a means for security analysts who are engaged in threat hunting to gather information on suspicious activity in their environment. Case-related records, such as security incidents, observables, CIs, and affected users can be added to cases to accommodate broad and specific analysis.

    With the ability to easily pivot through the records and related information, analysts can assess whether they are facing a targeted campaign, advanced persistent threat, and so forth.

    Security cases can be created from various sources on your instance, including Security Case Management, Security Incident Response, and Threat Intelligence. You can also create cases from configuration items and affected users in the Configuration Items [cmdb_ci] and Users [sys_user] tables, respectively. After a case has been created, each of these sources can also be used to add records to it as the investigation grows.

    Each security case consists of three main sections: a header, a section with additional case details, and a case artifacts section. The artifacts section holds the collection of records that the analyst uses to build the argument for identifying, and deciding how to deal with, a particular threat.

    Case header

    Figure 1. Case header section

    The case header provides basic information used to identify and classify the security case. The case number uses the SECC prefix.

    Additional case details

    Figure 2. Additional Case Details section

    The Additional Case Details section provides information specific to the analysis that has already been performed on the case, including its current state, and work notes and activities recorded for the case.

    Case artifacts

    Figure 3. Case Artifacts section

    The Case Artifacts section provides a series of tabs, one per type of record contained in the security case.

    You can perform searches within the contents of each tab. You can also exclude specific records you have already evaluated as being safe or which are of no value in your investigation. The excluded records are not deleted, but are hidden from view. If needed, you can view excluded records and add them back.

    Within each tab, you can click the Additional Details icon to show related information for the selected record. For example, if you click the Configuration Items tab to view the Configuration Items Explorer, and click Additional Details for a specific CI, you can view incidents, vulnerable items, and annotations associated with that CI.

    Figure 4. Case Artifacts—related detail

    You can also select a record and click the Annotate button for a case-related artifact to add annotations to the record. Annotations are simply notes that each analyst can make on a particular artifact.

    Figure 5. Security Annotations
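As an added illustration (example code written for this page, not ServiceNow's own Security Case Management implementation), the following plain JavaScript models the three case sections and the artifact-tab behaviour described above: searching within a tab, excluding a record without deleting it, restoring it, pivoting from a CI to the incidents and annotations tied to it, and per-analyst annotations. Every decision is written to the case's activity log so the audit trail survives the exclusion. The tab names, record fields, case-number format and the sample records are assumptions constructed for the example.

```javascript
// Added illustrative model of a security case, written for this page.
// It is example code, not ServiceNow's Security Case Management implementation:
// the record shapes, tab names and case-number format are assumptions chosen to
// mirror the page's description of the header, details and artifact sections.

class SecurityCase {
  constructor(number, shortDescription, analyst) {
    // Case header: identification and classification (SECC-prefixed number).
    this.header = { number, shortDescription, classification: 'unclassified' };
    // Additional case details: state, work notes and recorded activity.
    this.details = { state: 'open', workNotes: [], activity: [] };
    // Case artifacts: one tab per source table. Every entry carries an
    // 'excluded' flag, so hiding a record never removes it from the case.
    this.artifacts = { security_incident: [], observable: [], cmdb_ci: [], sys_user: [] };
    this.annotations = []; // { tab, sysId, analyst, note }
    this.log(analyst, `case ${number} created`);
  }

  log(analyst, message) {
    this.details.activity.push({ seq: this.details.activity.length + 1, analyst, message });
  }

  // Add a record from a source table to the matching artifact tab (no duplicates).
  addArtifact(tab, record, analyst) {
    if (!(tab in this.artifacts)) throw new Error(`unknown artifact tab: ${tab}`);
    if (this.artifacts[tab].some(a => a.record.sys_id === record.sys_id)) return false;
    this.artifacts[tab].push({ record, excluded: false });
    this.log(analyst, `added ${tab} ${record.sys_id}`);
    return true;
  }

  findEntry(tab, sysId) {
    const entry = (this.artifacts[tab] || []).find(a => a.record.sys_id === sysId);
    if (!entry) throw new Error(`no ${tab} artifact ${sysId} in case ${this.header.number}`);
    return entry;
  }

  // Search within a tab: case-insensitive match on any string field.
  // Excluded records are hidden unless the caller asks to see them.
  search(tab, term, includeExcluded = false) {
    const needle = term.toLowerCase();
    return this.artifacts[tab]
      .filter(a => includeExcluded || !a.excluded)
      .map(a => a.record)
      .filter(r => Object.values(r).some(v => typeof v === 'string' && v.toLowerCase().includes(needle)));
  }

  // Exclude a record judged safe or irrelevant, or restore one: the record stays
  // in the case and the decision is written to the activity log.
  setExcluded(tab, sysId, excluded, analyst, reason) {
    this.findEntry(tab, sysId).excluded = excluded;
    this.log(analyst, `${excluded ? 'excluded' : 'restored'} ${tab} ${sysId}: ${reason}`);
  }

  visible(tab) { return this.artifacts[tab].filter(a => !a.excluded).map(a => a.record); }
  excluded(tab) { return this.artifacts[tab].filter(a => a.excluded).map(a => a.record); }

  // Annotations are per-analyst notes attached to an artifact that must exist.
  annotate(tab, sysId, analyst, note) {
    this.findEntry(tab, sysId);
    this.annotations.push({ tab, sysId, analyst, note });
    this.log(analyst, `annotated ${tab} ${sysId}`);
  }

  // Pivot from a CI to related information: visible incidents that reference
  // the CI, plus annotations made on the CI itself.
  relatedToCI(ciSysId) {
    const incidents = this.visible('security_incident').filter(r => r.cmdb_ci === ciSysId);
    const annotations = this.annotations.filter(n => n.tab === 'cmdb_ci' && n.sysId === ciSysId);
    return { incidents, annotations };
  }
}

// Constructed sample case and records (not real data).
function buildSampleCase() {
  const c = new SecurityCase('SECC0001001', 'Suspected credential-stuffing campaign', 'analyst.a');
  c.addArtifact('cmdb_ci', { sys_id: 'ci-1', name: 'web-frontend-01', ip_address: '10.0.5.21' }, 'analyst.a');
  c.addArtifact('cmdb_ci', { sys_id: 'ci-2', name: 'build-runner-03', ip_address: '10.0.9.4' }, 'analyst.a');
  c.addArtifact('security_incident', { sys_id: 'sir-1', short_description: 'Brute-force logins against web-frontend-01', cmdb_ci: 'ci-1' }, 'analyst.a');
  c.addArtifact('security_incident', { sys_id: 'sir-2', short_description: 'Scheduled vulnerability scan noise', cmdb_ci: 'ci-2' }, 'analyst.b');
  c.addArtifact('observable', { sys_id: 'obs-1', type: 'IP address', value: '198.51.100.77' }, 'analyst.b');
  c.addArtifact('sys_user', { sys_id: 'usr-1', user_name: 'j.doe' }, 'analyst.b');
  // sir-2 is judged to be authorised scanner activity: hide it, keep it.
  c.setExcluded('security_incident', 'sir-2', true, 'analyst.b', 'matches authorised scanner window');
  c.annotate('cmdb_ci', 'ci-1', 'analyst.a', 'Internet-facing; pull WAF logs for 198.51.100.77');
  return c;
}
```

The point worth noticing is in `setExcluded`: exclusion only flips a flag and logs who made the call and why, so a record an analyst dismissed as noise can be brought back into the timeline later without losing the fact that it was dismissed. `relatedToCI` deliberately pivots over visible records only, which is what makes exclusion useful when a CI is tied to many low-value incidents.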
    Other tools the analyst can use for examining cases include: