Domain separation and Security Incident Response

  • Release version: Zurich
  • Updated July 31, 2025
  • 7 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Domain separation and Security Incident Response

    Domain separation in the Security Incident Response (SIR) application enables ServiceNow customers, especially service providers (SPs), to segregate data, processes, and administrative tasks into distinct logical groupings called domains. This separation ensures that data, workflows, dashboards, reports, and integrations remain isolated per customer or tenant, enhancing security and operational efficiency. It supports multi-tenant environments by controlling data visibility and access according to domain-specific permissions.

    Show full answer Show less

    Domain separation helps standardize Security Operations Center (SOC) and incident response procedures while reducing operational costs and improving service quality. The feature is supported at various maturity levels depending on the ServiceNow release version, with full standard support from the Orlando release onwards.

    Key Features

    • Domain-Aware Data and Business Logic: Security incidents, observables, workflows, and integrations are contained within their respective domains, ensuring strict data separation.
    • Integration Support: From the Madrid release, third-party integrations can be configured and activated per domain, preventing cross-domain access to integration data and automation results.
    • Domain-Specific Automation Capabilities: Key response automation features like Threat Lookup, Sighting Search, Blocking Requests, Isolating Hosts, and Email Search operate within the domain context.
    • Configurable Security Incident Processes: Each domain can define its own incident categories, workflows, escalation paths, SLAs, risk score calculators, and post-incident review processes.
    • Tenant Autonomy: Tenant domain owners manage their own email parsing rules, incident response workflows, integrations, knowledge base articles, and runbooks, enabling tailored incident management.
    • Role and Access Management: Administrators assign user roles and groups within each domain to maintain proper access control aligned with domain separation principles.

    How Domain Separation Works in Security Incident Response

    SIR supports the full lifecycle of security incidents within separated domains, including:

    • Ingestion of alerts and events to create incidents via email parsers, SIEM applications, and manual reporting.
    • Enrichment of incident artifacts using domain-specific integrations and asset data.
    • Investigation and orchestration of response workflows that remain domain-specific.
    • Execution of containment and eradication actions automated through integrations configured per domain.
    • Performance measurement and post-incident review with dashboards and analytics scoped to the domain.

    Setup and Configuration

    Domain separation setup in SIR is automatic once domain separation is enabled on the instance. Key configuration tasks include:

    • Assigning user roles and groups within domains.
    • Installing and configuring third-party integrations for each domain.
    • Setting up incident groups, escalations, SLAs, and risk score calculators.
    • Defining incident process workflows, email parsing rules, and inbound email actions per domain.
    • Customizing playbooks, runbooks, and knowledge base articles to support domain-specific incident response.

    Benefits for ServiceNow Customers

    • Secure Multi-Tenancy: Ensures that sensitive incident data and response workflows are isolated per tenant, supporting managed service provider models and large organizations with multiple business units.
    • Operational Efficiency: Enables standardized yet customizable SOC processes across customers, reducing overhead and improving response consistency.
    • Improved Data Governance: Limits data exposure to authorized users within each domain, aligning with compliance and regulatory requirements.
    • Flexible Integration Management: Allows customers to tailor integrations and automation to their environment without impacting others on the same platform instance.

    Domain separation is supported in Security Incident Response. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.

    Support level: Standard

    • Includes all aspects of Basic level support.
    • Application properties are domain-aware as needed.
    • Business logic: The service provider (SP) creates or modifies processes per customer. The use cases reflect proper use of the application by multiple SP customers in a single instance.
    • The instance owner must configure the minimum viable product (MVP) business logic and data parameters per tenant as expected for the specific application.

    Sample use case: An Admin must be able to make comments required when a record closes for one tenant, but not for another.

    For more information on support levels, see Application support for domain separation.

    Domain separation in SIR overview

    In the Security Incident Response application, domain separation enables service providers (SPs) to standardize SOC (Security Operations Center) and Security Incident Response (SIR) procedures across the customer base they serve with lowered operational costs and a higher quality of service. Separate customer workspaces for workflows, dashboards, reports, and so forth, ensures that customer data is separated and never exposed to other clients.

    Table 1. Domain separation support in Security Incident Response by version releases
    Release Support level Notes
    Geneva, Helsinki No support Initiation of data-level domain separation
    Istanbul Data only
    Jakarta Level 2 (Data, Requestor, Fulfiller) New features: 3rd-party Integrations support with Level 2 domain separation under a single instance of integration, including Threat Intelligence integrations
    Kingston Level 2 (Data, Requestor, Fulfiller) New features: Sighting Search integration for SIR is enabled with multiple instances, but all instances still live under a single domain. Example: If there are two instances of a Splunk integration configured (SplunkCLOUD and SplunkCORP), both are still leveraged for incident response activities in a single domain, where the implementation was originally configured.
    London Level 2 (Data, Requestor, Fulfiller) New features: All integrations reside across multiple domains
    Madrid Level 2 (Data, Requestor, Fulfiller) All integrations can now reside across multiple domains. In the above example, SplunkCloud can be domain1 and SplunkCORP domain2.
    New York Level 2 (Data, Requestor, Fulfiller) All integrations reside across multiple domains.
    Orlando Standard All integrations reside across multiple domains.
    Paris Standard All integrations reside across multiple domains.

    Domain separation for the Security Incident Response application covers the following product functionality:

    • Security alerts are directed to the appropriate domain of the user whose ID/ credential/ scope generates the incident and is registered as a Security Incident.
    • Alerts generate “observables,”which represent stateful properties or measurable events: Security workflows in the domain of the security incident are used to orchestrate the response.
    • Integrations are configured in the domain of the security incident for response automation.
    • Capabilities are configured in the domain of the security incident for response automation. These capabilities (as of the Kingston release) include:
      • Threat Lookup
      • Enrich Observable
      • Enrich Configuration item
      • Get Running Process
      • Get Network Statistics
      • Block Request
      • Isolate Host
      • Sighting Search
      • Email Search and Delete
      • Publish to Watchlist
    • Results from Response Automation (such as Threat Lookup or Sighting Search) are stored in the domain of the security incident.
    • Other security incidents are cross-referenced in the same domain of the security incident based on a shared set of observables.
    • Other users are cross-referenced in the domain of the security incident.
    • Configuration Items are cross-referenced in the same domain as the security incident.
    • Manual response tasks are added to the domain of the security incident.
    • Knowledge base articles and run books are referenced in the domain of the security incident.
    • Security Incident Response metrics pertinent to incidents in the domain are displayed on dashboards as well as in reporting.
    Note:
    In the preceding cases, the overarching principles of visibility in separated domains in the NOW Platform apply. As always, an incident in the parent domain can reference artifacts in the child domain, but not the other way around.

    How domain separation works in Security Incident Response

    The Security Incident Response application manages the life cycle of a security incident end to end. The following use cases are domain-separation aware:

    • Ingestion of events and alerts to create security incidents for the analyst in the customer SOC or the MSP to respond:
      • Email parsers (platform based, user-reported phishing, custom)
      • De-duplication events/alerts prior to incident creation
      • Auto extraction of observables
      • Applications in third-party SIEM store
    • Enrichment of artifacts involved in the incidents (IP, URLs, domains, file hashes):
      • Asset enrichment (CMDB)
      • Users (Platform)
      • Automation: Observable enrichment (Ex: WhoIs)
    • Investigate the incidents with the help of the artifacts and their reputation or association with known threats
      • Orchestrate: Playbooks and knowledge base articles
      • Automation: Threat Lookup (Ex: VirusTotal), Sighting Search (Ex: Splunk), Get Running Processes (Ex: Carbon Black)
    • Eradicate the threat-related artifacts involved in the incident based on the investigation performed
      • Orchestrate: Playbooks and knowledge base articles
      • Automation: Email search and delete (Ex: Microsoft Exchange), Block IP (Ex: Palo Alto Firewall)
    • Measure the efficiency or Incident response operations
      • Performance Analytics Dashboards: Productivity and incident trends
      • Reconstruction of incident investigation steps from work notes
      • Post-incident review

    Domain separation setup

    Setting up domain separation for Security Incident Response doesn’t require any additional steps. All Security Incident Response tables acquire the Domain column after the instance is domain separated.

    Domain-separated data

    Data can be domain-separated, which means:

    • Security incidents in one domain can’t be viewed from other domains.
    • Observables extracted from the security incident are placed in the same domain and can’t be viewed from other domains.
    • Up to the Kingston release, configured third-party integrations exist in the global domain and are accessible to all other domains in the instance.
    • In the Madrid release, third-party integrations can be configured and activated on a per-domain basis. This means that the integration activated and configured in one domain cannot be leveraged in another domain.
    • Automations that run on the observables using third-party integrations (for Threat Investigation, Containment, or Eradication), place their results in the domain of the security incident and the results can’t be viewed from another domain.
    • Orchestration workflows created in one domain aren’t visible in another domain.
    • Capabilities (as delineated in the preceding capabilities function list) that are invoked stay generic across domains with domain-specific implementation of the capability being called. For example, a Sighting Search on an IP can invoke a Splunk implementation in one domain and a QRadar implementation in another.

    Configuration

    All aspects of product configuration are self-contained in a domain-separated environment. Setup can be tailored for individual domains.
    Note:
    Business logic and the processes in #2-5 below can be administered within the tenant domain.

    The following tasks must be configured:

    1. System Administration
    2. Security Incident Response Administration
    3. Security incident email settings
    4. Security incident playbook settings
    5. Capability configurations

    How tenant domains manage their own application data

    • Tenant domain owners create their own email parsing rules for ingesting security incidents.
    • Tenant domain owners can configure specific integrations exclusively for use within the domain.
    • Tenant domain owners can create their own incident response workflows.
    • Tenant domain owners can create their own incident categories, incident response knowledge base articles, and runbooks to be associated with incident response workflows.
    • Tenant domain users create and close their own security incidents.

    Business logic and processes that can be domain separated by instance owner

    • Security Incident Response users and groups
    • Security Incident Response integrations (starting with the Madrid release)
    • Email parsing rules for incident creation
    • Business rules to consolidate multiple events or alerts into a security incident
    • Workflows for incident response orchestration
    • Security incident risk score calculators
    • Security incident escalation path
    • Security incident SLAs
    • Security incident process definitions
    • Security incident post-incident review processes