View Major Security Incident trend charts

  • Release version: Zurich
  • Updated July 31, 2025
  • 4 minutes to read
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of View Major Security Incident trend charts

    This feature provides ServiceNow customers with visualized metrics and charts to track the progress and impact of a Major Security Incident (MSI). It consolidates data from linked Security Incident Response (SIR) incidents and related tasks, reflecting real-time activity and trends. The Overview tab displays key impact metrics such as affected assets, users, locations, and team resources, helping teams manage the evolving scope of the incident effectively.

    Key Features

    • Time Tracking: Shows the total active duration of the MSI calculated from the Detection Date, displayed in days, hours, and minutes. Also provides an estimated resolution date if available.
    • Active Team Monitoring: Lists response teams and members actively working on the incident, with trend charts showing team involvement over time. Teams are assigned and viewable from the Details tab.
    • Linked SIR Incidents by State: Visualizes the distribution and trends of linked security incidents by their states (Analysis, Contain, Eradicate, Recover, Review). Users can navigate directly to detailed incident views.
    • SIR Tasks Overview: Displays counts and trends of active response tasks categorized by task state (Draft, Assigned, Work in Progress, Closed Complete) and assignment groups. Overdue tasks are highlighted with direct navigation to task details for quick resolution.
    • MSI Direct Tasks: Shows tasks created specifically on the MSI record, independent of linked SIR tasks, with filtering by task state for detailed management.
    • External Collaboration Tracking: Monitors collaboration activities coordinated through Microsoft Teams and SharePoint, labeled by incident state, with trend charts showing activity volume during the incident lifecycle.

    Practical Use for ServiceNow Customers

    This visualization and tracking capability enables incident response teams to:

    • Quickly assess the current impact and scope of a major security incident.
    • Monitor task progress and team activity to ensure timely responses.
    • Identify overdue tasks and bottlenecks for faster remediation.
    • Understand collaboration efforts integrated from external tools like Teams and SharePoint.
    • Navigate seamlessly between high-level incident trends and detailed task or incident records for efficient management.

    These insights help customers maintain control over the incident lifecycle, supporting better communication, prioritization, and resolution efforts within the ServiceNow MSI workspace.

    View the major security incident impact progress metrics visualized as bar graphs and charts.

    In addition to the incident timeline and progress trend chart visualizations, the Overview tab provides relevant impact metrics to manage the changing scope of the incident, including rollup of affected assets, users, locations, and team resources.

    The counts displayed in the visualization components are based on active tasks on linked Security Incident Response (SIR) incidents. As tasks are opened and closed, these counts change to reflect the nature and volume of the remaining activity planned for the major security incident, which produces the trends shown in the trend chart visualization components.

    Figure 1. MSIM Overview tab impact metrics
    View the impact metrics of the major security incident
    Refer to the following table for the UI actions that you can perform from the Overview section:
    Table 1. Overview UI sections
    Title: Description
    Time: Displays the total number of days for which the major security incident has been active.

    The time is calculated based on the Detection Date entered in the Details tab of the workspace.

    The Detection Date is often captured initially when the major security incident was first created or proposed. Whenever this date is modified, the time is automatically calculated, refreshed, and displayed in the format days: hours: minutes, for example 20D: 13H: 58M.

    Estimated resolution date: The date by which the incident is estimated to be resolved. This date is often captured initially when the major security incident was first created or promoted.

    The date is updated and refreshed based on the estimated date provided in the Details tab of the workspace.

    If the estimated date is not provided in the Details section, then this section displays a hyphen instead of a date value.

    Active Team: Displays the different response teams and the team members from each team who are actively working on the major security incident and its related tasks.
    Active Team trend: Displays the trend chart, updated at regular intervals, of each team and its team members who are actively working on the major security incident and related tasks.
    Note:
    View the assigned active groups from the Details tab of the workspace.
    Linked SIR incidents:
    By incident state: View the distribution of linked security incidents based on an incident state such as Analysis, Contain, Eradicate, Recover, or Review.

    Trends by incident state: Shows the trend of how the number of linked incidents is progressing based on incident state.

    Selecting each incident state link allows you to navigate and view the linked security incident details directly on the Linked SI/VI tab of the workspace.

    This section is updated and refreshed automatically whenever changes occur to the underlying incidents.

    SIR Tasks: Displays active task totals that are linked to the MSI record via SIR incidents.
    • By task state: View the incident response tasks based on the incident state such as Draft, Assigned, Work in progress, Closed Complete. This distribution chart allows for a further distribution breakdown by assignment groups. Selecting each task state allows you to view a filtered list by incident task state on the Tasks tab of the workspace. The filtered view allows you to view and update individual task details.
    • In progress tasks by incident state label: Displays active tasks and groups based on incident state label that must be applied in the Task Organizer components. These default labels have values such as Analysis, Contain, Eradicate, Recover, or Review to indicate the nature of the task involved.
    • Overdue: Displays the security incident response tasks that are active and have exceeded the due date.

      You can view the details of all the overdue tasks by selecting the total Overdue count, which automatically navigates to the Tasks tab.

    • Trends by task state: View the progress trend of both work in progress and closed response tasks over the incident duration.
    Note:
    The trend chart graph retrieves the latest data based on the scheduled job. You can configure or modify the data retrieval time interval as required.
    MSI Tasks: Displays the total of active tasks that were created directly on the MSI record (these aren’t linked response tasks):

    By task state: View the created and assigned major security incident tasks and their related information.

    Selecting each task state allows you to view a filtered list by incident task state on the Tasks tab of the workspace. The filtered view allows you to view and update individual task details.

    External Collaboration: Displays the total of all labeled collaboration activities from the Collaboration Activity Stream:
    • By incident state label: View the incident collaboration activity data that is coordinated with Microsoft Teams and Microsoft SharePoint files and folders and is labeled using incident state labels such as Analysis, Contain, Eradicate, or Recover from the Collaboration tab of the workspace.
    • Trends by activity type: View the trend chart for the number of Microsoft Teams and Microsoft SharePoint files and folders activities over the incident duration.