Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.
  • London
  • Kingston
  • Jakarta
  • Istanbul
  • Helsinki
  • Geneva
  • Store

Security Incident Response release notes

Security Incident Response release notes

ServiceNow® Security Incident Response application enhancements and updates in the Helsinki platform release.

Activation information

An administrator can activate the Security Incident Response (com.snc.security_incident) plugin.

Browser requirements

See Generally supported browsers.

New in the Helsinki platform release

Dashboards for CISO and Security Manager
Chief security officers and security managers can view dashboards that target specific security metrics based on criticality, service impact, or SLAs related to their roles.
Affected users added to security incidents
Often, security incidents can be targeted at users or groups, as opposed to CIs. Multiple incidents for the same affected user can be an indication of a greater problem.
Business Criticality calculator
The business criticality calculator uses an aggregate of other severity calculators to calculate the potential impact on your business that is posed by a security incident or vulnerability.
Generic transform map
Data sources, such as Splunk, provide additional information that is not part of the base system table definition. When new fields are exposed in the Security Incident table, those fields are auto-populated without needing to modify the import definition.
Splunk integration
Integration with Splunk via a Splunkbase application lets security analysts and responders create events or incidents in Security Incident Response. This function enables teams to collaborate on the downstream response to an incident while tracking all the runbook responses and hand-offs in ServiceNow Security Operations. ServiceNow Security Operations for Splunk is available at

Changed in this release

  • Administrator lockdown on by default: The administrator lockout feature is enabled by default. A security role is required to access security features and records.
  • Role change: sn_si.agent has been changed to sn_si.analyst.
  • Performance Analytics plugin: Performance Analytics functionality has been split into its own plugin, because Performance Analytics dashboards require separate licensing.
  • Post-incident review is automatically generated: When the post incident review (PIR) reaches the Review state, the report is automatically generated. When a security assessment is taken, the report is generated again.
  • UI simplifications:
    • New menu items are tailored for Security Analysts.
    • Additional entries were added to integrate with common-used filters.
    • Menu entries are role-sensitive so that users with different roles are presented with tailored, optimized navigation menus.