Security Incident Response release notes

ServiceNow® Security Incident Response application enhancements and updates in the Istanbul release.

Activation information

Activate the Security Incident Response plugin and configure it based on the needs of your organization. This plugin is available as a separate subscription.

New in the Istanbul release

Parent/child security incidents

Security teams can use parent-child security incident relationships to associate related security incidents with one another, making them easier to manage and resolve.

Special access roles

Sometimes security teams need to loop in non-security users from within their organization or external consultants, but do not want to give them full access to all security incidents. Using special access roles, security teams can grant individuals read-only or full access to security incidents on a case-by-case basis.

Manual Runbook

Most security teams have extensive runbooks that drive their processes. However, it can be cumbersome for analysts to find the appropriate runbook during the investigation and remediation of an incident. Security analysts can now access relevant runbook articles directly from a security incident, based on the context of the incident, so that the appropriate information is easily accessible and response times are expedited.

Exchange search

Phishing attacks are a common security incident across organizations. With the ability to search for emails in Exchange and optionally delete them, analysts can more readily determine the scope of an attack and protect their organization.

Create a customer service case from a security incident

Organizations using both Security Incident Response and Customer Service can now easily create customer service cases from within a security incident. If a task needs to be completed by another group, it can be created and tracked from within a security incident.

Security Incident Response Orchestration

With Security Incident Response Orchestration activities, users can interact with and retrieve data from Windows or UNIX-based systems and environments using workflow.

Changed in this release

  • Process definitions: State flows have been changed and renamed to process definitions. Security teams can more easily modify the states that teams follow within the context of a security incident, and have more flexibility when transitioning between states.
  • Updated security incident overview: Security Incident Response Explorer provides a graphical view into security incident activity, so that security administrators or analysts can quickly pinpoint areas of concern.
  • Dashboard enhancements: Using interactive filters, you can filter report widgets directly from a homepage or dashboard without modifying the reports.