
Security Incident Response release notes

ServiceNow® Security Incident Response application enhancements and updates in the Jakarta release.

Jakarta upgrade information

Application administration is enabled for Security Incident Response by default. Before upgrading, verify whether you have added custom tables to Security Incident Response. If those custom tables rely on global ACLs, you may need to recreate those ACLs in the Security Incident Response scope after the upgrade, because application administration evaluates ACLs within the application scope. If you added custom roles or custom ACLs, retest them after the upgrade and confirm that the Assignable by attribute on each role is set correctly, so that application administration can still grant access to those roles.

After you upgrade, modify any custom integrations that read or write Security Incident observables so that they use the Observables table and the new many-to-many (m2m) table that links observables to a security incident. The Context field in the m2m table defines the relationship of an observable to that security incident for observable types that can play more than one role, such as IP (Source or Destination) and URL (Referrer). One observable record can therefore be linked to the same incident more than once, with a different Context on each link.
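As an added illustration of the data-model change described above (this is not ServiceNow code and not part of the release notes), the following plain JavaScript takes a record carrying the six deprecated observable fields and produces the rows an integration would now write: one de-duplicated Observables row per distinct value, plus one m2m row per (observable, Context) pair. The legacy field names, the observable type and Context vocabulary, the validation rules and the sample incident are all assumptions constructed for the example; in an instance the m2m row would reference the observable record's sys_id and the rows would be inserted with GlideRecord, which is not modelled here.

```javascript
// Mapping of deprecated Security Incident fields onto observable type and
// m2m Context. Field names and the type/context vocabulary are assumptions
// for illustration, not the application's own identifiers.
var LEGACY_FIELD_MAP = {
  source_ip:      { type: 'IP',    context: 'Source' },
  destination_ip: { type: 'IP',    context: 'Destination' },
  malware_url:    { type: 'URL',   context: '' },
  referrer_url:   { type: 'URL',   context: 'Referrer' },
  malware_hash:   { type: 'Hash',  context: '' },
  other_ioc:      { type: 'Other', context: '' }
};

// Dotted-quad IPv4 only; anything else in an IP field is rejected rather than
// silently stored as an "IP" observable.
var IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
// MD5, SHA-1 or SHA-256 hex digests, normalised to lower case so that the
// same hash pasted in different case de-duplicates to one observable.
var HEX_HASH = /^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$/;

// Validate and canonicalise one value for its observable type.
// Returns the canonical string, or null if the value must be rejected.
function normalize(type, raw) {
  var v = String(raw).trim();
  if (!v) return null;
  if (type === 'IP') return IPV4.test(v) ? v : null;
  if (type === 'Hash') {
    var h = v.toLowerCase();
    return HEX_HASH.test(h) ? h : null;
  }
  return v; // URLs and "other" IoCs are kept verbatim
}

// Legacy fields were free text and often held several values separated by
// commas, semicolons or newlines; split them into individual observables.
function splitValues(raw) {
  return String(raw == null ? '' : raw)
    .split(/[,;\n]+/)
    .map(function (s) { return s.trim(); })
    .filter(function (s) { return s.length > 0; });
}

// Build Observables rows and m2m rows for one legacy incident record.
// Returns { observables: [{type, value}], m2m: [{security_incident,
// observable, context}], rejected: [{field, value}] }.
function migrateObservables(incident) {
  var observables = {};   // "type|value" -> observable row
  var order = [];         // insertion order of observable keys
  var links = {};         // "type|value|context" -> true (de-dup m2m rows)
  var m2m = [];
  var rejected = [];

  Object.keys(LEGACY_FIELD_MAP).forEach(function (field) {
    var spec = LEGACY_FIELD_MAP[field];
    splitValues(incident[field]).forEach(function (raw) {
      var value = normalize(spec.type, raw);
      if (value === null) {
        rejected.push({ field: field, value: raw });
        return;
      }
      var key = spec.type + '|' + value;
      if (!observables[key]) {
        observables[key] = { type: spec.type, value: value };
        order.push(key);
      }
      var linkKey = key + '|' + spec.context;
      if (links[linkKey]) return;
      links[linkKey] = true;
      // In an instance, "observable" would be the sys_id of the Observables row.
      m2m.push({ security_incident: incident.number, observable: key, context: spec.context });
    });
  });

  return {
    observables: order.map(function (k) { return observables[k]; }),
    m2m: m2m,
    rejected: rejected
  };
}

// Constructed sample record (not real data). The same IP appears as both
// source and destination, the hash is mixed case, and two values are invalid.
var SAMPLE_INCIDENT = {
  number: 'SIR0001001',
  source_ip: '192.0.2.10',
  destination_ip: '192.0.2.10, 300.1.1.1',
  malware_url: 'http://malware.example/payload.exe',
  referrer_url: 'http://referrer.example/landing',
  malware_hash: '44D88612FEA8A8F36DE82E1278ABB02F; zz',
  other_ioc: 'evil.example'
};

var result = migrateObservables(SAMPLE_INCIDENT);
console.log(JSON.stringify(result, null, 2));
```

The point the example makes is the one-to-many-contexts shape: 192.0.2.10 becomes a single observable linked twice, once with Context Source and once with Destination, which the old flat fields could not express without duplicating the value. Invalid values land in `rejected` so that an integration can log them instead of creating malformed observables that later break sightings searches.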

Activation information

Activate the Security Incident Response plugin and configure it based on the needs of your organization. This plugin is available as a separate subscription.

New in the Jakarta release

Security Incident Response workflow templates

Many template workflows are included in the base system; you can use them as they are or customize them for your deployment.

The View Security Workflows module lists all workflows related to security incidents.
Sightings Search for observables
Analysts can perform local searches for observables in log stores and SIEMs to better understand the prevalence of a threat in their environment. New integrations for IBM QRadar, Intel McAfee ESM, Splunk, Elasticsearch, and HPE ArcSight Logger provide base system implementations for this capability.
Expanded support for Get Running Processes
Carbon Black and Unix systems include base-system integrations to get a list of running processes as part of automated enrichment for a security incident. You can define whitelists and blacklists to exclude common processes and highlight those processes known to be commonly associated with threats.
Related items in security incidents
You can correlate between security incidents and shared observables with new related lists. Related Users and Related Configuration Items detail users and configuration items from other security incidents with similar observables.
Security tags
You can apply tags to security incidents to classify them in generic ways. You can organize these tags into groups applying a single group member to a security incident. These tags can restrict user access. By default, the system comes with an implementation of the NIST Traffic Light Protocol (TLP). It includes roles that can be used to restrict user access based on the TLP designation.
ProcDump
Run ProcDump on a Windows system to capture a process memory dump. The results are collected through the MID Server and stored in a preconfigured file location on your network.
Risk score
Configure automatic calculation of a risk score from various factors using the Risk Score Configuration. Security analysts can override the automatically calculated risk score on any security incident.
Post incident reviews
You can target post incident review questions at specific predefined groups by assigning roles to question categories.

Changed in this release

  • Security incident observables:

    Observables associated with a security incident are stored in a table, which:

    • Improves support for incidents with many observables
    • Enables correlation with other security incidents
    • Provides a way to select and perform local searches using a related list

    Observables are in a related list and can be added individually from this list or using the Add Multiple Observables related link.

  • Embedded and related lists for security incidents: Several embedded lists in Security Incident have been changed to related lists. You can select and view different groupings of related lists on a security incident from a set of Related Links.
  • Malware results related lists: Display report results from integrations that provide threat intelligence lookups.
  • Label change: Business Criticality has been changed to Business Impact.

Removed in this release

  • Security incident fields for observables: The following observable fields are deprecated and replaced with an m2m relationship to the Observables table:
    Note: If you have custom integrations that use these fields, they still work; however, Security Incident Response no longer reads or populates them. Update your integrations to use the new Security Incident observables relationship instead.
    • Malware Hash
    • Source IP
    • Destination IP
    • Malware URL
    • Referrer URL
    • Other IoC