The ServiceNow Store contains Security Incident Response products.

Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store.

Recent release highlights for Security Incident Response

Data Loss Prevention Incident Response (2.1.20)
  • Fixed:
    • Accessibility bugs:
      • Tab elements now visible and accessible.
      • Assessment text no longer overlaps with the number in the Assessment tab within the DLP IR Analyst Workspace.
    • Default target state issue in Incident Response Options Rule resolved.
    • UI Elevation and Theme issues:
      • Assessment heading now properly visible in Coral Dark theme.
      • In the Preview File tab, the body is now visible and borders are correctly displayed in Coral Dark theme.
    • Performance bugs addressed to improve overall responsiveness and stability.
    • Security bugs fixed to improve system protection and compliance.
DLP Incident Response integration with Microsoft (1.1.1)
  • Fixed:
    • Generation of unnecessary error logs on clicking the Sensitive Information tab in the Workspace.
    • Bug where multiple Sensitive Information Types with the same name were incorrectly created under the Detective Sensitive tab when different conditions were met simultaneously.
    • Limitation where the "Incident Response Option Rule" could not be modified for Out-of-the-Box (OOTB) configurations. Users can now adjust these rules as expected.
DLP Incident Response integration with ICAP (1.0.11)
Fixed: Keyboard focus would exit the profile creation confirmation modal when navigating through the dialog options using the Tab key. Focus is now properly contained within the modal dialog.
DLP Incident Response Integration with Symantec (1.1.21)
Fixed: Unnecessary error logs that were generated on clicking the Sensitive Information tab in the Workspace.
Major Security Incident Management (3.4.3)
Fixed: Tasks deleted from the List View were not being removed from the sn_msi_task table.
Microsoft Azure Sentinel - Incident Ingestion Integration For Security Operations (11.0.25)
  • Fixed:
    • AzureSentinelCommentStatusSync script include throwing the error "String object has exceeded maximum permitted size of 33554432".
    • Empty SIRs being created.
MISP integration for Security Operations (1.2.1)
  • Fixed:
    • Sightings Search Flow triggering an error.
    • REST Action error when called from Script Action: Refresh MISP Galaxies Event Handler.
Now Assist for Security Incident Response (3.2.2)
  • New:
    • Security Incident Resolving: This agentic workflow helps security analysts resolve security incidents by leveraging existing runbooks and historical security incidents. By analyzing similar past cases, it generates a clear and effective plan to resolve ongoing security incidents.
    • SOC Efficiency Analyzing: This agentic workflow helps SOC managers assess the quality of security incidents and track the key performance metrics, providing insights to explain and improve SOC operations.
      • Generate Key Metrics for Security Incident Response (SIR): Track case volume, Mean Time to Assign (MTTA), and Mean Time to Resolve (MTTR) over a customizable date range.
      • Metrics Analysis and Insights: Receive actionable insights into how to optimize MTTR, MTTA, and case volume, along with recommendations for improvement based on the data.
  • Changed:
    • Recommended Actions:
      • Enhanced to incorporate a feedback option on the overall recommendation provided, enabling continuous improvement of future recommendations.
      • The top N recommendation cards are displayed, where N is set in the configuration settings.
Security Case Management common workspace components (1.3.4)
Fixed: Bug related to dark theme in the Post Incident review section.
Security Incident Response (13.6.7)
  • Fixed:
    • The playbook email step offered a skip option, but the Send Email action could not be skipped because of mandatory fields.
    • Configuration Item (CI) not copied to the SIR Task from the parent Security Incident, and the CI field not visible in active states.
    • Compose Email in the SIR Workspace used an incorrect body/email template.
    • Automated Phishing Playbook flow did not check the mandatory work note configuration when changing the state to Closed.
    • Missing the "Add Observables" Option in Security Incident Workspace in French.
    • Service Operations Workspace Playbook is overwritten when SIR plugin is installed.
    • Message "This form has not been configured for Workspace" in Security Incident Response Workspace when previewing a security incident.
Security Incident Response integration with Microsoft Defender for Endpoint (1.0.12)
Fixed: Query failure caused by insufficient 'query_match' access on sn_sec_core_integration_item.sys_scope for users with the sn_si.analyst role, which broke the Defender for Endpoint integration.
Security Incident Response Workspace (1.7.10)
  • Fixed:
    • Related Records section on the SIT page in the SecOps workspace kept loading indefinitely.
    • Runbook articles were not properly rendered in the dark theme on the SIR workspace.
    • Drop-down buttons on the Investigation tab were not displayed properly.
    • Backend name was shown instead of the display name in the Reports section of the SIR Workspace.
    • Schedules page in the SIR workspace was accessible to users with the sn_si.read role.
Security Operations Spoke (10.6.7)
Fixed: Duplicate Knowledge Base (KB) numbers created after installing the SIR plugin.
Recommended Actions for Security Operations (1.1.2)
Fixed: A JSON parsing failure that impacted initiating the skill, generating recommended actions from a security incident, and creating a response task.
Splunk Enterprise Event Ingestion for Security Operations (11.3.4)
  • Fixed:
    • When multiple values were sent from Splunk for the Affected Users or Configuration Items fields, an error alert appeared with the message "input value was not found for mapped field".
    • Affected user was mapped to an empty user record when Splunk v2 supplied no corresponding value.
Splunk ES Integration for Security Operations (12.1.9)
  • Fixed:
    • Bug: The Splunk ES process for sending events to the Security Incident Response (SIR) job was causing memory contention on nodes, leading to node restarts.
    • Improvement: Performance improvements were implemented for Splunk ES, which resolved the memory contention issue on nodes.
Threat Intelligence (13.3.2)
Fixed: An ACL issue that allowed users to bypass access control restrictions through the Create New Security Case functionality.
Threat Intelligence Security Center integration with Microsoft Defender for Endpoint (1.0.4)
  • Fixed:
    • Issue with missing runtime inputs during the initial setup of the Microsoft Defender integration.
    • Corrected logic related to the Observable Expiration Period, which was not functioning as expected.