ServiceNow Store - Security Incident Response release notes
- Updated Jun 5, 2025
The ServiceNow Store contains Security Incident Response products.
Recent release highlights for Security Incident Response
- Data Loss Prevention Incident Response (2.1.20)
- Fixed:
- Accessibility bugs:
- Tab elements now visible and accessible.
- Assessment text no longer overlaps with the number in the Assessment tab within the DLP IR Analyst Workspace.
- Default target state issue in Incident Response Options Rule resolved.
- UI Elevation and Theme issues:
- Assessment heading now properly visible in Coral Dark theme.
- In the Preview File tab, the body is now visible and borders are correctly displayed in Coral Dark theme.
- Performance bugs addressed to improve overall responsiveness and stability.
- Security bugs fixed to improve system protection and compliance.
- DLP Incident Response integration with Microsoft (1.1.1)
- Fixed:
- Generation of unnecessary error logs on clicking the Sensitive Information tab in the Workspace.
- Bug where multiple Sensitive Information Types with the same name were incorrectly created under the Detective Sensitive tab when different conditions were met simultaneously.
- Limitation where the "Incident Response Option Rule" could not be modified for Out-of-the-Box (OOTB) configurations. Users can now adjust these rules as expected.
- DLP Incident Response integration with ICAP (1.0.11)
- Fixed: Keyboard focus would exit the profile creation confirmation modal when navigating through the dialog options using the Tab key. Focus is now properly contained within the modal dialog.
- DLP Incident Response Integration with Symantec (1.1.21)
- Fixed: Unnecessary error logs that were generated on clicking the Sensitive Information tab in the Workspace.
- Major Security Incident Management (3.4.3)
- Fixed: Resolved an issue where tasks deleted from the List View were not being removed from the sn_msi_task table.
- Microsoft Azure Sentinel - Incident Ingestion Integration For Security Operations (11.0.25)
- Fixed:
- AzureSentinelCommentStatusSync script include throwing "String object has exceeded maximum permitted size of 33554432" error.
- Empty SIRs getting created.
- MISP integration for Security Operations (1.2.1)
- Fixed:
- Sightings Search Flow triggering an error.
- REST Action error when called from Script Action: Refresh MISP Galaxies Event Handler.
- Now Assist for Security Incident Response (3.2.2)
- New:
- Security Incident Resolving: This agentic workflow helps security analysts resolve security incidents by leveraging existing runbooks and historical security incidents. By analyzing similar past cases, it generates a clear and effective plan to resolve ongoing security incidents.
- SOC Efficiency Analyzing: This agentic workflow helps SOC managers assess the quality of security incidents and track the key performance metrics, providing insights to explain and improve SOC operations.
- Generate Key Metrics for Security Incident Response (SIR): Track case volume, Mean Time to Assign (MTTA), and Mean Time to Resolve (MTTR) over a customizable date range.
- Metrics Analysis and Insights: Receive actionable insights into how to optimize MTTR, MTTA, and case volume, along with recommendations for improvement based on the data.
- Changed:
- Recommended Actions:
- Enhanced to incorporate a feedback option on the overall recommendation provided, enabling continuous improvement of future recommendations.
- Additionally, the top (N) number of recommendation cards are displayed based on the configuration settings.
- Security Case Management common workspace components (1.3.4)
- Fixed: Bug related to dark theme in the Post Incident review section.
- Security Incident Response (13.6.7)
- Fixed:
- Playbook email has a skip feature, but the send email action could not be skipped due to mandatory fields.
- Configuration Item (CI) not copied to SIR Task from parent Security Incident and CI field not visible in active states.
- Compose email in SIR Workspace had an incorrect body/email template.
- Automated Phishing Playbook flow was not checking the work note mandatory configuration when changing the state to closed.
- Missing "Add Observables" option in Security Incident Workspace in French.
- Service Operations Workspace Playbook is overwritten when SIR plugin is installed.
- Message "This form has not been configured for Workspace" in Security Incident Response Workspace when previewing a security incident.
- Security Incident Response integration with Microsoft Defender for Endpoint (1.0.12)
- Fixed: Query failure due to insufficient 'query_match' access on sn_sec_core_integration_item.sys_scope for users with sn_si.analyst role, impacting Defender for Endpoint integration.
- Security Incident Response Workspace (1.7.10)
- Fixed:
- SIT page Related record section in SecOps workspace keeps loading.
- Runbook articles were not properly applied with dark theme on the SIR workspace.
- Drop-down buttons on the investigation tab were not properly visible.
- Backend name is showing up instead of display name in Reports section of the SIR Workspace.
- Schedules page in SIR workspace accessible for user with the sn_si.read role.
- Security Operations Spoke (10.6.7)
- Fixed: Duplicate Knowledge Base (KB) numbers created after installing the SIR plugin.
- Recommended Actions for Security Operations (1.1.2)
- Fixed: A JSON parsing failure that impacted initiating the skill, generating recommended actions from a security incident, and creating a response task.
- Splunk Enterprise Event Ingestion for Security Operations (11.3.4)
- Fixed:
- When multiple values were passed from Splunk for affected users or configuration items, an error alert popped up with the message: input value was not found for mapped field.
- Affected user getting mapped to an empty user record if there is no corresponding value in Splunk v2.
- Splunk ES Integration for Security Operations (12.1.9)
- Fixed:
- Bug: The Splunk ES process for sending events to the Security Incident Response (SIR) job was causing memory contention on nodes, leading to node restarts.
- Improvement: Performance improvements were implemented for Splunk ES, which resolved the memory contention issue on nodes.
- Threat Intelligence (13.3.2)
- Fixed: A security issue related to ACL where users could bypass access control restrictions through the Create New Security Case functionality.
- Threat Intelligence Security Center integration with Microsoft Defender for Endpoint (1.0.4)
- Fixed:
- Issue with missing runtime inputs during the initial setup of the Microsoft Defender integration.
- Corrected logic related to the Observable Expiration Period, which was not functioning as expected.