Version history for the Security Operations Security Incident Response on the ServiceNow Store.

Important: For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.

Version history

Version 13.6.7 - June 2025
  • Fixed:
    • Playbook email has skip feature but cannot skip send email action due to mandatory fields.
    • Configuration Item (CI) not copied to SIR Task from parent Security Incident and CI field not visible in active states.
    • Compose email in SIR Workspace is having incorrect body/email template.
    • Automated Phishing Playbook flow which is not checking for work note mandatory configuration while changing the state to closed.
    • Missing the "Add Observables" Option in Security Incident Workspace in French.
    • Service Operations Workspace Playbook is overwritten when SIR plugin is installed.
    • Message "This form has not been configured for Workspace" in Security Incident Response Workspace when previewing a security incident.
Version 13.6.6 - May 2025
  • New: Added a new field (date and time) to store incident detection time. Tag does not get removed on SIR requests.
  • Fixed:
    • kb_publish_flow and kb_retire_flow field value added for retired kb's related to workflows.
    • Automatic Threat lookup is working after upgrading the SIR related plugins to latest version and not upgrading the Palo Alto integrations.
    • Security Incident Response Workspace is available from the Now Experience Search drop-down for analyst persona.
    • Clean up Security Incident Encryption Context from com.snc.security_incident plugin.
    • Remove Run Orchestration UI Action from security incident table.
    • SIR demo data references the Legacy HR Group Type named "human_resources" instead of the scoped HR one.
    • Sighting Search parent flow is not honoring input parameter wait and is running asynchronously.
    • ACL Bypass via "Create CSM Case Record" Data Broker | Security Incident Response Workspace.
    • ACL Bypass due to the usage of GlideRecord.
Version 13.6.5 - March 2025
Changed: Supporting changes for generative AI feature, Close Security Incident which is part of Now Assist for the Security Incident Response (SIR) application.
Version 13.6.4 - February 2025
  • New:
    • Supporting changes for:
      • Conference call capability for SIR through Teams/ Zoom/ WebEx for team members and also affected user
      • Daily Status reporting functionality within SIR via mobile friendly email attachment
  • Changed:
    • Supporting changes for migration from workflows to Flow Designer were added for few integrations:
      • McAfee ePO
      • Palo Alto Networks WildFire
      • Store SIR Threat Core
      • Microsoft Exchange On-Premises
Version 13.6.2 - November 2024
  • New: Supporting changes for "Now Assist for Security - Post Incident Analysis" using Generative AI.
  • Changed: Supporting changes for migration from workflows to flows using Flow Designer were added for the following:
    • Crowdstrike Falcon Insight Integration
    • CarbonBlack Integration
    • Splunk Sighting Search Integration
    • MISP integration
    • CheckPoint INtegration
    • Elastic Search integration
    • Microsoft Defender
    • Fire Eye HX
    • Arcisght logger
    • Palo Alto NGFW
    • Create IoC Lookup request activity workflow migration
  • Fixed:
    • When sending a 'POST' REST payload into ServiceNow to insert an incident record, The response will error with '500 Internal Server Error.
    • AI search on SI records was failing due to field level ACLs.
    • Scheduled job - Build cache of critical services CI was failing when use_cache is activated.
    • The Security Incident Form on the SIR Workspace was taking 25 to 30 seconds to load the widgets.
    • Run Additional Triage" sub-flow was unable to add work notes in the parent SIR
    • Security Incident Response (SIR) Parent/Child Relationship Allows Child Incident to be Parent to its Parent Incident, resulting in recursive updates.
    • Long running job "Lookup Security Incident Observables"
Version 13.5.2 - September 2024
Fixed: Block Request is now working on Zscaler.
Version 13.5.1 - August 2024
Changed: Migration of workflows to flow designer.
Version 13.4.5 - June 2024
  • New: Added Security Incident Response Workspace(sn_si_aw:1.5.1) as a dependency for Security Incident Response (sn_si:13.4.5).
  • Fixed: View rules option is now working.
Version 13.4.3 - May 2024
  • Fixed:
    • The 'Secure Attachment' table does not support or consider the file extension property.
    • Duplication rules updated inactive or closed security incident records when ingesting emails from an email parser.
Version 13.3.6 - March 2024
  • Fixed:
    • Security Incident form gets stuck after changing the configuration item when the "Calculate Severity" business rule is enabled
    • An error occurs while evaluating the "si_response_tasks' template script and when you try to close the security incident
    • Improved performance of the Critical service-affected security calculator when the "Refresh Impacted Services on CI Change" business rule is enabled
    • On the Run Additional Actions modal, now the Comment field is set as a mandatory field (to support Microsoft Defender for Endpoint)
Version 13.3.4 - February 2024
  • Changed: You can now create "Encrypted Field Configurations" records for both secure_notes and Attachment.
  • Fixed:
    • The new task form is now editable for the role "sn_si.basic".
    • The Post-Incident Review tab now displays correctly when an assessment is canceled.
    • The Heisenberg styles no longer distort pages in the Next Experience UI.
    • The sn_si_incident_import OOTB mapped vulnerability field is now included on the sn_si_incident record, preventing errors on the first data load.
    • Code signing: KMF Signature records are now generated for records of sn_sec_core_integration_item.
    • Emails no longer include an extra email address with the recipients of the email.
Version 13.3.2 - December 2023
  • New: Added definition metrics for security incident MTTR.
  • Fixed: Misconfiguration of table/field ACLs within the 'com.snc.security_incident' plugin.
Version 13.3.0 - November 2023
  • Changed:
    • Added a configurable property to enable or disable the "Post Incident Review" report generation for child security incidents.
    • Replaced the Knowledge V3 reference with a service portal navigation link.
Version 13.2.2 - September 2023
New: Added usage metrics to capture MTTR for security incidents.
Version 13.2.1 - August 2023
Fixed:
  • In the Timeline section at the bottom of the PIR report, the value of the short description is not visible in the bolded header as well as in the values of any of the encrypted fields of the corresponding response tasks (SITs).
  • The field duration metric for sn_si_incident.assigned_to can generate metrics against the wrong table as a result of using 'definition,' which is not set for field duration metrics.
Version 13.1.0 - May 2023
  • Fixed:
    • Security Analyst doesn't have access to modify the 'Read access' and 'Privileged access' fields on the security incident form.
    • GlideChoiceList is not refreshed every time.
Version 13.0.5 - April 2023
Changed: Updated to support this application on the Security Incident Response workspace.
Version 13.0.1 - March 2023
Fixed: State choices are not populating for the Security Incident when we switch to the 'NIST Open' process definition.
Version 12.9.9 - February 2023
New: Changes to support Security Incident Response Workspace.
Version 12.9.6 - January 2023
Fixed: The base system 'report_view' ACLs for the SIR report are missing.
Version 12.9.5 - December 2022
  • Changed:
    • Added report_view ACL for the following tables:
      • sn_si_audit_log
      • task_cmdb_ci_service
Version 12.9.4 - November 2022
  • Fixed:
    • After submitting a PIR form, the texts (answers) get word-wrapped and show as one statement even though the input was entered into different lines.
    • Security Tag's order in SIR classic UI differs from the one that is created.
    • Update async BR to the new value of async_always.
Version 12.9.2 - August 2022
  • Fixed:
    • Non-admin users cannot view the security incident catalog items from the sc_cat_Item table.
    • A closed security incident returns to the review state after the associated problem/incident moves to the closed state.
    • Security Case form issues in the Sandiego environment.
    • The "Security Tags Toolbar" field shrinks when placed in a different place on the security incident form.
Version 12.9.1 - March 2022
Fixed: Closing the Parent SIR does not close the child security incident when there is a Response task.
Version 12.8.9 - January 2022
Changed: Minor changes to the Integrations Capability framework V2.
Version 12.8.1 - December 2021
  • Changed: MITRE ATT&CK 2.0 updates
  • Fixed:
    • The Security Incident Response module is creating Knowledge articles with the same numbers as current knowledge articles
    • In the Security Incident table (sn_si_incident), the metric definition 'Incident State Duration' is incorrectly configured.
Version 12.5.1 - August 2021
  • Fixed:
    • Fixed sighting search work notes to capture the count of external sightings.
    • Issues related assigning or closing a task.
    • Fixed mapping between security incident and incident.
Version 12.4.1 - June 2021
Fixed: Service portal Security Incident catalog features, email parsing, and scheduled jobs.
Version 12.3.5 - May 2021
Changed: Added a few Restricted Caller Access (RCA) files from other applications to the Security Incident Response (SIR) application.
Version 12.2.7 - February 2021
New: Post incident review reports provides the set up capability to create multiple report templates and configure those to align with the security incidents.
Version 12.0.0 - December 2020
  • New: Introduced the MITRE ATT&CK framework which improves the Now Platform SOAR capabilities that enable proactive analysis, response, and reporting on threats across the security infrastructure.
  • Changed: As part of the inclusive language initiative, allow list and deny list tags have been replaced with allow list and deny list respectively.
  • Fixed: This release contains few functional fixes.
Version 11.1.1 - November 2020
New: Enabled report_view ACLs for sensitive tables and fields.
Version 11.0.4 - October 2020
Changed: The app has been updated to incorporate modifications to the CrowdStrike Falcon Host portal authentication process.
Version 11.0.1 - September 2020
  • New:
    • Post Incident Review Assessments change provides the configurations to define the assessment trigger conditions to generate both mandatory and optional assessments for specific security incidents.
    • File type observable security change provides stringent security measures to store the suspicious files and enables the files type observables for sandbox integration.
Version 10.5.2 - August 2020
  • Changed: The number of related lists shown on Security Incident form have been reduced. Users will now see only the most commonly used related lists by default.
  • Fixed: Performance issues with the "Related Configuration Items" and "Related Users" related lists have been addressed.
Version 10.4.0 - June 2020
  • New: Created new form to collect customer configuration items and submit it to Licensing team
  • Fixed: Security tag assignment to newly created security incidents
Version 10.0.5 - April 2020
  • Fixed: Dispatch actions updated for compatibility with Security Incident Response UI
  • Removed: ATF Test and related test configuration steps and variables
Version 10.0.2 - March 2020
  • New: Capability Framework v2: The updated Integrations Capability framework provides a consistent architecture to support interoperability with third-party integrations. The changes include:
    • Ability to specify conditions for triggering capabilities and implementations (For example: based on Incident Category)
    • Easy configuration of capability and integration execution parameters like Batch input size, rate limits and time out period
    • Creating your own Capability
    • Easier troubleshooting of Capability executions
Version 9.0.1 - November 2019
  • New: User Reported Phishing 2.0 provides an updated way to ingest phishing emails. It includes email aggregation, email header extraction, and improved configuration capabilities.
  • Fixed: Bug fixes.
Version 8.0.10 - June 2019
Refer to Security Incident Response release notes for product changes and updates in the Madrid release.