The ServiceNow® Security Incident Response (SIR) application helps your organization connect security and IT teams, respond faster and efficiently to threats, and view your organization's security posture. Security Incident Response was enhanced and updated in the Washington DC release.

Security Incident Response highlights for the Washington DC release

  • Make conference calls including team members, customers, and other stakeholders to resolve customer issues.
  • Capture MTTR (Mean time to repair) information through usage and definition metrics for security incidents.
  • Monitor scan requests and report security incidents as a risk event to the Risk Management team from the Security Incident Response Workspace.
  • Create a customer service case for the security incident directly from the Security Incident Response Workspace, which will be tracked by the Customer Service Management (CSM) team.
  • VirusTotal integration is provided with an option to send URLs as hashes for threat lookup, to protect the users' privacy on the integration.
Important: Security Incident Response is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.

New in the Washington DC release

Major Security Incident Management Conference Call Integration
Collaborate with your customers and peer agents through a conference call to resolve customer issues through Microsoft Teams, Zoom, or Webex. You can also capture post-call chat, recordings, participant info.
Flow-based Playbooks
More easily transition from manual or undocumented playbooks to automated and repeatable playbooks using Flow Designer. Security Incident Response now supports the following new playbooks:
Manage post incident activities
Security Incident Response now supports the following capabilities:
  • Usage and definition metrics for security incidents to capture MTTR (Mean time to repair).
  • Enable or disable the Post Incident Review (PIR) report generation for child security incidents.
Security Incident Response Workspace
You can now perform the following tasks in the Security Incident Response Workspace:
  • Monitor scan requests
  • Report security incidents as a risk event, which will be tracked by the Risk Management team
  • Create a customer service case for the security incident, which will be tracked by the Customer Service Management (CSM) team
Activate and configure the VirusTotal integration
Send URLs as hashes for threat lookup to protect the users' privacy on the integration.

Changed in this release

Microsoft Azure Sentinel integrationMicrosoft Azure Sentinel integration

Deprecations

ServiceNow® Security Incident Response no longer supports the following integrations:
  • Recorded Future
  • Trusted Security Circles

For more information about these deprecations, see the Deprecation Process [KB0867184] article in the Now Support knowledge base.

Activation information

Install Security Incident Response by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

Related ServiceNow applications and features

Vulnerability Response
Vulnerability Response is part of the Security Operations application suite. Together, these applications connect security to your IT department, increase the speed and efficiency of your response, and give you a definitive view of your security posture.
Threat Intelligence
The ServiceNow® Threat Intelligence application enables you to find indicators of compromise (IoC) and enrich security incidents with threat intelligence data.
Security Operations common functionality
When any of the plugins for the main Security Operations applications (Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance) are activated, the Security Support Common plugin is activated.