13.9.23
Compatible releases: Zurich, Yokohama, Xanadu, Washington DC, Vancouver Patch 4, Vancouver, Utah, Tokyo
With ServiceNow Security Incident Response, you can manage and automate the life cycle of your security incidents from initial prioritization to containment and resolution. Use the automated workflows to respond quickly and consistently and understand the trends and bottlenecks with analytics-driven dashboards and comprehensive reporting systems.
Integrations with third-party security solutions give you an enterprise-wide view of your security posture. Add orchestration for much faster incident response.
New:
- Ingest security incidents using email parsers, external monitoring, tracking systems, or the service catalog. Consolidate multiple events into a single incident for an efficient response.
- Use the tile-based Security Analyst workspace to quickly and efficiently perform day-to-day security analysis work.
- Employ security automation with third-party cybersecurity solutions to accelerate triage, investigation, containment, eradication, and remediation steps during incident response.
- Use the Security Analyst Playbooks to analyze specific threats step-by-step to orchestrate security automation. Playbooks lead you through a series of tasks and other activities for resolving the threat.
- The User-Reported Phishing feature allows you to create incidents from employees' forwarded phishing emails.
- Perform a post-incident review and create knowledge base articles to help with similar incidents in the future.
- Post-incident review reports let you create multiple report templates and configure them to align with your security incidents.
- Walk through the Security Incident Response setup process using the Setup Assistant in a simple, step-by-step procedure.
- Managed Security Service Providers offer domain-separated implementations of all existing and future integrations, such as Threat lookup, Observable enrichment, and Sighting search based on the user.
Fixed:
- Linked items cannot be added when choosing all.
- When Observable type is changed to File, no error or informative message is populated as attachment is mandatory.
- Color contrast issue on the MITRE heatmap.
- Urgency is missing from Create Security Incident Response for an incident.
- The SIR Observable Type Identification script did not recognize file paths that used a forward slash '/'.
- Not able to close informative alert message under Observable Creation for File Type.
- Attachments in .eml files were not being created as observables.
- Unable to create a new record directly from the table "sn_si_m2m_task_affected_user" with an analyst role.
- Remove the ATF test cases, which were referring to the workflow templates.
- Work notes were not propagated from an incident to a security incident.
- ACL(sn_si_incident.work_notes) description was incorrect.
- Privilege Escalation to Global Admin | Security Incident Response.
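The fix to the Observable Type Identification script above concerns a common classifier edge case: a rule that only recognizes Windows-style backslash paths silently drops POSIX paths such as /tmp/payload.sh, which then never become observables. The following is an added, hypothetical classifier written for this page; it is not ServiceNow's script include, and the type names, pattern order and `identifyObservableType`/`classifyObservables` functions are this example's own assumptions. It shows a scheme-required URL rule ordered before the path rules so that forward-slash paths are recognized as file paths rather than misclassified or discarded.

```javascript
// Added example (not ServiceNow's Observable Type Identification script).
// Ordered patterns: the first match wins, so more specific types come first.
const OBSERVABLE_PATTERNS = [
  // A URL must carry a scheme ("://"); a bare "/tmp/x" is therefore not a URL.
  ["url", /^[a-z][a-z0-9+.-]*:\/\/\S+$/i],
  ["email", /^[^\s@/\\]+@[^\s@/\\]+\.[a-z]{2,}$/i],
  ["ipv4", /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/],
  ["sha256", /^[a-f0-9]{64}$/i],
  ["sha1", /^[a-f0-9]{40}$/i],
  ["md5", /^[a-f0-9]{32}$/i],
  // Windows path: drive letter or UNC prefix, backslash separators.
  ["file_path", /^(?:[a-z]:\\|\\\\)[^<>:"|?*\n]*$/i],
  // POSIX path: absolute, relative (./ ../) or home-relative (~/), forward
  // slashes. This is the rule a backslash-only implementation lacks.
  ["file_path", /^(?:\/|\.\.?\/|~\/)[^\s<>"|?*]*$/],
  ["domain", /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/i],
];

// Return the observable type for one value, or "unknown" if nothing matches.
function identifyObservableType(value) {
  const v = String(value).trim();
  if (!v) return "unknown";
  for (const [type, re] of OBSERVABLE_PATTERNS) {
    if (re.test(v)) return type;
  }
  return "unknown";
}

// Classify a batch of values (e.g. strings extracted from a phishing email)
// and return a map of value -> type; "unknown" entries stay visible so an
// analyst can see what was not recognized rather than having it dropped.
function classifyObservables(values) {
  const result = {};
  for (const v of values) result[v] = identifyObservableType(v);
  return result;
}

// Constructed sample input, including the forward-slash path edge case.
const SAMPLE_OBSERVABLES = [
  "http://phish.example/login.php",
  "alice@example.com",
  "10.0.0.1",
  "d41d8cd98f00b204e9800998ecf8427e",
  "/tmp/payload.sh",
  "C:\\Users\\bob\\malware.exe",
  "example.com",
  "not an observable",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(classifyObservables(SAMPLE_OBSERVABLES));
}
```

The ordering is the point: if the POSIX path rule sat before the URL rule, or the URL rule accepted scheme-less values, "/tmp/payload.sh" and "http://..." would collide. Keeping unknown values in the output rather than filtering them out is what makes a gap like the original forward-slash defect visible during triage.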
Changed:
- Clicking widgets on Security Incident Manager overview dashboard displayed an error for sn_si.manager.
- Restrict attachment modifications after security incident closure.
- Enhance SIR with native support for third-party risk scoring, integration and prioritization.
- Simplify and democratize category management in security incident response.
- Enhance user-reported phishing workflow with pattern-based allow/deny rules.
- Implement NIST-based incident prioritization in security incident response.
- Prevent duplicate escalations from IT Incidents to Security Incidents with confirmation mechanism.
- Ability to link multiple problem and change request records to SIR record.
- Enable in-line editing of associated observables and findings in SIR Workspace.
- Enable flexible creation of multiple linked ITSM records (INC, CHG, PRB) from the SIR Workspace.
- Flow to PAD conversion: the Wrapper Process Generator is not shown with state lanes when selecting "Generate Process."
- Improper use of current.update in BR(s) from the Security Support Common product.
- Granular Admin Roles - Cobalt Wren - SIR.
- Security [Directive] Read Only field Security.
- Dot-Walk Scoping Bypass - SIR Core.
The following Security Operations apps must be installed and activated:
- Security Integration Framework
- Security Support Common
- Security Support Orchestration
- Threat Core
Permissions and roles:
- Role required: System Admin (admin) or Security Admin (sn_si.admin)