Unified experience capabilities and modal screens
Summary of Unified experience capabilities and modal screens
This document outlines the Unified Experience capabilities and modal screen workflows available in the Xanadu release (updated August 1, 2024). It details how Security Analysts interact with various integration implementations through a series of modal screens to perform security actions within ServiceNow. The guide helps customers understand which screens appear for different capabilities, what inputs are required, and which integrations are supported.
Key Features
- Screen-Based Workflow: Security Analysts use up to three modal screens depending on the capability:
  - Screen 1 – Select Implementations: Always presented for all capabilities, where analysts choose one or more integration implementations.
  - Screen 2 – Common Inputs: Presented when a capability requires common inputs across implementations, such as date/time for sighting searches or file name/path for file retrieval.
  - Screen 3 – Implementation Specific Inputs: Presented when inputs vary by selected implementation, allowing analysts to provide run-time inputs tailored to each integration.
- Implementation Selection: Currently, only single implementation selection is supported per action, with plans for multi-selection in future releases.
- Integration Support: Supports a wide range of security integrations including but not limited to:
  - VirusTotal, Hybrid Analysis, CrowdStrike Falcon Intelligence
  - Microsoft Defender for Endpoint, FireEye HX, Carbon Black
  - Splunk, QRadar, MISP, Zscaler, Palo Alto NGFW, Check Point NGFW
Capabilities and Screen Usage
- Run Threat Look Up & Run Observable Enrichment: Only Screen 1 is presented; no additional inputs required.
- Run Sighting Search (Web, Email, General): Screen 1 and Screen 2 appear; common inputs like date/time frequency are captured.
- Submit to Sandbox: Screen 1 and Screen 3 appear; inputs vary by implementation, with no common inputs.
- Publish to Watchlist, Allow/Block Request, Get Host Details, Get Network Statistics, Get Running Processes, Get Running Services: Only Screen 1 with no additional inputs.
- Get File: Screen 1 and Screen 2; requires common inputs such as file name and path.
- Isolate/Un-Isolate Host and Run Additional Actions: Screen 1 and Screen 3; implementation-specific inputs vary and must be provided accordingly.
Practical Benefits for ServiceNow Customers
This structured modal experience streamlines how Security Analysts interact with diverse security tools through the ServiceNow platform. By standardizing the input screens and clearly defining when common versus implementation-specific inputs are needed, analysts can efficiently submit security actions with the right context. Customers benefit from:
- Consistent user experience across multiple security integrations
- Reduced complexity by only showing relevant input fields per action and implementation
- Improved accuracy and speed in executing threat lookups, enrichments, host isolations, and other critical security tasks
- Future readiness for multi-selection of implementations to handle bulk actions
The following table describes the capabilities and applicable screens.
| Capability | UX Frameworks Screens Applicable | Integrations Supported |
|---|---|---|
| Run Threat Look Up | Only Screen 1 – Select Implementations is applicable. There are no common inputs or implementation specific inputs applicable for Run Threat Look Up. So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action. | |
| Run Observable Enrichment | Only Screen 1 – Select Implementations is applicable. There are no common inputs or implementation specific inputs applicable for Run Observable Enrichment. So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action. | |
| Run Sighting Search/Run Web Sighting Search/Run Email Sighting Search | Screen 1 – Select Implementations and Screen 2 – Common Inputs are applicable. Sighting search takes date and time frequency as common inputs across multiple implementations of Splunk and other integrations. This screen will be presented to the Security Analyst to capture date and time frequencies. For integrations that don’t require these inputs, for example FireEye HX, they will be ignored. After selecting one or more implementations and providing common inputs, the Security Analyst will be able to submit the action. | |
| Submit to Sandbox | Screen 1 – Select Implementations and Screen 3 – Implementation specific inputs are applicable. Submit to Sandbox takes different inputs for different implementations. There are no common inputs for this capability currently. For example, when the Analyst selects Crowdstrike Falcon X Quick Scan, Crowdstrike Falcon X Windows 64, Crowdstrike Falcon X Linux, and Zscaler, the inputs vary. Crowdstrike Falcon X Quick Scan and Zscaler don’t need further run time inputs. Crowdstrike Falcon X Windows 64 takes optional run time inputs that differ from Crowdstrike Falcon X Linux. So, these can be provided in screen 3 specifically against individual selected implementations as applicable. | |
| Publish to Watchlist | Only Screen 1 – Select Implementations is applicable. There are no common inputs or implementation specific inputs applicable for Publish to Watchlist. So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action. | Crowdstrike Falcon Host |
| Allow/Block Request | Only Screen 1 – Select Implementations is applicable. There are no common inputs or implementation specific inputs applicable for Allow/Block Request. So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action. | |
| Get Host Details | Only Screen 1 – Select Implementations is applicable. There are no common inputs or implementation specific inputs applicable for Get Host Details. So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action. | |
| Get File | Screen 1 – Select Implementations and Screen 2 – Common Inputs are applicable. Get File takes file name, path as common inputs. After selecting one or more implementations and providing common inputs, the Security Analyst will be able to submit the action. | FireEye HX |
| Get Network Statistics | Only Screen 1 – Select Implementations is applicable. There are no common inputs or implementation specific inputs applicable for Get Network Statistics. So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action. | |
| Get Running Processes | Only Screen 1 – Select Implementations is applicable. There are no common inputs or implementation specific inputs applicable for Get Running Processes. So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action. | |
| Get Running Services | Only Screen 1 – Select Implementations is applicable. There are no common inputs or implementation specific inputs applicable for Get Running Services. So, only screen 1 is presented to the Analyst to select one or more implementations. After selecting the implementations, the Analyst will be able to submit the action. | FireEye HX |
| Isolate Host / Un-Isolate Host | Screen 1 – Select Implementations and Screen 3 – Implementation specific inputs are applicable. Isolate Host/Un-isolate Host takes different inputs for different implementations. There are no common inputs for this capability currently. For example, when the Analyst selects FireEye HX and Microsoft Defender for Endpoint, the inputs vary. FireEye HX doesn’t need run time inputs. On the other hand, Microsoft Defender takes inputs such as Isolation Type and Comments. So, these can be provided in screen 3 specifically against individual selected implementations as applicable. | |
| Run Additional Actions | Screen 1 – Select Implementations and Screen 3 – Implementation specific inputs are applicable. Run Additional Actions Host takes different inputs for different implementations. There are no common inputs for this capability currently. For example, when the Analyst selects FireEye HX Standard Investigative Details Script, FireEye HX Triage Acquisition and Crowdstrike Falcon Insight reg unload, the inputs vary. FireEye HX Standard Investigative Details Script and FireEye HX Triage Acquisition take Comments as the input that could be different for both. Crowdstrike Falcon Insight reg unload takes Subkey as the input. So, these can be provided in screen 3 specifically against individual selected implementations as applicable. Note: Currently, only single selection of implementation is supported. In future releases, multi-selection of implementations will be supported. | |