Manage security threats using the Security Analyst Workspace

  • Release version: Australia
  • Updated March 12, 2026

    Security Incident Response includes a new user interface called the Security Analyst Workspace that features powerful tools for assisting in analysis, including the playbook, peek view, and tabs for working on multiple security incidents.

    Purpose-built for security analysts, the powerful tools in the Security Analyst Workspace allow you to analyze the ever-growing volume of data associated with security incidents. Automated actions also significantly reduce security incident investigation time, which can be the difference between stopping an attack and suffering a breach.

    Before using the Security Analyst Workspace

    Before you can begin using the Security Analyst Workspace, you must ensure that your instance has at least London Patch 3 installed, that you have the correct roles defined, and that you have downloaded the Security Incident Response UI application from the ServiceNow Store.
    Note:
    If your instance is running a version earlier than London Patch 3, you must request the Security Incident Response UI plugin through the HI Customer Service system.

    Access the Security Analyst Workspace

    To access this new workspace, navigate to Security Incident > Incidents (New UI).

    The workspace opens in a separate browser tab.

    Locate the security incidents you want to analyze with Quick Filters

    The Security Analyst Workspace provides several tools for filtering the list of security incidents so you can quickly find the security incidents you want to analyze. The Quick Filters let you select a subset of the security incidents based on criteria in the filter.

    Simply click the quick filter you want to use.

    Note:
    You can click an Edit button to identify which quick filters you want displayed on the list screen. A minimum of one filter must be selected, up to a maximum of six.

    You can define additional quick filters, as well as primary filters for the Security Analyst Workspace, using the classic environment. For more information, see Set up primary and secondary filters for Security Analyst Workspace.

    Personalize the security incident list

    As with all lists in your instance, the Security Analyst Workspace provides tools for personalizing the list and sorting the information displayed to meet your analysis needs.

    Save time with Peek view

    Before opening a security incident record, you can save time using the Peek view. This feature allows you to quickly locate vital security artifacts without having to reload the entire page. Simply click the > icon to the left of a security incident number to take a peek.

    The peek view provides a snapshot of vital information in a single view. This view can save valuable time when you are working with multiple incidents. You can click the down arrows on certain fields to make on-the-fly updates, such as assigning an assignment group or a specific analyst.

    Perform quick actions on a security incident

    After you have selected and opened a specific security incident, you can perform time-saving actions on the record.
    • If your security incident is open, click the Edit Record icon to make quick changes to any of its fields. If the record is closed, you can change only its tag.
    • Click Manage Attachments to attach files to the security incident. You can also download or remove attached files and edit the encryption applied to the attachments.
    • Click Compose Email to send a quick email to a colleague. Emails can be free-form, or you can send canned emails selected from a list of templates. Emails sent and replies received are captured in the Incident Timeline.
      Note:
      You can create custom templates that contain reusable content for emails and email notifications. Variables can be used for inserting information specific to the security incident or alert, such as the subject line, priority, or threat category. Use the Security Incident [sn_si_incident] table for emails and email notifications related to Security Incident Response. For more information, see Email templates.
    • Click More to view a quick snapshot of the security incident, such as the description, business impact, and priority. You can also click the down-arrow in the Assignment group and Assigned to fields to make on-the-fly changes to those fields.

    Work with multiple security incidents

    The tabbed interface allows you to keep several security incidents open simultaneously so you can switch between them with a single click. This can save time and allow you to see the big picture when threats from multiple sources are identified.

    View analysis information in the security incident tabs

    When you open a security incident record, three tabs are shown:
    • Overview
    • Explore
    • Incident Timeline

    Overview tab

    Use the Overview tab to view information in a security incident in a single location. No need to open another application or console.

    The tiles that are displayed on the Overview tab are customizable. You can collapse and expand them as needed, and you can move them around by dragging the Grip icon. Click the More options icon to delete a tile or change its heading text.

    Explore tab

    Configure the tiles displayed on the Overview tab using the Explore tab. Simply select the tiles you want to view from the left-hand pane, and click the Pin icon. Pinned tiles automatically appear in the Overview tab.

    The left-hand pane of the Explore tab includes a wide variety of information that you can display on the Overview tab. For example, expand Observables to display these related lists.
    • Observables
    • Threat Lookup Results
    • Security Scan Results
    • Domain Lookups
    • Observable Enrichment

    Additional related lists are available under Users, Configuration Items, and Incidents.

    Incident Timeline tab

    Use the Incident Timeline tab during your investigation for tracking purposes. Every time an action is performed on a security incident, the system records it in the Incident Timeline.
    • You can also manually add work notes to the timeline by typing them in the Add work notes box and clicking Post.
    • You can search for a specific timeline activity using the Search box.
    • The Filter Activity icon allows you to display only the types of timeline activity you want to see (for example, only incidents created by a specific analyst).
    • You can add or remove the Incident Timeline from the Overview tab using the Pin/Unpin icon.

    Handle security incidents using the Playbook

    Resolve certain types of security threats in a step-by-step manner using the built-in Security Analyst Playbooks. For example, an analyst can use the playbook to resolve phishing attacks and threats caused by malicious code activities. For more information, see Resolve security threats with the playbook.