Key Components of a Security Incident Record

• Security Incident Number: Displayed on the tab for quick identification.
• Short Description: A brief summary shown above the form banner.
• Form Banner: Read-only section with key fields such as Category, Priority, Risk Score, State, and Assignment details; supports platform tags.
• Security Tags: Displays tags linked to the incident for categorization and filtering.
• Overview: Snapshot including Description, Business Impact (assets and affected users), Threat Intelligence items (observables), Response Tasks, and related incidents.
• Details: The core form for detailed incident information.
• Investigation: Provides the investigation experience for analysts.
• Playbook: Triggered via Process Automation Designer when configured, guiding automated or manual response processes.
• Response Tasks: Lists all tasks associated with the incident response.
• Related Records: Groups related lists from the classic UI, organized for easy navigation (e.g., business impact, threat intel).
• Other Records: Displays IT records like change requests, incidents, and emails linked to the incident.
• Post Incident Review: Appears when the incident moves to Review state, containing assessments and reports.
• Contextual Menu: Provides quick access to actions and resources such as Activity Stream, Playbooks, Analyst Assist, Runbook Templates, and Attachments.
• Form UI Actions: Actions available on the form’s top right, including creating response tasks, composing emails, linking incidents, promoting to major incidents, and more, enabling streamlined workflow management.

Security Incident Workspace Features

• Orchestration: Enables viewing of the investigation canvas and performing applicable actions within the workspace.
• Response Tasks and Other Records: Centralized display of all tasks and IT-related records such as incidents, changes, problems, and outages.
• Post Incident Review: Facilitates capturing and managing reviews once incidents progress to the Review state.
• Direct Editing: Allows updating related records directly from the Related Records tab without losing context.
• TISC Integration: Integrates Threat Intelligence Security Center content within the workspace for enriched incident context.
• Reports: Access to all incident-related reports for analysis and sharing.
• Collaboration: Supports communication via conference calls or chat with analysts and affected users directly in the Security Incident Response application.
• Relationship Graph: Visualizes connections between the incident and related items to aid comprehensive analysis.
• MITRE Attack and Defend Technique Graph: Interactive visualization of attack and defense techniques linked to the incident.
• Incident Timeline: Shows chronological events with filtering options to focus on relevant activities.

Practical Benefits for ServiceNow Customers

This structured and feature-rich interface enables security teams to efficiently track, analyze, and respond to security incidents. By leveraging automation through playbooks, integrated threat intelligence, and collaborative tools, customers can improve incident resolution times and maintain thorough documentation and post-incident assessments. The capability to view related records and visualize incident context supports informed decision-making and risk reduction.