Security Incident Response integration with Zscaler release notes

  • Release version: Store
  • Updated June 11, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Security Incident Response integration with Zscaler release notes

    The Security Incident Response integration with Zscaler enhances ServiceNow's capability to manage and automate security incident workflows by integrating with Zscaler's cloud security platform. This integration enables analysts to perform reputation lookups, manage URL/IP/domain block and allow lists, trigger approval workflows, and handle sandbox report lookups directly within ServiceNow. It also supports creating security incidents from Patient 0 alerts, improving incident detection and response.

    Show full answer Show less

    Key Features

    • Reputation Lookups: Analysts can trigger URL, IP, and domain reputation lookups to assess threats effectively.
    • Block/Allow List Management: Ability to add or remove URLs, IPs, and domains to tenant-specific block or allow lists, including configurable approval workflows.
    • Configurable Approvals: Separate approver sets can be specified for adding or removing observables, enhancing control over list modifications.
    • Automated Observable Management: Features like automatic removal of observables from deny lists when added to allow lists prevent conflicts.
    • Sandbox Report Integration: Analysts can retrieve and store sandbox reports for MD5 hashes within incidents.
    • Incident Creation from Alerts: Supports ingestion of Patient 0 alerts and automatic creation of security incidents for faster response.
    • Flow Designer Migration: Workflows have been migrated to ServiceNow’s Flow Designer, enabling smoother automation and easier maintenance.
    • Enhanced Security Controls: Upgraded dictionary fields to strict read-only and fixed ACL misconfigurations to prevent unauthorized changes.

    Fixes and Improvements

    • Resolved access issues for Security Analysts querying tables.
    • Fixed false failure reports in flows when observables were already blocked or allowed.
    • Corrected duplication of approver records and approval flow failures for deny list management.
    • Addressed sandbox submission errors by improving data validation and error handling.
    • Fixed URL validation regex issues and continuous threat lookup execution without observables.
    • Improved navigation from security incident activities to Flow Designer.
    • Corrected timing issues in Zscaler URL category list entry activation statuses.
    • Enhanced logging and fixed localization issues within the Zscaler integration scope.

    What ServiceNow Customers Can Expect

    Customers leveraging this integration can expect streamlined security incident workflows with direct Zscaler threat intelligence and control capabilities within their ServiceNow environment. The integration supports efficient threat management through automated lookups, list management with approvals, and incident creation from critical alerts. Regular updates have focused on fixing workflow errors, improving security around configuration and access, and enhancing user experience by adopting ServiceNow’s Flow Designer. This ensures a robust, secure, and maintainable integration that helps improve overall incident response effectiveness.

    Version history for the Security Incident Response integration with Zscaler on the ServiceNow Store.

    Important:
    For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.

    Version history

    Version 11.2.4 - June 2026
    • Fixed:
      • Access issues for Security Analyst while querying tables.
      • Flows reporting false failures when the Observable was already blocked or allowed.
    Version 11.2.3 - February 2026
    Fixed: Populating observable category listing from Zscaler.
    Version 11.2.2 - December 2025
    • New:
      • Upgraded dictionary-level read-only fields to Strict Read-Only to enhance security and prevent unauthorized changes.
      • This update ensures the server consistently enforces read-only behavior across all UIs, scripts, and integrations.
    Version 11.1.11 - August 2025
    • Fixed:
      • Resolved an issue where the 'Zscaler Remove from URL Category' sub-flow was incorrectly left in draft state, preventing proper execution in production workflows. The sub-flow is now correctly published and active.
      • Addressed a sandbox submission failure for Zscaler integrations where the system encountered error Cannot read property "Type" from undefined, errorCode:1. Root cause was due to missing data validation in sandbox processing. The fix ensures proper error handling and data validation to prevent runtime failures during submission.
    Version 11.1.3 - February 2025
    • Fixed:
      • Resolved the issue where the 'Approval for Add to DenyList' flow was failing.
      • Corrected the duplication of Approver records for the DenyList.
    Version 11.1.1 - November 2024
    New: Migrated Workflows to Flow Designers flows. This update ensures a smoother transition and leverages the improved capabilities of Flow Designers.
    Version 11.1.0 - August 2024
    New: The Zscaler integration is improved to provide configurable options for specifying different sets of approvers for both adding and removing observables.
    Version 11.0.17 - May 2024
    New: Implemented the "Remove the observable from Denylist if present" checkbox when the same observable exists in the allow list and the analyst is trying to add the same observable to the Denylist again and vice versa.
    Version 11.0.14 - February 2024
    • Fixed:
      • Added approval for Allowlist/Denylist in the activities section for the Security Incidents.
      • The Findings field now displays all the observables.
    Version 11.0.13 - December 2023

    Fixed: Addressed the security issues related to the misconfiguration of table/field ACLs within the com.snc.secops.zscaler plugin.

    Version 11.0.12 - November 2023
    • Fixed:
      • The Zscaler URL validator regex had issues with some URLs.
      • Threat lookup runs continuously even when there are no observables.
    Version 11.0.9 - August 2023
    Fixed: Fixed an issue that prevented users from navigating to the flow designer when clicking from the security incident activity.
    Version 11.0.7 - May 2023
    Fixed: Zscalar Integration creates an entry in the Zscaler URL Category List Entries table that immediately moves to the active state is ServiceNow, even if the record in the Zsclaer app is queued for activation.
    Version 11.0.6 - February 2023
    Fixed: Zscaler integration is restricted from adding valid URL types.
    Version 11.0.3 - November 2022
    • Changed: Utah Mandate: changed app-sec-parent version to 5.0.0.77
    • Fixed:
      • Zscaler capability implementation records are not getting created in the Zscaler application scope.
      • Localization issues.
      • Filter Configurations for Zscaler capability are configured as capability-level filter conditions.
      • Improve the logging for Zscaler integration.
    Version 11.0.2 - October 2021
    • Fixed:
      • Fixed the issue with adding observables to a custom category
      • Added additional password-related policies
    Version 11.0.0 - June 2021
    • Threat Look Up Analyst will be able to trigger reputation lookup’s on URL/IP/Domain
    • Block/Allow URLs/IPs/Domain Analyst will be able to add URLs/Ips/Domain to tenant specific Block List/Allow List or other URL categories Support for periodic removal of entries from the list based on expiration value Support for Approval workflow Sandbox Report Look Up Analyst will be able to look up Sandbox report of MD5 hash and store it against the incident
    • Create Security Incident out of Patient 0 alerts Support for ingestion of patient 0 alerts and create security incidents out of them