Unified experience capabilities and modal screens

  • Release version: Australia
  • Updated March 12, 2026
    The following table describes the capabilities and applicable screens.

    Table 1. Capabilities and applicable screens
    Capability | UX framework screens applicable | Integrations supported
    Run Threat Look Up

    Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Run Threat Look Up.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.

    • VirusTotal
    • Hybrid Analysis
    • Security Incident Response Integration with Zscaler
    • PhishTank
    • MetaDefender
    • ThreatCrowd
    • Have I Been Pwned?
    • CrowdStrike Falcon Intelligence
    Run Observable Enrichment

    Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Run Observable Enrichment.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.

    • MISP
    • Microsoft Defender Endpoint
    • Shodan
    • RiskIQ
    • WHOIS
    • Reverse WHOIS
    Run Sighting Search/Run Web Sighting Search/Run Email Sighting Search

    Screen 1 – Select Implementations and Screen 2 – Common Inputs are applicable.

    Sighting search takes date and time frequency as common inputs across multiple implementations of Splunk and other integrations.

    Screen 2 is presented to the Security Analyst to capture the date and time frequencies.

    For integrations that don’t require these inputs, for example FireEye HX, the inputs are ignored. After selecting one or more implementations and providing common inputs, the Security Analyst will be able to submit the action.

    • Splunk-incident Enrichment
    • Carbon Black
    • Elasticsearch
    • FireEye HX
    • McAfee ESM
    • MSFT Defender for endpoint
    • Splunk Sighting
    • QRadar sighting search
    • MISP
    Submit to Sandbox

    Screen 1 – Select Implementations and Screen 3 – Implementation specific inputs are applicable.

    Submit to Sandbox takes different inputs for different implementations. There are no common inputs for this capability currently.

    For example, when the Analyst selects CrowdStrike Falcon X Quick Scan, CrowdStrike Falcon X Windows 64, CrowdStrike Falcon X Linux, and Zscaler, the inputs vary. CrowdStrike Falcon X Quick Scan and Zscaler don’t need further run time inputs. CrowdStrike Falcon X Windows 64 takes optional run time inputs that differ from those of CrowdStrike Falcon X Linux. So, these can be provided in screen 3 specifically against individual selected implementations as applicable.

    • CrowdStrike Falcon X Sandbox Integration
    • Security Incident Response Integration with Zscaler
    Publish to Watchlist

    Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Publish to Watchlist.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.

    • CrowdStrike Falcon Host
    Allow/Block Request

    Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Allow/Block Request.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.

    • Palo Alto Network NGFW
    • Check Point NGFW
    • Security Incident Response Integration with Zscaler
    Get Host Details

    Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Get Host Details.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.

    • FireEye HX
    • Microsoft Defender for Endpoint
    Get File

    Screen 1 – Select Implementations and Screen 2 – Common Inputs are applicable.

    Get File takes the file name and path as common inputs. After selecting one or more implementations and providing common inputs, the Security Analyst will be able to submit the action.

    • FireEye HX
    Get Network Statistics

    Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Get Network Statistics. So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.

    • FireEye HX
    • NetStat
    Get Running Processes

    Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Get Running Processes.

    So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.

    • FireEye HX
    • Carbon Black
    • System Command
    Get Running Services

    Only Screen 1 – Select Implementations is applicable.

    There are no common inputs or implementation specific inputs applicable for Get Running Services.

    So, only screen 1 is presented to the Analyst to select one or more implementations. After selecting the implementations, the Analyst will be able to submit the action.

    • FireEye HX
    Isolate Host / Un-Isolate Host

    Screen 1 – Select Implementations and Screen 3 – Implementation specific inputs are applicable.

    Isolate Host/Un-isolate Host takes different inputs for different implementations.

    There are no common inputs for this capability currently. For example, when the Analyst selects FireEye HX and Microsoft Defender for Endpoint, the inputs vary.

    FireEye HX doesn’t need run time inputs. On the other hand, Microsoft Defender takes inputs such as Isolation Type and Comments.

    So, these can be provided in screen 3 specifically against individual selected implementations as applicable.

    • FireEye HX
    • Microsoft Defender Endpoint
    • Carbon Black
    Run Additional Actions

    Screen 1 – Select Implementations and Screen 3 – Implementation specific inputs are applicable.

    Run Additional Actions takes different inputs for different implementations. There are no common inputs for this capability currently.

    For example, when the Analyst selects FireEye HX Standard Investigative Details Script, FireEye HX Triage Acquisition and CrowdStrike Falcon Insight reg unload, the inputs vary.

    FireEye HX Standard Investigative Details Script and FireEye HX Triage Acquisition take Comments as the input, which can differ between the two. CrowdStrike Falcon Insight reg unload takes Subkey as the input.

    So, these can be provided in screen 3 specifically against individual selected implementations as applicable.
    Note:
    Currently, only a single implementation can be selected. Multi-selection of implementations will be supported in future releases.
    • FireEye HX
    • Microsoft Defender for Endpoint
    • CrowdStrike Falcon Insight