Key Components of a Security Incident Record

• Security incident number: Displays the unique identifier for the incident.
• Short description: A brief summary visible above the form banner.
• Form banner: Read-only key fields including Category, Priority, Risk score, State, and assignment details, with support for platform tags.
• Security tags: Shows tags related to the incident for classification.
• Overview: Snapshot of incident details such as description, business impact (asset and user criticality), threat intelligence (observables by finding/type), response tasks, and related incidents.
• Details tab: Displays the full security incident form with classic UI fields.
• Investigation tab: Provides an investigation experience canvas for analysts to track and analyze incident data.
• Playbook tab: Displays automated response playbooks triggered via Process Automation Designer (PAD) based on set conditions.
• Response Tasks: Lists all tasks associated with the incident response.
• Related Records: Groups related lists such as business impact and threat intelligence for easy navigation.
• Other Records: Displays IT records including change requests, incidents, problems, outages, and emails linked to the incident.
• Post Incident Review tab: Available when the incident enters the Review state, containing assessments and reports.
• Contextual menu: Provides quick access to actions like Activity Stream, Playbook, Analyst Assist, Runbook Templates, and Attachments across all tabs.
• Form UI actions: Located at the top right of the form, enabling actions such as discussing, saving, creating tasks, sending emails, linking to major incidents, promoting incidents, associating MITRE ATT&CK techniques, switching UI views, and deleting records.

Security Incident Response Workspace Features

• Investigation Canvas: Orchestrates activities for detailed incident analysis.
• Response Tasks: Centralized view and management of all response-related tasks.
• Other Records: Consolidates related IT and email records to provide full incident context.
• Post Incident Review: Facilitates formal review processes once the incident is resolved.
• Edit Related Records: Allows inline editing of related records without leaving the current workspace.
• TISC Integration: Integrates Threat Intelligence Security Center data directly within the workspace for enriched threat context.
• Reporting: Access to all incident-related reports for analysis and sharing.
• Collaboration: Enables communication with analysts and affected users via conference calls or chat.

Visualization Tools

• Relationship Graph: Visualizes connections between a security incident and related items for comprehensive context analysis.
• MITRE ATT&CK and Defend Technique Graph: Interactive node-based visualization of attack and defense techniques linked to the incident for deeper threat understanding.

Practical Benefits for ServiceNow Customers

This structured and feature-rich security incident record enables security teams to:

• Quickly access and update critical incident information.
• Leverage automated playbooks to streamline response actions.
• Coordinate incident investigations efficiently through integrated canvases and task management.
• Enhance threat analysis with integrated threat intelligence and visual tools.
• Collaborate seamlessly with stakeholders using built-in communication channels.
• Conduct thorough post-incident reviews to improve future response strategies.