Manage security threats using the Security Analyst Workspace

  • Release version: Yokohama
  • Updated January 30, 2025
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Manage security threats using the Security Analyst Workspace

    The Security Analyst Workspace in Security Incident Response provides a modern, purpose-built interface to help security analysts efficiently manage and investigate security incidents. It includes tools like playbooks, peek views, and a tabbed interface to handle multiple incidents, significantly reducing investigation time and helping prevent breaches.

    Show full answer Show less

    Prerequisites

    • Your ServiceNow instance must be at least London Patch 3 or later.
    • Appropriate roles must be assigned to users.
    • The Security Incident Response UI application must be downloaded from the ServiceNow Store.
    • Instances running versions earlier than London Patch 3 must request the UI plugin through the HI Customer Service system.

    Access and Navigation

    Access the workspace via Security Incident > Incidents (New UI). It opens in a separate browser tab, offering a clean environment optimized for security incident handling.

    Key Features

    • Quick Filters: Easily filter security incidents based on predefined or custom criteria to quickly locate relevant cases. Users can select up to six filters and customize which appear on the list screen.
    • Personalized Incident List: Customize and sort the incident list to suit your analysis preferences for faster workflow.
    • Peek View: Preview critical incident information without fully opening the record, enabling quick insights and on-the-fly updates such as assignment changes.
    • Quick Actions: Perform rapid updates like editing records, managing attachments, and composing emails directly within the workspace. Email templates with variable fields allow standardized communication, and all email interactions are logged in the Incident Timeline.
    • Tabbed Interface: Work on multiple security incidents simultaneously by opening each in separate tabs, facilitating comprehensive threat analysis from multiple sources.
    • Incident Tabs: Each incident record includes three tabs:
      • Overview: Displays customizable tiles with key incident data in one consolidated view.
      • Explore: Configure and pin tiles to the Overview tab, including observables, threat lookups, security scan results, domain lookups, and more.
      • Incident Timeline: Tracks all actions taken on the incident, supports manual worknote entries, and can be filtered to show specific activities.
    • Playbook Integration: Utilize built-in Security Analyst Playbooks for guided, step-by-step resolution of common threats like phishing and malicious code, ensuring standardized response procedures.

    Benefits for ServiceNow Customers

    This workspace empowers security analysts to efficiently manage increasing volumes of security data with powerful filtering and multi-tasking capabilities. The integration of automated actions and playbooks speeds up investigations, reducing the risk of breaches. Centralized communication and tracking support clear collaboration and audit trails. Customization options allow teams to tailor the environment to their operational needs, increasing productivity and effectiveness in threat response.

    Security Incident Response includes a new user interface called the Security Analyst Workspace that features powerful tools for assisting in analysis, including the playbook, peek view, and tabs for working on multiple security incidents.

    Purpose-built for security analysts, the powerful tools in the Security Analyst Workspace allow you to analyze the ever-growing volume of data associated with security incidents. And automated actions significantly reduce the security incident investigation time, which can be the difference between stopping an attack and suffering a breach.

    Before using the Security Analyst Workspace

    Before you can begin using the Security Analyst Workspace, you must ensure that your instance has at least London Patch 3 installed, you have the correct roles defined, and have downloaded the Security Incident Response UI application from the ServiceNow Store.
    Note:
    If your instance is running a version earlier than London Patch 3, you must request the Security Incident Response UI plugin through the HI Customer Service system.

    Access the Security Analyst Workspace

    To access this new workspace, navigate to Security Incident > Incidents (New UI).

    Figure 1. Security Incident
    Security Incident navigation bar

    The workspace opens in a separate browser tab.

    Figure 2. Security incidents
    All open Security Incidents

    Locate the security incidents you want to analyze with Quick Filters

    The Security Analyst Workspace provides several tools for filtering the list of security incidents so you can quickly find the security incidents you want to analyze. The Quick Filters let you select a subset of the security incidents based on criteria in the filter.
    Figure 3. Quick filters
    Quick filters

    Simply click the quick filter you want to use.

    Note:
    You can click an Edit button to identify which quick filters you want displayed on the list screen. A minimum of one filter must be selected, up to a maximum of six.

    You can define additional quick filters, as well as primary filters for the Security Analyst Workspace, using the classic environment. For more information, see Set up primary and secondary filters for Security Analyst Workspace.

    Personalize the security incident list

    As with all lists in your instance, the Security Analyst Workspace provides tools for personalizing the list and sorting the information displayed to meet your analysis needs.
    Figure 4. Personalize the security incident list
    Security incident list filtering options

    Save time with Peek view

    Before opening a security incident record, you can save time using the Peek view. This feature allows you to quickly locate vital security artifacts without having to reload the entire page. Simply click the > icon to the left of a security incident number to take a peek.

    Figure 5. Peek view
    Security incident showing the peek view
    The peek view provides a snapshot of vital information in a single view. This view can save valuable time when you are working with multiple incidents. You can click the down arrows on certain fields to make on-the-fly updates, such as assigning an assignment group or a specific analyst.
    Figure 6. Peek view details
    Peek details

    Perform quick actions on a security incident

    After you have selected and opened a specific security incident, you can perform time-saving actions on the record.
    • If you security incident is open, click the Edit Record icon to make quick changes to any of its fields. If the record is closed, you can change only its tag.
    • Click Manage Attachments to attach files to the security incident. You can also download or remove attached files and edit the encryption applied to the attachments.
    • Click Compose Email to send a quick email to a colleague. Emails can be free-form, or you can send canned emails selected from a list of templates. Emails sent and replies received are captured in the Incident Timeline.
      Note:
      You can create custom templates that contain reusable content for emails and email notifications. Variables can be used for inserting information specific to the security incident or alert, such as the subject line, priority, or threat category. Use the Security Incident [sn_si_incident] table for emails and email notifications related to Security Incident Response. For more information, see Email templates
    • Click More to view a quick snapshot of the security incident, such as the description, business impact, and priority. You can also click the down-arrow in the Assignment group and Assigned to fields to make on-the-fly changes to those fields.
    Figure 7. Assignment group
    Quick actions

    Work with multiple security incidents

    The tabbed interface allows you to keep several security incidents open simultaneously so you can switch between them with a single click. This can save time and allow you to see the big picture when threats from multiple sources are identified.
    Figure 8. Work with multiple security incidents
    Security incident tabbed interface

    View analysis information in the security incident tabs

    When you open a security incident record, three tabs are shown:
    • Overview
    • Explore
    • Incident Timeline

    Overview tab

    Use the Overview tab to view information in a security incident in a single location. No need to open another application or console.
    Figure 9. Overview
    Overiew tab
    The tiles that are displayed on the Overview tab are customizable. You can collapse and expand them as needed, and you can move them around by dragging the Grip icon. Click the More options icon to delete a tile or change its heading text.
    Figure 10. Overview tab
    Getting around the Overview tab.

    Explore tab

    Configure the tiles displayed on the Overview tab using the Explore tab. Simply select the tiles you want to view from the left-hand pane, and click the Pin icon. Pinned tiles automatically appear in the Overview tab.
    Figure 11. Expore tab
    Pin to Overview
    The left-hand pane of the Explore tab includes a wide variety of information that you can display on the Overview tab. For example, expand Observables to display these related lists.
    • Observables
    • Threat Lookup Results
    • Security Scan Results
    • Domain Lookups
    • Observable Enrichment

    Additional related lists are available under Users, Configuration Items, and Incidents.

    Incident Timeline tab

    Use the Incident Timeline tab during your investigation for tracking purposes. Every time an action is performed on a security incident, the system records it in the Incident Timeline.
    • You can also manually add worknotes to the timeline by typing them in the Add work notes box and clicking Post.
    • You can search for a specific timeline activity using the Search box.
    • The Filter Activity icon allows you to display only the types of timeline activity you want to see (for example, only incidents created by a specific analyst).
    • You can add or remove the Incident Timeline from the Overview tab using the Pin/Unpin icon.
    Figure 12. Incident Timeline tab
    Incident Timeline

    Handle security incidents using the Playbook

    Resolve certain types of security threats in a step-by-step manner using the built-in Security Analyst Playbooks. For example, an analyst can use the playbook to resolve phishing attacks and threats caused by malicious code activities. For more information, see Resolve security threats with the playbook.