Working with Security Incident Records

  • Release version: Yokohama
  • Updated January 30, 2025
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Working with Security Incident Records

    The Security Incident Record in ServiceNow Yokohama release provides a comprehensive interface to manage and investigate security incidents. It includes key components such as incident identification, descriptions, categorization, and assignment details, all designed to support security analysts in incident response and resolution.


    Key Components of a Security Incident Record

    • Security Incident Number: Displayed on the tab for easy reference.
    • Short Description: A brief summary shown above the form banner.
    • Form Banner: Read-only section showing critical fields like Category, Priority, Risk Score, State, and assignment details, with support for platform tags.
    • Security Tags: Displays tags associated with the incident.
    • Overview: Provides a snapshot of Description, Business Impact, Threat Intelligence, Response Tasks, and related incidents.
    • Details: Shows the full incident form.
    • Investigation: Supports detailed investigation workflows.
    • Playbook: Triggered via Process Automation Designer to automate response processes.
    • Response Tasks: Lists all tasks related to incident response.
    • Related Records: Groups related lists such as business impact and threat intelligence for streamlined navigation.
    • Other Records: Displays IT-related records like change requests, incidents, and emails.
    • Post Incident Review: Appears when the incident reaches the Review state, containing assessments and reports.
    • Contextual Menu: Offers quick access to actions like Activity Stream, Playbook, Analyst Assist, and attachments across all tabs.
    • Form UI Actions: Provides numerous actions such as creating related tasks, sending emails, running workflows, linking to major incidents, and more.

    Security Incident Response Workspace Features

    • Orchestration Activities: Enables analysts to interact with the investigation canvas and perform applicable actions.
    • Response Tasks and Other Records: Centralized display of all response tasks and related IT records for efficient incident handling.
    • Post Incident Review: Facilitates structured incident closure with assessments and reports.
    • Edit Related Records: Allows updating of related records directly from the workspace without losing context.
    • TISC Integration: Incorporates Threat Intelligence Security Center data within the workspace for enriched analysis.
    • Reports: Provides access to all incident-related reports for analysis and sharing.
    • Collaboration: Supports communication via conference calls or chat among analysts and affected users.
    • Relationship Graphs: Visualize connections between incidents and related entities for comprehensive context understanding.
    • MITRE Attack and Defend Technique Graph: Interactive visualization of attack and defense techniques linked to the incident.
    • Incident Timeline: Chronological event view with filtering options to focus on relevant activities.

    Practical Benefits for ServiceNow Customers

    Using the Security Incident Record and Response Workspace enables customers to efficiently manage security incidents with enhanced visibility, automated workflows, and integrated threat intelligence. It supports collaboration, detailed investigation, and structured post-incident reviews to improve response times and decision-making. The visual tools and contextual menus streamline analyst workflows, helping teams quickly understand incident context and take appropriate actions.

    The Security Incident Record consists of the following.

    Key components available on a security incident record:
    Figure 1. Key components of a security incident
    1. Security incident number: The security incident number is shown on the tab name.
    2. Short description: A short description of the security incident, displayed above the form banner.
    3. Form banner: A read-only section containing the key fields such as Category, Priority, Risk score, State, and the incident assignment details.
       Note: The regular platform tags can be applied here as well.
    4. Security tags: Displays the security tags associated with the security incident.
    5. Overview: Provides a snapshot of the security incident: Description; Business Impact, comprising asset details by type and affected users by criticality; Threat Intelligence items, comprising observables by finding and by type; Response Tasks; and Related Security Incidents, comprising child security incidents and similar security incidents.
    6. Details: The Details tab displays the security incident form.
    7. Investigation: The Investigation tab displays the incident investigation experience.
    8. Playbook: A playbook is triggered through Process Automation Designer (PAD). When a process is created in PAD and its trigger condition is set for a security incident, the playbook appears on this tab.
    9. Response Tasks: Captures all the response tasks associated with the security incident.
    10. Related Records: Consists of all the related lists from the classic UI. The related lists are grouped under sections such as business impact, threat intel, and so on, for easy navigation.
    11. Other Records: Consists of IT records such as change requests, incidents, and emails, grouped and displayed in this section.
    12. Post Incident Review tab: When the security incident progresses to the Review state, the Post Incident Review tab is displayed with the post-incident assessments and reports.
    13. Contextual menu: Provides easy access to the quick actions and is available across all the tabs, so the analyst can reach them whenever required. The contextual menu provides easy navigation to multiple resources such as:
       1. Activity Stream
       2. Playbook
       3. Analyst Assist
       4. Runbook
       5. Templates
       6. Attachments
    14. Form UI actions: The security incident form UI actions are displayed on the top right of the incident form. The available form UI actions are:
       • Discuss
       • Save
       • Create Response Task
       • Compose Email
       • Add Playbook
       • Open Associated Workflow(s)
       • Create Incident
       • Create Problem
       • Create Change Request
       • Create Outage
       • Calculate Severity
       • Link to Major Security Incident
       • Propose as Major Security Incident
       • Promote to Major Security Incident
       • Run Additional Action(s) on Endpoint
       • Associate MITRE ATT&CK Technique
       • Switch to Classic UI
       • Add to Security Case
       • Delete

    For more information, see Working with Form UI actions.