Security Incident Response - Workshop Presentation

Uploaded by Puneeth Kumar

Security Incident Response

Workshop Presentation

Asset number: 0001551


April 2025

© 2025 ServiceNow, Inc. All Rights Reserved


User Instructions
PLEASE REMOVE THIS SLIDE BEFORE PRESENTING

To help our community of ServiceNow implementers (i.e. Business Process Analysts, Platform Architects, and Technical Consultants) across our customers, partners and internal Expert Services teams deliver effective workshops for gathering requirements for setting up the tool:
• Review the slides for any interactive animations
• Hide slides you do not intend to present
• Provide feedback and subscribe on Now Create content
• Are we breaking any copyright laws if we use these slides?
  – No. We designed this deck to be used by the entire ServiceNow ecosystem
• Use Slide Master to update or remove “Partner Logo” in the footer image
• Add Demo slides where needed
Agenda

• Workshop Kickoff
• Security Incident Response Overview
• Architecture and High-Level Processes
• Setup and Configuration
• Demo
• Requirement Gathering
• Wrap up & Next Steps


Introductions

• Customer project team


– Name, Title
– Name, Title
• Partner project team
– Name, Title
– Name, Title
• ServiceNow project team
– Name, Title
– Name, Title
Housekeeping

Note for virtual/hybrid workshops: update depending on which application you are using to run your workshop.

01 Time
• We’ll aim to start and finish on time
• Breaks will be taken as needed; approximately every 1-2 hours
• Please return from breaks and lunch promptly; if late, please catch up during breaks or after the workshop
• More than 3 seconds’ silence = concurrence with the point made
• All phones on vibrate, and make sure you mute your microphone when not contributing to the discussion

02 Presence
• If you are comfortable, please keep your webcam on
• Please let the host know if you need to leave the workshop, via the chat (virtual)
• Avoid the temptation to multitask while in the workshop

03 Collaboration
• Maintain a positive atmosphere – everyone’s ideas are valued
• Please wait for one speaker to finish. Feel free to raise your hand if you would like to make a point
• Discussion topics needing greater detail will be recorded in a “Parking Lot” for later resolution
• Everyone’s ideas are valued
• Have fun!
Security Incident Response

Manage and automate the life cycle of your security incidents from initial prioritization to containment and resolution. Use the automated workflows to respond quickly and consistently, and understand the trends and bottlenecks with analytics-driven dashboards and comprehensive reporting systems.
Goals and Use Cases

• Manage threat exposure proactively
• Increase response efficiency and effectiveness
• Maintain cyber resilience with workflows and repeatable processes
Security Incident Response Benefits

• Integrates your security products, threat detection systems and SIEMs
• Prioritize incidents based on business impact
• Enrich incidents with Threat Intelligence
• Automation and workflows reduce manual tasks
• Major Security Incident Management
• Improve collaboration between IT, End Users, and Security Teams
• Review Post Incident Reports

Terminology

Term: Definition
Security Incident: A single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
Response Task: Tasks assigned to a security incident for tracking actions in response to the threat.
Observable: Artifacts found on a network or operating system that are likely to indicate an intrusion. Typical observables are IP addresses, MD5 hashes of malware files or URLs, or domain names.
Playbook: A plan that outlines the steps you will take in the event of a security incident.
Runbook: Used to create an association between published Knowledge Base articles and a Security Incident Response Task.
Workspace: Collections of curated, task-based workflows which empower users to complete their work easily and effectively.
Event: An observable occurrence that does not or has not yet affected the confidentiality, integrity, or availability of ServiceNow information systems, or the information systems network, but requires action.
Product Integration (diagram)

Inputs: Detection (SIEM); User reported phish; Vulnerabilities and Misconfigurations; Exploit & Solutions Intel
Platform: Orchestration; Automation; Workflows; Analytics; CMDB; Machine Learning; Workspaces; Threat Intelligence

Logos are trademarks or registered trademarks of their respective owners and not ServiceNow
Automated security incident response process

ServiceNow Security Incident Response

1 Alert – SIEM, Email
2 Create SIRs – API call creates SIR1, SIR2
3 Automatically prioritize and assign ownership – Automated CI matching; Business Criticality (CMDB) for risk prioritization; Assignment Group for ownership
4 Look up observables and determine if false positive – Threat intel lookup (automated or manual); if false positive, close out ticket
5 Run playbooks and remediate – Delete email from server; Add rule to firewall; Reimage system
6 Use orchestration to automatically handle external tasks
7 Resolve ticket – Close out ticket; Post Review

Phases: Triage – Analyze – Contain – Close


Domain Separation

• Security alerts are directed to the appropriate domain
• Integrations are configured in the domain of the security incident
• Business logic and processes that can be domain-separated:
  – Security Incident Response users and groups
  – Security Incident Response integrations
  – Email parsing rules for incident creation
  – Business rules to consolidate multiple events or alerts into a security incident
  – Workflows for incident response orchestration
  – Security incident risk score calculators
  – Security incident escalation path
  – Security incident SLAs
  – Security incident process definitions
  – Security incident post-incident review processes

(Diagram: Tenant A, Tenant B and Tenant C mapped to Domain A, Domain B and Domain C)

Domain separation enables service providers (SPs) to standardize SOC (Security Operations Center) and Security Incident Response (SIR) procedures across the customer base.
Security Incident Response Maturity Model

Levels (increasing efficiency and effectiveness with Security Incident Response maturity):

0 Manual Operations
• Spreadsheets
• Limited visibility
• Long response times

1 Basic Operations
• Automated incident creation
• Automated prioritization & assignment
• Single system of record
• Improved visibility

2 Automated Investigations
• Playbooks for critical incident scenarios
• Threat intelligence correlation
• Automated incident enrichment
• Workflow-driven, consistent processes
• Accelerated response
• Better decision making

3 Orchestrated Remediation
• Automated incident response
• Integrate with new tools easily
• Continual process improvement
• Enhanced analyst efficiency
SIR customer journey – Outcomes & metrics

Consumer: Security Analysts, CSO, CISO, Security Operations, IT Operations
(Starting here: Maturity Level 1)

Maturity Level 1 – Mindset: MODERNIZE; Phase: UNIFY RESPONSE
• Capabilities: Security Incidents; Reporting & Dashboards; Prioritization
• Value: Faster security response
• Outcomes: Automated Prioritization; Automated Assignment; Single System of record/action; Improved visibility; Increased productivity
• Metrics: # of SIEM Ingestion Integrations; # of SIR/SIT opened and closed; Review work notes; Inspect assessment rules; # of trained analysts & login frequency; Dedicated admin and manager?; # of inbound email Security Incidents

Maturity Level 2 – Mindset: TRANSFORM; Phase: BUSINESS INTEGRATION
• Capabilities: Business Risk & Impact Awareness; Reporting & Dashboards; Int. with Incident, Problem & Change
• Value: Improved situational awareness
• Outcomes: Consistent & partially automated processes; Accelerated response; Improved Decision Making; Increased Productivity; Advanced Threat Hunting; Monitor/Manage operations
• Metrics: # of workflow versions/contexts; # of configured capability impls; # of integration executions; # of SLA results – making it or not?; # of incidents closed and trend; # of incidents closed per analyst

Maturity Level 3 – Mindset: INNOVATE; Phase: INTELLIGENT AUTOMATION
• Capabilities: Threat Sharing; Automated Remediation
• Value: Enterprise protection
• Outcomes: Greatly reduce manual effort; Orchestrate 80% of tools in inf; Integrate with new tools easily; Continual Process Improvement
• Metrics: % of Workflows automated; # of configured capability impls; # of SLA results – making it or not?; Measuring MTTI/MTTR, trending; # of custom integrations
Governance

New capabilities will require new work processes, operationalization and governance.

1 Create and Document
• Create a process guide/KB Article
• Document in a Process guide:
  – Workflow processes
  – Security incident response tasks
• Communicate the new processes

2 Operationalize
• Utilize Workspaces
• Maintain integrations
• Maintain a Healthy CMDB
• Maintain Roles/Responsibilities
• Keep product updated to use latest features

3 Govern
• Establish Ownership
• Reporting
• Assure processes are followed
• Create RACI
• Meet business objectives
Current state – What’s working/what’s not?

What’s working today? What needs to improve?


Core Setup and Configuration
Security Incident Response Story Themes

Core Setup
• Install Security Incident Response & Supporting Applications
• Install Supporting Store 3rd Party Applications

UI Configuration
• Configure Security Incident Workspace
• Configure Security Incident Record

User Personas
• Identify key SIR Roles
• Apply Roles to Groups

Assignment
• Identify groups for SIR and SIRT
• Configure Assignment Rules and Escalations

Access Restriction
• Platform Administrator access / Lockout
• Security Tags

Playbook
• Identify Playbooks
• Identify Playbook Steps

Integration Setup
• Configure automated ingestion of 3rd party (SIEM, MSSP, etc.)
• Configure 3rd party Store applications

Post Incident Review
• Configure Post Incident Assessment & Post Incident Questions
• Configure Post Incident Assessment Assignment

Customer CMDB Updates
• Customer clean up of CMDB based on CI Matching requirements
• Customer updates key CMDB data

Notifications
• Identify if any notifications are necessary
• Configure Notifications

Process Definitions
• NIST Stateful, NIST Open, SANS
• Lifecycle for SIR and SIRT

Knowledge Base Access
• Identify who can view and who can contribute
• Configure knowledge base access

Record Creation
• Manual, Inbound Email, Service Catalog
• Identify key data fields for record creation

SLA
• Identify key processes that need monitoring
• Configure SLA Flow

Email Ingestion
• Setup phishing email ingestion
• Configure ingestion rules

Reports & Metrics
• Review reporting needs
• Identify process events that need monitoring

Scoring
• Identify key data points that impact the score
• Configure Risk Score Calculator

Dashboard Configuration
• Identify critical reports for the dashboards by persona
• Configure dashboards
Install Plug-ins – SIR App and Workspace

Ensure that the following plugins are installed on your instance:

• Security Incident Response UI (sn_app_secops_ui)
• Security Incident Response
  When the Security Incident plugin is activated, the following plugins are also activated:
  – Security Support Orchestration
  – Security Operations Setup Assistant
  – Threat Intelligence Support Common
  – Security Incident Response Dependencies
  Compatibility: Utah+
• Security Incident Response Workspace (sn_si_sw)
  When SIR Workspace is activated, the following plugins and others are also activated:
  – Security Operations Spoke
  – Security Case management common workspace components
  The minimum Now Platform version for standard record page support is Tokyo Patch 7.
Install Plug-ins - Playbooks

Ensure that the following plugins are installed on your instance. You need the following plugins to build the Playbooks:

• Enable or update the Workflow Studio Playbooks [sn_workflow_studio] plugin
• Enable or update the following plugins for a playbook experience:
  – Playbook Experience [com.playbook_experience]
  – Playbook Experience Components [now_playbook_exp]
  – Playbook Experience Core [com.glide.playbook_experience.config]
• Enable Security Operations spoke to access flows [com.snc.secops.spoke]
• Enterprise Security Case Management PAD Commons
• You can verify that these are installed on the System Definitions > Plugin page
Setup Assistant - Base Configurations

Leading Practice: Use Setup Assistant to step through the initial configuration.

Navigation: Security Incident > Analyst > Workspace Setup > Setup Assistant

Setup Assistant covers:
• Setup Users/Group/Roles
• Incident Escalations
• Install Integration Plugins
• Configure: Criticality and Priority; Risk Score; Service Level Agreements; Security Incident Process Definitions; Review Processes; Email Settings; Playbook Settings; Capability Configurations
Review installed Properties

Property: sn_si.default.start.time
• Usage: Default start time for all agents when no schedule is set, formatted as 08:00
• Type: string; Default value: 08:00
• Location: Security Incident > Administration > Properties
• Recommendation: Leave as is or have a business case to change

Property: sn_si.default.end.time
• Usage: Default end time for all agents when no schedule is set, formatted as 17:00
• Type: string; Default value: 17:00
• Location: Security Incident > Administration > Properties
• Recommendation: Leave as is or have a business case to change

Property: sn_si.popup
• Usage: Allow customization when creating a Problem or Change Request from a Security Incident. When a problem or change is created, this property opens a pop-up window to modify the request. If this property is set to false, the problem or change request has the same priority, short description, and description as the security incident, without the option to add or edit those fields.
• Type: true | false; Default value: true
• Location: Security Incident > Administration > Properties
• Recommendation: Decision required

Property: sn_si.refresh_impacted.event
• Usage: Calculate the Impacted services in background. The Affected Services/Impacted CIs related list is generated through events. When enabled, the refresh gets executed in the background and security tags are added to the incident. Set the value to true to perform the operation in the background.
• Type: true | false; Default value: false
• Location: Security Incident > Administration > Properties
• Recommendation: Decision required; best used if CIs are mapped to Services
Users, Groups, and Roles

User groups and persona access

Inputs:
• List of groups and users
• Security access levels required
• Current processes
• Required Restrictions (sys admin, incident record attributes)

Outputs:
• Detailed requirements in stories
• Created groups, add roles, and add members to the group
• Right-sized access to security incident details
Security: Roles & responsibilities discussion
Who fulfills these roles for the applications?

• Management: Process Owner, Process Manager, Requester
• Approvers: SOC Management, SOC Managers
• Responders: Security Analyst
Roles and Personas

Security Incident Administrator [sn_si.admin]
• Full control over all Security Incident Response data. Also administers Territories and Skills, as needed
• Security roles are only assignable by a user with the sn_si.admin role
• Note: This role can restrict access to the Security Incident application from the System Administrator
Tasks: Users that will administer the entire application suite of Security Incident and Vulnerability Response

Security Analyst [sn_si.analyst]
• Creates and updates Security Incidents, requests, and tasks, as well as problems, changes, and outages related to their incidents
• Typically assigned to tier 1 and tier 2 agents who will work on Security Incidents
Tasks: Agents that will be assigned and work on tasks

Security Basic [sn_si.basic]
• Creates and updates Security Incidents, requests, and tasks, as well as problems, changes, and outages related to their incidents
• Security Basic is the underlying role for Basic Security access
Tasks: Agents that will be assigned and work on tasks

Security Manager [sn_si.manager]
• Has the same access as Security Agents, with the additional ability to adjust business criticality calculators and view the Manager Dashboard (based on licensed PA Content)
Tasks: Users that can work/update tasks and manage group memberships

Read [sn_si.read]
• Has read-only access to Security Incidents
Tasks: Users that only need read-only access to Security Incident and/or Vulnerability Response

External [sn_si.external]
• Role for external users to view and work tasks assigned to them
• Note: Users with just the External role will be able to view Tasks, but will be restricted from viewing the Security Incident record
Tasks: Users that need read access to view and work response tasks and are not part of your organization (e.g., Vendors)

CISO [sn_si.ciso]
• Has read and write access to Security Incidents and can view and manipulate the CISO Dashboard
Tasks: Executive access to Dashboards and security incidents for review

Security Knowledge Admin [sn_si.knowledge_admin]
• Manages, updates, and deletes information in the Security Incident Knowledge Base
Tasks: Users that will administer and maintain the Knowledge Base for Security Incident and Vulnerability Response

Security Incident Integration User [sn_si.integration_user]
• External tools can provide new security incident records and update security incident records
Tasks: System role so that integrations can create security incidents
Assignment Groups

• CISO/Executives – Executive access to Dashboards and security incidents for review
• Security Analysts – Agents that will be assigned and work on tasks
• Security Managers – Users that can work/update tasks and manage Group memberships (Delegate?)
• Security Incident Administrator(s) – Users that will administer the entire application suite of Security Incident and Vulnerability Response
• Knowledge Admin – Manages, updates, and deletes information in the Security Incident Knowledge Base
Discuss your current Security Response processes

1 How do security incidents currently get assigned to a group?
2 How do security incidents get assigned to a team member in a group (Queue Management)?
3 When does a security incident get assigned to a new owner?
4 What groups should be able to be assigned security incidents?

Lock down Security Administration

• When the Security Incident Response application is activated, the System Administrator user is granted the [sn_si.admin] role by default. The System Administrator is the only administrator who can set up security groups and users
• To protect investigations and keep security incidents private, you can restrict Security Incident Response access to security-specific roles and ACLs
• Non-security administrators (System Administrators) can be restricted from access, unless you expressly allow them entry

Navigate to System Applications > Applications > Security Incident
Access controls – restriction of a security incident

• Security analysts can restrict a security incident and provide a list of groups/users who can access it
• A SOC analyst cannot modify the "Read access" and "Privilege access" fields of an existing security incident or while creating a new one. A SOC analyst would need granular roles, but these can be granted as per business need
• Security Manager is the access role that needs to see the ‘Enforce restriction’ field. A SOC Analyst cannot see this field
• Once a SI is marked as restricted, only members of the allowed groups, members of the allowed user list and users with the [sn_si.admin] role can access this security incident
• Work notes are not posted if an incident is marked as restricted
• Think about your processes and business needs when it comes to providing access
Security tag groups and tags

• You can assign tags to security incidents to create metadata on the responding record and define who should have access to specific types of security content
• The tags can be added to security groups to organize them
• Restrict access by role
• Review out-of-box security tags

(Example configuration screenshot)
Available security tag groups

Term: Definition
Enrichment allow list/deny list: This group defines whether a record is to be treated as an allow list or deny list record. Allow list records are generally of less significance, so they can be ignored. Deny list records are generally of higher interest.
Metatag: This group is provided as demo data. You can use it to create custom classification tags that are used by security operations applications.
Traffic Light Protocol: This group is used to ensure that sensitive information is shared with the correct audience. It employs four colors (White, Green, Amber, and Red) to indicate different degrees of sensitivity. For each color, you can assign the appropriate read/write access roles. When sharing observables to a trusted security circle, the tag assigned to the trusted security circle profile determines which TLP-tagged observables can be shared with the circle, as follows:
• TLP: WHITE: Only observables with TLP: WHITE can be shared with a TLP: WHITE profile.
• TLP: GREEN: Observables with TLP: GREEN and TLP: WHITE can be shared to a TLP: GREEN profile.
• TLP: AMBER: Observables with TLP: AMBER, TLP: GREEN, and TLP: WHITE can be shared to a TLP: AMBER profile.
• TLP: RED: All observables, regardless of their TLP tag, can be shared with a TLP: RED profile since TLP: RED is the highest-ranked TLP tag.
Note: You can add other TLP colors, but any in addition to the four colors included are considered not valid by the Forum for Incident Response and Security Teams.
Discuss your Security Requirements

1 Should a Security Incident Response group be able to view Security Incidents assigned to another Security group?
2 Are there any circumstances where a Security Incident should be limited to only certain Users or Groups?
3 Outside of the Security Team, which teams can create Security Incidents?
4 Do you want to restrict access to the System Administrator (Platform Admin) to protect access to sensitive information?
Workshop Activity
Roles Mapping Exercise

ServiceNow Role / Group / Users (to be filled in during the workshop):
• Security Incident Administrator [sn_si.admin]
• Security Analyst [sn_si.analyst]
• Security Basic [sn_si.basic]
• Security Manager [sn_si.manager]
• Read [sn_si.read]
• External [sn_si.external]
• CISO [sn_si.ciso]
• Security Knowledge Admin [sn_si.knowledge_admin]
Demo: Application Manager and Security Access
Integrations

Integrations – Definition

Inputs:
• 3rd party Sources
• Protocols and Triggers
• CMDB Updates

Outputs:
• Integration source and related CIs
• Integration capabilities by 3rd party
• Detailed story requirements for configuration
Product Integration (diagram repeated from the Overview section)
Integration Plugin Installs

Setup Assistant
• Select the integration based on Capabilities
• Download Plugins from the ServiceNow Store
• Install

Review and discuss the integrations you need installed and configured.
Integration Capabilities

Capability: Definition
Block Request: Blocks communication with an Observable associated with a Security Incident on a firewall, web proxy or other control point
Get Network Statistics: Retrieves a list of active network connections from a Host or Endpoint
Get Running Processes: Retrieves a list of running processes on a Configuration Item (CI) from a Host or Endpoint
Isolate Host or Endpoint: Restricts system connections to other devices
Publish to Watchlist: Adds an Observable associated with a Security Incident to a Watchlist
Sightings Search: Determines the presence of malicious Observables in your environment, finds any integrations that support a Sightings Search, then executes these searches
Threat Look Up: Performs threat intelligence lookups to determine whether one or more observables are associated with known security threats
Email Search and Delete: Returns the number of threat emails from an email server search and, optionally, returns details for each email found. After the email search is completed, you can delete the emails.
Enrich CI: Enrich data for configuration items associated with a security incident
Enrich Observable: Allows you to enrich observables with additional information from a variety of sources using an implementation workflow
Isolate Host: Restricts system connections to other devices. Isolate host is executed against a configuration item (CI)
MISP Enrichment Results (Threat Intelligence)*: Enrich observables with additional information from various MISP sources during incident response investigations

*may require additional licensing


Integrations: Solution approach

• Integration Type
• Transaction Estimates
• Contacts
• Communication Direction
• Location
• Documentation
• Integration Methods
• Process/Sequence Flow
• Data Mapping
Security Incident Response (SIR) Store Apps

Sample integrations with SIR:
• Agari Phishing Defense
• ArcSight ESM
• Armis
• BitSight Security Ratings
• Carbon Black Cloud
• Cofense (Triage)
• Cortex Xpanse
• CounterACT
• Crowdstrike Falcon Identity Protection
• Cybersixgill Actionable Alerts
• Cyberint Threat Command
• Cybereason
• DarkTrace Ent Immune System
• Darktrace TIP
• Digital Risk Protection
• Elastic Security/SIEM
• Flashpoint
• Google Chronicle
• Honeywell
• LogRhythm Enterprise
• MS Azure Sentinel
• MS Graph Security API
• Netskope Cloud Ticket Orchestrator
• Proofpoint
• QRadar SIEM/SOAR
• RadarFirst Privacy
• Rapid7 Threat Command
• Recorded Future Threat Intelligence
• SecureWorks Counter Threat Platform
• SentinelOne Singularity
• SNYPR Security
• Splunk Enterprise
• TruStar
• Vectra XDR for SIR
• Zscaler Internet Access
• ZTAP Sync for Security Operations

For a listing of possible integrations with SIR, refer to the ServiceNow Store.


Integration Plugin Installs

Setup Assistant
• Select the integration based on Capabilities
• Download Plugins from the ServiceNow Store
• Install

Capabilities (All, or select individually): Block Request; Email Search and Delete; Enrich Configuration item; Enrich Observable; Get Network Statistics; Get Running Processes; Isolate Host; Publish to Watchlist; Sightings Search; Threat Lookup

Requested Integration Store Apps? (to be captured in the workshop)
CMDB and Security Incident Response (diagram)

Detection sources: Wizard Driven; Mail Server End User Reported Phish; Integration; 3rd-party data sources
Logical CIs: Business Applications; Application Services; Services; Service Offerings
Discoverable CIs: Servers, network gear, applications, cloud resources, etc.; Computers
CMDB population: IntegrationHub; Application Service to CI mappings; Service Mapping; IRE; Discovery Engine; Agent Client Collector; Change Management; Service Graph 3rd party API Connectors; Foundation data (LDAP, Active Directory, 3rd party apps such as Okta)
Security Incident Response: CI matching on the Configuration Item field
A Healthy CMDB for Security Incident population

Tools: CMDB Workspace; Data Manager (Duplication, Lifecycle, Certification); Data Foundations Dashboards; CMDB Workspace - Health

• Integrations use the Configuration Item (CI) field on the Security Incident to indicate the affected CI or service
• This value provided by the integration is used to match the IDs of your assets with the information stored in the Now Platform CMDB
• When a security incident is created, and a profile is run either automatically or manually, the CMDB is searched to retrieve the hostname and/or IP address based on the value of the CI field
State Flow Process Definitions

Inputs:
• Review Process Definitions
• Select Process Definitions (NIST Stateful, NIST Open)
• Understand current state flow

Outputs:
• Detailed story requirements for configuration
• Activate and/or update current state flows
Security Incident Process definition

Create SIR Record – Detect
• Manually
• Create from other records
• External monitoring and tracking systems
• Event Management alert rules
• Service Catalog item
• User Reported Phishing Email

Review and Update SIR Record – Analysis
• Initial Assignment
• Monitor and analyze
• Identify malware, virus by cross reference
• Work note tracking
• Routing and Escalation
• Identify affected business services
• Bridge calls, Teams Chat Connector

Review and Update SIR Record – Contain, Eradicate, Recover
• Playbook response actions
• Create change, problem tasks
• Security Response Orchestration
• Document work performed
• Utilize common workspace
• Workflow remediation
• Knowledge management

Close SIR Record – Review and Closed
• Playbook response actions
• Create change, problem tasks
• Security Response Orchestration
• Document work performed
• Utilize common workspaces
• Workflow and remediation
• Knowledge management
Security Incident Response Definition States

• Security Incident Response Process Definition replaces state flows and provides end users and service desks with the status of a problem
• Process definition helps track the security incident through its life cycle
• Security Incident Response is a Service Management (SM) application, which has its own set of states. Invalid states are reported as part of the Process Selection
• The default process definition is NIST Stateful, called via a Script Include
• It is not needed to change this flow even for our most complex customers
NIST – 2 models

NIST supports the following two models:

NIST Stateful (DEFAULT)
• This process definition enables analysts to move from one state to another in a sequential order without skipping any step. NIST-800 based; states vary based on the current state.
• The analyst starts with the Draft state, then the sequential order of this process definition is Draft>Analysis>Contain>Eradicate>Recover
• The NIST Stateful process definition is unidirectional and enables analysts to progress only to the forward states.

NIST Open
• This process definition enables analysts to move from one state to another, either forward or backward. NIST-800 based flow, with states always available for easy workflow integration.
• The analyst starts with the Analysis state, then the order of the process definition can be either Analysis>Contain>Eradicate>Recover or Analysis>Draft.
• The NIST Open process definition is bidirectional and enables analysts to move to the forward or backward states depending on their requirements.
Security Incident Response States
• The following recommended state model options are available, which follow the generally accepted security frameworks from NIST and SANS:

NIST state / SANS state – Description
Draft / Draft – The request initiator adds information about the security incident.
Analysis / Identification – The incident has been assigned and the issue is being analyzed.
Contain / Contain – The issue has been identified and the security staff is working to contain it and perform damage control actions (taking servers offline, disconnecting from the Internet, verifying that backups exist).
Eradicate / Eradicate – The issue has been contained and the security staff is taking steps to fix the issue.
Recover / Recover – The issue is resolved, and the operational readiness of the affected systems is being verified.
Review / Review – The security incident is complete, and all systems are back to normal function; however, a post-incident review is still needed.
Closed / Closed – The incident is complete, but before a security incident can be closed, you must fill out the information on the Closure Information tab.
Cancelled / Cancelled – The incident was cancelled.
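The two process definitions and the state table above can be checked against each other with a small transition model. The following is an added example written for this workshop deck, not ServiceNow code: it encodes NIST Stateful as a one-step-forward path and NIST Open as "every state always available", and validates a requested state change. Two assumptions are labelled in the code: that an open incident may also be Cancelled under Stateful (the slides do not say), and that Open permits any state to move to any other.

```javascript
// Added example (not ServiceNow code): the two NIST process definitions from the
// slides expressed as transition tables, plus a validator an implementer can use
// to reason about which moves each definition permits.

// State list from the state-model table, in NIST order.
const STATES = ["Draft", "Analysis", "Contain", "Eradicate", "Recover", "Review", "Closed", "Cancelled"];

// Sequential path the slides give for NIST Stateful (Draft > Analysis > Contain >
// Eradicate > Recover); Review and Closed follow Recover per the state table.
const STATEFUL_PATH = ["Draft", "Analysis", "Contain", "Eradicate", "Recover", "Review", "Closed"];

// NIST Stateful: unidirectional, one step forward at a time, no skipping.
// Assumption (not stated on the slides): an open incident may also be Cancelled.
function statefulNext(from) {
  const i = STATEFUL_PATH.indexOf(from);
  if (i === -1 || i === STATEFUL_PATH.length - 1) return []; // Closed/Cancelled are terminal
  return [STATEFUL_PATH[i + 1], "Cancelled"];
}

// NIST Open: bidirectional, every state always available. Assumption: any state
// may move to any other state, including backward moves such as Analysis > Draft.
function openNext(from) {
  if (!STATES.includes(from)) return [];
  return STATES.filter((s) => s !== from);
}

const DEFINITIONS = { stateful: statefulNext, open: openNext };

// Returns the list of states reachable from `from` under the named definition.
function nextStates(definition, from) {
  const fn = DEFINITIONS[definition];
  if (!fn) throw new Error(`unknown process definition: ${definition}`);
  return fn(from);
}

function canTransition(definition, from, to) {
  return nextStates(definition, from).includes(to);
}

// Applies a transition to a plain incident object, refusing moves the
// definition does not allow (what a UI or business rule would enforce).
function transition(incident, definition, to) {
  if (!canTransition(definition, incident.state, to)) {
    throw new Error(`${definition}: cannot move from ${incident.state} to ${to}`);
  }
  return { ...incident, state: to };
}

// Initial state differs per definition: Stateful starts in Draft, Open in Analysis.
function newIncident(definition) {
  return { definition, state: definition === "open" ? "Analysis" : "Draft" };
}
```

Use nextStates("stateful", "Analysis") during the workshop to show a customer exactly which buttons an analyst would see in each state; if the answer to the selector questions below is "bidirectional", swap the definition name for "open".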
Process Definition Selector
• Does your process definition need to be sequential, so that analysts move from one state to another without skipping any step?
• Does your process definition need to be bidirectional, enabling analysts to move to the forward or backward states depending on their requirements?
Security Incident Creation

Security Incident Creation Definitions

Inputs
• Incident creation methods
• Email parsing details – inbound email ingestion
• Current processes
• Define Security Catalog items needed

Outputs
• Detailed story requirements for configuration
• Configure incident creation methods
• Email ingestion
• Configure catalog items
Security Incident Creation Methods

1 Manually from the Security Incident list – Use the “New” button and manually create a record.
2 User reported via a record producer from the portal – Create a Security Incident through the portal:
  1. Report Factory Cybersecurity Incident
  2. Report Loss or Exposure of Data
3 Created through Incident – A Security Incident can be created through an Incident.
4 Inbound emails and integration (from a 3rd-party tool) – Security Incidents (SIR) can be created from inbound emails and from integrations such as Azure Sentinel and Kudelski, and from 3rd-party monitoring systems.

Note: Most vendors support 1 or 2 levels.
Example Methods of Security Incident Creation
• Manual
• Catalog item
• Event Management
• User Reported Phishing
• Integrations
• Alerts
Escalate Incident to a Security Incident
Incident Management form
• On the Incident form in Incident Management, click Create Security Incident to create a new security incident.

Decision needed
• The Create Security Incident button is not in the Service Workspace Incident form. Add or hide the Create Security Incident button?
Security Incident Catalog
• Users in your company can use the Security Incident Catalog to request various types of security-related analysis.
• Will the Security Incident Catalog be used?
• What security-related catalog items should be available?
• What variables/questions do we need for each catalog item?
Inbound Email Parsing
• Generate new Security Incident records from external detection systems using Email Parsing.
• This feature provides a method for integrating information from external tools such as malware detection, vulnerability detection, firewalls, threat intelligence, and more.
• External detection systems (malware detectors, vulnerability detection, and so on) can send emails that report on multiple items at one time. The email parser supports separators within the email.
• Example: a malware detector could send you an email report about all systems within your network infected by a particular malware, with information about the malware first, followed by a list of the systems affected.
Email Parsers for Alert Ingestion
Setup Assistant
• Generate new security incidents or events from email alerts
• Integrates information from external tools, such as SIEMs, firewalls, and threat intelligence platforms
• Destination table – Security Incident table
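To make the separator behaviour on the two email parsing slides concrete, here is an added example (written for this deck, not ServiceNow's email parser or any vendor's alert format): a constructed detector email with the malware details first and one separator-delimited block per affected system is turned into one record per system, each carrying the shared malware fields. The field names, the "---" separator and the sample hosts are all constructed for the example.

```javascript
// Added example (not ServiceNow's email parser): shows how a separator-aware
// parser turns one detector email that reports many affected systems into one
// record per system, each carrying the shared malware details from the header.

// Constructed sample email body: malware details first, then one affected-system
// block per separator, as the slide describes.
const SAMPLE_BODY = [
  "Malware: Trojan.Generic",
  "Severity: High",
  "Detected: 2025-04-01T08:15:00Z",
  "---",
  "Host: WKS-001",
  "IP: 10.0.0.11",
  "---",
  "Host: WKS-002",
  "IP: 10.0.0.12",
].join("\n");

// Parses "Key: value" lines into an object; keys are lower-cased so later code
// does not depend on the detector's capitalisation.
function parseKeyValues(block) {
  const out = {};
  for (const raw of block.split("\n")) {
    const line = raw.trim();
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // skip blank or malformed lines
    out[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return out;
}

// Splits the body on the separator, treats the first block as the shared
// header and every following block as one affected system. Returns the
// records a parser would hand to record creation, or [] if nothing is usable.
function parseAlertEmail(body, separator = "---") {
  const blocks = body
    .split(new RegExp(`^\\s*${escapeRegExp(separator)}\\s*$`, "m"))
    .map((b) => b.trim())
    .filter((b) => b.length > 0);
  if (blocks.length === 0) return [];
  const header = parseKeyValues(blocks[0]);
  const systems = blocks.slice(1).map(parseKeyValues).filter((s) => s.host);
  // A report with no system blocks still yields one record (a single-item email).
  if (systems.length === 0) return [{ ...header, shortDescription: describe(header, null) }];
  return systems.map((sys) => ({
    ...header,
    ...sys,
    shortDescription: describe(header, sys),
  }));
}

// Builds the short description a created Security Incident would carry.
function describe(header, sys) {
  const what = header.malware || "Alert";
  return sys ? `${what} detected on ${sys.host}` : `${what} detected`;
}

// Escapes the separator so a literal like "***" does not act as a regex.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}
```

The point for the requirements discussion: whichever detection tool is sending the email decides the separator and the field names, so those two values (and whether the first block is really a shared header) are exactly what needs to be captured per parser when answering "What email parsers need to be configured?".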
User Reported Phish
• Automates the creation of Security Incidents from emails that are sent or submitted to ServiceNow as potential phishing attacks (“This looks suspicious!”).
• Extracts key observables from email headers, subject, body, and file attachments to enable additional threat lookups and enrichment.
• The original phishing email submitted is stored as a Phishing Email record in a new table.
• Security analysts can view details of the original phishing email.
• Rules are extensible to accommodate attribution and data that may be unique to a customer environment.
Security Incident Creation Discussion
What incident creation methods do you want to use? (3rd party, inbound email, ServiceNow app)
What needs to be configured?
• Select the methods of creation
• Review integration capabilities
Discuss your current Security Incident processes
1 What teams perform security monitoring to detect potential Security Incidents?
2 What is the current process, if any, by which a detected security event/alert becomes a Security Incident?
3 How are Security Incidents currently created?
4 How are Security Incidents reported by the user community?

Discuss your current Security Incident processes
1 What email parsers need to be configured?
2 What email parsing inboxes are to receive alert emails?
3 What rules identify emails forwarded from your mail server carrying user-reported phishing?
4 What inbound email actions define the actions an instance takes when receiving emails?
Security Incident Calculation and Scoring

Inputs
• Incident criticality and priority
• Score and calculations of business impact
• Define Security Catalog items needed

Outputs
• Detailed story requirements for configuration
• Configure incident severity calculators
• Define risk scores
• Configure catalog items
Incident Calculator Group
Configure the criteria that determine incident criticality and priority.

Severity – Calculators to set impact, priority, risk, and severity.
User criticality – Gives business impact to users based on the department, group, address, or any defined condition on the related list below. Can be used in the calculation of "risk score" in security incidents.
Business Impact – Calculates business impact.

Incident calculators
• Severity: Set priority with category and services; Set priority with observables; Multi Attack Vendors; Business Impacted; Critical service affected
• User criticality: Get user criticality; Get user group criticality; Critical service changes
• Business Impact: Aggregate from severity calculators
Incident Severity Calculators
• When you create a security incident, the Risk score, Business impact, and Priority fields contain default values. Start with the OOB configurations.
• When you save the incident, a business rule automatically validates the information in the security incident against the conditions defined in each of your active severity calculators.
• If information in the security incident matches the conditions defined in one of the calculators, the severity field values are updated according to the rules set up in the calculator.
• The work notes are updated when the following fields are changed (causing the risk score to be updated):
  • Business impact on the Security Incident form
  • Priority on the Security Incident form
  • Severity on the Security Incident form (hidden by default)
  • Business impact on the Affected Users related list
  • Business impact on the Affected Services related list
  • Business impact on vulnerabilities on the Vulnerable Items related list
Business Impact, Priority, Severity Values

Priority / Business Impact / Severity
1 - Critical / 1 - Critical / 1 – High, 2 – Medium, 3 – Low
2 - High / 2 - High / 1 – High, 2 – Medium, 3 – Low
3 - Moderate / 3 – Medium / 1 – High, 2 – Medium, 3 – Low
4 - Low / 4 - Low / 1 – High, 2 – Medium, 3 – Low
Risk Score Calculator Rules
• The Risk score configuration in the Security Incident Response workspace has been enhanced with the following capabilities:
• Set up a Risk Score Calculator from either script or condition builders. Apply multiple conditions while setting up rule-based scoring.
• Apply weightage to each scoring line. Weights should add up to 100.
• For rule-based scoring, select table fields and values for setting up a condition.
• Capture conditions and scoring via scripts.
• Manually execute risk score calculators to recalculate after making changes.
Risk Scores
The risk score is calculated to represent the risk based on:
• Priority of a security incident
• Type of security incident
• Number of sources that triggered a failed reputation score on an indicator

• The risk score aids in prioritizing security incident work for the analysts.
• The “Set priority with category and services” incident calculator is used to calculate the risk score.
• The following business rules trigger the automatic calculation of risk scores:
  • Calculate Severity
  • Update risk score
  • Update SI risk score
• The risk score is calculated using the weights defined in the Risk score configuration.
Risk score weights
Configure automatic calculation of scores based on various factors using the risk score configuration. The Risk Score is built from the following weighted inputs:
• Security Incident Priority
• Security Incident Severity
• Security Incident Business Impact
• Users Business Impact
• Configuration Item Business Impact
• Vulnerable Item Business Impact
Review Available Risk Scores

Field – Description
Type – Select the type of risk score you are defining.
Value – Specify the value associated with the selected type. If multiple values are available for the type, you may want to define multiple risk score weight records. Example: Security Incident Priority with a value of 1, Security Incident Priority with a value of 2, and so forth.
Weight – The weight associated with the selected type/value pair. Valid entries are between 0 and 100, with 0 being the lowest weight and 100 the highest.
Risk Scoring Example

Priority: 2 - High (Value 2 = Weight of 60)
Business Impact: 3 - Moderate (Value 3 = Weight of 40)
Risk Score: 50, i.e. (60 + 40)/2 = a risk score of 50

The position of the security incident in the security incident list is then re-ordered based on its updated risk score.
Risk Score Weighting Discussion
Risk Score Types and their values:
• Configuration Item Business Impact: 1 - Most Critical, 2 - Somewhat Critical, 3 - Less Critical, 4 – Not Critical
• Security Incident Business Impact: 1, 2, 3
• Security Incident Priority: 1, 2, 3, 4, 5
• Security Incident Severity: 1, 2, 3
• Users Business Impact: 1, 2, 3
• Vulnerable Item Business Impact: 1, 2, 3
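The arithmetic behind the Risk Scoring Example slide, and the type/value/weight records the weighting discussion is meant to fill in, can be walked through with the following added example. It is written for this deck and is not ServiceNow's risk-score business rule: each matching type/value pair contributes its configured weight and the score is the average of the matched weights, exactly as the (60 + 40)/2 = 50 example shows. The weight table is constructed; only the Priority 2 = 60 and Business Impact 3 = 40 rows come from the slide, the rest are assumed values for illustration.

```javascript
// Added example (not ServiceNow's business rules): the risk-score arithmetic the
// slides describe. Each matching type/value pair contributes its configured
// weight; the risk score is the average of the matched weights.

// Constructed risk score weight records (type, value, weight 0..100). Only the
// Priority 2 -> 60 and Business Impact 3 -> 40 rows are from the slide; the
// other rows are assumed for illustration.
const RISK_WEIGHTS = [
  { type: "Security Incident Priority", value: 1, weight: 100 },
  { type: "Security Incident Priority", value: 2, weight: 60 },
  { type: "Security Incident Priority", value: 3, weight: 30 },
  { type: "Security Incident Business Impact", value: 1, weight: 90 },
  { type: "Security Incident Business Impact", value: 2, weight: 70 },
  { type: "Security Incident Business Impact", value: 3, weight: 40 },
  { type: "Security Incident Severity", value: 1, weight: 80 },
];

// Maps an incident's fields onto the risk score types named on the slides.
// Fields that are not set contribute nothing.
function incidentFactors(incident) {
  return [
    { type: "Security Incident Priority", value: incident.priority },
    { type: "Security Incident Business Impact", value: incident.businessImpact },
    { type: "Security Incident Severity", value: incident.severity },
  ].filter((f) => f.value !== undefined && f.value !== null);
}

// Enforces the 0..100 range the Weight field description gives.
function validateWeights(weights) {
  for (const w of weights) {
    if (!Number.isInteger(w.weight) || w.weight < 0 || w.weight > 100) {
      throw new Error(`weight out of range 0..100: ${JSON.stringify(w)}`);
    }
  }
}

// Returns the risk score (rounded to the nearest integer) and the weight rows
// that contributed, so an analyst can see why the score is what it is. Factors
// with no configured weight record are ignored rather than counted as zero.
function calculateRiskScore(incident, weights = RISK_WEIGHTS) {
  validateWeights(weights);
  const matched = [];
  for (const f of incidentFactors(incident)) {
    const row = weights.find((w) => w.type === f.type && w.value === f.value);
    if (row) matched.push(row);
  }
  if (matched.length === 0) return { score: 0, matched };
  const total = matched.reduce((sum, w) => sum + w.weight, 0);
  return { score: Math.round(total / matched.length), matched };
}

// Re-orders a list of incidents by descending risk score, as the slide says the
// security incident list is re-ordered after a score update.
function rankByRisk(incidents, weights = RISK_WEIGHTS) {
  return incidents
    .map((i) => ({ ...i, riskScore: calculateRiskScore(i, weights).score }))
    .sort((a, b) => b.riskScore - a.riskScore);
}
```

A useful workshop exercise is to let the customer fill the RISK_WEIGHTS rows with the values agreed in the weighting discussion and then run a handful of representative incidents through rankByRisk to confirm the ordering matches how the SOC actually wants to work its queue before anything is configured on the instance.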
Security Incident Workspace Demo

Security Incident Response Workspace
Workspace navigation

Inputs
• Navigational requirements
• UX menu lists and categories
• Highlighted values

Outputs
• Detailed story requirements for configuration
• Configure menus or lists
• Align current processes to new out-of-box
Workspace Navigation

Home
Lists
Dashboards
Administration
Security Incident Response Workspace
Security analysts and managers perform their day-to-day operations to:
• Complete incident investigation
• Get an overview of the security incidents, response tasks and SLAs assigned to the security analyst and team.
• Analysts can view and toggle between list view and card view, and open a filtered list in a new tab within the workspace.

Workspace callouts:
• Toggle between Response Tasks and Security Incidents
• Lists of Opened, Closed, Assigned Security Incidents
• Find the team’s work and unassigned work
• Toggle between card and list view
• Triage, own, investigate and remediate security incidents
• Drill down to the Security Incident record in list view
Security Incident Response Interface overview
• Widgets to filter by group, priority, etc.
• You can assign or reassign the security incidents or response tasks directly from the card view by clicking on the ellipsis icon and selecting Assign/Reassign (reassign without opening the security incident).
• View security incidents by Priority, State and Category.
Card View
Upcoming section
• Reminds agents of the upcoming tasks for the same day and the next day
• Displays the security incidents and response tasks that are due today and tomorrow. The list of security incidents and response tasks is based on the due date field and the SLA definition defined for these records
Quick Links section
• Quick links work like bookmark links. You can add external URLs and quickly access them from within the workspace
• Quick links are specific to a user
• Users can control the order in which they are displayed
Security Incident Record Lists
• Click the 3-dotted line icon in the chrome toolbar to open the list menu. This icon is always visible within the SIRW workspace.
• My lists shows user-defined custom list menu items.
• The SIRW list menu contains different menu items such as Security Incidents, Response Tasks, Assessments and User Reported Phishing.
• Users can create a custom list using My List -> New List -> select an existing list from the list, give a custom name, select the list of columns and add filters.
UX List Categories
• List order can be changed; however, most customers find the out-of-the-box configuration sufficient. This is changed for the entire team, not by the user.
• Do you want to change the order in the list view?
• Requires [sn_si.admin] role

UX List menu configuration
• Filtered views can be changed; however, most customers find the out-of-the-box configuration sufficient. This is changed for the entire organization, not by the user.
• Do you want to change the filtered lists that appear in the list view?
• Requires [sn_si.admin] role
Highlighted value fields in Lists
Fields on the list view can be highlighted based on conditions.
Role required: System Administrator (admin) or Security Incident Administrator role
Quick filters
• Quick filters are accessible on the security incident and response task lists
• When a user clicks on any of these filters, the list is updated with the configured conditions
• These quick filters can be configured at run time or design time by a Security Analyst
• OOTB quick filters:
  • Incidents opened Today
  • Incidents open > 24h
  • Open Incidents with Priority = Critical
  • Risk score >= 80
  • Open Phishing Incidents
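The five OOTB quick filters are plain conditions over incident fields, and it helps to be able to show what each one returns before discussing which extra filters a customer wants. The following is an added example for this deck, not the workspace's own filter configuration: each filter is written as a predicate and evaluated against a constructed list of incidents at a fixed clock time. The incident objects, their numbers and the "open" state set (every state except Closed and Cancelled) are assumptions made for the example.

```javascript
// Added example (not ServiceNow's quick-filter configuration): the OOTB quick
// filters from the slide as predicates over plain incident objects, evaluated
// against a constructed sample list relative to a fixed "now".

const NOW = new Date("2025-04-15T14:00:00Z"); // fixed clock so results are reproducible

// Assumption for the example: "open" means any state other than Closed/Cancelled.
const OPEN_STATES = new Set(["Draft", "Analysis", "Contain", "Eradicate", "Recover", "Review"]);

const sameUtcDay = (a, b) => a.toISOString().slice(0, 10) === b.toISOString().slice(0, 10);
const hoursBetween = (a, b) => (b - a) / 36e5;
const isOpen = (si) => OPEN_STATES.has(si.state);

// Each entry: quick-filter name from the slide and its condition.
const QUICK_FILTERS = {
  "Incidents opened Today": (si, now) => sameUtcDay(si.opened, now),
  "Incidents open > 24h": (si, now) => isOpen(si) && hoursBetween(si.opened, now) > 24,
  "Open Incidents with Priority = Critical": (si) => isOpen(si) && si.priority === 1,
  "Risk score >= 80": (si) => si.riskScore >= 80,
  "Open Phishing Incidents": (si) => isOpen(si) && si.category === "Phishing",
};

// Applies a named filter and returns the matching incident numbers in list order.
function applyQuickFilter(name, incidents, now = NOW) {
  const cond = QUICK_FILTERS[name];
  if (!cond) throw new Error(`unknown quick filter: ${name}`);
  return incidents.filter((si) => cond(si, now)).map((si) => si.number);
}

// Constructed sample incidents (numbers, times and values are made up).
const SAMPLE_INCIDENTS = [
  { number: "SIR0001", state: "Analysis", priority: 1, riskScore: 85, category: "Phishing", opened: new Date("2025-04-15T09:30:00Z") },
  { number: "SIR0002", state: "Contain",  priority: 2, riskScore: 50, category: "Malware",  opened: new Date("2025-04-13T10:00:00Z") },
  { number: "SIR0003", state: "Closed",   priority: 1, riskScore: 90, category: "Phishing", opened: new Date("2025-04-10T08:00:00Z") },
  { number: "SIR0004", state: "Draft",    priority: 3, riskScore: 20, category: "Phishing", opened: new Date("2025-04-14T13:00:00Z") },
];

// Evaluates every filter once; handy for showing the full picture in a workshop.
function allQuickFilterResults(incidents = SAMPLE_INCIDENTS, now = NOW) {
  const out = {};
  for (const name of Object.keys(QUICK_FILTERS)) out[name] = applyQuickFilter(name, incidents, now);
  return out;
}
```

Note that "Risk score >= 80" is the only OOTB filter that does not restrict to open incidents, so a closed incident with a high score (SIR0003 in the sample) still appears there; that is the kind of detail worth confirming with the customer when deciding whether the default filters are sufficient.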
Security Incident Record List Changes

Add/Remove/Update – Name – Comments
Update or change – Order of the list headers – swap response tasks and security incidents
Update – Record Header
Daily Status Reporting
• You can create a Daily Status Report from the SIR Workspace’s Administration section.
• As an admin, create report templates as per your organizational needs.
• By default, two non-editable templates have been bundled with this feature.
• Dependencies required for enabling this feature:
  • ‘Security Incident Response Workspace’ (sn_si_aw)
  • ‘Reporting UI Component for Workspace’ (sn_sec_reporting)
  • ‘Rich Text Editor Component for Security Operations’ (sn_escm_rte)
Report Templates
• Create a new template by providing Name and Description.
• Select field(s) to include in the report.
• Preview the report template as PDF.
• Publish the template for leveraging it during report creation.

Reports
• Create a new Report from a Security Incident Response record.
• Select from the available list of published templates.
• Edit the report name, preview the report, and add additional fields directly on the report.
• Publish the report.
• Download the report as needed.
Conference Call Integrations

Conference Call Integration
• Conference Call integration enables you to manage and initiate a conference call directly from a security incident
• Collaborate with your customers and peer agents to resolve security incidents
• Initiate conference calls using provided third-party communication channels such as Microsoft Teams, Cisco Webex or Zoom meetings through the Notify plugin integration (Launch Conf Calls)
• Call recordings can be accessed within the SIR workspace
SIR Conference Calls with Microsoft Teams

Prerequisites
Install the following Integration Hub plugins on the ServiceNow instance:
• Notify plugin (com.snc.notify)
• Microsoft Teams Communications spoke plugin (sn_msteams_com_spk)
• Azure Active Directory User Mapping plugin (sn_now_azure)
• Notify UI Components for Configurable Workspaces

Configure the Microsoft Teams integration using:
• Pre-configured app – Integrate Notify connector pre-published app
• Self-configured app – Integrate Notify connector self-configured app
SIR Conference Calls with Zoom

Prerequisites
To configure the Conference Call Integration using Zoom as the conference bridge, install the following Integration Hub plugins on the ServiceNow instance:
• Notify plugin (com.snc.notify)
• Zoom Spoke (sn_zoom_spoke)
• Notify Zoom (sn_notify_zoom)
• Notify UI Components for Configurable Workspaces

SIR Conference Calls with Cisco Webex

Prerequisites
To configure the Conference Call Integration using Cisco Webex as the conference bridge, install the following Integration Hub plugins on the ServiceNow instance:
• Notify plugin (com.snc.notify)
• Notify Cisco Webex Connector (sn_notify_webex)
• Cisco Webex Teams Spoke (sn_cisco_teams_spk)
• Notify UI Components for Configurable Workspaces
Conference Call Requirements
Decision(s) required:
• What conference system are we integrating? Zoom, Cisco, or Teams?

Insights:
ServiceNow Documentation
• Integrate SIR with third-party communication channels
• Configure Notify Cisco Webex Connector
• Configure Notify Zoom connector in Notify
• Integrate Notify connector pre-published app with Microsoft Teams
• Integrating Notify connector self-configured app with Microsoft

Security Incident Record Configuration

Workspace Navigation and Response Workflows
Inputs Outputs
• Navigational requirements • Detailed story requirements for
configuration
• Incident Form Record Inputs
• Response Task Templates
• Layouts
• Playbooks
• Runbooks
Security Incident Record Details
Record callouts:
• Lists of Opened, Closed, Assigned Security Incidents
• Navigation and Activity tabs
• Work Notes
• Security Incident Details
• Knowledge Articles
• Follows NIST Stateful

From the record the analyst can:
• Send emails
• Document work
• Find KB articles
• Create Response Tasks
• Categorize security incidents
Security incident form recommended fields
Below are descriptions of the best-practice recommended fields for the Security Incident Response form. Use this list to detail whether to include each field in your form, and whether the field is mandatory.

Field Name – Description
Short Description – A description of the Security Incident
Description – Detailed description of the Security Incident
Number – Auto-generated Security Incident number
Opened – Date and time that the Security Incident was opened
State – Draft, Analysis, Contain, Eradicate, Recover, Review, Closed
Substate – Pending Problem, Pending Change, Pending Incident
Category – Security Incident category
Sub-Category – List of case state conditions
Configuration Item – Configuration item affected by the Security Incident
Affected User – User affected by the Security Incident
Location – Where the caller or service is located
Requested By – The person that raised the Security Incident
Priority – Order in which to address this incident
Business impact – Importance to your business
Risk Score – The risk score as calculated
Risk score override – Override the automatic update
Source – Security control that raised the alert
Alert Sensor – SIEM or another sensor
Assignment Group – Group responsible for working this task
Assigned To – Person responsible for working this task
Enforce Restriction – Check box
Secure Notes – (Encrypted notes)
Related Records – Part of Security Operations Workspace
Other Records – Part of Security Operations Workspace
Security Incident Record Header

Configurable Incident Record Header
• The record header is configurable
• Secondary values under the header are configurable
• Is out of the box sufficient to meet business processes?
Security Incident Response categories
• Confidential personal identity data exposure
• Criminal Activity/investigation
• Denial of Service
• Digital Millennium Copyright Act (DMCA)
• Equipment loss
• Malicious code activity
• No incident
• Policy violation
• Privilege Escalation
• Reconnaissance activity
• Rogue server or service
• Spam source
• Phishing
• Un-patched vulnerability
• Unauthorized access
• Web/BBS defacement
• Shared Intelligence
• Failed Login
• Lost or stolen Laptop
• Malware
• Insider Breach

Recommendation: Use the out-of-box categories and sub-categories. Only adjust if there is a strong business case.
Security Incident Response subcategories
Confidential Personal Identity Data Exposure
• Credit Card information
• Identity theft
• Other
• Social Security Numbers with or without names

Criminal Activity/Investigation
• Child pornography
• Online theft, fraud
• Physical theft, break-in
• Subpoena, search warrant, or other court order
• Threatening communication
Security Incident Response subcategories
Denial of Service
• Inbound or outbound
• Single or distributed (DoS or DDoS)
• Inbound DDoS
• Outbound DDoS
• Inbound DoS
• Outbound DoS

Digital Millennium Copyright Act (DMCA violation)
• Illegal distribution of copyrighted or licensed material
• Illegal possession of copyrighted or licensed material
• Official DMCA notification from copyright owner or legal representative

Equipment Loss
• Lost equipment
• Stolen equipment
Security Incident Response subcategories
Malicious Code Activity
• Botnet
• Key logger
• Rootkit
• Worm, virus, Trojan

Malware
• C&C communication inbound
• C&C communication outbound
• Ransomware

No Incident
• When investigation of suspicious activity finds no evidence of a Security Incident
Security Incident Response subcategories
Phishing
• Large campaign
• Scam e-mail activity
• Spear phishing

Policy Violation
• Company policy violation
• Personnel action/investigation
• Violation of code of conduct

Privilege Escalation
• Active Directory Domain Admin
• Application Admin
Security Incident Response subcategories
Reconnaissance Activity
• Other vulnerability scanning
• Port scanning
• Unauthorized monitoring

Rogue Server or Service
• Botnet controller
• Phishing scam web server
• Rogue file/FTP server for music, movies, pirated software, etc.

Spam Source
• Spam host
• Spam relay
Security Incident Response subcategories
Un-patched Vulnerability
• Vulnerable application
• Vulnerable operating system
• Vulnerable web site/service
• Weak or no password on an account

Unauthorized Access
• Abuse of access privileges
• Brute force password cracking attempts
• Stolen password(s)
• Unauthorized access to data
• Unauthorized login attempts

Web/BBS Defacement
• Defacement of web site
• Inappropriate post to BBS, wiki, blog, etc.
• Redirected web site
Workspace and record modifications

Add/Remove/Update – Name – Comments
Remove – Urgency/Impact
Update – Record Header

Security Incident Record Categorization Discussion
Are there any changes needed to the OOTB Security categories and sub-categories?
What Security Incident categories should be added or removed?
• Select the methods of creation
• Review integration capabilities
Security Incident Assignment

Business Process Decisions

Business Process – Description – Decision
Lifecycle – Enable/Disable Onsite Arrival Check-in for Agents
Lifecycle – Work notes are required to close or cancel a request or task
Lifecycle – Copy task work notes to request
Lifecycle – Apply Work Order template in draft status
Assignment Method – Assignment method for tasks – Auto-assignment or Manual?
Assignment Method – Assign requests or tasks based on assignment group coverage areas
Scheduling and Selection – Auto-selection of agents will consider time zone for tasks
Scheduling and Selection – Auto-selection of agents will consider location of agents
Scheduling and Selection – Auto-selection of agents for tasks requires them to have skills – All, Some or None (may require additional configuration to populate skills)
Scheduling and Selection – Auto-selection will attempt to assign the same agent to all the tasks in a request
Escalations
• Escalate a security incident to any group associated with the incident using Escalations.
• The Escalate option only appears if an escalation record for the groups has been created.
• Determine and identify the groups, which groups should escalate, and who the escalation group should be.
Shift Handover Templates
• Provide detailed communication of critical information, tasks, and updates between outgoing and incoming personnel for a seamless transition between shifts by using the Shift Handover feature. Shift Handover templates prevent gaps in monitoring and response.
• Each Shift Handover record is associated with a Shift Handover Report Template.
• Shift Analysts/Owners can create, edit, copy, or delete Shift Handover records using the Shift Handover records list view.

Roles Required
• sn_escm_sh.shift_admin
• sn_si.admin inherits the sn_escm_sh.shift_admin role
Configure Shift Handover Templates
• The Admin creates a new Shift Handover template.
• The Admin can also open an existing template in the base system with the name ‘Sample Shift Template’ and modify the details and sections according to organization requirements.
• The Shift Owner can use the configured template to create Shift Handover log records, and then the Shift Handover report is shared with the next active Shift Owner and team.
• Only the active Shift Handover templates are visible for the Shift Owner to create handover log records.
Shift Handover Records
• The Shift Owner and the respective team or user group create the Shift Handover log records.
• The Shift Owner has to choose the Shift Handover template and the user group that will work on the Shift Handover report.
• After the Shift Handover report is complete, it will be shared with the next active Shift Owner and team.

Shift Handover report states: Draft > In Progress > Review > Published
• Draft – In the Draft shift report editor, the Shift Owner and Shift Analyst can update the details of the security incidents and users. They can format the report with all the options in the editor, like fonts, colors, bullets, links, and attachments.
• In Progress – In the My shift handover notes editor, the Shift Owner and Shift Analyst can update the required details for all the sections, like security incident and user details.
• Review – In the Consolidated shift report, only the Shift Owner can review the Shift Handover report and make the required changes. If further updates are required, the Shift Owner can change the state back to ‘In Progress’.
• Published – In the Published state, shift analysts and owners can see a preview of the Shift Handover report with the latest updates on the Preview pane. After publishing the Shift Handover report, the Shift Owner can modify the content, but they can’t change the record state.
Security Incident Response – Now Assist
• Expedite triaging of security incidents with long activity streams by reviewing work notes and contextual information quickly in a concise, easy-to-read format
• Preview security incident details, their potential impact, and any key actions already taken with security incident summaries using generative AI
• Automatically generate closure notes for security incidents using generative AI
• Access summaries and closure notes from the Now Assist panel, security incident records, or from the Security Incident Response Workspace

Requires Professional or Enterprise Plus License
Generate resolution notes with Now Assist - Workspace
• Automatically generate detailed resolution notes, saving time and ensuring thorough incident details
• Ensure consistent and accurate resolution notes, reducing the risk of human error

Requires Professional or Enterprise Plus License

Generate resolution notes with Now Assist – Native UI
• Automatically generate resolution notes or enhance existing comments. Refine to elaborate or shorten the auto-generated resolution notes, thus saving time and ensuring thorough incident details
• Configure and activate a skill for Now Assist for Security Incident Response
Speed up investigations via natural language queries
• Trigger incident summarization and resolution notes within the Now Assist panel
• Receive immediate, relevant answers to specific questions about security incidents
Now Assist for Security Operations

Optional: Now Assist for Security Operations

Subscription required

Required plugins and products:
• Now Assist for Platform v5.0.1
• Security Incident Response Core: v13.5.1
• Security Incident Response (SIR) Workspace: v1.6.0 if you are using the SIR workspace

Data sharing improves ServiceNow AI products. You can opt out of data sharing from the Now Assist Admin console Settings page.
Correlation Insights
Get correlated insights into Configuration Items, Affected Users and Observables with the help of Now Assist. Expedite investigations by analyzing correlated data from Incidents, Problems, Change Requests and Vulnerabilities associated with the selected option.

• Get related record names, links, and descriptions that provide valuable context for investigations.
• Analysts are empowered with related record data from the last 30 days.
Configuring Now Assist Skills for Security Operations
SIR Standard+

SIR Sidebar Chat
• Using Sidebar, security analysts can collaborate with others in real time based on a Workspace task-based or interaction-based record
• These Sidebar discussions facilitate the exchange of information and knowledge to help resolve issues faster and with higher-quality outcomes
• Activate the Omni-Experience Standard Feature Set plugin
Setting up Sidebar
• Enable participant suggestions in the Sidebar to display a list of knowledgeable users who can help with the issue
• Configure whom Sidebar treats as a knowledgeable user and which groups have access
• After installing Sidebar, activate and configure Sidebar so agents can collaborate with others to resolve issues
• Navigate to All > Conversational Interfaces > Settings > Sidebar and configure the options
Integrate Sidebar and Microsoft Teams
• Enable conversations between Sidebar and Microsoft Teams users. Emojis, files and messages can be exchanged.
• Discussions will be initiated only from Sidebar to Teams.
• Select the Teams member account (see the Teams icon next to the name).
• Type your message.

What do you need for the Sidebar-Teams integration?
• Step 1: Install the latest release of 'Omni Experience - Standard Feature Set’ from Admin > Application Manager
• Step 2: Create the Microsoft Teams developer account and Azure app account.
• Step 3: Create the Microsoft Teams app.
• Step 4: Enable the Microsoft Teams integration in the Sidebar console
• Step 5: Provide access to Teams users to be added into Sidebar discussions by setting the appropriate value (true/false) in the table sys_cs_collab_user

Note:
• Follow KB article KB1225842 for detailed steps for Steps 1, 2, and 3 above.
• Follow the link for Step 4: Enable the Microsoft Teams integration.
Security Incident Record Investigation
• Entry points relate to the security incident detection and creation method
• Key entry points are provisioned for the security analysts within the base system:
  • Associated Observables
  • Configuration Items
  • Affected Users
  • Associated Phish Emails
  • Email Search
• Configure the entry points by adding, modifying or removing the entry points as applicable

Record callouts: Entry Point Lists; list of observables, CIs, etc.; compose notes and emails, track activity
Viewing Associated Information
• The Security Analyst will want to look at the associated information of each entry point.
• Associated information is related to the capability of integrations like Microsoft Defender or CrowdStrike.
• View associated info about each entry point. These are to be adjusted based on your integration capabilities:
  • Threat Lookup Results
  • Sandbox Submission Results
  • Observable Enrichment Results
  • Sighting Search Data
  • CrowdStrike Sightings Details
  • Microsoft Defender Indicators
  • MISP Enrichment Results
• Associated information is related to your integration capabilities (Block Request, Email Search and Delete, etc.)
Integration Capabilities

Capability – Definition
Block Request – Blocks communication with an Observable associated with a Security Incident on a firewall, web proxy or other control point
Get Network Statistics – Retrieves a list of active network connections from a host or endpoint
Get Running Processes – Retrieves a list of running processes on a Configuration Item (CI) from a host or endpoint
Isolate Host or Endpoint – Restricts system connections to other devices
Publish to Watchlist – Adds an Observable associated with a Security Incident to a Watchlist
Sightings Search – Determines the presence of malicious Observables in your environment, finds any integrations that support a Sightings Search, then executes these searches
Threat Look Up – Performs threat intelligence lookups to determine whether one or more observables are associated with known security threats
Email Search and Delete – Returns the number of threat emails from an email server search and, optionally, returns details for each email found. After the email search is completed, you can delete the emails.
Enrich CI – Enriches data for configuration items associated with a security incident
Enrich Observable – Allows you to enrich observables with additional information from a variety of sources using the implementation workflow
Isolate Host – Restricts system connections to other devices. Isolate Host is executed against a configuration item (CI)
MISP Enrichment Results (Threat Intelligence)* – Enriches observables with additional information from various MISP sources during incident response investigations

*may require additional licensing
Associated Information – Unified framework
Brings together the various integration capabilities.
Found in the Associated Information dropdown in the Investigations canvas.
Results fetched from these integrations are very similar; however, each integration may present the results in different ways.
Applicable only for those integrations and orchestration activities that fall within the capability framework.
Consists of modal screens with three steps:
1. Implementations
2. Common Inputs
3. Run time details
Note: Not all three steps are always required. Depending on the capability and the type of inputs required, the runtime details step and common inputs step will be visible.
Entry points and Associated Observables
The list of entry points and associated information is configurable.
Review the entry points and associated lists thoroughly before deciding to make changes – this should be based on the integrations.

Observable List actions
Capability actions, unlink, download, link, new, multiple new and upload secure attachments.
• Upload secure attachments action
• Multiple new action
• Download action
Response tasks
• Response Tasks are created to track separate actions to be performed in response to the Security Incident
• Response Tasks can be created through manual or automated methods using Workflows
• Can be assigned to external remediation teams
• The analyst will be able to:
– create a new response task
– assign response tasks to self or others
– delete response tasks
New Response Task Creation
A Security Analyst may manually create and assign tasks to other security teams like “Directory Infrastructure Security”.
Response Tasks can be assigned to Security team members or external Remediation teams that help support the Incident response process.
They will select a Ready or Assigned state.
The Assigned to field can be picked up and assigned to a member of the Assignment group.
Once assigned and investigated, other response tasks can be added or utilized like Playbooks to contain, eradicate and recover.
Security Task Response Definition States
The following process definitions are used for security incident tasks:
Draft: The ticket is being created and not yet submitted but saved
Ready: The task is ready to be worked on after it’s assigned to an agent
Assigned: The task is assigned to an agent
Work in Progress: The assigned agent is working on the task
Closed Complete: The task is complete
Closed Incomplete: The task was closed but the work was not completed
Canceled: The task was canceled


Response Task Creation
Security Analysts can select several responses after they have started the investigation on a previously created security incident:

• Add Playbook
• Open Associated Workflow(s)
• Create Other Records
• Email
• Create Incident
• Create Change Request
• Create Problem
• Create Outage
• Calculate Severity
• Associate MITRE ATT&CK Technique

The responses may require creating a “Related record”.
Associate a MITRE-ATT&CK Technique
The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework documents and tracks various adversarial techniques that are used during different stages of a cyberattack.
By using the MITRE-ATT&CK framework's knowledge base, the cyber threat intelligence community can quickly identify threats and coordinate cyber attack responses.

MITRE-ATT&CK Technique Benefits
How your organization can benefit from MITRE-ATT&CK in Security Operations:
Respond: Equip Security Analysts with MITRE ATT&CK information to better analyze and respond to incidents
Automate: Automate the incident workflows using the playbook for detecting and containing threats
Prioritize: Prioritize indicators of compromise and threat hunting with MITRE ATT&CK information
Analyze: Understand the high-level security posture of the company in the context of the MITRE ATT&CK framework

Using the MITRE-ATT&CK framework can help your organization do the following:
• Equip Security Analysts with MITRE-ATT&CK tactics, techniques, and procedures (TTPs) to better analyze and respond to Security Incidents
• Automate the Incident Workflows using the Playbook for detecting and containing threats in the context of the MITRE-ATT&CK framework
• Prioritize Indicators of Compromise (IoC) and threat hunting with MITRE-ATT&CK information
• Understand the high-level security posture of your organization in the context of the MITRE-ATT&CK framework
Discuss your Security Requirements
1. What Groups should be able to be assigned Response Tasks that are created automatically?
2. Should the whole Group be able to see the Response Task or just the User assigned the task?
3. How should the Response Task assigned Group/User be notified of a new Response Task?
Related Records
The following related list groups are available as a part of the base system.
You can modify these groups or create groups within the application and their respective actions.
Create new records, link, or unlink existing records or new records against the related list group as applicable.
Workspace controls: search using the Related list name, apply a filter on the related list, List Group Categories, List Menu.

Workspace Related Records
Related List: Grouped items
Business Impact: Configuration Items; Affected Users; Related Configuration Items; Related Users; Affected Services
Endpoint Detection and Response (EDR): Host Details; Running Processes; Running Services; Logged On Users; Network Statistics; Get File; Isolate Host Entries; Additional Actions On Endpoint; Microsoft Defender for Endpoint-Related Machines Details
Observable Enrichment: Observable Enrichment Results; Associated MISP Events; MISP Enrichment Results
Phishing: Associated Phish Emails; Associated Phish Headers
Related Security Incidents: Parent Security Incident; Child Security Incident; Similar Security Incident
Sighting Search: Sightings Search Results; Sightings Search Details; Sighting
SLA Records: Task SLAs
Source Events/Alerts: Source events or alerts are the SIEM integration enabled related lists such as Source Email, LogRhythm Drill Down Logs, LogRhythm Events, Aggregated IBM QRadar Offense, etc. Note: This list depends on the integrations that you have in your instance. To view the relevant SIEM integration related list, you must install the latest version.
Threat Intel: Associated Observables; Threat Lookup Results

You can modify these groups or create new groups.
Related Lists Layout
Related lists can be represented in the following layouts:
Horizontal: This is the default layout. The related list view configured for the current user role will be rendered as horizontal tabs.
Stacked: The related list view configured for the current user role will be rendered in the "Related Records" tab using the content tree experience.
Grouped: Related lists will be categorized into groups and rendered in the "Related Records" tab using the content tree experience.

How would you like your Related Lists displayed?
If changed, it displays the same for all Security Analysts and Managers.
Horizontal Related List Layout
Related lists are on top and not on the side.

Stacked Related List Layout
Related Lists are on the side, and the records are listed in a list view.

Related Lists Experience (Stacked & Grouped)
In the Stacked and Grouped layouts, the Related Records are on the left side and the related lists are grouped underneath.
Other Record Creation from an Investigation
A security analyst may choose to create “Other Records” during the investigation phase.

Other records include:
• Compose Email
• Create Incident
• Create Change Request
• Create Problem
• Create Outage

Note: A SIR record can only have a 1 to 1 relationship with a Change, Incident, Problem, or Outage.
Other Records
Security Analysts can add records that relate to the incident if they did not create a response task at security incident creation.

Knowledge records or emails may be added to the security incident record throughout the life of the security incident:
• Link Incident, Problem, Outage and Change records
• Compose emails directly from security incidents – Response templates
• Knowledge Records
Email Quick Messages and Response Templates
Within the Email form, click Quick Messages to view the quick messages, which are displayed on the right side of the Compose Emails section.
Configure Quick Messages to create multiple quick responses.

Within the Email form, click the Response icon to view the Response templates, which are displayed on the right side of the Compose Emails section.
Configure Response templates to create multiple responses.
Knowledge Articles - Runbooks
• Share security information, document the types of cyber threats that your organization faces, and provide answers and responses to these threats.
• Organize knowledge articles into runbooks, which create associations between the articles and specific tasks.
• Knowledge articles in runbooks can also be associated with specific tasks in a playbook.
Runbook Documents
33 baseline Knowledge Articles

Baseline Knowledge Articles – Need Review
• Category Phishing - Playbook
• Submit attachment to malware sandbox and review the results
• Manual Response Task: Verify system logs to identify new Observables
• Automation Activity: Reset the user credentials and send an email to the user
• Notify affected users and/or their managers about the remediation plan for the devices
• Failed Login Playbook – Manual Runbook
• Handling security incidents with configuration items
• Notify user and update them on the conclusions of the investigation
• Automated Action: Create Block Requests for Malicious IPs and URLs
• Does the event require company wide notification?
• Acknowledge User Submission and ask user if they interacted with the email
• Are there endpoints that are offline?
• Does email have threat indicators?
• Automated Activity To Run Threat Lookup and Observable Enrichment
• Initiate a full system scan on the endpoint
• Prevent further recurrence of the threat
• Update AV signatures, AV Engines and the AV Policy on endpoints
• Post-incident review
• Handling high severity security incidents
• Create an IT ticket to rebuild the device
• Automated Activity To Perform Sighting Search
• Delete phishing mails using Automation
• Should a malware playbook be triggered?
• Containment procedure for business impacting security incidents
• Are there related incidents for the threat?
• Check the status of the endpoints affected by the attack
• Send email to other groups that need to be in the know (HR, Legal, Sponsors)
• Search for mails from the same sender and matching subject line
• Analysis procedure and handling of business impacting security incidents
• Handling a low severity security incident
• Isolate or lockdown infected Host
• Is User Account Compromised?
• Did the full system scan remediate infections associated with the attack?
Security Incident Templates
• Review the pre-created templates
• Configure the templates with:
– Priority
– Workflow
– Assignment group
– Add Incident Response templates
– Emails
– Knowledge

Workflows
• Review the pre-created workflows
• Configure the workflows with:
– Tasks
– Steps to address security incident
Relationship Graph
You can create a node relationship graph in Security Incident Response Workspace for a better understanding of an existing incident by correlating it with malicious observables, related configuration items and others.
• Export Relationship to PDF
• Configurable nodes to showcase relationships
• Toggle between Hierarchical and Graphical view

System Property
You can modify the System Property sn_si_aw.defaultCategories to configure the categories available for linking nodes (select the tables for which the categories should be shown).
Role required: sn_si.analyst

Sub-Nodes
To create sub-nodes under a parent node, follow these steps:
• Select 'Link Nodes' and choose from the available categories
• In the list view of related records, select the records to be added as sub-nodes

ServiceNow documentation: Create a Relationship Graph for incident
Playbooks
Playbook resources
Security Incident Response provides a rich set of Playbook resources that include a comprehensive library of Playbooks, Sub flows, and Actions. You can create or configure Playbooks quickly and easily without writing complicated code. You can use these Playbooks to resolve Security threats in a step-by-step manner.
Playbook resources include the following:

Security Incident Response Playbooks
The Playbooks provided with the base system are designed to accelerate the Security Incident investigation process by automating complex and mundane tasks.
Playbooks are highly configurable and are built using ServiceNow's Flow Designer technology. To configure, copy the Playbook provided with the base system and modify it using the simple drag-and-drop graphical interface.

Security Incident Response Playbook Actions
Complex actions that are critical for building Playbooks are available as Action Libraries. These Action Libraries enable Security Administrators to create Playbooks without writing any complicated code.
Integration Use cases and Playbook templates

Integration Types by Use Case
• Create Security Incident
• Publish to Watchlist
• Collaboration Actions (chat, file repository, conf)
• Threat Lookup/Enrich Observable
• Email Search and Delete
• MITRE ATT&CK Mapping
• Sandbox
• Response Actions (e.g. block IP/block URL/isolate host)
• Attack Simulation
• Sightings Search

Example Playbook Templates
• Automated Phishing
• Confidential Data Exposure
• Denial of Service
• Lost Equipment
• Malicious Software
• Malware for phishing response
• Reconnaissance
• Vulnerable Item State Approval
• Legal Request
• Malware Response
• Manual Phishing
• Phishing
• Policy Violation
• Web Defacement
• Ransomware Playbook
• Reset password for affected user
• Rogue Server or Service
• SecOps 'Have I been pwned?'
• Spam
• Unauthorized Access
Security Incident Playbook – SIR Workspace
Invoke the security incident playbook flow:
• Manually
• Automatically

A Playbook is visible only if at least one playbook is associated with a security incident.

The playbook component works only for the Workflow Studio Playbooks built processes and not for the flow designer-built flows.

Security Agents utilize playbooks with progressive guidance on where in the process they currently are, insight into the previous steps and precise info on the next steps.
Manually Invoking a Playbook
• Within the playbook, the analyst can filter the playbook cards by status
• The analyst can cancel a playbook by selecting it from the ellipsis icon
• Within each activity, the analyst will be able to perform the actions defined within the activity cards such as Skip, Mark as complete, Cancel, or Orchestration actions such as Submit to sandbox or Search Emails
• Each of these actions is defined within the activity definition, and the complete card visible is customizable at the time of building the activity definition itself.
Workflow Studio Playbooks
Process Definitions are made up of: Stage, Lane/Process, Phases, Activity.
For a Playbook to be invoked automatically, a process needs to be defined using Workflow Studio Playbooks.
Sample Playbooks
• You can create or configure playbooks for SIR Workspace quickly and easily without writing complicated code
• You can use these playbooks to resolve security threats in a step-by-step manner. You can invoke the security incident playbook flow automatically or manually
• Review and determine if any out of box playbooks will help you with automating your processes
Legal Request Playbook
• As an Incident Manager, you can use the Legal Request playbook to inform the legal team about the latest summary of an MSI so that they can notify the SEC for material breaches
• Provides step-by-step guidance
• Use the Workflow Studio Playbook templates to perform the steps in the Legal Request playbook and inform the Legal team accordingly
• Activate the Legal Request playbook on PAD and then perform all the tasks, such as analysis, contain, eradicate, and review.

The following are the lanes of the process definition:
• Analysis
• Contain
• Eradicate
• Review
Orchestration Workflow templates
Provided with Security Incident Response (SIR) Orchestration to allow you to perform basic Security
operation-related analysis procedures. Templates can be used as-is or you can customize them to create
Workflows to better suit your specific needs. Templates are deactivated by default.
• Security Incident - Confidential Data Exposure – Template
• Security Incident - Denial of Service – Template
• Security Incident - Lost Equipment – Template
• Security Incident - Malicious Software – Template
• Security Incident - Phishing – Template
• Security Incident - Policy Violation – Template
• Security Incident - Reconnaissance – Template
• Security Incident - Rogue Server or Service – Template
• Security Incident - Spam – Template
• Security Incident - Unauthorized Access – Template
• Security Incident – Web/BBS Defacement – Template
Closing Security Incidents
When a Security Incident has transitioned to the Review state, it is possible to close it and enter an appropriate closure code:
• Investigation Completed
• Threat Mitigated
• Patched Vulnerability
• Invalid Vulnerability
• Not Resolved
• False Positive
Post Incident Review
Post incident review appears when an incident is moved to a Review state.
The Post incident review consists of the following sections:
• Assessments
• Reports
From the Security Incident Response workspace, you will be able to request and take assessments.

Post incident review – Assessments
• Assessments can be configured to collect critical response information from various teams
• Assessment results are automatically added to the Post Incident Review
• Assessment responses are related to the Security Incident record
Configure Post Incident Review Assessments
The OOTB Post Incident Review configuration automatically assigns a Post Incident assessment to the Security Incident assignee for every Security Incident.
The final product of the Post Incident review is the Post Incident report. When closing the Security Incident, a PDF of the report is created and attached to the Security Incident.
1. Are there any situations where you do not want the Post Incident assessment automatically assigned?
2. Are there any modifications needed to the OOTB Post Incident review assessment questions?
Security Incident recommended notifications

Security Incident assigned to my group
Subject: Security Incident ${number} notification
Short Description: ${short_description}
Click here to view Incident: ${URI_REF} <hr/>
Severity: ${severity}
Category: ${category}
Comments: ${comments}

Security Incident assigned to me
Subject: Security Incident ${number} has been assigned to you
Short Description: ${short_description}
Click here to view Incident: ${URI_REF} <hr/>
Category: ${category}
Comments: ${comments}

Notification criterion
Enable creating conditional notifications – special handling notes that apply to a Security Incident that meets a set of conditions:
• Category
• State change or dwell time
• High-value assets
• Enrichment data available
• Asset group
• Time
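The two recommended templates and the conditional notification criteria above, as an added JavaScript example that is not part of the workshop deck or of ServiceNow's own notification engine: a small rule evaluator that checks each criterion (category, state dwell time, high-value asset, enrichment data available, asset group, time of day) against a constructed security incident record and renders the matching templates. The ${...} field names come from the slide; the rule set, its thresholds (4-hour dwell, 08:00 to 18:00 UTC business hours, a "PCI" asset group) and the extra record fields (assignment_group, assigned_to, state, state_changed_at, high_value_asset, enrichment_available, asset_group) are assumptions made for this example.

```javascript
// Added example, not part of the workshop deck or of ServiceNow's own
// notification engine. It renders the two recommended templates from the slide
// and evaluates the "notification criterion" conditions (category, state dwell
// time, high-value asset, enrichment data, asset group, time) against a
// constructed security incident record. The ${...} field names come from the
// slide; the rule set, thresholds and extra record fields are assumptions.

const TEMPLATES = {
  assignedToGroup: {
    subject: "Security Incident ${number} notification",
    body: [
      "Short Description: ${short_description}",
      "Click here to view Incident: ${URI_REF}",
      "Severity: ${severity}",
      "Category: ${category}",
      "Comments: ${comments}",
    ].join("\n"),
  },
  assignedToMe: {
    subject: "Security Incident ${number} has been assigned to you",
    body: [
      "Short Description: ${short_description}",
      "Click here to view Incident: ${URI_REF}",
      "Category: ${category}",
      "Comments: ${comments}",
    ].join("\n"),
  },
};

// Substitute ${field} placeholders from the record; missing fields render as "".
function render(text, record) {
  return text.replace(/\$\{(\w+)\}/g, (_, field) =>
    record[field] === undefined || record[field] === null ? "" : String(record[field]),
  );
}

// Hours the record has spent in its current state (dwell time) as of `now`.
function dwellHours(record, now) {
  return (now.getTime() - Date.parse(record.state_changed_at)) / 3600000;
}

// One rule per slide criterion; `when` receives the record and the current time.
// Thresholds (4h dwell, 08:00-18:00 UTC business hours, "PCI" asset group) are assumed.
const RULES = [
  { name: "assigned_to_group", when: (r) => Boolean(r.assignment_group), template: "assignedToGroup" },
  { name: "assigned_to_me", when: (r) => Boolean(r.assigned_to), template: "assignedToMe" },
  { name: "category_phishing", when: (r) => r.category === "Phishing" },
  { name: "dwell_time_exceeded", when: (r, now) => r.state !== "Closed" && dwellHours(r, now) > 4 },
  { name: "high_value_asset", when: (r) => r.high_value_asset === true },
  { name: "enrichment_available", when: (r) => r.enrichment_available === true },
  { name: "asset_group_pci", when: (r) => r.asset_group === "PCI" },
  { name: "out_of_hours", when: (_r, now) => now.getUTCHours() < 8 || now.getUTCHours() >= 18 },
];

// Returns every matching rule; rules that carry a template also return the rendered message.
function evaluateNotifications(record, now = new Date()) {
  const hits = [];
  for (const rule of RULES) {
    if (!rule.when(record, now)) continue;
    const hit = { rule: rule.name };
    if (rule.template) {
      hit.subject = render(TEMPLATES[rule.template].subject, record);
      hit.body = render(TEMPLATES[rule.template].body, record);
    }
    hits.push(hit);
  }
  return hits;
}

// Constructed sample record; the values and the URL are illustrative placeholders.
const SAMPLE_INCIDENT = {
  number: "SIR0010042",
  short_description: "Credential phishing email reported by user",
  URI_REF: "https://instance.example/incident/PLACEHOLDER",
  severity: "2 - High",
  category: "Phishing",
  comments: "Attachment submitted to sandbox",
  state: "Analysis",
  state_changed_at: "2025-04-01T02:00:00Z",
  assignment_group: "SOC Tier 1",
  assigned_to: "",
  high_value_asset: false,
  enrichment_available: true,
  asset_group: "Corporate",
};

if (typeof require !== "undefined" && require.main === module) {
  const at = new Date("2025-04-01T07:30:00Z");
  console.log(JSON.stringify(evaluateNotifications(SAMPLE_INCIDENT, at), null, 2));
}
```

Run against the sample record at 07:30 UTC the evaluator fires the group notification, the phishing category rule, the dwell-time rule (five and a half hours in Analysis), the enrichment rule and the out-of-hours rule; once an assignee is set, the "assigned to me" template is rendered as well. In a real instance the same decision would be expressed as notification conditions on the Security Incident table rather than in script, but the evaluation order and the "fire each rule at most once per evaluation" shape carry over.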
Discuss your current Security Incident processes
1. How should a Group/User be notified if a Security Incident is assigned to them?
2. Do you have any notification templates currently?
3. Are there any circumstances where the notification should be generated based on the scoring or the contents of another field on a Security Incident?
4. How should Stakeholders and Management be notified?
Service Level Agreements
SLA records define a set amount of time for a task to reach a certain condition. For Security Incidents, it is recommended that the following SLAs be established:

Initial Response SLA
• Period designated to acknowledge the incident
• Once a task record has been assigned to an individual, the SLA is met and goes inactive

Resolution Response SLA
• Period designated to resolve the incident
• If a user re-opens the task record, the SLA clock picks up where it was last stopped

SLA escalation workflow
The default Task SLA Workflow includes:
• Automated reminders to complete the task within the SLA timeframe
• Alerts to the assignee at 50%, 75%, and 100% of SLA
• Escalation to Assignee’s Manager at 100% of SLA (Breach)

Escalation steps: 25% (no action); 50% Notify Assignee; 75% Notify Assignee; 100% BREACH Notify Assignee & Manager
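The Initial Response and Resolution SLA behaviour and the default escalation workflow above, as an added JavaScript example that is not part of the workshop deck or of ServiceNow's SLA engine: a task SLA clock with start, pause, resume and stop transitions, where re-opening resumes the clock where it was last stopped, and which fires the 50%, 75% and 100% (breach) escalation steps from the slide at most once each. The class and method names, and the 4-hour duration in the demo timeline, are assumptions made for this example.

```javascript
// Added example, not part of the workshop deck or of ServiceNow's own SLA
// engine. It models the Task SLA behaviour described on the slides: a clock
// that starts on the start condition, pauses and resumes (picking up where it
// stopped when a record is re-opened), stops when the stop condition is met,
// and fires the default escalation steps: notify the assignee at 50% and 75%,
// and notify the assignee and their manager at 100% (breach). Class and
// method names are assumptions for this example.

const ESCALATIONS = [
  { pct: 50, action: "Notify Assignee" },
  { pct: 75, action: "Notify Assignee" },
  { pct: 100, action: "BREACH: Notify Assignee & Manager" },
];

class TaskSla {
  constructor(name, durationMs) {
    this.name = name;
    this.durationMs = durationMs;
    this.state = "pending"; // pending -> running <-> paused -> stopped
    this.accumulatedMs = 0; // time counted while running
    this.runningSince = null; // timestamp (ms) of the last start/resume
    this.fired = new Set(); // escalation percentages already sent
  }

  // Start condition met (for example, the Security Incident is created).
  start(at) {
    if (this.state !== "pending") throw new Error(`cannot start from ${this.state}`);
    this.state = "running";
    this.runningSince = at;
  }

  // Pause condition met (for example, the task is closed pending the user); elapsed time is kept.
  pause(at) {
    if (this.state !== "running") throw new Error(`cannot pause from ${this.state}`);
    this.accumulatedMs += at - this.runningSince;
    this.runningSince = null;
    this.state = "paused";
  }

  // Record re-opened: the clock picks up where it was last stopped.
  resume(at) {
    if (this.state !== "paused") throw new Error(`cannot resume from ${this.state}`);
    this.runningSince = at;
    this.state = "running";
  }

  // Stop condition met (assigned, for the response SLA; resolved, for the resolution SLA).
  stop(at) {
    if (this.state === "running") {
      this.accumulatedMs += at - this.runningSince;
      this.runningSince = null;
    }
    this.state = "stopped";
  }

  elapsedMs(now) {
    return this.accumulatedMs + (this.state === "running" ? now - this.runningSince : 0);
  }

  percentConsumed(now) {
    return (this.elapsedMs(now) / this.durationMs) * 100;
  }

  // The SLA is met when it was stopped before 100% of its duration was consumed.
  isMet(now) {
    return this.state === "stopped" && this.percentConsumed(now) < 100;
  }

  // Escalation actions that became due since the last check, each fired at most once.
  dueEscalations(now) {
    if (this.state !== "running") return [];
    const pct = this.percentConsumed(now);
    const due = [];
    for (const step of ESCALATIONS) {
      if (pct >= step.pct && !this.fired.has(step.pct)) {
        this.fired.add(step.pct);
        due.push(`${step.pct}% ${step.action}`);
      }
    }
    return due;
  }
}

// Constructed timeline (timestamps in ms from an arbitrary origin) for a 4-hour Initial Response SLA.
const HOUR = 3600000;
function demoTimeline() {
  const sla = new TaskSla("Initial Response", 4 * HOUR);
  const log = [];
  sla.start(0);
  log.push(...sla.dueEscalations(1 * HOUR)); // 25%: nothing due
  log.push(...sla.dueEscalations(2 * HOUR)); // 50%: notify assignee
  sla.pause(2 * HOUR); // record closed, awaiting the user
  log.push(...sla.dueEscalations(5 * HOUR)); // paused: the clock is not running
  sla.resume(5 * HOUR); // re-opened; 2h of the 4h remain
  log.push(...sla.dueEscalations(6 * HOUR)); // 75%: notify assignee
  log.push(...sla.dueEscalations(7 * HOUR)); // 100%: breach, notify assignee and manager
  sla.stop(7.5 * HOUR); // finally assigned, after the breach
  return { log, met: sla.isMet(7.5 * HOUR), elapsedHours: sla.elapsedMs(7.5 * HOUR) / HOUR };
}
```

The demo timeline shows the point the slide makes about re-opened records: three hours of wall-clock time pass while the SLA is paused, but only running time counts, so the 75% alert fires an hour after the resume and the breach an hour after that. Anything that pauses the clock (the pause condition on the SLA definition) therefore needs to be chosen deliberately, since it is the easiest way for a task to look on-time while it is actually stalled.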
Security Incident Response SLA
Define a Service Level Agreement (SLA) for Security Incident Response
• Review and modify (as needed) security incident SLAs and response task SLAs
• The Security Incident Response base system includes a series of useful Service Level Agreements (SLA).
• You can create others, as needed, or modify SLAs to ensure that SLA timing and duration information is accurate.

SLA Configuration Decisions
SLA: Start Condition / Pause Condition / Stop Condition
Reporting: definition
Inputs:
• Existing report samples
• Decision to purchase Performance Analytics
• Pre-configured CISO, Security Incident Manager
Outputs:
• Detailed requirements in stories to build out a Dashboard using “Reports”

Available Base Reports
• Review the pre-created Reports
• Update if needed and assign to
• Create Dashboards and add widgets
Provided Baseline Reports
• New Security Incidents (Running 7 days)
• New Security Incident This Week
• Security Incident Assignment Heatmap
• Security Incident Close Codes
• Security Incident Closures by Priority
• Security Incident Enrichment Audit Log By Date
• Security Incident Map
• Security Incidents
• Security Incidents Assigned to me
• Security Incident Assigned to me by State
• Security Incidents by Attack Category
• Security Incidents by CI Class, last 3 months
• Security Incidents by CI, last 3 months
• Security Incidents Closed (Running 7 days)
• Security Incidents Closed This Week
• Security Incidents Not Updated for More Than 30 Days by Assignment Group and State
• Security Incidents Open for More Than 30 Days by Assignment Group and State
• Security Incidents With Assignee That is not Active
• Security Incidents, Requests, Tasks assigned to me
• Services with Security Incidents By Criticality
• Team Critical Priority Security Incidents
• Team High Priority Security Incidents
• Trend of All Security Incidents
• Trend of Security Incidents by Priority
• Unassigned Security Incidents, Requests, Tasks
• Unauthorized Access Security Incidents
• Weekly Closed Security Incidents
• Weekly New Security Incidents
Available CISO Reports
Using the free out of box reports, users with the Security Incident CISO role may view the Security Incident CISO Reports. These CISO reports are provided in the base system. A dashboard may be created with these reports added. Contains real-time reporting.

Name (Visual): Description
Average Time to Contain (Single score): The average time it takes to contain all security incidents.
Average Time to Contain Critical (Single score): The average time it takes to contain all critical security incidents.
Average Time to Identity (Single score): The average time it takes to identify all security incidents.
Business Services with Security Incidents - Business Impact (Treemap): Business services with security incidents with available groupings by business criticality.
New Security Incidents (Running 7 Days) (Single score): The number of security incidents opened within the last 7 days.
New Security Incidents This Week (Single score): The number of new security incidents opened in the current week.
Security Incident Close Codes (Trend): Security incident close codes over time.
Security Incidents Closed (Running 7 Days) (Single score): The number of security incidents closed within the last 7 days.
Security Incidents Closed This Week (Single score): The number of security incidents closed in the current week.
Weekly Closed Security Incidents (Trend): The security incidents closed on a weekly basis.
Weekly New Security Incidents (Trend): The new security incidents opened on a weekly basis.
Performance Analytics for Security Incident
Response
• Performance Analytics for Security Incident Response contains pre-configured best practice
dashboards
• The dashboards present important metrics for analyzing your Security Incident Response
processes, such as new security incidents or the average age of open security incidents
• Additional Licensing Cost to use (Security Incident Response Performance Analytics
Content Pack)
• Needs data and scheduled jobs
CISO Dashboard
When the Performance Analytics Security Incident Response Content Pack Plugin is purchased and activated, these CISO reports are provided with the activated plugin. Contains trending over-time reports.

Name (Visual): Description
Average Time to Contain (Weekly) (Trend): The 7-day average time it takes to contain a security incident over time.
Average Time to Eradicate (Weekly) (Trend): The 7-day average time it takes to eradicate a security incident over time.
Average Time to Identity (Weekly) (Trend): The 7-day average time it takes to identify a security incident over time.
Count (Map): Number of security incidents per region.
Daily New Security Incidents vs Closed Security Incidents (Trend): New and Closed security incident counts over time by day.
Min/Max Count (Color Spectrum Bar): The minimum and maximum numbers of security incidents per region represented by a color spectrum bar.
New Security Incidents (Running 7 Days) (Single score): The number of security incidents opened within the last 7 days.
New Security Incidents This Week (Single score): The number of new security incidents received in the current week.
Percentage of Count (Map): Percentage of the total incident count per region.
Security Incident Business Impact (Treemap): Business services with security incidents with available groupings by business criticality.
Security Incident Close Code (Trend): Full count of closure codes over time.
Security Incident Location (Map): Regional location of the security incidents.
Security Incidents Closed (Running 7 Days) (Single score): The number of security incidents closed within the last 7 days.
Security Incidents Closed This Week (Single score): The number of security incidents closed in the current week.
Weekly New Security Incidents vs Closed Security Incidents (Trend): New and Closed security incidents over time by week.
CISO Dashboards
This dashboard reveals the overall security posture of your organization, including security vulnerabilities and incidents.

Security Operation Efficiency Dashboard
This dashboard uses advanced Platform Analytics visualizations to aid security managers in tracking the volume, performance and progress of security incidents from initial analysis/detection to containment, eradication, and recovery.

Security Incident Manager Dashboard
With this dashboard, security managers can easily track the volume, performance and progress of security incidents from initial analysis/detection to containment, eradication, and recovery.
Security Incident Explorer Dashboard
When the Performance Analytics Security Incident Response Content Pack Plugin is purchased and activated, the Security Incident Explorer reports are provided with the activated plugin.

End user and goal / Required role / Benefits
Security Response Manager: Needs clear visibility into the overall state and volume of security incidents associated with applications and services. Required role: sn_si.manager. Benefits: Can review the overall security posture with the ability to adjust the members of assignment groups.
Security Response Administrator: Needs to pinpoint areas of concern quickly and have full control over all Security Incident Response data while administering territories and skills, as needed. Required role: sn_si.admin. Benefits: Can adjust risk calculation parameters to ensure vulnerable items that are most pertinent to the organization are being addressed first.
Security Response Analysts: Need to quickly prioritize which vulnerabilities to focus on based upon criticality to the organization. Required role: sn_si.analyst. Benefits: Tier 1 and 2 security analysts work on security incidents. They can create and update security incidents, requests, and tasks, as well as problems, changes, and outages related to their incidents.
Measurement for benefit realization
To ensure the expected benefits of the ‘improved’ Security Incident Response processes are achieved:
• Ensure data to support metrics
• Document metric requirements (Stories)
Current Security Incident Response metrics
that you track?
• Mean time to (process stage)
• Average dwell time per process stage
• Average reassignments
• Detection to Assignment
• Detection to Resolution
• False Positive rate by detecting device
• Individual handler statistics:
– Assignment to close
– Average volume by week
– Volume by severity
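Several of the metrics listed above, computed as an added JavaScript example that is not part of the workshop deck or of ServiceNow's own reporting: dwell time per process stage, average reassignments, detection to assignment, detection to resolution, and the false positive rate by detecting device (using the "False Positive" closure code from the Closing Security Incidents slide). The records are constructed for the example; their layout (a stages array with entered_at timestamps, a detecting_device field, a reassignments counter) is an assumption and is not the Security Incident table schema.

```javascript
// Added example, not part of the workshop deck or of ServiceNow's own reporting.
// Computes several of the metrics listed on the slide over constructed security
// incident records: dwell time per process stage, average reassignments,
// detection-to-assignment and detection-to-resolution times, and the false
// positive rate per detecting device (using the "False Positive" closure code).
// The record layout (stages array, detecting_device field) is an assumption.

const HOUR_MS = 3600000;

// Constructed sample records; timestamps are ISO-8601 and purely illustrative.
// `stages` lists each process stage entered, in order; the last stage ends at resolved_at.
const INCIDENTS = [
  { number: "SIR0001", detecting_device: "EDR-A", reassignments: 1, close_code: "Threat Mitigated",
    detected_at: "2025-04-01T00:00:00Z", assigned_at: "2025-04-01T01:00:00Z", resolved_at: "2025-04-01T05:00:00Z",
    stages: [
      { name: "Analysis", entered_at: "2025-04-01T00:00:00Z" },
      { name: "Contain", entered_at: "2025-04-01T02:00:00Z" },
      { name: "Eradicate", entered_at: "2025-04-01T03:00:00Z" },
      { name: "Recover", entered_at: "2025-04-01T04:00:00Z" },
    ] },
  { number: "SIR0002", detecting_device: "EDR-A", reassignments: 0, close_code: "False Positive",
    detected_at: "2025-04-01T10:00:00Z", assigned_at: "2025-04-01T10:30:00Z", resolved_at: "2025-04-01T11:00:00Z",
    stages: [{ name: "Analysis", entered_at: "2025-04-01T10:00:00Z" }] },
  { number: "SIR0003", detecting_device: "Proxy-B", reassignments: 2, close_code: "Investigation Completed",
    detected_at: "2025-04-01T12:00:00Z", assigned_at: "2025-04-01T14:00:00Z", resolved_at: "2025-04-01T20:00:00Z",
    stages: [
      { name: "Analysis", entered_at: "2025-04-01T12:00:00Z" },
      { name: "Contain", entered_at: "2025-04-01T16:00:00Z" },
    ] },
  { number: "SIR0004", detecting_device: "Proxy-B", reassignments: 0, close_code: "Threat Mitigated",
    detected_at: "2025-04-02T00:00:00Z", assigned_at: "2025-04-02T00:15:00Z", resolved_at: "2025-04-02T00:45:00Z",
    stages: [{ name: "Analysis", entered_at: "2025-04-02T00:00:00Z" }] },
];

function hoursBetween(fromIso, toIso) {
  return (Date.parse(toIso) - Date.parse(fromIso)) / HOUR_MS;
}

function mean(values) {
  return values.length === 0 ? 0 : values.reduce((sum, v) => sum + v, 0) / values.length;
}

// Detection to Assignment: mean hours from detection until an assignee is set.
function detectionToAssignmentHours(incidents) {
  return mean(incidents.map((i) => hoursBetween(i.detected_at, i.assigned_at)));
}

// Detection to Resolution: mean hours from detection until the incident is resolved.
function detectionToResolutionHours(incidents) {
  return mean(incidents.map((i) => hoursBetween(i.detected_at, i.resolved_at)));
}

function averageReassignments(incidents) {
  return mean(incidents.map((i) => i.reassignments));
}

// Average dwell time per process stage: time from entering a stage until the
// next stage is entered (or until resolution for the final stage).
function dwellHoursByStage(incidents) {
  const samples = {};
  for (const inc of incidents) {
    inc.stages.forEach((stage, idx) => {
      const next = inc.stages[idx + 1];
      const leftAt = next ? next.entered_at : inc.resolved_at;
      if (!samples[stage.name]) samples[stage.name] = [];
      samples[stage.name].push(hoursBetween(stage.entered_at, leftAt));
    });
  }
  const result = {};
  for (const [name, hours] of Object.entries(samples)) result[name] = mean(hours);
  return result;
}

// False positive rate by detecting device: share of that device's incidents
// closed with the "False Positive" closure code.
function falsePositiveRateByDevice(incidents) {
  const counts = {};
  for (const inc of incidents) {
    if (!counts[inc.detecting_device]) counts[inc.detecting_device] = { total: 0, fp: 0 };
    counts[inc.detecting_device].total += 1;
    if (inc.close_code === "False Positive") counts[inc.detecting_device].fp += 1;
  }
  const result = {};
  for (const [device, c] of Object.entries(counts)) result[device] = c.fp / c.total;
  return result;
}

function metricsReport(incidents) {
  return {
    detectionToAssignmentHours: detectionToAssignmentHours(incidents),
    detectionToResolutionHours: detectionToResolutionHours(incidents),
    averageReassignments: averageReassignments(incidents),
    dwellHoursByStage: dwellHoursByStage(incidents),
    falsePositiveRateByDevice: falsePositiveRateByDevice(incidents),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(metricsReport(INCIDENTS), null, 2));
}
```

The per-device false positive rate is the one metric here that depends on analysts closing incidents with the right closure code, which is why the closure code list and the post incident review matter for reporting and not only for record keeping: a sensor that is never tagged "False Positive" will look better than it is.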
Security Incident Response process metrics
• Provide visibility to changes that require oversight and/or management intervention to ensure efficiency and effectiveness of the process
• Are best represented as trend lines and tracked over time

Metric: Purpose
Security Incident Response Health
Resources
Now Create
• Optimize and Orchestrate Enterprise Security Operations
• Security Incident Response Workspace Demo
• How-To Transform Emails into Security Incidents
• How to Automate – Security Incident Response
• Resolve Security Incidents Faster with ServiceNow and CrowdStrike
Release Notes
Store releases
• Make conference calls including team members, customers, and other stakeholders to resolve customer issues. (See our Major Security Incident Management Workshop Presentation)
• Capture MTTR (Mean time to repair) information through usage and definition metrics for security incidents
• Monitor scan requests and report security incidents as a risk event to the Risk Management team from the Security Incident Response Workspace
• Create a customer service case for the security incident directly from the Security Incident Response Workspace, which will be tracked by the Customer Service Management (CSM) team
• VirusTotal integration is provided with an option to send URLs as hashes for threat lookup, to protect the users' privacy on the integration.

Leading Practice:
Check the ServiceNow store often. You do not have to wait for improvements of ServiceNow products through the family releases; more and more will be released through the store.
Questions?

SIR Standard+
Security Incident Response Health Dashboard
Improved reliability and visibility into the health of the product:
1. Obtain detailed information on alert sensors and their operational performance
2. Gain visibility into customization
3. Identify and highlight any issues or errors within the environment

Next Steps
1. Transition into what’s next – homework, action items, next steps
2. Create Stories to capture requirements
3. Review stories

Thank you
