
SIR - Implementation Guide

Uploaded by

Puneeth Kumar

Security Incident Response

Implementation Guide

Asset number: 0004131

Updated: April 2025


Table of Contents
Overview
ServiceNow Security Operations
Security Incident Response
Process Flow – Security Incident Response
Document scope
Prerequisites
Minimum Prerequisites
Summary of implementation steps
Implementation steps
Step 1 - Installing the Security Incident Response application from the ServiceNow store
Step 2 – Configure Security Incident Response using the Setup Assistant
System administration
Step 3 – Assign Security Incident Response Administrator Role
Security Incident Response administration
Step 4 – Add or Review Roles
Step 5 – Configure Groups and Users
Step 6 – Set Up Incident Escalations
Step 7 – Set up Security Incident Calculator Groups
Step 8 – Set up Security Incident Risk Score Calculators
Step 9 – Set Up Service Level Agreements
Step 10 – Set Up Security Incident Process Definitions
Step 11 – Set Up Security Incident Process Definitions Selection
Step 12 – Set Up Post Incident Review Process
Step 13 – Configure Security Incident Response Operations
Security Incident email settings
Step 14 – Set Email Parsing Inbox
Step 15 – Set Up Email Parsers for Alert Ingestion
Step 16 – Set Up Email Matching Rules for User-Reported Phishing
Step 17 – Set Up Email Inbound Actions
Setup Security Incident Response process-based playbooks
Step 1 – Set Up Playbook
Step 2 – Add stages
Step 3 – Add Activities
Step 4 – Test Playbook
Verify that your playbook works as expected by running the playbook with test trigger data. Identify and resolve all errors before activating your playbook
Step 5 – Activate Playbook
Post verification publish your playbook to allow Security Incidents that match the trigger criteria to leverage the newly created playbooks
Security Incident runbook settings
Step 18 – Review and Set Up Runbook Documents
Step 19 – Set Up Security Incident Workflows
Reference Information
Additional Documentation

© 2025 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, Now Platform, and other ServiceNow marks are trademarks and/or
registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company and product names may be trademarks of the
respective companies with which they are associated.

Overview
ServiceNow Security Operations
ServiceNow Security Operations is a security orchestration, automation, and response
engine built on the Now Platform. For the purpose of this document, Security Operations
describes how the ServiceNow Security Incident Response, Vulnerability Response,
Configuration Compliance, and Threat Intelligence applications work together to help you
anticipate, understand, and close your vulnerabilities and move quickly to respond to critical
incidents. These Security Operations applications help organizations connect security and IT
teams, respond faster and more efficiently to threats, and get a definitive view of their
security posture. Security Operations connects the workflow and systems management
capabilities of the Now Platform with security data from leading vendors to give your teams
a single platform for response that can be shared between security and IT. With
orchestration, automation, and better visibility, teams can respond more efficiently,
reducing business risk.

Security Incident Response


Security Incident Response (SIR) is one of the applications in the ServiceNow Security
Operations suite. It lets you manage the life cycle of your security incidents from
initial analysis to containment, eradication, and recovery. With analytic-driven dashboards
and reporting, SIR enables you to get a comprehensive understanding of the incident response
procedures performed by your analysts and to understand trends and potential deficiencies in
those procedures. Through integrations with third-party cyber security solutions and
partner-developed integrations from the ServiceNow Store, it provides security incident
enrichment, automation and orchestration for greater efficiency and accuracy in responding
to incidents.

Process Flow – Security Incident Response

(Figure 1)
Document scope
This Implementation Guide provides instructions for performing the basic setup of the
Security Incident Response application. Its objective is to provide the minimum required
steps for a successful out of the box implementation as outlined in the Security Incident
Response – Setup Assistant. Completing the step-by-step instructions defined in this
document provides the essential setup requirements for a functional Security Incident
Response environment. Additional integrations, capability configurations and product
enhancements are not covered in this document.

Prerequisites
Before beginning a new implementation of Security Incident Response, a few prerequisites
must be addressed. Listed below are the minimum prerequisites that need to be performed to
provide the functionality for a basic setup.
Minimum Prerequisites
1. Download and activation of Security Incident Response from the ServiceNow store
2. Email sending enabled by System Administrator (System Properties > Email Properties)
3. Email receiving enabled by System Administrator (System Properties > Email Properties)

Summary of implementation steps
Provided below are the general steps for implementing Security Incident Response:
1. Install the Security Incident Response application
2. Start Security Incident Response Setup Assistant
3. Assign the Security Incident Response Administrator role to a user or group
4. Configure and review the basic roles for Security Incident Response
5. Configure users and groups and assign Security Incident Response roles (analyst, basic,
ciso)
6. Create escalation paths to handle escalation of security incidents from group to group
7. Set up Security Incident Calculator Groups
8. Set up Security Incident Risk Score Calculators
9. Configure and review Service Level Agreements
10. Select a Security Incident Process Definition
11. Set up the Post Incident Review Process
12. Configure Business Processes for Security Incident Response Operations
13. Configure Assignment of Security Incidents
14. Configure Add-ons for documentation
15. Set up Security Incident Response Email Parsing Inboxes
16. Set up Email Parsers for Alert Ingestion
17. Set up Email Matching Rules for User-Reported Phishing
18. Set up Email Inbound Actions
19. Review and set up Runbook Documents
20. Set up Security Incident Workflows and Workflow Triggers

Implementation steps

Step 1 - Installing the Security Incident Response application from the ServiceNow store
A. Obtain an entitlement for Security Incident Response. This is a “license” and is
only necessary for production instances. Instructions for this are located in
ServiceNow documentation: Get entitlement for a Security Operations product or
application – Yokohama
B. Activate Security Incident Response. This is a two-step process, activating a
dependencies plugin and activating the Security Incident Response application. The
procedures for both of these are described in ServiceNow documentation: Activate a
ServiceNow Store application – Yokohama

Step 2 – Configure Security Incident Response using the Setup Assistant


1. Navigate to Security Incident > Setup > Analyst Workspace Setup (Next Experience
Workspace) > Setup Assistant
**NOTE – accessing the Security Incident Response navigation modules may require logging
out and back in.
(Figure 1)

2. Use the table in Figure 2.2 to familiarize yourself with the different portions of the Setup
Assistant from Figures 2 & 2.1

(Figure 2)

(Figure 2.1)

Item   Description
A      Overall percentage of the SIR setup that has been completed
B      Role required to modify or edit the section
C      Title of the section
D      Setup tasks within a section
E      Total number of tasks in the section and how many have been completed
F      Back button to navigate out of a task back to the main Setup Assistant page
G      Description of the actions needed to be taken to complete the task
H      Button used to close out the current task. *It remains grayed out until the specified action has been completed
(Figure 2.2)

**NOTE – Security Incident Response Setup Assistant consists of five distinct sections. Only
the first four sections are covered in this implementation guide.

System administration
**NOTE – Role Required: System Administrator

Step 3 – Assign Security Incident Response Administrator Role


1. Open the “Security Incident Response Users and Groups” task

(Figure 3)

2. Choose how to assign the Security Incident Response Administrator role by
selecting “Assign roles to a user” radio button OR “Assign roles to a group” radio
button
**NOTE - (Depending on your selection the dropdown changes between User and Group)

(Figure 4)

3. Open the “Select a User” dropdown to display a list or use the search bar to search for
the User or Group to whom you want to assign the role and then select them
**NOTE - (You can add as many Users and Groups as needed by repeating this step)

(Figure 5)

4. Once you’ve selected a User or Group they are populated in the list at the bottom and a
notification banner will pop up. You can select the “Mark as Complete” button that is
now active to finish the task and then navigate back to the main Setup Assistant page.

(Figure 6)

5. In the Setup Assistant page, you’ll notice that the Overall Percentage Complete and
Tasks in the Section have been incremented, and the Task has been checked to show
completion.

(Figure 7)

**NOTE: (We will be skipping the “Integration Plugin Installation” task for this guide)

Security Incident Response administration


Step 4 – Add or Review Roles
1. Select the “Add or Review Roles” task.

(Figure 8)

2. Review the 15 out of the box Security Incident Response roles. You can edit current roles
or create new ones as needed, then select “Mark as Complete” when finished.

(Figure 9)

Step 5 – Configure Groups and Users


1. Open the “Configure Groups and Users” task.

(Figure 10)

2. Review the current Security Incident Response groups and select “New” to create a new
group.

(Figure 11)

3. On the “New Group” form, fill out any necessary fields. At a minimum fill out the
“Name”, “Type” (as security incident) and “Description” fields. Select “Submit” when
finished.

(Figure 12)

4. Now in the main page select your new group from the list.

(Figure 13)

5. In the “Roles” related list, select “Edit”.

(Figure 14)

6. In the search field enter “sn_si.admin” to find the Security Incident Administrator role.
Use the arrows or double-click the role to move it to the “Roles List” on the right side,
adding the role to your new group. Once finished select “Save”.

(Figure 15)

7. Navigate back to your group from the main page, and this time scroll down until you see
the “Group Members” related list and select “Edit”.

(Figure 16)

8. Use the arrows or double-click the user(s) to move them to the “Group Members List”
on the right side, adding them to your new group. Once finished select “Save”.

(Figure 17)

9. Repeat Step 5 as necessary to create groups and assign users and roles. Select “Mark
as Complete” to finish the task.

(Figure 18)

Step 6 – Set Up Incident Escalations


Escalations allow you to define the path a Security Incident will take when being escalated
from one analyst to another in the event more expertise is required.

1. Open the “Set Up Incident Escalations” task.

(Figure 19)

2. Select “New” to create a new Escalation.

(Figure 20)

3. Enter the name for the “Initial group” or use the spyglass to see a pop-up list of
available groups, then select the group.

(Figure 21)

4. Perform the same steps done for “Initial group” for the “Escalation group”. Once
you’ve finished select “Submit”.

(Figure 22)

5. Check that your new “Escalation” is correct and select “Mark as Complete” to finish
the task.

(Figure 23)

Step 7 – Set up Security Incident Calculator Groups


Security Incident Calculator Groups collect calculators that are alike based on the
criteria used in the calculators. Calculators define criteria that, when met, modify or
update fields on the Security Incident form (for example, Severity or Priority). Three
groups come out of the box.

6. Open the “Set up Security Incident Calculator Groups” task.

(Figure 24)

7. Review the out of the box calculator groups. If new groups are desired, select “New”.

(Figure 25)

8. Fill in required fields “Name”, “Table” and “Target Field”. A “Description” is
recommended. Select “Submit” when finished.

(Figure 26)

9. Now select your new “Security Incident Calculator Group” to configure calculators.

(Figure 27)

10. In the “Security Incident Calculators” related list, select “New”.

(Figure 28)

11. Enter a “Name” for the calculator, ensure “Active” is checked and set the “Order”.
(The first calculator that matches will be the one that is run.)

(Figure 29)

12. Use the condition builder under “When this condition is met” to set the conditions
that must be met for the calculator to run.

(Figure 30)

13. Now under “Set these values” choose the fields to modify and the values to set them
to when the conditions in the calculator are met. When you’re finished select “Submit”.

(Figure 31)

14. Review your “Security Incident Calculator Group” and “Security Incident
Calculator” conditions then select “Mark as Complete”.

(Figure 32)
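
The evaluation rule from Step 7 (the first matching calculator is the one that runs), modeled as an added example that is not part of the original guide and is not ServiceNow code. It assumes lower “Order” values are evaluated first; the calculator names, fields and sample incidents are constructed.

```javascript
// Added illustration: a stand-alone model of how a calculator group picks one
// calculator per record. It is not ServiceNow code and calls no platform API.
// Assumption: active calculators are evaluated in ascending "Order".

// Constructed sample group; names, fields and values are hypothetical.
const severityGroup = {
  name: "Sample severity group",
  targetField: "severity",
  calculators: [
    { name: "Any phishing report", order: 100, active: true,
      condition: (inc) => inc.category === "phishing",
      setValues: { severity: "3 - Low" } },
    { name: "Phishing with credentials entered", order: 200, active: true,
      condition: (inc) => inc.category === "phishing" && inc.credentialsEntered === true,
      setValues: { severity: "1 - High" } },
    { name: "Malware on critical CI", order: 300, active: true,
      condition: (inc) => inc.category === "malware" && inc.ciCritical === true,
      setValues: { severity: "1 - High" } },
    { name: "Retired catch-all", order: 50, active: false,
      condition: () => true,
      setValues: { severity: "2 - Medium" } },
  ],
};

// Constructed sample incidents used to exercise the group.
const sampleIncidents = [
  { number: "SAMPLE-1", category: "phishing", credentialsEntered: true },
  { number: "SAMPLE-2", category: "phishing", credentialsEntered: false },
  { number: "SAMPLE-3", category: "malware", ciCritical: true },
  { number: "SAMPLE-4", category: "denial_of_service" },
];

// Inactive calculators are skipped; the rest are sorted by Order.
function orderedActive(group) {
  return group.calculators
    .filter((c) => c.active)
    .sort((a, b) => a.order - b.order);
}

// Apply the group to one incident. Only the first match sets values; every
// later match is reported as "shadowed" so a reviewer can see what was skipped.
function applyGroup(group, incident) {
  const matches = orderedActive(group).filter((c) => c.condition(incident));
  if (matches.length === 0) {
    return { incident: { ...incident }, winner: null, shadowed: [] };
  }
  const [winner, ...rest] = matches;
  return {
    incident: { ...incident, ...winner.setValues },
    winner: winner.name,
    shadowed: rest.map((c) => c.name),
  };
}

// Review aid: calculators that matched at least one sample but never won.
// Such a calculator is usually ordered behind a broader one.
function findNeverWinning(group, samples) {
  const won = new Set();
  const matchedButLost = new Set();
  for (const sample of samples) {
    const result = applyGroup(group, sample);
    if (result.winner) won.add(result.winner);
    result.shadowed.forEach((name) => matchedButLost.add(name));
  }
  return [...matchedButLost].filter((name) => !won.has(name));
}

// Return a copy of the group with one calculator moved to a new Order.
function withOrder(group, calculatorName, newOrder) {
  return {
    ...group,
    calculators: group.calculators.map((c) =>
      c.name === calculatorName ? { ...c, order: newOrder } : c),
  };
}

// Corrected ordering: the specific rule is evaluated before the broad one.
const fixedGroup = withOrder(severityGroup, "Phishing with credentials entered", 90);

for (const inc of sampleIncidents) {
  const before = applyGroup(severityGroup, inc);
  const after = applyGroup(fixedGroup, inc);
  console.log(inc.number, "before:", before.incident.severity,
    "after:", after.incident.severity);
}
console.log("Never wins (original order):", findNeverWinning(severityGroup, sampleIncidents));
```

Running sample records through each group before selecting “Mark as Complete” shows whether a specific calculator is hidden behind a broader one with a lower Order.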

Step 8 – Set up Security Incident Risk Score Calculators


Risk score calculators allow you to define a weight (0-100) for values in specific fields that
help to calculate the overall Risk Score for a Security Incident. The six fields that are
weighted are Security Incident Business Impact, Security Incident Priority, Security Incident
Severity, Configuration Item Business Impact, Vulnerable Item Business Impact and User
Business Impact. The values and weights for these fields are configured out of the box.
1. Open the “Set up Security Incident Risk Score Calculators” task.

(Figure 33)

2. Review the “Risk Score Weights” available out of the box. To modify an entry simply
select the one you’d like to edit.

(Figure 34)

3. From here you can modify the “Type” of Risk Score, the “Value” of that score and the
“Weight” to give that value. Once you’ve made any modifications select “Update”.

(Figure 35)

4. When you’ve finished making any modifications select “Mark as Complete”.

(Figure 36)

Step 9 – Set Up Service Level Agreements


Service Level Agreements (SLAs) are used to track and measure specified amounts of time
until set conditions have been met. They can provide valuable metrics that can be used in
reports to identify deficiencies. Two Service Level Agreements are provided out of the box.

1. Open the “Set Up Service Level Agreements” task.

(Figure 37)

2. Review the two out of the box SLAs. You can modify an existing SLA by selecting it or
create a new one by selecting “New”.

(Figure 38)

3. Fill in appropriate fields for the SLA such as “Name”, “Duration”, “Schedule” and
“Active”.

(Figure 39)
**NOTE: Workflows run along with SLAs to track their progress. Duration is the amount of
time the SLA will track. Schedule source is the schedule the SLA will measure against.

4. In the “Start condition” tab set the “Start condition” for the SLA and “When to
cancel”.

(Figure 40)

(Figure 41)

5. In the “Pause condition” tab you can set conditions for the SLA to pause and resume.

(Figure 42)

6. In the “Stop condition” tab you will set conditions for when the SLA should stop.

(Figure 43)

7. In the “Reset condition” tab you can set conditions for when a new SLA should start.

(Figure 44)

8. Once you’re finished select “Submit” to save the SLA and then “Mark as Complete”.

(Figure 45)

Step 10 – Set Up Security Incident Process Definitions


Process Definitions define the process for handling the Security Incident lifecycle. Three
process definitions are provided out of the box (NIST Stateful, NIST Open and SANS Open).
It is highly recommended to use one of these three process standards.

1. Open the “Set Up Security Incident Process Definitions” task.

(Figure 46)

2. Review the Process Definitions and select “Mark as Complete” when finished.

(Figure 47)

Step 11 – Set Up Security Incident Process Definitions Selection


In this step you will select one of the three out of the box process definitions to use.
**NOTE: Again, you can create your own Process Definition, but it is highly recommended to
use one of these three industry standards.

1. Open the “Set Up Security Incident Process Definitions Selection” task.

(Figure 48)

2. Use the spyglass to search for available process definitions. Select the definition you
want to use and then select “Update” to set it as your process. Once you’ve updated
select “Mark as Complete”.

(Figure 49)

Step 12 – Set Up Post Incident Review Process


Post Incident Reviews provide you with a method to collect and review information around
the origins and handling of a Security Incident. It will also provide a post incident report
including an audit trail and drafts of any knowledge base articles created from an incident.
The Post Incident Review Process allows you to dynamically assign and present post incident
questionnaires to a specific individual when certain conditions you have defined are met.

1. Open the “Set Up Post Incident Review Processes” task.

(Figure 50)

2. Create a new “Post Incident Review Assignment Rule” by selecting “New”.

(Figure 51)

3. Fill in the “Name” field and ensure “Active” is selected. You can also set the “Order”
here.

(Figure 52)

4. Using the conditions builder set the “Condition(s)” that must be met to trigger this rule.

(Figure 53)

5. Select the “Padlock” to unlock “Assign to users”.

(Figure 54)

6. Search for users by “Lookup using list”, “Add Email address” or “Add me”. Select
“Submit” when finished.

(Figure 55)

7. Review your new “Post Incident Review Assignment Rule” and then select “Mark as
Complete” when finished.

(Figure 56)

Step 13 – Configure Security Incident Response Operations


The “Configure Security Incident Response Operations” task allows you to configure
how Security Incident Response handles day to day operations through a series of different
settings. The task contains three separate tabs, “Business Process”, “Assignment” and “Add-
ons” that each consist of different settings.

1. Open the “Configure Security Incident Response Operations” task.

(Figure 57)

2. The “Business Process” tab is broken down into three different sections, “Lifecycle”,
“Catalog and Request Creation” and “Notifications”.

(Figure 58)

(Figure 59)

3. Use the toggle switches and dropdowns to modify the settings in the “Lifecycle” and
“Catalog and Request Creation” sections. Modify the settings in the “Notifications”
section using the dropdowns and “Add recipient” related links.

(Figure 60)

(Figure 61)

4. The “Assignment” tab is broken down into four different sections, “Assignment
Methods”, “Group Coverage”, “Scheduling” and “Additional Factors”.

(Figure 61)

(Figure 62)

5. Use the dropdowns to modify the settings in the “Assignment Methods” section. Use the
toggle switches to modify the settings in the “Group Coverage” and “Scheduling” sections,
and the dropdown and toggle switches to modify the settings in the “Additional Factors” section.

(Figure 63)

(Figure 64)

6. The “Add-ons” tab consists of only one section. Use the toggle switches to modify the
settings in the “Documentation” section. Review the changes you’ve made in each tab
and select “Save” to finalize them. Select “Mark as Complete” once you’re finished.

(Figure 65)

Security Incident email settings


Step 14 – Set Email Parsing Inbox
You can specify email addresses to differentiate tools from the various Security Operations
modules (Security Incident, Vulnerability Response and Threat Intelligence). Setting specific
email addresses for your tools allows you to tell them apart when ingesting and parsing
inbound alerts and messages.
1. Open the “Set Email Parsing Inbox” task.

(Figure 66)

2. Enter the email addresses to use for each of the four inboxes (Security Operations tools,
Security Incident tools, Vulnerability Response tools and Threat Intelligence tools). Select
“Save” to confirm and then “Mark as Complete” to finish the task.

(Figure 67)

(Figure 68)

Step 15 – Set Up Email Parsers for Alert Ingestion


Email parsers provide an easy way to ingest email alerts from external tools such as SIEMs,
firewalls and threat intelligence platforms. These ingested email alerts can then be used to
create Security Incidents or Alerts and parsed to populate different fields on the forms.
There are three email parsers that are provided out of the box that can be used as
templates.

1. Open the “Set Up Email Parsers for Alert Ingestion” task.

(Figure 69)

2. Create a new email parser by selecting “New”.

(Figure 70)

3. At a minimum set the “Name” and “Destination table”. “Description” is also
recommended.

(Figure 71)

4. Set the following fields:


i. “Email is from” → sender’s email address

(Figure 72)

ii. “Email is to” → recipient’s email address

(Figure 73)

iii. “Email subject contains” → the subject of the email

(Figure 74)

iv. “Record Separator” → the character separating multiple records in an email

(Figure 75)

v. “Order” → the first parser to match based on order will be used

(Figure 76)

vi. Use the spyglass to search for a “Duplication rule”. If none have been created, you
can generate new rules by selecting “New” in the Duplication Rules search list.

(Figure 77)

5. Once you’ve finished editing all the fields select “Submit” to save the parser.

(Figure 78)

6. Select your newly created parser to now create “Field Transforms”. The field
transforms will allow you to parse the email for data and store it in a specific field.

(Figure 79)

7. Within the email parser select “New” in the “Field Transforms” related list.

(Figure 80)

8. Using the “Store value in a field or a related list” dropdown select where you want
the parsed value to be stored.

(Figure 81)

9. Enter the “Field” that you want to store the value in or use the spyglass to search for a
field.

(Figure 82)

10. Using the “Search for value” dropdown select where to find the value to be parsed.

(Figure 83)

11. In “Value prefix” enter any label or text that might precede the value to parse. (This is
helpful if you have labels or name-value pairs.)

(Figure 84)

12. Using the “End of value” dropdown select what will indicate the end of the value to
parse.

(Figure 85)

13. Using the “Value type” dropdown select how you want to insert the parsed value in the
field.

(Figure 86)

14. Modify the “Order” if needed and review the “Email transform” and “Destination
table” fields to ensure they match your email parser and that “Active” is selected.
Using the “Value transform” you can specify how to transform the value and
standardize it prior to inserting it.

(Figure 87)

15. Review the information in your Field Transform and when finished select “Submit” to
save. Repeat the previous steps for additional Field Transforms. Select “Mark as
Complete” to finish.

(Figure 88)
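
To show how “Order”, “Record Separator”, “Value prefix” and “End of value” interact, the following JavaScript is an added illustration that models the settings from this step on a constructed alert email; it is not ServiceNow code and not part of the original guide. The property names, the destination fields and the rule that the lowest “Order” is tried first are assumptions made for the example.

```javascript
// Added illustration: a small model of the Step 15 parser settings.
// Not ServiceNow code. Property names, destination fields and the
// "lowest Order is tried first" rule are assumptions for this example.

// Constructed sample alert: two records separated by a line of dashes.
const sampleEmail = {
  from: 'siem-alerts@example.com',
  to: 'secops-incidents@example.com',
  subject: 'SIEM Alert: suspicious logins',
  body: [
    'Rule: Brute force login',
    'Source IP: 203.0.113.7',
    'Severity: High',
    '----',
    'Rule: Impossible travel',
    'Source IP: 198.51.100.23',
    'Severity: Medium',
  ].join('\n'),
};

// Hypothetical parsers mirroring the form fields set in step 4.
// An empty string means the criterion is not set.
const parsers = [
  {
    name: 'Catch-all for the incident inbox', order: 200, active: true,
    emailIsFrom: '', emailIsTo: 'secops-incidents@example.com',
    subjectContains: '', recordSeparator: '',
    transforms: [
      { order: 100, field: 'description', searchIn: 'body', valuePrefix: 'Details:', endOfValue: 'newline' },
    ],
  },
  {
    name: 'SIEM alerts', order: 100, active: true,
    emailIsFrom: 'siem-alerts@example.com', emailIsTo: 'secops-incidents@example.com',
    subjectContains: 'SIEM Alert', recordSeparator: '----',
    transforms: [
      { order: 100, field: 'short_description', searchIn: 'body', valuePrefix: 'Rule:', endOfValue: 'newline' },
      { order: 200, field: 'source_ip', searchIn: 'body', valuePrefix: 'Source IP:', endOfValue: 'newline' },
      { order: 300, field: 'severity_label', searchIn: 'body', valuePrefix: 'Severity:', endOfValue: 'newline' },
    ],
  },
];

function sameAddress(a, b) {
  return a.trim().toLowerCase() === b.trim().toLowerCase();
}

// A parser matches only if every criterion that is set agrees with the email.
function parserMatches(parser, email) {
  if (!parser.active) return false;
  if (parser.emailIsFrom && !sameAddress(parser.emailIsFrom, email.from)) return false;
  if (parser.emailIsTo && !sameAddress(parser.emailIsTo, email.to)) return false;
  if (parser.subjectContains && !email.subject.includes(parser.subjectContains)) return false;
  return true;
}

// "The first parser to match based on order will be used."
function selectParser(parserList, email) {
  const ordered = [...parserList].sort((a, b) => a.order - b.order);
  return ordered.find((p) => parserMatches(p, email)) || null;
}

// Take the text after "Value prefix" up to the "End of value" marker.
function extractValue(text, transform) {
  const start = text.indexOf(transform.valuePrefix);
  if (start === -1) return null; // label absent: leave the field unset
  const rest = text.slice(start + transform.valuePrefix.length);
  const end = transform.endOfValue === 'newline'
    ? rest.search(/\r?\n/)
    : rest.indexOf(transform.endOfValue);
  return (end === -1 ? rest : rest.slice(0, end)).trim();
}

// Split the body on the record separator, then run every field transform
// against each record so one email can yield several records.
function parseEmail(parserList, email) {
  const parser = selectParser(parserList, email);
  if (!parser) return { parser: null, records: [] };
  const chunks = parser.recordSeparator
    ? email.body.split(parser.recordSeparator)
    : [email.body];
  const transforms = [...parser.transforms].sort((a, b) => a.order - b.order);
  const records = chunks
    .map((chunk) => chunk.trim())
    .filter((chunk) => chunk.length > 0)
    .map((chunk) => {
      const record = {};
      for (const t of transforms) {
        const source = t.searchIn === 'subject' ? email.subject : chunk;
        const value = extractValue(source, t);
        if (value !== null) record[t.field] = value;
      }
      return record;
    });
  return { parser: parser.name, records };
}

console.log(JSON.stringify(parseEmail(parsers, sampleEmail), null, 2));
```

Running a sample alert through a model like this before building the Field Transforms shows whether a broad catch-all parser would shadow a specific one, and whether a chosen prefix or end-of-value marker truncates or over-captures a value.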

Step 16 – Set Up Email Matching Rules for User-Reported Phishing


Email matching rules provide a method for handling user-reported phishing emails that have
been sent to the security team. If an email matches a rule you’ve defined it will trigger one
of two Inbound Email Actions (Forwarded emails and New emails), parsing the email and
automatically creating a new Security Incident.

1. Open the “Set Up Email Matching Rules for User-Reported Phishing” task.

(Figure 89)

2. Select “New” to create a new Email Matching Rule.

(Figure 90)

3. Enter a “Name” for your new matching rule, then using the condition builder set the
“Conditions” the email must match to trigger this rule. Select “Submit” when you’re
finished.

(Figure 91)

4. Review your new matching rule and select “Mark as Complete” when finished.

(Figure 92)

Step 17 – Set Up Email Inbound Actions


Email Inbound Actions allow you to further define actions the system will take when
receiving an email. These actions include parsing data from the email, inserting it into a field
or statically assigning a value to a field. You can also create or update records such as
Security Incidents.
**NOTE: A System Administrator is required to create or modify Inbound Actions. The
Security Incident Response Email Parsers have been created to supersede the need to use
Inbound Actions for Security Operations.

1. Open the “Set Up Email Inbound Actions” task.

(Figure 93)

2. Review the two User Reported Phishing “Email Inbound Actions” and select “Mark as
Complete” when finished.

(Figure 94)

Setup Security Incident Response process-based playbooks

The playbooks provided with the base system are designed to accelerate the security
incident investigation process by automating complex and mundane tasks. You can invoke
the security incident playbook flow automatically or manually. The playbook component
works only for processes built in Workflow Studio and not for flows built in Flow Designer.
Security Incident Response provides the following playbooks with the base system:
• Playbook for Manual Phishing
• Playbook for Automated Phishing
• Playbook for Manual Malware
• Playbook for Automated Malware
• Playbook for Failed Login Manual

Step 1 – Set Up Playbook
1. Select All > Process Automation Designer > Workflow Studio.

(Figure 95)

2. Select New and select Playbook

(Figure 96)

3. Enter a name for the playbook, the description, and the application for which the
playbook is being created, and select Build Playbook.

(Figure 97)

4. Select Properties, then select Define your own conditions for when your process
runs and Table.

(Figure 98)

(Figure 99)

5. Select Set your trigger conditions. Define when your playbook must run by selecting
a table and filling in the conditions, then select Done. For example, the trigger condition
is when a security incident of category Phishing is created.

(Figure 100)

Step 2 – Add stages

1. Select Diagram View to start designing your activity sequence. Select the + icon to add a
new stage.

(Figure 101)

2. The stage properties pane opens on the right side of the UI.

(Figure 102)

3. In the stage properties pane, enter the following details: Name, Description, Start
Rule condition, and indicate when to start. The Start Rule condition “Starts after”
fields indicate when the stage will run. Once the details are populated, select Save and
close.

(Figure 103)

4. To add another stage, select the + icon.

(Figure 104)

5. In this example, stages are created for Analysis, Contain, Eradicate, and Review
respectively. After adding the stages, you need to add process activities for each stage.

(Figure 105)

Step 3 – Add Activities

1. Select the + icon within a particular stage (for example, the Analysis stage).

(Figure 106)

2. The Add activity pop-up opens. In the Add activity pop-up, select the required activity
definition. Select Create new activity. After an activity definition is added, select Save and
Close. The activity can be further configured in the same way as stages. Similarly, you can
create other process activities under each stage.

(Figure 107)

(Figure 108)

Step 4 – Test Playbook
Verify that your playbook works as expected by running the playbook with test trigger data. Identify
and resolve all errors before activating your playbook.
3. Select Test.

(Figure 109)

4. Select a playbook trigger record to use for testing and select Run Test.

(Figure 110)

(Figure 111)

Step 5 – Activate Playbook


After verification, publish your playbook to allow Security Incidents that match the trigger criteria to
leverage the newly created playbooks.
5. Select Activate.

(Figure 112)

6. Verify the Playbook status is Published.

(Figure 113)

Security Incident runbook settings


Step 18 – Review and Set Up Runbook Documents
Runbooks are used to create an association between published Knowledge Base Articles and
a Security Incident Response Task. This allows you to implement your desired Playbook by
first creating separate KB articles for each of the required tasks in the Playbook. Using the
KB articles for your Playbook’s tasks also gives you the enhanced ability to create and
present concise, descriptive tasks for your analysts.
The flow chart in (Figure 90) illustrates the relationship between Runbooks, Knowledge Base
Articles and Security Incident Response Tasks.

(Figure 114)

1. Open the “Review and Set Up Runbook Documents” task.

(Figure 115)

2. Select “New” to create a new Runbook Document.

(Figure 116)

**NOTE: Knowledge Base Articles need to be created prior to this step with the Knowledge
Base set to “Security Incident Response Runbook” as it is in your new Runbook.

3. Choose the “Knowledge Base Article” that you want to associate. Ensure “Active” is
checked and the “Knowledge Base” is set to Security Incident Response Runbook.

(Figure 117)

4. In the condition builder select the “Table” the Runbook should run its conditions against.
Set the “Conditions” a new record on the table must meet in order to initiate this
Runbook and associate the Knowledge Base Article. Once you’re finished select
“Submit” to save.

(Figure 118)

5. Review your new Runbook Document and then select “Mark as Complete” when
finished.

(Figure 119)

Step 19 – Set Up Security Incident Workflows


Security Operations includes a variety of predefined workflows that can be assigned and
used to respond to multiple types of Security Incidents and threats. Workflow Triggers allow
you to set criteria that trigger a specific workflow when a new record is created, or an
existing record is changed.

1. Open the “Set Up Security Incident Workflows” task.

(Figure 120)

2. Select the “Workflows” tab to review workflows that have been provided out of the box.
You can also create new workflows or edit existing ones through the workflow editor by
selecting “New” or selecting a current workflow.

(Figure 121)

3. Select the “Workflow Triggers” tab to review triggers that have been provided out of
the box and then select “New” to create a new workflow trigger.

(Figure 122)

4. Enter a “Name” and “Description” for the workflow trigger.

(Figure 123)

5. Select the “Table” to run the conditions against and define the “Conditions” to be met.
When finished select “Submit” to save the trigger.

(Figure 124)

6. Review your new Workflow Trigger and then select “Mark as Complete” when finished.

(Figure 125)

Reference Information
Additional Documentation

Document Name
Document Link

Understanding Security Incident Response
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/concept/what-is-sir.html

Domain separation and Security Incident Response
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/concept/domain-separation-security-incident-response.html

Get entitlement for a Security Operations product or application
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/task/entitle-secops-product.html

Activate a ServiceNow Store application
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/task/activate-entitled-store-app.html

Configure Security Incident Response using Setup Assistant
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/concept/setup-sir.html

Manually configure Security Incident Response
https://docs.servicenow.com/bundle/newyork-security-management/page/product/security-incident-response/task/t_ConfigureSIM.html

Security Incident Response properties
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/reference/installed-with-sir.html

Security Incident Response process definition
https://docs.servicenow.com/bundle/yokohama-security-management/page/product/security-incident-response/reference/setup-assistant-reference.html

Create a security incident group
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/reference/setup-assistant-reference.html#title_t_CreateSecurityIncidentAdminGroup

Security incident calculators
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/reference/setup-assistant-reference.html

Create a security incident calculator group
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/reference/setup-assistant-reference.html#title_t_CreateSecIncCalcGroup

Create a security incident calculator
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/reference/setup-assistant-reference.html#title_t_CreateSecIncCalculator

Security incident risk score calculations
https://docs.servicenow.com/bundle/newyork-security-management/page/product/security-incident-response/concept/si-risk-score-calculations.html

Maintain risk score weights
https://docs.servicenow.com/bundle/newyork-security-management/page/product/security-incident-response/task/maintain-risk-score-weights.html

Create a Security Incident Response SLA
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/reference/setup-assistant-reference.html#t_CreateSecurityIncidentSLA

Create a Security Incident Response runbook
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/reference/setup-assistant-reference.html#create-runbook

Create rules to validate user-reported phishing attacks
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/reference/setup-assistant-reference.html#create-email-matching-rules

Security incident creation
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/concept/si-creation.html

Assigning security analysts
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/reference/r_AgentAssignment.html

Create a security incident knowledge article
https://docs.servicenow.com/bundle/yokohama-security-management/page/product/security-incident-response/task/t_CrtScrIncdtKnwArt.html

Manage post incident activities
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/concept/c_PostIncidentReview.html

Perform a questionnaire-based post incident review
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/task/t_PerformPostIncidentReview.html

Create rules to validate user-reported phishing attacks
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/reference/setup-assistant-reference.html#create-email-matching-rules

Security incidents created from user-reported phishing emails
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/security-incident-response/concept/urp-about.html
