Resolve a security incident
Chat with an AI agent in the Now Assist panel to resolve an incident.
Before you begin
Role required: sn_si.analyst
Why and when to perform this task
Procedure
- Navigate to All > Security Incident > Security Incident Response Workspace.
- Open the security incident that you want to resolve using the AI agent.
- Select the Now Assist icon.
  The Resolve security incident agentic workflow is on-demand. You can enter a query in natural language to resolve a security incident by using this agentic workflow.
- On the Now Assist panel, ask the agent to resolve the security incident by entering Resolve this incident, Resolve this security incident, or Resolve the security incident: SIR0012345.
  The Now Assist panel lists all the actions that you can perform on the security incident.
- Select Resolve security incident.
  The AI agent analyzes the security incident and provides a summary of the incident and its current state. Additionally, using the incident details, knowledge articles, and similar closed security incidents, the AI agent provides a resolution plan.
- Enter a positive response such as looks good or Ok if you agree with the resolution plan.
  For a positive response, the AI agent works through each step in the resolution plan and assists the analyst (the user with the sn_si.analyst role) in resolving it. For each step, the AI agent provides feedback and requests intervention from the analyst where needed. For example, if the AI agent identifies that the incident was generated for a phishing email, the following agentic workflow occurs:
Table 1. Agentic workflow for resolving a phishing email incident (each task to resolve the security incident, followed by its description)

- Update the state of the security incident: The AI agent updates the state of the security incident. For example, if the state of the security incident is Draft, the AI agent updates it to Analysis.
- Run threat lookup and observable enrichment on observables: The AI agent initiates a threat lookup and observable enrichment process. When the analyst confirms with a positive input, the AI agent provides the Observable Analysis and Enrichment summary.
- For malicious observables, send an email to management: The analyst can ask the AI agent to send an email to management. The AI agent provides a draft email and asks for the recipients of the email. Note: The analyst can verify the sent email on the Other Records tab.
- Check with the affected user whether they interacted with the phishing email: The analyst manually checks with the affected user whether they interacted with the phishing email.
- If the user interacted with the phishing email, reset their password credentials: If the affected user interacted with the phishing email, the analyst can ask the AI agent to create an incident to reset the user's password. The AI agent provides a summary for the incident and creates the incident when the analyst approves the summary.
- Block the sender/email/URL on the email gateway: The AI agent asks the analyst about blocking the sender/email/URL on the email gateway. The analyst can ask the AI agent to create a response task for blocking the sender/email/URL on the email gateway. The AI agent provides the information for the response task and creates the response task after the analyst approves it. Note: The analyst can complete the response task and mark it as Complete on the Response Tasks tab. The analyst then confirms to the AI agent that the response task is complete.
- Search for and delete the phishing email from all user inboxes: The AI agent informs the analyst to delete the phishing email from all user inboxes. The analyst deletes the phishing email and confirms to the AI agent.
- Enroll the affected user in mandatory phishing training: If the affected user interacted with the phishing email, the AI agent informs the analyst to enroll the affected user in the mandatory phishing training.
- Perform the audit of the security incident: The AI agent performs the audit of the security incident and provides a summary.
- Close the security incident: The AI agent closes the incident. For more information, see Close a security incident.