Exploring correlation insights with Now Assist for Security Incident Response
Summary of Exploring correlation insights with Now Assist for Security Incident Response
Now Assist for Security Incident Response (version Yokohama, v3.0.0 and later) enables you to generate correlation insights to streamline security incident investigations. These insights help prevent duplicated efforts by identifying related affected users, configuration items (CIs), and observables, allowing you to resolve incidents more efficiently.
Key Features
- Correlation Insights Generation: You can generate correlation insights from the Security Incident Response Workspace or the Now Assist panel (including legacy UI16), selecting multiple items (Associated Observables, CIs, Affected Users) simultaneously.
- Flexible Selection: Unlike earlier versions that defaulted to primary affected users or CIs, version 3.0.0 prompts you to choose specific CIs or affected users from related lists for correlation analysis.
- Time Range: Correlation searches default to a 30-day lookback period, with insights stored per observable until regenerated with a different range.
- Display: Results appear in a movable, resizable modeless dialog within the workspace or panel, maintaining visibility until the conversation is reset.
- Skill Activation Required: The correlation insights generation skill must be activated to access these features, along with the Now Assist panel activation if it is not visible.
- Access Control: Correlation insights rely on your access to key tables such as Configuration Item [cmdb_ci], Incident, Change Request, Problem, Vulnerable Item, and Associated Observable tables. For example, viewing vulnerable items requires the Vulnerability Response application and appropriate read roles.
Practical Use for ServiceNow Customers
By leveraging correlation insights, you can reduce investigation redundancy, quickly identify related entities across incidents, and accelerate incident resolution workflows. Ensure the necessary skills and panels are activated, verify your access permissions to relevant tables, and use the flexible selection options to tailor your correlation criteria effectively. This capability integrates seamlessly into your existing Security Incident Response Workspace and legacy UI, enhancing your incident management efficiency.
You can generate correlation insights to help you avoid duplicating your investigation into affected users, configuration items, and observables and help you resolve the security incident that you are working on more quickly. You select the criteria from a security incident that you want to base the correlation insights on.
Generating correlation insights from the Security Incident Response Workspace
Starting with v3.0.0 of Now Assist for Security Incident Response, you can generate correlation insights and view the results in the Security Incident Response Workspace.
- Previously, if you selected a configuration item (CI) or affected user to base your insights on, the lookup returned the primary affected user or primary CI associated with a security incident. Starting with v3.0.0, the agent asks you which CI or affected user from the related lists you would like to correlate the security incident with.
- You can generate correlation insights from the Investigation tab for a security incident in any state in the Security Incident Response Workspace.
- You can generate insights for multiple items simultaneously for Associated Observables, Configuration items, and Affected Users.
- Results are displayed in a modeless dialog that you can resize and move.
- The time range for the correlation lookup is 30 days.
  Note: After you generate insights for an observable associated with a security incident, the insights are stored for that observable until you regenerate them with a different time range. The insights for the new time range are then displayed.
The correlation insights generation skill must be activated before you can see the Generate correlation insights option in the Security Incident Response Workspace. For more information, see Configure a skill for Now Assist for Security Incident Response.
Generating correlation insights from the Now Assist panel in the Security Incident Response Workspace and in the legacy UI (UI16)
The correlation insights generation skill must be activated before you can see the Generate correlation insights option in the Now Assist panel.
If you do not see the Now Assist panel, you must activate it. For more information, see Activate Now Assist panel standard chat.
- You can generate correlation insights from a security incident record in any state in the Security Incident Response Workspace or in the legacy UI (UI16).
- By default, correlation insights search for matching records from the last 30 days.
- You can locate and review values for the Configuration item, Affected user, and Observables for correlation insights filters on the Details tab in the Security Incident Response Workspace, or on the Configuration Items, Affected Users, and Observables related lists in the legacy UI (UI16).
- Your search criteria and results remain displayed in the Now Assist panel until you reset the conversation. To reset your conversation, select the Now Assist more options icon in the panel and select Reset Conversation.
- You must have access to the following tables to view these records in the generated correlation insights:
  - Configuration item [cmdb_ci] table.
  - Incident [incident] table.
  - Change request [change_request] table.
  - Problem [problem] table.
  - Vulnerable item [sn_vul_vulnerable_item] table.
  - Associated observable [sn_ti_observable] table.
- Your results for correlation insights are based on the tables that you have access to. For example, if you want to view vulnerable items (VITs) in your correlation insights results, you must have the Vulnerability Response application installed and the read access role (sn_vul.read_all).
For the steps to generate correlation insights, see Generate correlation insights from the Security Incident Response Workspace with Now Assist for Security Incident Response and Generate correlation insights in the Now Assist panel with Now Assist for Security Incident Response.