Inputs and triggers for Now Assist for Security Incident Response
Summary of Inputs and Triggers for Now Assist for Security Incident Response
This guide details how to configure inputs and triggers for the generative AI skill in Now Assist for Security Incident Response. Inputs are data points used for skills, while triggers initiate actions, such as generating summaries for security incidents. Although inputs and triggers can be modified, the data source used by the skill remains fixed.
Key Features
- Security Incident Summarization Skill: Utilizes the Security Incident table, focusing on key fields like Short description, Description, State, Priority, Work notes, and Additional comments.
- Resolution Notes Generation Skill: Generates resolution notes using similar input fields from the Security Incident table.
- Security Incident Recommended Actions Skill: Also references the Security Incident table for generating recommended actions.
- Post Incident Analysis Skill: Uses the Security Incident table for post-incident evaluations.
- Correlation Insights Generation Skill: Pulls data from multiple tables, including Security Incident, Configuration Item, Incident, Change Request, Problem, Vulnerable Item, and Associated Observable, contingent on access permissions.
- Security Incident Quality Assessment: Requires access permissions to records from the Security Incident, Configuration Item, Task CI, Associated Observable, Affected Users, Security Incident Task, Task SLA, and Email tables.
Key Outcomes
By configuring the inputs and triggers effectively, ServiceNow customers can enhance their incident response capabilities. This enables streamlined incident summarization, resolution documentation, and quality assessments, ultimately improving operational efficiency and response accuracy in security incidents.
You can configure some of the inputs or triggers for a generative AI skill. Inputs or triggers permit you to determine how and when a skill is used.
Inputs and triggers
Inputs identify the data used for a skill. Inputs include the table and fields used to generate a security incident summary. A trigger initiates an action. For example, triggers determine when the system generates a summary.
You can modify inputs and triggers, but you can't modify a skill's data source. The data source contains the tables and fields that the skill relies on.
Security incident summarization skill
Inputs for the security incident summarization skill identify the table and fields used when a security incident summary is generated. The following table lists the inputs for the Security Incident summarization skill from the Choose Input page in the Now Assist Admin console.
| Input | Description |
|---|---|
| Data source | Security Incident [sn_si_incident] table. |
| Input fields |
|
| Related Input tables |
|
Resolution notes generation skill
Inputs for the Resolution notes generation skill identify the table and fields that are used when the resolution notes are generated for a security incident. The following table lists the inputs for the resolution notes generation skill from the Choose Input page in the Now Assist Admin console.
| Input | Description |
|---|---|
| Data source | Security Incident [sn_si_incident] table. |
| Input fields |
|
Security incident recommended actions generation skill
| Input | Description |
|---|---|
| Data source | Security Incident [sn_si_incident] table. |
Post incident analysis generation skill
| Input | Description |
|---|---|
| Data source | Security Incident [sn_si_incident] table. |
Correlation insights generation skill
Your correlation insights for a security incident can contain records from the following tables, but you must have permission to access these tables and records.
| Input | Description |
|---|---|
| Data source | Security Incident [sn_si_incident] table. Configuration item [cmdb_ci] table. Incident [incident] table. Change request [change_request] table. Problem [problem] table. Vulnerable item [sn_vul_vulnerable_item] table. Associated observable [sn_ti_observable] table. |
Security Incident Quality Assessment
Your Quality Assessment report for a security incident can contain records from the following tables, but you must have permission to access these tables and records.
| Input | Description |
|---|---|
| Data source | Security Incident [sn_si_incident] table. Configuration item [cmdb_ci] table. Task CI [task_ci] table. Associated Observable [sn_ti_observable] table. Affected Users [sn_si_m2m_task_affected_user] table. Security Incident Task [sn_si_task] table. Task SLA [task_sla] table. Email [sys_email] table. Playbook Activities [sys_pd_activity_context] table. |