Madhumitha Redd
ServiceNow Employee

Our first SOC agent is live! Closing a security incident is now just a command away!

 

Have you ever felt that closing a security incident is tedious and time-consuming, because you have to ensure that the post-incident analysis is complete, the closure notes are accurately written, and the appropriate close code is identified and added? If so, our agent ‘Security incident wrap up generator’ will change that. Closing a security incident is now just a command away. We have released our first Agentic AI experience with our first use case, Close security incident, which is powered by the agent Security incident wrap-up generator.

 

You can watch the agent in action in this demo!

 

 

Read on to learn more about our agent.

 

Here is a sneak peek of the AI Agent studio, the admin experience powering our agent.

 


 

Traditionally, you would visit the Details tab and set the State field to Closed, which triggers a modal experience that walks you through the steps involved in closing a security incident. Any open response tasks and mandatory post-incident response assessments need to be addressed before proceeding with the closure. Any open playbook and flow actions are automatically cancelled.

 


 

With the latest innovation, you can converse with our agent via the Now Assist Panel. Go to the Now Assist Panel and type Close this incident when you have the incident open. Alternatively, you can type Close SIRxxxxx when you are working on something else. This initiates our use case and, in turn, the agent. The agent presents the quick details of the security incident so that you can confirm you are closing the right one, followed by the count of open response tasks. At this stage, you can still address these response tasks manually if required.

 


 


 

When you proceed with the closure flow on the Now Assist Panel, the open response tasks are automatically cancelled along with the playbook and flow actions, and the mandatory post-incident response assessments are ignored. The agent then presents the post-incident analysis with a detailed Root Cause, Impact Assessment, and Learnings & Recommendations. You can refine the content by interacting with the agent if required.

 

When you confirm that the content looks good, the agent proceeds to generate the closure notes. Once you confirm those, it suggests the Close Code. After all the confirmations, the agent closes the security incident with the details generated.

 


 

We see great benefits with the latest approach. It is very easy to close a security incident conversationally, with no more multiple clicks. An incident can be closed while you are working on something else important. The ability to generate and refine the documentation required to close the security incident is invaluable. Last but not least, closing a false positive has never been this easy. Just type Close this security incident as false positive and the agent closes it straight away, saving a lot of precious time.

 

If you want to try out this cool feature, please install the latest Now Assist for SIR app and get started. Here is the link to the product documentation. If you have more queries, please feel free to reach out to any one of us: madhumitha.reddy@servicenow.com, antonio.challita@servicenow.com, xinning.ju@servicenow.com