Generate correlation insights with Now Assist for Security Incident Response

  • Release version: Xanadu
  • Updated January 22, 2025
  • 2 minutes to read

    • Generate correlation insights from the Now Assist panel to help you connect past events to the security incident you are working on. You can use the related information you generate to avoid duplicating your investigation into affected users, configuration items, and observables and help you resolve the incident you are working on more quickly.

    Before you begin

    The correlation insights generation skill must be activated before you can see the Generate correlation insights option in the Now Assist panel.

    If you do not see the Now Assist panel, you must activate it. For more information, see Turn on the Now Assist panel.

    For more information about correlation insights searches, see Exploring correlation insights with Now Assist for Security Incident Response.

    Roles required: sn_si.analyst, sn_si.manager or sn_si.basic

    Procedure

    1. Navigate to All > Security Incident > Security Incident Response Workspace and open a security incident that is assigned to you.
    2. Alternatively, in the legacy UI (UI16), locate a security incident on the Security Incidents [sn_si_incident] table and open it.
    3. Select the Now Assist icon (AI Sparkle icon) in the top header to open the Now Assist panel.
    4. Select Generate correlation insights.
      Correlation insights are generated if one or more of the following values can be matched. The following filters to base your insights on are displayed in the Now Assist panel. Only the filters that have matches to other security incidents are displayed.
      Note:
      If you do not have a security incident record open, you are prompted to enter the number for a security incident record after you select Generate correlation insights.
      • Configuration item (CI): Records that have the same CI to help you identify potential vulnerabilities in specific systems. An example might be a user’s laptop.
      • Affected user: Past incidents that have the same user to help you see patterns such as frequent phishing attempts or multiple unauthorized access attempts. An example is a specific user’s name.
      • Observables: Records that are linked by shared observables that suggest potential ongoing attacks or repeated use of malicious infrastructure. Examples might include IP addresses, URLs, or file hashes. Note you must enter an exact value for an observable, for example, a complete file hash.

      If no matching data exists for any of these filters, none are displayed. You are prompted to add one of these values to the security incident you are working from, save it, and reset your conversation in the panel and try again.

    5. To reset your conversation, select the Now Assist reset menu icon () in the panel and select Reset Conversation.
    6. Select a filter.

      Matching results are displayed in the Now Assist panel.

      In the following example, Configuration item was requested. The search returned a high-level summary and links to records that have a matching configuration item.

      Results are grouped by record type: security incident record (SIR), incident (INC), change request (CHG), problem (PRB), and vulnerable item (VIT).
      • The Affected users filter returns: SIR, INC, and CHG records.
      • The Configuration filter item returns: SIR, INC, CHG, PRB, and VIT records.
      • The Observables filter return SIR records.
      Now Assist panel with returned records for a configuration item for correlation insights
    7. Optional: To modify the 30-day limit for the query, follow these steps:
      1. As a user with the Security Incident Manager role [sn_si.manager], navigate to sys_properties.LIST.
      2. Locate the Correlation lookback period [sn_sec_gen_ai.correlation_lookback_period] system property and open the record.
      3. Enter a number in the Value field up to 360.
      4. Save the record.
      5. Return to the security incident record and refresh the page.