Generate a post-incident analysis for a security incident with Now Assist for Security Incident Response

  • Release version: Xanadu
  • Updated January 22, 2025
  • 2 minutes to read

    • Automatically generate a post-incident analysis for a security incident that includes a root cause analysis, impact assessment, and learning and recommendations information.

    Before you begin

    You must have the post-incident analysis skill activated if you want a post-incident analysis generated automatically by Now Assist for Security Incident Response.

    If the Close notes are already populated manually prior to closing the security incident, this content is not over-written by Now Assist for Security Incident Response when analysts set the State field to Closed.

    Roles required: sn_si.analyst, sn_si.manager or sn_si.basic

    Procedure

    1. Navigate to All > Security Incident > Security Incident Response Workspace and open a security incident that is assigned to you.
    2. On the Details tab, select Closed in the State field to close the security incident.
      The Close the security incident modal opens.
    3. Optional: Select Review active tasks to review any active remediation tasks that are associated with this incident.
      A new tab opens with record(s) for your review. Use this option to verify that you are ready to close the security incident, because this action cancels any associated workflows and activities and closes the incident on any associated remediation tasks.
    4. To generate the post-incident analysis select Next.
      The post-incident analysis is displayed in the modal with three sections. Note the Now Assist icon (AI Sparkle icon) indicates the content is generated by Now Assist for Security Incident Response.
      • Root Cause Analysis
      • Impact Assessment
      • Learnings and Recommendations
      Note:
      You can use the Now Assist icon on any of the post-incident analysis options and elaborate or shorten the Root Cause Analysis/Impact Assessment/Learnings and Recommendations and replace the text. Elaborate will help you add more information to the existing text. Shorten will make the selected text more concise.

      The following screen shot depicts how Now Assist icons are used to elaborate or shorten and replace the desired post-incident analysis text.

      Post incident analysis using NACM.

    5. Review the report to check for accuracy and make any edits required.
    6. Optional: Select Take assessment and Configure/preview report to perform the post-incident review.
      Any edits you make to the post-incident review are preserved for one hour if you leave this page to take the assessment or perform another action. After one hour, you must set the State to Closed again on the incident to regenerate the post-incident analysis and close notes.
    7. Select Next to generate the resolution notes.
      The resolution notes are displayed in the Close Notes field.
    8. Select one from the list for the Close Code.
    9. Select Close Incident.
      The post-incident analysis is saved in the Post incident analysis field on the Details tab and on the Overview tab on security incidents in Security Incident Response Workspace.