Exploring correlation insights with Now Assist for Security Incident Response
Now Assist for Security Incident Response allows you to generate correlation insights to streamline your investigations into security incidents. This feature helps avoid redundant analysis of affected users, configuration items, and observables, enabling faster incident resolution.
Key Features
- Generate correlation insights from the Investigation tab in the Security Incident Response Workspace for any security incident state.
- Correlate multiple items simultaneously, including Associated Observables, Configuration Items, and Affected Users.
- Insights are displayed in a resizable modeless dialog and can be based on a 30-day lookup period.
- Correlation insights must be activated to access the Generate correlation insights option.
- Insights can also be generated from the Now Assist panel in both the Security Incident Response Workspace and the legacy UI (UI16).
Key Outcomes
By using correlation insights, you can efficiently analyze related records and improve your response to security incidents. Make sure that you have access to the relevant tables (for example, the Configuration item, Incident, Change request, and Vulnerable item tables) so that the insights are comprehensive. The feature supports faster, better-informed decision-making in security incident management.
You can generate correlation insights to avoid duplicating your investigation into affected users, configuration items, and observables, and to resolve the security incident that you are working on more quickly. You select the criteria from a security incident on which you want to base the correlation insights.
Generating correlation insights from the Security Incident Response Workspace
Starting with version 3.2.1 of Now Assist for Security Incident Response, you can generate and view correlation insights in the Security Incident Response Workspace.
- Generate correlation insights from the Investigation tab for a security incident in any state in the Security Incident Response Workspace.
- The agent asks you which CI or affected user from the related lists you would like to correlate the security incident with. Previously, if you selected a configuration item (CI) or affected user to base your insights on, the lookup returned the primary affected user or primary CI associated with the security incident.
- You can generate insights for multiple items simultaneously for Associated Observables, Configuration items, and Affected Users.
- Results are displayed in a modeless dialog that you can resize and move.
- The time range for the correlation lookup is 30 days.
Note: After you generate insights for an observable associated with a security incident, the insights are stored for that observable until you regenerate them with a different time range. The insights for the new time range are then displayed.
The correlation insights generation skill must be activated before you can see the Generate correlation insights option in the Security Incident Response Workspace. For more information, see Configure and activate a skill for Now Assist for Security Incident Response.
Generating correlation insights from the Now Assist panel in the Security Incident Response Workspace and in the legacy UI (UI16)
- You can generate correlation insights from a security incident record in any state in the Security Incident Response Workspace or in the legacy UI (UI16).
- By default, correlation insights search for matching records from the last 30 days.
- You can locate and review the Configuration item, Affected user, and Observables values used as correlation insights filters on the Details tab in the Security Incident Response Workspace, or on the Configuration Items, Affected Users, and Observables related lists in the legacy UI (UI16).
- Your search criteria and results remain displayed in the Now Assist panel until you reset the conversation. To reset the conversation, select the Now Assist reset menu icon in the panel and then select Reset Conversation.
- You must have access to the following tables to view these records in the generated correlation insights:
  - Configuration item [cmdb_ci] table.
  - Incident [incident] table.
  - Change request [change_request] table.
  - Problem [problem] table.
  - Vulnerable item [sn_vul_vulnerable_item] table.
  - Associated observable [sn_ti_observable] table.
- Your correlation insights results are limited to the tables that you have access to. For example, to see vulnerable items (VITs) in your correlation insights results, you must have the Vulnerability Response application installed and hold the read access role (sn_vul.read_all).
For the steps to generate correlation insights, see Generate correlation insights with Now Assist for Security Incident Response.