Using Now Assist for Security Incident Response generative AI skills
Summary of Using Now Assist for Security Incident Response generative AI skills
Now Assist for Security Incident Response leverages generative AI skills to help security analysts efficiently manage and close security incidents directly within their workflow. These AI capabilities enable quick summarization, generation of closure notes, recommended actions, post-incident analysis, correlation insights, and quality assessment reports. The integration of these skills supports faster incident investigation and improved remediation performance.
Key Features
- Domain Separation and Data Privacy: Skills operate within the user’s domain in domain-separated environments, ensuring data isolation and no co-mingling. Data remains on the instance, and generative AI services do not retain prompts or responses.
- Role-Based Access Control: AI agents use role masking to restrict access based on assigned roles included with Now Assist applications. Security controls and data access settings must be configured accordingly to enable these roles.
- Generative AI Capabilities:
  - Summarize incident details including underlying issues, observables, and prior actions.
  - Generate closure notes automatically.
  - Recommend next steps and generate post-incident analysis data.
  - Produce correlation insights to accelerate investigations.
  - Create quality assessment reports for incidents.
  - Generate performance metrics for remediation teams via an AI agent and related workflows.
- Access Points for AI Skills: Security managers and analysts can invoke summaries, closure notes, recommended actions, and post-incident analysis from Security Incident records and the Security Incident Response Workspace. Summaries and closure notes are also available from the Now Assist panel; however, recommended actions and post-incident analysis are not accessible from the panel.
- Remediation Task Creation: Only within the Security Incident Response Workspace can generated recommended actions be used to create remediation tasks.
- Customization: Input fields for Now Assist skills can be tailored to fit specific organizational requirements, enhancing relevance and usability.
Key Outcomes
- Security analysts can quickly understand and act on incident details through concise AI-generated summaries.
- Automated closure notes and recommended actions reduce manual documentation effort and improve incident resolution speed.
- Post-incident analysis and correlation insights provide deeper understanding and continuous improvement opportunities.
- Role-based access and domain separation ensure data security and compliance within multi-domain environments.
- Integration within existing Security Incident Response interfaces streamlines workflow and adoption.
Security analysts can close security incidents quickly from within their flow of work with the generative AI skills supported by Now Assist for Security Incident Response.
Skills in global domain reuse
By default, all skills exist in the global domain. When you use Now Assist in a domain-separated environment, users are only able to access data in their domain. For example, if a user uses the summarization skill, Now Assist only uses material that exists in the user's domain when generating that summary. Additionally, there is no co-mingling of data for domain-separated instances when using generative AI skills. The data resides only on the instance, and the shared services used for generative AI do not persist any requests (prompts) and responses. For more information, see Domain separation in the Now Assist Admin console. (Note that global domain is not the same as global scope. For more information, see Exploring Next Experience pickers.)
AI agents use role masking to determine which users can access them and what data they have access to. AI agents installed with Now Assist applications have specific roles that are included with the application. If you select Users with specific roles for user access, you must configure the security controls to include these roles. Data access settings must also include these roles. For instructions on changing the security controls, see Define security controls for an AI agent.
With the generative AI skills in Now Assist for Security Incident Response, your security analysts have the option to:
- Summarize security incident details and review the context quickly in a concise, easy-to-read format.
- Generate closure (resolution) notes.
- Generate recommended actions for a security incident.
- Generate post-incident analysis data.
- Generate performance metrics for your remediation teams.
  This skill is activated for use with an AI agent. See Analyze security operations metrics agentic workflow for more information.
- Generate correlation insights to speed up incident investigation.
- Generate a quality assessment report of a security incident.
Security managers and analysts can request security incident summaries and closure notes from the following locations:
- Security incident records
- Security Incident Response Workspace
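- The Now Assist panel.
  Note: The security incident recommended actions and post-incident analysis skills are not available from the Now Assist panel.
Security managers and analysts can request recommended actions and post-incident analysis from the following locations:
- Security incident records
- Security Incident Response Workspace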
Security managers and analysts can create remediation tasks from generated recommended actions only from security incidents in the Security Incident Response Workspace.
- Summarize a security incident with Now Assist for Security Incident Response
  Generate a summary for a security incident that includes the underlying issue, incident details, related lists data (observables), and key actions already taken.
- Generate recommended actions for a security incident with Now Assist for Security Incident Response
- Generate a post-incident analysis for a security incident with Now Assist for Security Incident Response
- Generate correlation insights in the Now Assist panel with Now Assist for Security Incident Response
- Generate a quality assessment report for a security incident
- Generate closure notes for a security incident with Now Assist for Security Incident Response
  Automatically generate the closure notes for a security incident.
- Request generative AI skills in the Now Assist panel for Now Assist for Security Incident Response
  Generate summaries and closure notes from the Now Assist panel.
  Note: The security incident recommended actions and post-incident analysis skills are not available from the Now Assist panel.
- Customize a Now Assist for Security Incident Response skill
  Customize the input fields of a skill to suit the requirements of your environment.