Exploring correlation insights with Now Assist for Security Incident Response

  • Release version: Australia
  • Updated March 12, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Exploring correlation insights with Now Assist for Security Incident Response

    Now Assist for Security Incident Response (version Australia, updated March 12, 2026) enables you to generate correlation insights that help prevent duplication of investigation efforts across affected users, configuration items (CIs), and observables. This functionality accelerates the resolution of security incidents by identifying related elements and historical correlations within a 30-day timeframe.

    Show full answer Show less

    Key Features

    • Correlation Insight Generation: You can generate insights from any security incident in any state within the Security Incident Response Workspace or the legacy UI (UI16).
    • Select Specific Items for Correlation: Starting with version 3.0.0, you can choose which specific CI or affected user from related lists to base the correlation on, rather than only the primary affected user or CI.
    • Multiple Item Analysis: Generate insights simultaneously for multiple associated observables, configuration items, and affected users, with results shown in a resizable, movable dialog.
    • Now Assist Panel Integration: Correlation insights can be generated and reviewed within the Now Assist panel in the Security Incident Response Workspace or legacy UI, retaining search criteria and results until the conversation is reset.
    • Access Controls: Viewing correlation results depends on your access to relevant tables such as Configuration item [cmdbci], Incident, Change request, Problem, Vulnerable item, and Associate observable tables. For example, access to Vulnerable Items requires the Vulnerability Response application and the appropriate read role.
    • Skill Activation Required: The correlation insights generation skill and the Now Assist panel must be activated to access these features.

    Practical Usage for ServiceNow Customers

    This feature helps your security teams efficiently identify and correlate related incidents, affected users, and configuration items, reducing redundant investigation efforts and speeding up incident resolution. It integrates seamlessly with your existing Security Incident Response Workspace and supports legacy UI environments, providing flexibility in how your team accesses and utilizes correlation insights.

    Ensure that the required skills and panels are activated and that users have appropriate access roles to maximize the value of correlation insights. Use the Investigation tab or the Now Assist panel to generate and review insights, and take advantage of the ability to select multiple criteria and extend your investigation scope within a 30-day lookback period.

    You can generate correlation insights to help you avoid duplicating your investigation into affected users, configuration items, and observables and help you resolve the security incident that you are working on more quickly. You select the criteria from a security incident that you want to base the correlation insights on.

    Generating correlation insights from the Security Incident Response Workspace

    Starting with v3.0.0 of Now Assist for Security Incident Response, generate and view correlation insights and view the results in the Security Incident Response Workspace.

    • Previously, if you selected a configuration item (CI) or affected user to base your insights on, the lookup returned the primary affected user or primary CI associated with a security incident. Starting with v3.0.0 the agent asks you which CI or Affected user you would you like to correlate the security incident with from the related lists.
    • You can generate correlation insights from the Investigation tab for a security incident in any state in the Security Incident Response Workspace.
    • You can generate insights for multiple items simultaneously for Associated Observables, Configuration items, and Affected Users.
    • Results are displayed in a modeless dialog that you can resize and move.
    • Your time range for the lookup of correlation is 30 days.
      Note:
      After you generate an observable associated with a security incident, the insights are stored for that observable until you regenerate it with a different time range. Your insights for your new time range are displayed.

    The correlation insights generation skill must be activated before you can see the Generate correlation insights option in the Security Incident Response Workspace. For more information, see Configure a skill for Now Assist for Security Incident Response.

    Generating correlation insights from the Now Assist panel in the Security Incident Response Workspace and in UI (UI16)

    The correlation insights generation skill must be activated before you can see the Generate correlation insights option in the Now Assist panel.

    If you do not see the Now Assist panel, you must activate it. For more information, see Activate the Now Assist panel standard chat.

    • You can generate correlation insights from a security incident record in any state in the Security Incident Response Workspace or in the legacy UI (UI16).
    • By default, correlation insights search for matching records from the last 30 days.
    • You can locate and review values for the Configuration item, Affected user, and Observables for correlation insights filters on the Details tab in the Security Incident Response Workspace, or on the Configuration Items, Affected Users, and Observables related lists in the legacy UI (UI16).
    • Your search criteria and results remain displayed in the Now Assist panel until you reset the conversation. To reset your conversation, select the Now Assist more options icon (More options menu icon.) in the panel and select Reset Conversation.
    • You must have access to the following tables to view these records in the generated correlation insights:
      • Configuration item [cmdb_ci] table.
      • Incident [incident] table.
      • Change request [change_request] table.
      • Problem [problem] table.
      • Vulnerable item [sn_vul_vulnerable_item] table.
      • Associate observable [sn_ti_observable] table.
    • Your results for correlation insights are based on the tables that you have access to. For example, if you want to view vulnerable items (VIT)s in your correlation insights results, you must have the Vulnerability Response application installed and the read access role (sn_vul.read_all).

    For the steps to generate correlation insights, see Generate correlation insights from the Security Incident Response Workspace with Now Assist for Security Incident Response and Generate correlation insights in the Now Assist panel with Now Assist for Security Incident Response.