Exploring correlation insights with Now Assist for Security Incident Response

  • Release version: Zurich
  • Updated March 12, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Exploring correlation insights with Now Assist for Security Incident Response

    Now Assist for Security Incident Response (version Zurich, v3.0.0 and later) enables ServiceNow customers to generate correlation insights that help avoid redundant investigations of affected users, configuration items (CIs), and observables. These insights accelerate the resolution of security incidents by identifying related records and patterns within a 30-day time range.

    Show full answer Show less

    Key Features

    • Flexible correlation criteria selection: Users can select specific CIs or affected users from related lists to base correlation insights on, rather than relying solely on primary affected users or primary CIs.
    • Multi-item insight generation: Generate correlation insights simultaneously for multiple associated observables, configuration items, and affected users.
    • Accessible from multiple interfaces: Correlation insights can be generated from the Investigation tab of a security incident in the Security Incident Response Workspace or from the Now Assist panel, available both in the Workspace and legacy UI (UI16).
    • Interactive results display: Insights are shown in a modeless dialog that can be resized and moved, with results retained until the conversation is reset.
    • Configurable time range: Insights default to searching records from the last 30 days, with the option to regenerate insights using different time ranges.
    • Skill activation required: The correlation insights generation skill must be activated to enable the "Generate correlation insights" option and access the Now Assist panel.
    • Access control: Insight generation and viewing depend on the user’s access to relevant tables such as Configuration item [cmdbci], Incident [incident], Change request [changerequest], Problem [problem], Vulnerable item [snvulvulnerableitem], and Associate observable [sntiobservable]. Appropriate roles and applications (e.g., Vulnerability Response for VIT data) must be installed and assigned.

    Practical Use and Benefits

    ServiceNow customers leveraging Now Assist for Security Incident Response can efficiently correlate related records across multiple data types to minimize duplicated investigation effort, gain comprehensive incident context, and expedite incident resolution workflows. By integrating correlation insights directly into their Security Incident Response Workspace and legacy UI, analysts maintain continuity and improved situational awareness when managing security incidents.

    You can generate correlation insights to help you avoid duplicating your investigation into affected users, configuration items, and observables and help you resolve the security incident that you are working on more quickly. You select the criteria from a security incident that you want to base the correlation insights on.

    Generating correlation insights from the Security Incident Response Workspace

    Starting with v3.0.0 of Now Assist for Security Incident Response, generate and view correlation insights and view the results in the Security Incident Response Workspace.

    • Previously, if you selected a configuration item (CI) or affected user to base your insights on, the lookup returned the primary affected user or primary CI associated with a security incident. Starting with v3.0.0 the agent asks you which CI or Affected user you would you like to correlate the security incident with from the related lists.
    • You can generate correlation insights from the Investigation tab for a security incident in any state in the Security Incident Response Workspace.
    • You can generate insights for multiple items simultaneously for Associated Observables, Configuration items, and Affected Users.
    • Results are displayed in a modeless dialog that you can resize and move.
    • Your time range for the lookup of correlation is 30 days.
      Note:
      After you generate an observable associated with a security incident, the insights are stored for that observable until you regenerate it with a different time range. Your insights for your new time range are displayed.

    The correlation insights generation skill must be activated before you can see the Generate correlation insights option in the Security Incident Response Workspace. For more information, see Configure a skill for Now Assist for Security Incident Response.

    Generating correlation insights from the Now Assist panel in the Security Incident Response Workspace and in UI (UI16)

    The correlation insights generation skill must be activated before you can see the Generate correlation insights option in the Now Assist panel.

    If you do not see the Now Assist panel, you must activate it. For more information, see Activate the Now Assist panel standard chat.

    • You can generate correlation insights from a security incident record in any state in the Security Incident Response Workspace or in the legacy UI (UI16).
    • By default, correlation insights search for matching records from the last 30 days.
    • You can locate and review values for the Configuration item, Affected user, and Observables for correlation insights filters on the Details tab in the Security Incident Response Workspace, or on the Configuration Items, Affected Users, and Observables related lists in the legacy UI (UI16).
    • Your search criteria and results remain displayed in the Now Assist panel until you reset the conversation. To reset your conversation, select the Now Assist more options icon (More options menu icon.) in the panel and select Reset Conversation.
    • You must have access to the following tables to view these records in the generated correlation insights:
      • Configuration item [cmdb_ci] table.
      • Incident [incident] table.
      • Change request [change_request] table.
      • Problem [problem] table.
      • Vulnerable item [sn_vul_vulnerable_item] table.
      • Associate observable [sn_ti_observable] table.
    • Your results for correlation insights are based on the tables that you have access to. For example, if you want to view vulnerable items (VIT)s in your correlation insights results, you must have the Vulnerability Response application installed and the read access role (sn_vul.read_all).

    For the steps to generate correlation insights, see Generate correlation insights from the Security Incident Response Workspace with Now Assist for Security Incident Response and Generate correlation insights in the Now Assist panel with Now Assist for Security Incident Response.