Inputs and triggers for Now Assist for Security Incident Response

  • Release version: Zurich
  • Updated July 31, 2025

    You can configure some of the inputs or triggers for a generative AI skill. Inputs or triggers permit you to determine how and when a skill is used.

    Inputs and triggers

    Inputs identify the data used for a skill. Inputs include the table and fields used to generate a security incident summary. A trigger initiates an action. For example, triggers determine when the system generates a summary.

    You can modify inputs and triggers, but you can't modify a skill's data source. The data source contains the tables and fields that the skill relies on.

    Security incident summarization skill

    Inputs for the security incident summarization skill identify the table and fields used when a security incident summary is generated. The following table lists the inputs for the Security Incident summarization skill from the Choose Input page in the Now Assist Admin console.

    Input: Description
    Data source: Security Incident [sn_si_incident] table.
    Input fields:
    • Short description
    • Description
    • State
    • Priority
    • Work notes
    • Additional comments
    Related input tables:
    • Affected CIs - configuration item
    • Affected Users - Users
    • Security Incident Response Task - Short description
    • State - Any state other than Cancelled.
    • Associated Observables - Observable finding is Malicious or Suspicious.

    Resolution notes generation skill

    Inputs for the Resolution notes generation skill identify the table and fields that are used when the resolution notes are generated for a security incident. The following table lists the inputs for the resolution notes generation skill from the Choose Input page in the Now Assist Admin console.

    Input: Description
    Data source: Security Incident [sn_si_incident] table.
    Input fields:
    • Short description
    • Description
    • Work notes
    • Additional comments

    Security incident recommended actions generation skill

    Input: Description
    Data source: Security Incident [sn_si_incident] table.

    Post incident analysis generation skill

    Input: Description
    Data source: Security Incident [sn_si_incident] table.

    Correlation insights generation skill

    Your correlation insights for a security incident can contain records from the following tables, but you must have permission to access these tables and records.

    Input: Description
    Data source:
    • Security Incident [sn_si_incident] table.
    • Configuration item [cmdb_ci] table.
    • Incident [incident] table.
    • Change request [change_request] table.
    • Problem [problem] table.
    • Vulnerable item [sn_vul_vulnerable_item] table.
    • Associated observable [sn_ti_observable] table.

    Security Incident Quality Assessment

    Your Quality Assessment report for a security incident can contain records from the following tables, but you must have permission to access these tables and records.

    Input: Description
    Data source:
    • Security Incident [sn_si_incident] table.
    • Configuration item [cmdb_ci] table.
    • Task CI [task_ci] table.
    • Associated Observable [sn_ti_observable] table.
    • Affected Users [sn_si_m2m_task_affected_user] table.
    • Security Incident Task [sn_si_task] table.
    • Task SLA [task_sla] table.
    • Email [sys_email] table.
    • Playbook Activities [sys_pd_activity_context] table.
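
The permission requirement stated for the correlation insights and Quality Assessment data sources can be checked per table before relying on either skill. The script below is an added example, not ServiceNow's own code: it uses the GlideRecord isValid() and canRead() calls for the current session user, and the makeRecord parameter is a hypothetical hook that lets the function run against a stub outside an instance.

```javascript
// Added example, not ServiceNow code. Table names are copied from the two
// data source lists on this page.
var CORRELATION_TABLES = ['sn_si_incident', 'cmdb_ci', 'incident', 'change_request',
                          'problem', 'sn_vul_vulnerable_item', 'sn_ti_observable'];
var QUALITY_TABLES = ['sn_si_incident', 'cmdb_ci', 'task_ci', 'sn_ti_observable',
                      'sn_si_m2m_task_affected_user', 'sn_si_task', 'task_sla',
                      'sys_email', 'sys_pd_activity_context'];

// Classify each table for the current session user.
// makeRecord (hypothetical parameter) returns an object exposing isValid()
// and canRead(); on an instance it wraps GlideRecord.
function checkSkillTables(tables, makeRecord) {
    var report = { readable: [], denied: [], missing: [] };
    for (var i = 0; i < tables.length; i++) {
        var gr = makeRecord(tables[i]);
        if (!gr.isValid()) {
            // Table does not exist here, e.g. the owning application is not installed.
            report.missing.push(tables[i]);
        } else if (gr.canRead()) {
            // Table-level read passes; record-level ACLs can still hide rows.
            report.readable.push(tables[i]);
        } else {
            report.denied.push(tables[i]);
        }
    }
    return report;
}

// Runs only where GlideRecord exists (for example a background script).
if (typeof GlideRecord !== 'undefined') {
    var skills = {
        'Correlation insights': CORRELATION_TABLES,
        'Quality Assessment': QUALITY_TABLES
    };
    for (var name in skills) {
        var r = checkSkillTables(skills[name], function (t) { return new GlideRecord(t); });
        gs.info(name + ': denied=[' + r.denied.join(', ') +
                '] missing=[' + r.missing.join(', ') + ']');
    }
}
```

Run it while impersonating the analyst role under review, since canRead() evaluates access for the session user rather than for the administrator who configured the skill.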