AI SOC Solution
The AI SOC solution is an end-to-end investigation package for security operations, powered by Hero AI for triage and investigation. It combines ingestion, enrichment, and case-handling workflows so that alerts and reported phishing investigations become consistent, triage-ready signals with guided investigation steps. Analysts get a single place to triage, investigate, and escalate, with less manual context gathering and more consistent outcomes.

What's included

Prebuilt applications, playbooks, dashboards, and reports centered on Signal Triage, Threat Intelligence, signal routing rules (new in this solution), Case Management, and Knowledge Base articles. AI Ingestion is a separate application for bringing data in: it stores records of ingestion configurations (for example, vendor, API spec, components generated), and its custom widget guides you through building connector and ingestion components. The solution standardizes how investigations run and supports automation through rules and playbooks.

How Hero AI fits in

Hero AI is built into the solution and drives triage and investigation in two main ways:

- Plan generation: Hero AI uses signal context (alert data, observables, threat intelligence, knowledge base) to generate triage and investigation plans tailored to each alert. Analysts run plan steps from the Signal Triage UI to validate and respond.
- Plans to playbooks: AI-generated plans can be turned into repeatable playbooks, so successful investigations become reusable automation for future signals.

Hero AI also provides verdict classification (malicious, suspicious, benign, unknown) and recommendations to support analyst decisions.

End-to-end flow

Alerts and phishing reports are ingested and normalized into signals; observables are enriched with threat intelligence; Hero AI can generate plans and verdicts; analysts triage and investigate in Signal Triage, then escalate to cases when needed. Not every signal becomes a case: escalation is conditional (by rule or analyst decision). The same workflows support both one-off investigation and automation at scale.

What is AI SOC?

AI SOC is a comprehensive security operations center solution that accelerates threat detection, investigation, and response through AI-powered automation. It transforms traditional SOC workflows by:

- Automating triage and analysis with Hero AI-powered investigation plans
- Standardizing investigations with consistent workflows and knowledge base integration
- Reducing mean time to respond (MTTR) through automated enrichment and correlation
- Improving analyst efficiency by eliminating manual context gathering
- Enabling continuous learning through verdict tracking and knowledge base articles

Key capabilities

Alert and phishing ingestion
- Multi-source ingestion: receive alerts from SIEM, XDR, EDR, and other security tools via webhook, API, or scheduled bulk ingestion.
- Phishing email processing: automatically process reported phishing emails, extract observables, and render safe email previews.
- Observable extraction: automatically identify and extract IPs, domains, URLs, hashes, and other indicators from alerts and emails.
- Normalization: convert vendor-specific alert formats into standardized signal records.

Threat intelligence enrichment
- Multi-provider support: enrich observables with multiple threat intelligence providers simultaneously.
- Primary provider configuration: set trusted primary providers per observable type (IP, domain, hash, etc.).
- Automatic enrichment: observables are automatically enriched when signals are created.
- Ad hoc enrichment: manually enrich observables from the Threat Intelligence application.
- Enrichment aggregation: combine results from multiple providers for comprehensive threat context.

AI-powered analysis
- Investigation plan generation: Hero AI analyzes signals and generates step-by-step investigation plans tailored to each alert.
- Plans to playbooks: turn AI-generated plans into repeatable playbooks for consistent automation.
- Knowledge base integration: Hero AI uses knowledge base articles to inform plans and recommendations.
- Verdict classification: automated threat classification (malicious, suspicious, benign, unknown) with confidence scores.
- MITRE ATT&CK mapping: automatic mapping of threats to MITRE ATT&CK techniques and tactics.
- Remediation guidance: generate remediation plans for confirmed malicious threats.
- Continuous learning: AI improves over time based on analyst verdicts and investigation outcomes.

Signal routing and automation
- Intelligent routing rules: automatically route signals to appropriate playbooks based on conditions (source, severity, observables, alert name, etc.).
- Playbook automation: pre-built and custom playbooks automate investigation steps, enrichment, and response actions.
- Rule-based workflows: create rules that trigger specific actions when signals match defined patterns.
- Marketplace integration: install and use components from the Swimlane Marketplace to extend functionality.

Case and incident management
- Centralized case management: manage signals and cases in a unified application.
- Lifecycle tracking: full audit trail from signal creation through case resolution.
- Evidence management: attach and track evidence, investigation notes, and remediation actions.
- Escalation workflows: escalate signals to cases when sustained investigation is needed.
- Metrics and reporting: track SOC performance with dashboards and reports.

Knowledge base integration
- Investigation procedures: create and maintain knowledge base articles for common attack patterns and procedures.
- Automatic linking: knowledge base articles are automatically linked to signals based on observable patterns.
- Context provision: articles provide immediate context to analysts during triage.
- False positive documentation: document known false positives to improve AI accuracy.

Correlation and context
- Signal correlation: automatically correlate related signals to identify broader incidents.
- Historical context: link signals to previous investigations and cases.
- Pattern recognition: identify recurring attack patterns across signals.
- Contextual enrichment: combine threat intelligence, knowledge base articles, and historical data for comprehensive context.

Key components

- Signal Triage (SIG) ingests alerts from SIEM, XDR, EDR, or other sources, extracts observables, and creates signals in the Signal Triage application.
- Phishing Triage processes reported phishing emails, extracts observables, and creates signals for investigation.
- Threat Intelligence (TI) enriches observables using one or more intelligence providers and updates TI records linked to signals; it is the analog of the Threat Intel application in the prior SOC solution.
- Case Management (CASE) is the central application for managing signals and cases across the full lifecycle. In this solution it replaces "Case and Incident Management" so the bundle can be installed alongside an existing SOC; every alert or phishing email creates a Signal Triage record first, and escalation to a case is conditional.
- Hero AI analysis in Signal Triage provides AI-generated summaries, verdict classification, and investigation guidance.
- AI Ingestion (AI) is the application for building and tracking alert ingestion. Each record represents an ingestion configuration (vendor product, API specification, components generated). Use the custom widget in the application to create connector components and run the ingestion process (including Hero AI-assisted TEDS mapping). Use the Audit tab to review ingestion configurations and activity. For the full workflow, see docid 0p9qwz3o 0j5dnkpjugmq.

How AI SOC works

AI SOC follows a consistent workflow from ingestion through resolution:

1. Ingestion: alerts and phishing emails are ingested via webhook, cron, or email connectors through Alert Triage and Phishing Triage.
2. Signal creation: signals are created in Signal Triage with extracted observables.
3. Enrichment: observables are enriched via threat intelligence providers.
4. Analysis: Hero AI generates investigation plans and verdicts when enabled.
5. Investigation: analysts review signals in Signal Triage, execute plan steps, and document findings.
6. Escalation: signals are escalated to cases when sustained investigation is needed.
7. Resolution: cases are mitigated and closed with full audit history.

For analysts, the day-to-day entry point is Signal Triage. The AI Alert Analysis panel on each signal is where most Hero AI work happens: verdicts, plans, and automation. Signals created by ingestion playbooks appear there, along with context, evidence, and AI recommendations.

What you can do with AI SOC

Use the AI SOC solution to complete the full investigation lifecycle:

- Ingest alerts and phishing emails into Signal Triage.
- Review and enrich signals with threat intelligence and knowledge base context.
- Generate investigation plans and run steps to validate scope and impact.
- Make a verdict decision and document findings.
- Escalate to a case when sustained investigation or response is needed.
- Create triage rules and playbooks to automate future signals.

Next steps

Use the following guides depending on where you are.

Suggested path after install: complete docid b7njxu5xnzyrjcngqg5j, then follow docid p7qjquayekczhpxeppwcp for your first signal investigation. Use docid uosuzrpsl6hfe9d6br5az s to learn the record layout and docid dsdgtaqeg95dseaf2iat for day-to-day workflows. If you need to build or configure alert ingestion for new sources (connectors, TEDS mapping), see docid 0p9qwz3o 0j5dnkpjugmq after installation, or use the table above to jump to any guide.
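The ingestion, normalization, routing, and conditional-escalation flow described under "How AI SOC works", as an added, constructed Python illustration (not Swimlane code and not the solution's own rule format): a vendor alert is mapped onto a common signal shape, observables are refanged and extracted, ordered routing rules pick a playbook on source, severity, observable type, and alert name, and escalation to a case is decided from verdict and severity. The vendor names, field maps, rule set, thresholds, and sample alert are all assumptions.

```python
import re
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
FIELD_MAPS = {  # constructed vendor formats: vendor field -> signal field
    "edr_x": {"threat": "alert_name", "sev": "severity", "details": "text"},
    "phishing": {"subject": "alert_name", "priority": "severity", "body": "text"},
}
PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}
def extract_observables(text):
    """Undo common defanging (hxxp, [.]) and collect indicators by type."""
    text = text.replace("hxxp", "http").replace("[.]", ".")
    found = {k: sorted(set(p.findall(text))) for k, p in PATTERNS.items()}
    return {k: v for k, v in found.items() if v}

def normalize(vendor, raw):
    """Map a vendor-specific alert onto the common signal record shape."""
    sig = {dst: raw[src] for src, dst in FIELD_MAPS[vendor].items()}
    sig.update(source=vendor, severity=str(sig["severity"]).lower(),
               observables=extract_observables(sig["text"]))
    return sig

RULES = [  # ordered, first match wins; a rule's conditions are ANDed
    {"source": "phishing", "observable": "url", "playbook": "phishing-url-analysis"},
    {"source": "edr_x", "min_severity": "high", "observable": "sha256",
     "playbook": "malware-hash-investigation"},
    {"alert_name": r"brute.?force", "playbook": "credential-attack-review"},
    {"playbook": "generic-enrichment"},  # catch-all so no signal is dropped
]

def rule_matches(rule, sig):
    return (rule.get("source", sig["source"]) == sig["source"]
            and SEVERITY[sig["severity"]] >= SEVERITY[rule.get("min_severity", "low")]
            and ("observable" not in rule or rule["observable"] in sig["observables"])
            and re.search(rule.get("alert_name", ""), sig["alert_name"], re.I) is not None)

def route(sig, rules=RULES):
    return next((r["playbook"] for r in rules if rule_matches(r, sig)), None)

def should_escalate(sig, verdict):
    """Escalation is conditional: malicious, or suspicious at high severity or above."""
    return verdict == "malicious" or (
        verdict == "suspicious" and SEVERITY[sig["severity"]] >= SEVERITY["high"])

SAMPLE_EDR = {"threat": "Suspicious file dropped", "sev": "High", "details":  # constructed
    "Wrote e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, then fetched "
    "hxxp://evil-update[.]example/payload from 203.0.113.10"}  # RFC 5737 IP, .example domain
```

Running `normalize("edr_x", SAMPLE_EDR)` through `route` selects the hash-investigation playbook, and a "suspicious" verdict on that high-severity signal is enough to escalate, while the same verdict on a medium-severity phishing signal is not.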