Solutions and Applications
AI SOC Solution
The AI SOC Solution is an end-to-end investigation package for security operations, powered by Hero AI for triage and investigation. It combines ingestion, enrichment, and case-handling workflows so that alerts and reported phishing emails become consistent, triage-ready signals with guided investigation steps. Analysts get a single place to triage, investigate, and resolve or hand off work in Case Management, with less manual context gathering and more consistent outcomes.

What's included

- Prebuilt applications, playbooks, dashboards, and reports centered on Case Management (primary triage and investigation with Hero AI), Threat Intelligence, Routing Rule, KB Article, and related automation.
- AI Ingestion, a separate application and workspace for bringing data in. It stores records of ingestion configurations (for example vendor, API spec, and the components generated), and its custom widget guides you through building connector and ingestion components.
- A standardized way of running investigations, with automation through rules and playbooks.

How Hero AI fits in

Hero AI is built into the solution and drives triage and investigation in two main ways:

- Plan generation: Hero AI uses alert and case context (observables, threat intelligence, knowledge base) to generate triage and investigation plans tailored to each record. Analysts run plan steps from the Case Management UI to validate and respond.
- Plans to playbooks: AI-generated plans can be turned into repeatable playbooks, so successful investigations become reusable automation for future signals.

Hero AI also provides verdict classification (malicious, suspicious, benign, unknown) and recommendations to support analyst decisions.

End-to-end flow

Alerts and phishing reports are ingested and normalized into Case Management records (tracking prefix CASE); observables are enriched with threat intelligence; Hero AI can generate plans and verdicts; analysts triage and investigate in Case Management. Escalation and sustained response still use the case workflow within the same application when your process requires it. The same workflows support both one-off investigations and automation at scale.

What is AI SOC?

AI SOC is a security operations center solution that accelerates threat detection, investigation, and response through AI-powered automation. It transforms traditional SOC workflows by:

- Automating triage and analysis with Hero AI-powered investigation plans
- Standardizing investigations with consistent workflows and knowledge base integration
- Reducing mean time to respond (MTTR) through automated enrichment and correlation
- Improving analyst efficiency by eliminating manual context gathering
- Enabling continuous learning through verdict tracking and knowledge base articles

Key capabilities

Alert and phishing ingestion
- Multi-source ingestion: receive alerts from SIEM, XDR, EDR, and other security tools via webhook, API, or scheduled bulk ingestion.
- Phishing email processing: automatically process reported phishing emails, extract observables, and render safe email previews.
- Observable extraction: automatically identify and extract IPs, domains, URLs, hashes, and other indicators from alerts and emails.
- Normalization: convert vendor-specific alert formats into standardized signal records.

Threat intelligence enrichment
- Multi-provider support: enrich observables with multiple threat intelligence providers simultaneously.
- Primary provider configuration: set trusted primary providers per observable type (IP, domain, hash, etc.).
- Automatic enrichment: observables are enriched automatically when signals are created.
- Ad hoc enrichment: manually enrich observables from the Threat Intelligence application.
- Enrichment aggregation: combine results from multiple providers for comprehensive threat context.

AI-powered analysis
- Investigation plan generation: Hero AI analyzes signals and generates step-by-step investigation plans tailored to each alert.
- Plans to playbooks: turn AI-generated plans into repeatable playbooks for consistent automation.
- Knowledge base integration: Hero AI uses knowledge base articles to inform plans and recommendations.
- Verdict classification: automated threat classification (malicious, suspicious, benign, unknown) with confidence scores.
- MITRE ATT&CK mapping: automatic mapping of threats to MITRE ATT&CK techniques and tactics.
- Remediation guidance: generate remediation plans for confirmed malicious threats.
- Continuous learning: AI improves over time based on analyst verdicts and investigation outcomes.

Signal routing and automation
- Intelligent routing rules: automatically route signals to the appropriate playbooks based on conditions (source, severity, observables, alert name, etc.).
- Playbook automation: prebuilt and custom playbooks automate investigation steps, enrichment, and response actions.
- Rule-based workflows: create rules that trigger specific actions when signals match defined patterns.
- Marketplace integration: install and use components from the Swimlane Marketplace to extend functionality.

Case and incident management
- Centralized case management: manage signals and cases in a unified application.
- Lifecycle tracking: full audit trail from signal creation through case resolution.
- Evidence management: attach and track evidence, investigation notes, and remediation actions.
- Escalation workflows: use Case Management status and routing (for example Escalated or Pending Resolution) when sustained investigation or formal handling is needed.
- Metrics and reporting: track SOC performance with dashboards and reports.

Knowledge base integration
- Investigation procedures: create and maintain knowledge base articles for common attack patterns and procedures.
- Automatic linking: knowledge base articles are linked to signals automatically based on observable patterns.
- Context provision: articles give analysts immediate context during triage.
- False positive documentation: document known false positives to improve AI accuracy.

Correlation and context
- Signal correlation: automatically correlate related signals to identify broader incidents.
- Historical context: link signals to previous investigations and cases.
- Pattern recognition: identify recurring attack patterns across signals.
- Contextual enrichment: combine threat intelligence, knowledge base articles, and historical data for comprehensive context.

Key components

- Case Management (CASE) is the primary analyst application. Alerts and phishing emails from the ingestion playbooks create records here (tracking prefix CASE). The Case Analysis tab holds triage fields, evidence, Hero AI (the AI Analysis widget), and lifecycle controls. Application description in the package: "Where cases are triaged with support from Hero AI."
- Phishing triage (ingestion playbooks) processes reported phishing emails, extracts observables, and creates Case Management records for investigation.
- Threat Intelligence Artifact (TIA) appears in the UI as Threat Intelligence. It enriches observables using one or more intelligence providers and updates the TI records linked to case records.
- Routing Rule (RULE) defines the routing logic that maps case records to playbooks. In prose, the documentation may call these signal routing rules for clarity.
- KB Article (KB) appears as Knowledge Base Articles in many environments; it stores investigation guidance and procedures.
- Hero AI analysis in Case Management provides AI-generated summaries, verdict classification, and investigation guidance (shown as AI Alert Analysis on the record when viewing the AI Analysis widget output).
- AI Ingestion (AI) is the application for building and tracking alert ingestion. Each record represents an ingestion configuration (vendor product, API specification, components generated). Use the custom widget in the application to create connector components and run the ingestion process (including Hero AI-assisted Turbine schema mapping). Use the Audit tab to review ingestion configurations and activity. For the full workflow, see AI SOC Ingestion.

How AI SOC works

AI SOC follows a consistent workflow from ingestion through resolution:

1. Ingestion: alerts and phishing emails are ingested via webhook, cron, or email connectors (the alert and phishing ingestion playbooks).
2. Record creation: ingestion creates Case Management records with the extracted observables.
3. Enrichment: observables are enriched via threat intelligence providers.
4. Analysis: Hero AI generates investigation plans and verdicts when enabled.
5. Investigation: analysts review records in Case Management, execute plan steps, and document findings.
6. Escalation: use your case workflow (within Case Management) when sustained investigation or formal case handling is required.
7. Resolution: records are mitigated and closed with a full audit history.

For analysts, the day-to-day entry point is Case Management. The AI Alert Analysis panel (from the AI Analysis widget on the record layout) is where most Hero AI work happens: verdicts, plans, and automation. Records created by the ingestion playbooks appear there, along with context, evidence, and AI recommendations.

What you can do with AI SOC

Use the AI SOC Solution to complete the full investigation lifecycle:

- Ingest alerts and phishing emails; they appear as records in Case Management.
- Review and enrich records with threat intelligence and knowledge base context.
- Generate investigation plans and run the steps to validate scope and impact.
- Make a verdict decision and document findings.
- Move the record through your Case Management workflow (for example Escalated status or Pending Resolution) when sustained investigation or coordinated response is needed.
- Create routing rules and playbooks to automate future signals.

Next steps

Use the following guides depending on where you are.

If you want to... go to:
- Install and configure the solution (assets, Hero AI, ingestion playbooks): docid b7njxu5xnzyrjcngqg5j
- Build ingestion connectors and Turbine schema mapping (AI Ingestion widget): docid 0p9qwz3o 0j5dnkpjugmq
- Run your first investigation (step-by-step walkthrough): docid p7qjquayekczhpxeppwcp
- Learn the applications (Case Management, TI, KB, Routing Rules, AI Ingestion): docid uosuzrpsl6hfe9d6br5az
- Do daily tasks (claim, verdict, escalate, run plan steps, create rules): docid dsdgtaqeg95dseaf2iat
- Monitor operations (dashboards and reports): docid devhsmat40h1mlpucmenr
- Improve how you use AI SOC: docid ww gfwujljt7opjduu8vg
- See example investigations (phishing, malware, insider threat): docid mg9xuakoaxk0hy1tlf5dm
- Connect your tools (SIEM, EDR, threat intelligence): docid vm1j5 5rzqx4lc0hqoaiv
- Fix issues (Hero AI, plan generation, RBAC, playbooks, TI): docid cknuxqv85k9lu0ocqv218

Suggested path: after installation, complete docid b7njxu5xnzyrjcngqg5j, then follow docid p7qjquayekczhpxeppwcp for your first signal investigation. Use docid uosuzrpsl6hfe9d6br5az to learn the record layout and docid dsdgtaqeg95dseaf2iat for day-to-day workflows. If you need to build or configure alert ingestion for new sources (connectors, Turbine schema mapping), see docid 0p9qwz3o 0j5dnkpjugmq after installation, or use the list above to jump to any guide.
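The "Observable extraction" and "Normalization" capabilities above describe what the ingestion playbooks do to a raw alert or reported email before a Case Management record exists. The following Python is an added, stand-alone illustration of that step; it is not Swimlane code and does not use the AI Ingestion widget or Turbine. The sample phishing body, the two vendor payload shapes (vendor_a, vendor_b), the field maps, and the severity scale are all assumptions made for the example. It refangs defanged indicators (hxxp, [.]), extracts URLs, emails, IPs, hashes and domains in an order that avoids double-counting, tags RFC 1918 addresses so a later rule can treat them differently, and maps each vendor shape onto one standardized signal record.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Any
from urllib.parse import urlparse

# Constructed sample inputs (not real alerts): a reported phishing body with defanged
# indicators, wrapped in two differently shaped vendor payloads.
PHISH_BODY = (
    "Please review your invoice at hxxps://billing-update[.]example[.]net/login?id=7\n"
    "Attachment sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n"
    "Relay 203[.]0[.]113[.]45, internal hop 10.0.0.5. Contact billing@example.net\n"
)
VENDOR_A_ALERT = {"title": "Reported phishing", "priority": "P1", "description": PHISH_BODY}
VENDOR_B_ALERT = {"name": "Reported phishing", "severity": 7, "details": PHISH_BODY}

# Refang substitutions for the defanging styles reporters and gateways commonly apply.
_REFANG = [("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[://]", "://"), ("[@]", "@")]
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Extraction order matters: every match is blanked from the working text, so a URL's
# host is not re-matched as a bare domain and a SHA-256 is not re-matched as an MD5.
_PATTERNS = [
    ("url", re.compile(r"https?://[^\s\"'<>]+", re.I)),
    ("email", re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("sha256", re.compile(r"\b[a-f0-9]{64}\b", re.I)),
    ("sha1", re.compile(r"\b[a-f0-9]{40}\b", re.I)),
    ("md5", re.compile(r"\b[a-f0-9]{32}\b", re.I)),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]


def refang(text: str) -> str:
    for old, new in _REFANG:
        text = text.replace(old, new)
    return text


def extract_observables(text: str) -> list[dict[str, Any]]:
    """Return deduplicated observables as {type, value, tags} dicts."""
    work = refang(text)
    found: dict[tuple[str, str], dict[str, Any]] = {}

    def add(kind: str, value: str, tags: list[str] | None = None) -> None:
        found.setdefault((kind, value.lower()), {"type": kind, "value": value, "tags": tags or []})

    for kind, pattern in _PATTERNS:
        for match in pattern.findall(work):
            if kind == "ipv4":
                try:
                    ip = ipaddress.ip_address(match)
                except ValueError:  # 999.1.1.1 fits the regex but is not an address
                    continue
                add(kind, match, ["rfc1918"] if any(ip in net for net in _RFC1918) else [])
            elif kind == "url":
                add(kind, match)
                host = urlparse(match).hostname
                if host and not host.replace(".", "").isdigit():  # the URL's host is an IOC too
                    add("domain", host)
            elif kind in ("sha256", "sha1", "md5", "domain"):
                add(kind, match.lower())
            else:
                add(kind, match)
        work = pattern.sub(" ", work)
    return list(found.values())


# Per-source field maps (assumed, illustrative): standard field -> vendor field, plus a
# severity mapping onto the common scale used here.
_SOURCE_MAPS: dict[str, dict[str, Any]] = {
    "vendor_a": {"name": "title", "severity": "priority", "text": "description",
                 "severity_map": {"P1": "critical", "P2": "high", "P3": "medium", "P4": "low"}},
    "vendor_b": {"name": "name", "severity": "severity", "text": "details",
                 "severity_map": lambda n: ("critical" if n >= 9 else "high" if n >= 7
                                            else "medium" if n >= 4 else "low")},
}


def normalize_alert(source: str, raw: dict[str, Any]) -> dict[str, Any]:
    """Convert a vendor-specific alert into the standardized signal record shape used here."""
    fmap = _SOURCE_MAPS[source]
    sev_map, raw_sev = fmap["severity_map"], raw.get(fmap["severity"])
    if callable(sev_map):
        severity = sev_map(raw_sev) if isinstance(raw_sev, (int, float)) else "unknown"
    else:
        severity = sev_map.get(raw_sev, "unknown")
    return {
        "source": source,
        "alert_name": raw.get(fmap["name"], "unnamed alert"),
        "severity": severity,
        "observables": extract_observables(str(raw.get(fmap["text"], ""))),
        "raw": raw,  # keep the untouched payload for audit and later re-parsing
    }


if __name__ == "__main__":
    for observable in normalize_alert("vendor_a", VENDOR_A_ALERT)["observables"]:
        print(observable)
```

Keeping the untouched payload on the record matters for audit: when a regex or field map is later corrected, the record can be re-normalized from `raw` instead of re-requesting the alert from the source tool.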
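The "Signal routing and automation" capabilities and the Routing Rule component describe routing by source, severity, observables and alert name. This Python rule engine is an added illustration of that idea, not the solution's Routing Rule application or its schema. The signal records, rule fields, playbook names and the priority/terminal semantics are assumptions of the example. It shows the two decisions a practitioner actually has to make: rule precedence (a known-false-positive suppression runs before enrichment so it never spends provider quota) and whether a match should stop further routing or let lower-priority rules add playbooks.

```python
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass, field

# Constructed signal records in the normalized shape assumed here (not Swimlane's schema).
SIGNALS = [
    {"id": "CASE-1", "source": "email_gateway", "alert_name": "Reported phishing", "severity": "medium",
     "observables": [{"type": "url", "value": "https://billing-update.example.net/login?id=7"}]},
    {"id": "CASE-2", "source": "edr", "alert_name": "Ransomware behavior detected", "severity": "critical",
     "observables": [{"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}]},
    {"id": "CASE-3", "source": "siem", "alert_name": "Impossible Travel", "severity": "low",
     "observables": [{"type": "ipv4", "value": "198.51.100.7"}]},
    {"id": "CASE-4", "source": "siem", "alert_name": "Impossible Travel", "severity": "low",
     "observables": [{"type": "ipv4", "value": "192.168.1.20"}]},
]

SEVERITY_RANK = {"unknown": 0, "informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
RFC1918_RE = r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)"


@dataclass
class RoutingRule:
    name: str
    playbook: str
    priority: int = 100                 # lower value is evaluated first; ties keep definition order
    sources: set[str] = field(default_factory=set)          # empty means any source
    min_severity: str = "informational"
    alert_name_glob: str = "*"                               # fnmatch-style, case-insensitive
    observable_types: set[str] = field(default_factory=set)  # at least one observable of these types
    observable_regex: str | None = None                      # at least one observable value must match
    terminal: bool = True               # stop evaluating lower-priority rules once this one matches

    def matches(self, signal: dict) -> bool:
        if self.sources and signal["source"] not in self.sources:
            return False
        if SEVERITY_RANK.get(signal["severity"], 0) < SEVERITY_RANK[self.min_severity]:
            return False
        if not fnmatch.fnmatchcase(signal["alert_name"].lower(), self.alert_name_glob.lower()):
            return False
        obs = signal.get("observables", [])
        if self.observable_types and not any(o["type"] in self.observable_types for o in obs):
            return False
        if self.observable_regex and not any(re.search(self.observable_regex, o["value"]) for o in obs):
            return False
        return True


def route(signal: dict, rules: list[RoutingRule], default_playbook: str = "pb-manual-triage") -> list[str]:
    """Return the ordered playbooks to run; the default is appended only if no terminal rule claimed the signal."""
    chosen: list[str] = []
    for rule in sorted(rules, key=lambda r: r.priority):  # sorted() is stable, so ties keep list order
        if rule.matches(signal):
            chosen.append(rule.playbook)
            if rule.terminal:
                return chosen
    return chosen + [default_playbook]


# Assumed rule set (illustrative names): known-FP suppression first so it never hits enrichment
# quotas, then a non-terminal enrichment rule, then source-specific handling.
RULES = [
    RoutingRule("close-internal-travel-fp", "pb-auto-close-known-fp", priority=0, sources={"siem"},
                alert_name_glob="impossible travel", observable_regex=RFC1918_RE),
    RoutingRule("enrich-everything", "pb-ti-enrich", priority=5, terminal=False),
    RoutingRule("contain-critical-edr", "pb-edr-contain-host", priority=20, sources={"edr"},
                min_severity="critical"),
    RoutingRule("detonate-phishing-url", "pb-phishing-url-detonate", priority=30,
                observable_types={"url"}),
]


if __name__ == "__main__":
    for sig in SIGNALS:
        print(sig["id"], "->", route(sig, RULES))
```

Anchoring the observable regex (`^`) is deliberate: an unanchored `10\.` would also suppress alerts on public addresses such as 198.51.100.7 that merely contain the substring, turning a false-positive rule into a blind spot.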
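The "Threat intelligence enrichment" capabilities describe a trusted primary provider per observable type plus aggregation of results from several providers. The Python below is an added illustration of one defensible aggregation policy, not the Threat Intelligence Artifact application or any real provider integration; the provider names, the primary-provider map, the quorum rule and the sample responses are all constructed for the example, and no network calls are made. The points it makes that the capability list does not: a failed lookup must be recorded as unavailable rather than read as "benign", a minority "malicious" vote should surface as "suspicious" rather than be out-voted into "benign", and disagreement with the primary provider should be kept on the record for the analyst.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

VERDICT_RANK = {"unknown": 0, "benign": 1, "suspicious": 2, "malicious": 3}

# Assumed configuration: the trusted primary provider per observable type.
# Provider names are placeholders, not real product integrations.
PRIMARY_PROVIDER = {"ipv4": "ip_reputation_svc", "domain": "passive_dns_svc", "sha256": "sandbox_svc"}


@dataclass
class ProviderResult:
    provider: str
    verdict: str              # malicious | suspicious | benign | unknown
    confidence: float         # 0.0 to 1.0 as reported by the provider
    error: str | None = None  # set when the lookup itself failed (timeout, quota, auth)


# Constructed provider responses for three observables (no lookups are performed).
SAMPLE_RESULTS: dict[tuple[str, str], list[ProviderResult]] = {
    ("ipv4", "198.51.100.7"): [
        ProviderResult("ip_reputation_svc", "malicious", 0.92),
        ProviderResult("community_feed", "benign", 0.40),
        ProviderResult("geo_svc", "unknown", 0.0),
    ],
    ("domain", "billing-update.example.net"): [
        ProviderResult("passive_dns_svc", "unknown", 0.0, error="timeout"),  # primary failed
        ProviderResult("community_feed", "malicious", 0.70),
        ProviderResult("url_scanner", "benign", 0.55),
    ],
    ("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"): [
        ProviderResult("sandbox_svc", "benign", 0.85),
        ProviderResult("community_feed", "malicious", 0.60),
    ],
}


def aggregate(obs_type: str, value: str, results: list[ProviderResult],
              primary: dict[str, str] = PRIMARY_PROVIDER, quorum: float = 0.5) -> dict[str, Any]:
    """Fold per-provider results into one enrichment record with an auditable basis."""
    usable = [r for r in results if r.error is None and r.verdict in VERDICT_RANK]
    failed = sorted(r.provider for r in results if r.error is not None)
    primary_name = primary.get(obs_type)
    primary_hit = next((r for r in usable if r.provider == primary_name), None)
    voters = [r for r in usable if r.verdict != "unknown"]

    if primary_hit is not None and primary_hit.verdict != "unknown":
        verdict, basis = primary_hit.verdict, f"primary:{primary_name}"  # trusted source decides
    elif voters:
        malicious_share = sum(r.verdict == "malicious" for r in voters) / len(voters)
        if malicious_share >= quorum:
            verdict = "malicious"
        elif any(VERDICT_RANK[r.verdict] >= VERDICT_RANK["suspicious"] for r in voters):
            verdict = "suspicious"  # a minority says bad: surface it rather than auto-clear
        else:
            verdict = "benign"
        basis = f"quorum:{len(voters)}"
    else:
        verdict, basis = "unknown", "no-data"

    return {
        "type": obs_type, "value": value, "verdict": verdict, "basis": basis,
        "confidence": max((r.confidence for r in voters if r.verdict == verdict), default=0.0),
        # providers that rated the observable worse than the final verdict: analyst review needed
        "conflicts": sorted(r.provider for r in voters if VERDICT_RANK[r.verdict] > VERDICT_RANK[verdict]),
        "primary_available": primary_hit is not None,
        "failed_providers": failed,
        "providers": {r.provider: (r.verdict if r.error is None else f"error:{r.error}") for r in results},
    }


def enrich_all(samples: dict[tuple[str, str], list[ProviderResult]] = SAMPLE_RESULTS) -> list[dict[str, Any]]:
    return [aggregate(t, v, rs) for (t, v), rs in samples.items()]


if __name__ == "__main__":
    for rec in enrich_all():
        print(rec["type"], rec["value"], rec["verdict"], rec["basis"], rec["conflicts"], rec["failed_providers"])
```

The `basis` and `primary_available` fields are what make the verdict defensible later: a "malicious" reached by quorum while the primary provider timed out is a weaker finding than one the primary provider stated, and a case reviewer should be able to tell the two apart without re-running the lookups.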