Architecture and Data Flow
This topic summarizes how data moves through the AI SOC solution: ingestion, normalization, enrichment, Hero AI, routing, and case handling. Diagrams are conceptual; playbook names, component counts, and automatic escalation or closure depend on your installed package and configuration. For procedures and UI steps, use AI SOC Solution, Getting Started, and AI SOC Ingestion End-to-End Workflow.

Diagram: High-level path from alert sources through triage to closure. Primary triage and investigation use Case Management (tracking prefix CASE). AI SOC overview.

Ingestion Channels and Case Entry

AI SOC uses two internal event channels to separate alert-shaped and email-shaped traffic before both converge on Case Management.

- ingest alert: alert-shaped payloads from webhook and bulk alert cron flows
- ingest email: email-shaped payloads from phishing cron and test email flows

Template and production flows emit onto these channels (for example, Ingest Webhook Alert, Ingest Bulk Alerts, AI SOC – Phishing Ingestion (Cron) – Template, and AI SOC – Test Email Ingestion (Webhook)). The entry flows Ingest Alert to Case Record (Event) and Ingest Email to Case Record (Event) normalize payloads and create or update case records.

Alert Ingestion Pipeline

Diagram: Typical path for SIEM and similar alerts: ingest, map to a TEDS alert, enrich, correlate, then Case Management.

The Ingest Webhook Alert and Ingest Bulk Alerts flows both publish to the ingest alert channel. Alert Schema Store (AWSS) caches example payloads and TEDS field mappings so repeat vendor formats map consistently. The downstream flow Ingest Alert to Case Record (Event) reads from ingest alert and materializes or updates work in Case Management.

Phishing Ingestion Pipeline

Diagram: Reported phishing email path through parsing, TEDS email object, enrichment, and Case Management.

For phishing-style traffic, a scheduled template playbook wraps a flow that searches unread TEDS mailbox items, retrieves email objects, and emits each one onto ingest email using Emit TEDS Email actions. A separate test webhook playbook forwards lab messages to the same channel. The Ingest Email to Case Record (Event) flow consumes ingest email events and creates or updates phishing case records.

Threat Intelligence Enrichment

Diagram: Multi-provider enrichment, merged scores, Turbine Risk Score, and verdict fed back to the case under investigation.
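The ingestion path described above, modelled as an added Python example (not Swimlane's code): payloads land on the two channels, alert payloads are mapped to a TEDS-style alert through a cached per-vendor field mapping standing in for AWSS, and both channels converge on create-or-update case records. Channel names follow this page; the field names, the dedup key and the CASE id format are assumptions.

```python
"""Illustrative model of the AI SOC ingestion path (added example, not Swimlane
code): two internal channels, a cached vendor->TEDS field mapping, and
create-or-update case records. Field names, dedup keys and the CASE id
format are assumed; the channel names are the ones the page uses."""

CHANNELS = {"ingest alert": [], "ingest email": []}   # internal event channels
CASES = {}          # case id -> record, standing in for Case Management
SCHEMA_STORE = {}   # vendor -> {vendor field: TEDS field}, standing in for AWSS

def emit(channel, payload):
    """Stand-in for a flow emitting a payload onto an internal channel."""
    CHANNELS[channel].append(payload)

def register_mapping(vendor, mapping):
    """Stand-in for AWSS caching a vendor's TEDS field mapping."""
    SCHEMA_STORE[vendor] = dict(mapping)

def to_teds_alert(payload):
    """Map a vendor payload to a TEDS-style alert via the cached mapping.
    An unknown vendor is rejected, not guessed, so repeat formats map consistently."""
    mapping = SCHEMA_STORE.get(payload["vendor"])
    if mapping is None:
        raise KeyError(f"no cached mapping for vendor {payload['vendor']!r}")
    alert = {teds: payload[src] for src, teds in mapping.items() if src in payload}
    alert["vendor"] = payload["vendor"]
    return alert

def upsert_case(kind, key, record):
    """Create a case the first time a dedup key is seen, otherwise update it
    (mirrors 'creates or updates case records'). Returns the stored record."""
    case_id = f"CASE-{kind}-{key}"         # assumed id format; prefix from the page
    if case_id not in CASES:
        CASES[case_id] = {"id": case_id, "kind": kind, "events": 0}
    CASES[case_id]["events"] += 1
    CASES[case_id].update(record)
    return CASES[case_id]

def drain(channel):
    """Stand-in for the '... to Case Record (Event)' entry flow of one channel."""
    out = []
    while CHANNELS[channel]:
        payload = CHANNELS[channel].pop(0)
        if channel == "ingest alert":
            alert = to_teds_alert(payload)
            out.append(upsert_case("ALERT", alert["external_id"], alert))
        else:   # email-shaped payload from the phishing or test email flows
            record = {"subject": payload["subject"], "reporter": payload["reporter"]}
            out.append(upsert_case("PHISH", payload["message_id"], record))
    return out
```

Feeding the same vendor alert twice updates one case rather than opening two, while a payload from a vendor with no cached mapping is refused instead of being mapped inconsistently.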