Architecture and Data Flow
This topic summarizes how data moves through the AI SOC solution: ingestion, normalization, enrichment, Hero AI, routing, and case handling. Diagrams are conceptual; playbook names, component counts, and automatic escalation or closure depend on your installed package and configuration. For procedures and UI steps, see AI SOC Solution, Getting Started, and AI SOC Ingestion.

End-to-End Workflow

High-level path from alert sources through triage to closure. Primary triage and investigation use Case Management (tracking prefix CASE).

Ingestion Channels and Case Entry

AI SOC uses two internal event channels to separate alert-shaped and email-shaped traffic before both converge on Case Management:

ingest alert: alert-shaped payloads from webhook and bulk alert cron flows.
ingest email: email-shaped payloads from phishing cron and test email flows.

Template and production flows emit onto these channels (for example, Ingest Webhook Alert, Ingest Bulk Alerts, AI SOC – Phishing Ingestion (Cron) – Template, and AI SOC – Test Email Ingestion (Webhook)). The entry flows Ingest Alert to Case Record (Event) and Ingest Email to Case Record (Event) normalize payloads and create or update case records.

Alert Ingestion Pipeline

Typical path for SIEM and similar alerts: ingest, map to a Turbine Schema alert, enrich, correlate, then Case Management. The Ingest Webhook Alert and Ingest Bulk Alerts flows both publish to the ingest alert channel. Alert Schema Store (AWSS) caches example payloads and Turbine Schema field mappings so repeat vendor formats map consistently. The downstream flow Ingest Alert to Case Record (Event) reads from ingest alert and materializes or updates work in Case Management.

Phishing Ingestion Pipeline

Reported phishing email path: parsing, a Turbine Schema email object, enrichment, and Case Management. For phishing-style traffic, a scheduled template playbook wraps a flow that searches unread mailbox items for Turbine Schema email ingestion, retrieves email objects, and emits each one onto ingest email using Emit TEDS Email actions. A separate test webhook playbook forwards lab messages to the same channel. The Ingest Email to Case Record (Event) flow consumes ingest email events and creates or updates phishing case records.

Threat Intelligence Enrichment

Multi-provider enrichment, merged scores, Turbine Risk Score, and verdict fed back to the case under investigation.

Hero AI Analysis

Hero AI consumes case context (observables, threat intelligence, knowledge base) to produce summaries, verdicts, investigation plans, and optional remediation guidance on Case Management records.

AI Ingestion (Connectors and Schema Mapping)

The AI Ingestion application and custom widget support building vendor connectors from API specifications and mapping raw alert data to Turbine Schema for downstream playbooks. For step-by-step usage, see AI SOC Ingestion.

Signal Routing Rules

Routing rule records express conditions that map Case Management workload to playbooks for enrichment, correlation, and automated response.

Signal Status Lifecycle

Case Management records move through statuses such as Processing, New, In Progress, and Closed, with Escalated and other outcomes driven by your pending resolution flows and tenant configuration.
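As an added illustration (a hypothetical model written for this page, not Swimlane Turbine or AI SOC code), the following Python sketches the entry path described above: payloads arrive on one of the two channels, are normalized to a common record shape, create or update a Case Management record keyed on a deduplication value, and are then matched against ordered routing rules that pick a playbook and advance the status from Processing to New. The channel strings match the page; the record field names, dedup keys, playbook names and rule shape are assumptions.

```python
from typing import Callable
# Constructed Turbine-schema-like record shape; all field names are assumptions.
def normalize_alert(raw: dict) -> dict:  # ingest alert channel: SIEM-style payload
    return {"kind": "alert", "title": raw["name"], "severity": raw.get("severity", "medium").lower(),
            "observables": sorted(set(raw.get("iocs", []))),
            "dedup_key": f"{raw.get('vendor', 'unknown')}:{raw['id']}"}

def normalize_email(raw: dict) -> dict:  # ingest email channel: reported phishing message
    return {"kind": "email", "title": raw["subject"], "severity": "medium",
            "observables": sorted({raw["sender"], *raw.get("urls", [])}),
            "dedup_key": f"email:{raw['message_id']}"}

NORMALIZERS = {"ingest alert": normalize_alert, "ingest email": normalize_email}

class CaseManagement:
    """Create-or-update store keyed on dedup_key, using the page's CASE tracking prefix."""
    def __init__(self) -> None:
        self.cases: dict[str, dict] = {}
        self.by_key: dict[str, str] = {}

    def upsert(self, record: dict) -> dict:
        case_id = self.by_key.get(record["dedup_key"])
        if case_id:  # repeat of a known signal: merge observables, keep the existing case
            case = self.cases[case_id]
            case["observables"] = sorted(set(case["observables"]) | set(record["observables"]))
            return case
        case_id = f"CASE-{len(self.cases) + 1}"
        case = {"id": case_id, "status": "processing", **record}
        self.cases[case_id] = case
        self.by_key[record["dedup_key"]] = case_id
        return case

# Constructed routing rules, evaluated in order; playbook names are assumptions.
ROUTING_RULES: list[tuple[Callable[[dict], bool], str]] = [
    (lambda c: c["kind"] == "email", "phishing-enrichment"),
    (lambda c: c["severity"] in ("high", "critical"), "ti-enrichment-and-correlation"),
    (lambda c: True, "standard-enrichment"),
]

def route(case: dict) -> str:
    """First matching rule picks the playbook; the case moves from processing to new."""
    playbook = next(name for cond, name in ROUTING_RULES if cond(case))
    case["status"] = "new"
    return playbook

def ingest(channel: str, payload: dict, cm: CaseManagement) -> tuple[dict, str]:
    """Entry flow: normalize by channel, create or update the case record, then route it."""
    if channel not in NORMALIZERS:
        raise ValueError(f"unknown channel: {channel}")
    case = cm.upsert(NORMALIZERS[channel](payload))
    return case, route(case)
```

Feeding the same vendor alert id twice updates the existing CASE record instead of opening a second one, which is the create-or-update behaviour the entry flows above are described as providing.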