Configure Custom Assets
AI SOC uses several custom configuration assets (key-value pair assets) that are not tied to a vendor. They control SLA, threat intelligence, and correlation behavior. Find them under Orchestration → Assets. The input names must match the action input keys used by the playbooks and components, so do not rename an input: the playbook or component that reads it looks it up by key.

To change when signals are automatically escalated to a case or closed (for example, confidence thresholds), edit the Pending Signal Resolution flow under Orchestration → Playbooks; that behavior is not configured via assets.

AI SOC General Configuration

The AI SOC General Configuration asset controls the service level agreement (SLA) timing used by the solution.

1. Navigate to Orchestration → Assets.
2. Find and open AI SOC General Configuration.
3. Under Asset Inputs, configure the SLA hours:
   - Alert SLA: SLA in hours for alerts (default 6).
   - Phishing Triage SLA: SLA in hours for phishing triage signals (default 6).
   - Manual SLA: SLA in hours for manually created items (default 6).
4. Adjust these values to match your organization's response targets.
5. Save the asset after making changes.

AI SOC Threat Intelligence Configuration

The AI SOC Threat Intelligence Configuration asset controls which observables are enriched, which are ignored, which threat intelligence providers are used and their weights, and how risk scores map to verdicts. Configure this asset before running enrichment; until it is configured, enrichment will not behave as expected.

1. Navigate to Orchestration → Assets.
2. Find and open the AI SOC Threat Intelligence Configuration asset.
3. Configure the sections below.
4. Save the asset after making changes.

Observable Types to Enrich

Specify which observable types are sent for enrichment. Only listed types are enriched.
- Common types: ip public, ip private, domain, email, url, hash, sha256, md5 (exact names may vary by install; use the values offered in the asset).
- Add types such as ip private if you have your own threat intelligence for private IP ranges.
- Remove types you do not want to enrich.

Observable Parser Ignore List

Configure ignore lists so that certain observables are excluded from extraction and enrichment. Alerts still ingest; matching observables are skipped, and no TI lookups or TI records are created for them.
- Regex: regular expression patterns to match and exclude observables (default empty). Use this for fine-grained exclusions.
- IP CIDR Ranges: comma-separated IP CIDR ranges to exclude (default, for example, 10.0.0.0/8, 172.16.0.0/12 for common private ranges).
- Domains: comma-separated domains to exclude (default, for example, outlook.com, gmail.com, o365.com, exchange.com).

Threat Intelligence Providers

Define which TI providers are used and their weight for aggregation (used when calculating the Turbine risk score and combined verdicts). For each provider, add an array entry with:
- Name: must exactly match the provider name used in the enrichment component (for example, "virustotal", "recorded future", "urlhaus", "ipqualityscore", "abuseipdb", "threatgrid"). Matching is case-sensitive.
- Weight: numeric weight (for example, 1–30). A higher weight gives that provider more influence in the aggregated result.

Add a default entry (name default, weight for example 5); it applies to any provider that has no matching name in the list. You can add or remove providers to match the TI sources you use.

Turbine Risk Score Thresholds

Set the thresholds used to convert the calculated risk score into a verdict:
- Benign: upper bound for benign (default 0). Scores at or below this value are benign.
- Suspicious: threshold for the suspicious verdict (default 300). Scores from this value up to the malicious threshold are suspicious.
- Malicious: threshold at or above which the verdict is malicious (default 600).

These thresholds drive the threat intelligence verdict classification used in signal triage.

AI SOC Correlation Configuration

The AI SOC Correlation Configuration asset controls how signals are correlated with each other and with existing records.

1. Navigate to Orchestration → Assets.
2. Find and open AI SOC Correlation Configuration.
3. Under Asset Inputs, configure as needed (the defaults are often sufficient):
   - Days to Correlate: number of days back to consider for correlation (default 7).
   - Correlations to Return: maximum number of correlations to return per signal (default 10).
   - Minimum String Match Ratio: threshold for string similarity when matching (for example, 1 = exact match).
   - Minimum Record Match Ratio: threshold for overall record similarity (for example, 0.5 = 50% match).
   - Correlation Delay Minutes: delay in minutes before correlation runs (for example, 5).
   - Maximum Records to Search: how many signal records to compare against the current record (default 1000, maximum 5000; values above 5000 are capped at 5000).
4. Adjust these if you need more or fewer correlations, a longer lookback window, or different match sensitivity.
5. Save the asset after making changes.
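The following Python script is an added example, not code from the AI SOC solution itself. It dry-runs the semantics the Threat Intelligence Configuration section above describes (ignore list, case-sensitive provider names with a default fallback, threshold-to-verdict mapping) against a constructed alert's observables, and checks the constraints stated for both assets (threshold ordering, presence of a default provider, valid CIDR ranges, the 5000-record cap) before you save them. The dictionary keys, the sample observables and the weighted-mean aggregation are assumptions for illustration; the product's actual risk-score formula and input names are not given on this page.

```python
import ipaddress
import re

# Constructed values mirroring the Threat Intelligence Configuration asset.
# Dictionary keys are assumptions; the asset's real input names may differ.
TI_CONFIG = {
    "ignore_regex": [r"\.internal\.example$"],           # assumed pattern
    "ignore_cidrs": ["10.0.0.0/8", "172.16.0.0/12"],
    "ignore_domains": ["outlook.com", "gmail.com", "o365.com", "exchange.com"],
    "providers": [                                        # names are case-sensitive
        {"name": "virustotal", "weight": 30},
        {"name": "abuseipdb", "weight": 10},
        {"name": "default", "weight": 5},                 # fallback for unlisted providers
    ],
    "thresholds": {"benign": 0, "suspicious": 300, "malicious": 600},
}

# Constructed value for the Correlation Configuration field checked below.
CORR_CONFIG = {
    "max_records_to_search": 1000,
}

# Constructed observables as the parser might extract them from one alert.
SAMPLE_OBSERVABLES = [
    ("ip public", "203.0.113.10"),
    ("ip private", "10.20.30.40"),
    ("domain", "mail.outlook.com"),
    ("domain", "db.internal.example"),
    ("domain", "evil.example"),
    ("email", "user@gmail.com"),
]

def is_ignored(observable_type, value, cfg):
    """True when the parser ignore list would skip this observable."""
    if any(re.search(p, value) for p in cfg["ignore_regex"]):
        return True
    if observable_type.startswith("ip"):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False
        return any(addr in ipaddress.ip_network(c, strict=False)
                   for c in cfg["ignore_cidrs"])
    if observable_type in ("domain", "email"):
        # Assumption: the domain list also covers subdomains and email domains.
        host = value.rsplit("@", 1)[-1].lower()
        return any(host == d or host.endswith("." + d)
                   for d in cfg["ignore_domains"])
    return False

def enrichable(observables, cfg):
    """Observables that survive the ignore list and are sent for enrichment."""
    return [(t, v) for t, v in observables if not is_ignored(t, v, cfg)]

def provider_weight(name, cfg):
    """Exact (case-sensitive) name match, else the 'default' entry, else 0."""
    by_name = {p["name"]: p["weight"] for p in cfg["providers"]}
    return by_name.get(name, by_name.get("default", 0))

def aggregate_score(provider_scores, cfg):
    """Combine per-provider scores into one risk score.
    Assumption: a weighted mean; the solution's own formula is not documented."""
    total = sum(provider_weight(n, cfg) for n in provider_scores)
    if total == 0:
        return 0.0
    return sum(provider_weight(n, cfg) * s for n, s in provider_scores.items()) / total

def verdict(score, cfg):
    """Map a risk score to a verdict using the Turbine Risk Score Thresholds."""
    t = cfg["thresholds"]
    if score >= t["malicious"]:
        return "malicious"
    if score >= t["suspicious"]:    # "from 300 up to the malicious threshold"
        return "suspicious"
    if score <= t["benign"]:        # benign is an upper bound
        return "benign"
    return "unknown"                # band the documentation does not name

def validate(ti_cfg, corr_cfg):
    """Constraint violations to catch before saving the assets."""
    problems = []
    t = ti_cfg["thresholds"]
    if not t["benign"] <= t["suspicious"] <= t["malicious"]:
        problems.append("thresholds must satisfy benign <= suspicious <= malicious")
    if "default" not in [p["name"] for p in ti_cfg["providers"]]:
        problems.append("no 'default' provider entry; unlisted providers get no weight")
    for c in ti_cfg["ignore_cidrs"]:
        try:
            ipaddress.ip_network(c, strict=False)
        except ValueError:
            problems.append(f"invalid CIDR range {c!r}")
    if corr_cfg["max_records_to_search"] > 5000:
        problems.append("max_records_to_search above 5000 is capped at 5000")
    return problems

if __name__ == "__main__":
    print("enriched:", enrichable(SAMPLE_OBSERVABLES, TI_CONFIG))
    score = aggregate_score({"virustotal": 800, "abuseipdb": 200}, TI_CONFIG)
    print("risk score", score, "->", verdict(score, TI_CONFIG))
    print("problems:", validate(TI_CONFIG, CORR_CONFIG) or "none")
```

Two points the dry run makes visible: a provider entry named "VirusTotal" silently falls back to the default weight because the match is case-sensitive, and the default domain list suppresses mail.outlook.com and user@gmail.com, so a phishing sender at one of those domains produces no TI record at all. Review both before saving the asset.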