Operations and Guidance
Example Investigation Workflow
This example shows how a typical alert moves through AI SOC from ingestion to resolution.

Scenario: a SIEM alert indicates suspicious network activity from an internal host to an external IP address.

1. Ingestion
   The SIEM alert is ingested via webhook and a signal record is created in Signal Triage.

2. Observable extraction
   Observables are automatically extracted: source IP (internal host), destination IP (external IP), timestamp, and protocol information.

3. Threat intelligence enrichment
   Observables are enriched with TI providers. The external IP is flagged as malicious by multiple providers.
   Threat intelligence verdict: Malicious. Enrichment status: Complete.

4. Signal review
   The analyst opens Signal Triage and reviews:
   - Severity: High
   - Intelligence verdict: Malicious
   - Observables: source and destination IPs
   - Correlation: no similar signals found

5. Plan generation
   The analyst clicks Generate Plan:
   - Preparation phase: enrich the destination IP with additional TI providers; get endpoint details for the source host.
   - Analysis phase: search the SIEM for related activity; check for similar infections; get user details.
   - Determination phase: generate a verdict.

6. Investigation execution
   - Preparation steps confirm the external IP is malicious.
   - Analysis steps reveal the internal host has multiple connections to the malicious IP.
   - User details show the account belongs to a standard user (not an admin).

7. Verdict generation
   The determination step generates the verdict:
   AI verdict: Malicious. Confidence: 8/10. Analysis indicates potential C2 communication.

8. Escalation
   The analyst escalates to a case:
   - Creates a case for sustained investigation
   - Attaches evidence (TI results, SIEM logs, endpoint details)
   - Documents findings in case comments

9. Remediation
   The analyst generates a remediation plan:
   - Isolate the affected endpoint
   - Block the malicious IP at the firewall
   - Reset user credentials
   - Scan for additional infections

10. Automation
   The analyst creates a triage rule:
   - Condition: external IP matches known malicious IPs from TI
   - Action: automatically escalate to case
   Future similar signals will be automatically routed.

11. Resolution
   The case is tracked through mitigation and closed with a full audit trail.

Related documentation
- Your First Signal Investigation
- Detailed Application Walkthroughs
- Monitoring and Metrics
- Optimization and Efficiency Tips
- Common Issues and Solutions
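As an added illustration of the observable extraction, TI enrichment and triage-rule steps of the workflow above (example code, not AI SOC's own; the webhook field names, the TI provider results and the internal address ranges are assumptions), this script runs a constructed SIEM alert through extraction, enrichment and routing:

```python
import ipaddress

# Assumed organisation-internal ranges (RFC 1918); a real deployment would configure its own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed SIEM alert in an assumed webhook shape, not the product's real schema.
SAMPLE_ALERT = {"timestamp": "2024-05-01T09:12:44Z", "src_ip": "10.20.30.40",
                "dst_ip": "203.0.113.77", "protocol": "tcp/443"}

# Constructed TI lookups: indicator -> {provider: verdict}. Two of three providers flag the IP.
TI_RESULTS = {"203.0.113.77": {"provider_a": "malicious", "provider_b": "malicious",
                               "provider_c": "unknown"}}

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def extract_observables(alert):
    """Observable extraction: pull source IP, destination IP, timestamp and protocol from the alert."""
    observables = {"timestamp": alert["timestamp"], "protocol": alert["protocol"]}
    for key in ("src_ip", "dst_ip"):
        ip = ipaddress.ip_address(alert[key])  # raises ValueError on a malformed field
        observables[key] = {"value": str(ip), "internal": is_internal(ip)}
    return observables

def enrich(observables, ti_results):
    """TI enrichment: look up every external IP; 'malicious' requires agreement from >= 2 providers."""
    enriched = dict(observables)
    for key in ("src_ip", "dst_ip"):
        entry = dict(enriched[key])
        if not entry["internal"]:  # internal hosts are not queried against external TI
            hits = sum(v == "malicious" for v in ti_results.get(entry["value"], {}).values())
            entry["ti_hits"] = hits
            entry["ti_verdict"] = "malicious" if hits >= 2 else "suspicious" if hits else "unknown"
        enriched[key] = entry
    enriched["enrichment_status"] = "complete"
    return enriched

def triage_rule(enriched):
    """Triage rule: if the external destination IP carries a malicious TI verdict, escalate to a case."""
    dst = enriched["dst_ip"]
    if not dst["internal"] and dst.get("ti_verdict") == "malicious":
        return "escalate_to_case"
    return "analyst_review"

def process(alert, ti_results=TI_RESULTS):
    """Ingestion -> extraction -> enrichment -> routing for one alert."""
    enriched = enrich(extract_observables(alert), ti_results)
    return enriched, triage_rule(enriched)
```

An alert whose destination is not in any TI feed falls through to analyst review rather than being auto-escalated, which is the behaviour the triage rule's condition implies.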