Example Investigation Workflow
This example shows how a typical alert moves through AI SOC from ingestion to resolution.

Scenario
A SIEM alert indicates suspicious network activity from an internal host to an external IP address.

1. Ingestion
The SIEM alert is ingested via webhook and a case management record is created (tracking prefix CASE).

2. Observable Extraction
Observables are automatically extracted: source IP (internal host), destination IP (external IP), timestamp, and protocol information.

3. Threat Intelligence Enrichment
Observables are enriched with TI providers. The external IP is flagged as malicious by multiple providers.
- Threat intelligence verdict: Malicious
- Enrichment status: Complete

4. Triage Review
The analyst opens Case Management and reviews:
- Severity: High
- Intelligence verdict: Malicious
- Observables: source and destination IPs
- Correlation: no similar signals found

5. Plan Generation
The analyst clicks Generate Plan:
- Preparation phase: enrich the destination IP with additional TI providers; get endpoint details for the source host
- Analysis phase: search the SIEM for related activity; check for similar infections; get user details
- Determination phase: generate verdict

6. Investigation Execution
- Preparation steps confirm the external IP is malicious.
- Analysis steps reveal the internal host has multiple connections to the malicious IP.
- User details show the account belongs to a standard user (not an admin).

7. Verdict Generation
The determination step generates the verdict:
- AI verdict: Malicious
- Confidence: 8/10
- Analysis indicates potential C2 communication

8. Response and Status
The analyst continues on the same case management record:
- Attaches or references evidence (TI results, SIEM logs, endpoint details) per your layout
- Documents findings in investigation comments (and in linked case comments if your workflow uses a linked record)
- Status may move to Escalated when pending case resolution and your tenant rules apply

9. Remediation
The analyst generates a remediation plan:
- Isolate the affected endpoint
- Block the malicious IP at the firewall
- Reset user credentials
- Scan for additional infections

10. Automation
The analyst creates a triage rule:
- Condition: external IP matches known malicious IPs from TI
- Action: run associated playbooks (for example notify, set priority, or containment steps your organization defines)
Future matching case management records are processed by the rule when it is enabled.

11. Resolution
The record is tracked through mitigation and closed with a full audit trail.

Related Documentation
- Your First Signal Investigation
- Detailed Application Walkthroughs
- Monitoring and Metrics
- Optimization and Efficiency Tips
- Common Issues and Solutions
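The observable extraction, TI enrichment and triage-rule steps of the workflow above, as an added Python example. This is not the AI SOC product's code or webhook schema: the alert field names, the TI provider responses, the two-provider threshold and the playbook names are constructed assumptions chosen to make the workflow runnable end to end. It shows the point the workflow relies on: a rule that fires only when the destination is external and the aggregate TI verdict is malicious, and stays quiet on a single-provider hit or when the rule is disabled.

```python
import ipaddress
import json

# Constructed sample SIEM alert; the field names are assumptions, not the product's webhook schema.
SAMPLE_ALERT = json.dumps({
    "timestamp": "2024-05-01T09:15:00Z",
    "src_ip": "10.20.30.40",
    "dst_ip": "203.0.113.10",
    "protocol": "tcp",
    "dst_port": 443,
    "rule_name": "Suspicious outbound connection",
})

# Constructed TI provider lookups keyed by provider name (documentation IPs only).
SAMPLE_TI_PROVIDERS = {
    "provider_a": {"203.0.113.10": "malicious"},
    "provider_b": {"203.0.113.10": "malicious"},
    "provider_c": {"203.0.113.10": "unknown"},
}

# RFC 1918 ranges used to classify a host as internal. Explicit networks are used
# rather than ipaddress.is_private because documentation ranges such as
# 203.0.113.0/24 count as "private" there and would be misclassified as internal.
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Number of providers that must flag an IP before the aggregate verdict is "malicious" (assumed policy).
MALICIOUS_PROVIDER_THRESHOLD = 2


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def extract_observables(alert_json: str) -> dict:
    """Observable extraction: pull the fields an investigation keys on from the raw alert."""
    alert = json.loads(alert_json)
    return {
        "src_ip": alert["src_ip"],
        "dst_ip": alert["dst_ip"],
        "timestamp": alert["timestamp"],
        "protocol": alert.get("protocol", "unknown"),
        "src_is_internal": is_internal(alert["src_ip"]),
        "dst_is_internal": is_internal(alert["dst_ip"]),
    }


def enrich_ip(ip: str, providers: dict) -> dict:
    """TI enrichment: query every provider and aggregate the answers into one verdict."""
    verdicts = {name: feed.get(ip, "unknown") for name, feed in providers.items()}
    malicious_count = sum(1 for v in verdicts.values() if v == "malicious")
    if malicious_count >= MALICIOUS_PROVIDER_THRESHOLD:
        verdict = "malicious"
    elif malicious_count == 1:
        verdict = "suspicious"  # a single provider hit goes to analyst review, not automation
    else:
        verdict = "benign"
    return {"ip": ip, "provider_verdicts": verdicts, "malicious_count": malicious_count,
            "verdict": verdict, "status": "complete"}


def evaluate_triage_rule(observables: dict, enrichment: dict, enabled: bool = True) -> dict:
    """Triage rule: external destination flagged malicious by TI -> run the associated playbooks.
    Playbook names are constructed placeholders for whatever the organization defines."""
    playbooks = ["notify_analyst", "set_priority_high", "contain_endpoint"]
    matched = (enabled
               and not observables["dst_is_internal"]
               and enrichment["verdict"] == "malicious")
    return {"matched": matched, "actions": playbooks if matched else []}


def triage(alert_json: str, providers: dict, rule_enabled: bool = True) -> dict:
    """Run ingestion -> extraction -> enrichment -> rule evaluation for one alert."""
    observables = extract_observables(alert_json)
    enrichment = enrich_ip(observables["dst_ip"], providers)
    rule = evaluate_triage_rule(observables, enrichment, enabled=rule_enabled)
    return {"observables": observables, "enrichment": enrichment, "rule": rule}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ALERT, SAMPLE_TI_PROVIDERS), indent=2))
```

The threshold is the design choice worth noting: requiring agreement from more than one provider before a containment playbook runs keeps a single noisy feed from isolating endpoints on its own, while a one-provider hit still surfaces as "suspicious" for the analyst's triage review.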