# Example Scenarios
This guide provides detailed walkthroughs of common security scenarios in AI SOC. Each scenario demonstrates how signals flow through the investigation lifecycle, from ingestion to resolution.

These scenarios are illustrative examples. Actual investigation steps, verdicts, and confidence scores will vary based on signal context, available data, and Hero AI analysis. The specific numbers, threat names, and step sequences shown are examples only.

## Scenario 1: Phishing Email Investigation

**Scenario:** A user reports a suspicious email that appears to be from a trusted vendor requesting payment information.

### Step-by-Step Investigation

**1. Ingestion and Signal Creation**

- User forwards the phishing email to the security team
- Email is ingested via the Ingest Email to Sig Record playbook
- A signal record is created in Signal Triage with:
  - Signal type: Phishing
  - Signal source: Email
  - Extracted observables: sender email address, URLs in the email body, attachment hashes (if any)

**2. Threat Intelligence Enrichment**

Observables are automatically enriched:

- Sender email domain checked against TI providers
- URLs extracted and checked for malicious reputation
- Attachment hashes (if present) checked against malware databases
- Threat intelligence verdict: Suspicious (URL flagged by multiple providers)

**3. Initial Triage**

Analyst opens the signal in Signal Triage and reviews:

- Meta panel: intelligence verdict Suspicious, signal source Email
- Evidence panels:
  - Threat intelligence: URL is flagged as suspicious by VirusTotal and abuse.ch URLhaus
  - Knowledge base: no matching KB articles found
  - Correlation: no similar signals found

**4. Plan Generation**

Analyst clicks Generate Plan in the AI Alert Analysis panel. Hero AI generates an investigation plan:

- Preparation phase:
  - Enrich sender email domain with Recorded Future
  - Enrich URLs with VirusTotal
  - Check email headers for spoofing indicators
- Analysis phase:
  - Search email security gateway for similar emails sent to other users
  - Check if sender domain is the legitimate vendor domain (typo squatting
check)
  - Review email content for social engineering indicators
  - Check if any users clicked the malicious links
- Determination phase:
  - Generate verdict using Hero AI analysis

**5. Investigation Execution**

- Preparation steps:
  - Sender domain is confirmed as suspicious (typo squatting of the legitimate vendor domain)
  - URLs confirmed malicious by multiple TI providers
  - Email headers show spoofing indicators
- Analysis steps:
  - Email security gateway search reveals multiple other users received similar emails
  - Some users clicked the malicious links
  - Email content matches a known phishing template
- Determination:
  - AI verdict: Malicious
  - Confidence: High
  - Analysis indicates a credential harvesting campaign targeting vendor relationships

**6. Response Actions**

Analyst escalates to a case for coordinated response. Remediation plan generated:

- Block malicious URLs at the email security gateway
- Block sender domain
- Notify affected users who clicked links
- Reset credentials for affected users
- Add sender domain to blocklist
- Create awareness communication about vendor impersonation

**7. Automation**

Analyst creates a triage rule:

- Condition: email contains URLs matching known malicious patterns AND sender domain matches vendor impersonation pattern
- Action: automatically escalate to case and notify security team
- Rule order: high priority

**8. Knowledge Base Update**

Analyst creates a KB article documenting:

- Vendor impersonation phishing pattern
- Common indicators (typo squatting domains, payment requests)
- Investigation steps for similar emails
- Response procedures

**9. Resolution**

Case is resolved after:

- All affected users notified and credentials reset
- Malicious URLs and domains blocked
- Awareness communication sent
- KB article created for future reference

## Scenario 2: Malware Detection Investigation

**Scenario:** An EDR alert indicates suspicious process execution on an endpoint, with network connections to an external IP address.

### Step-by-Step Investigation

**1. Ingestion and Signal Creation**

- EDR (CrowdStrike) sends alert via webhook to AI SOC
- Alert is ingested via the
Ingest Webhook Alert playbook
- Signal record created with:
  - Signal type: Alert
  - Signal source: CrowdStrike
  - Severity: High
  - Extracted observables: source IP (internal endpoint), destination IP (external C2 server), process hash (suspicious executable), domain (C2 domain)

**2. Threat Intelligence Enrichment**

Observables automatically enriched:

- Destination IP flagged as malicious by multiple TI providers
- Process hash matches a known malware family
- Domain flagged as C2 infrastructure
- Threat intelligence verdict: Malicious

**3. Initial Triage**

Analyst opens the signal in Signal Triage and reviews:

- Context: severity High, intelligence verdict Malicious, observables with multiple malicious indicators
- Correlation panel: similar signals found from a recent timeframe (same malware family, different endpoints)

**4. Plan Generation**

Analyst clicks Generate Plan. Hero AI generates an investigation plan:

- Preparation phase:
  - Enrich destination IP with multiple TI providers (AbuseIPDB, Recorded Future, VirusTotal)
  - Get endpoint details from CrowdStrike (hostname, user, OS, last seen)
  - Enrich process hash with VirusTotal
- Analysis phase:
  - List all CrowdStrike detections for the impacted endpoint
  - Search CrowdStrike for processes connecting to the malicious IP
  - Search SIEM (Splunk) for network connections to the malicious IP
  - Search SIEM for DNS queries to the C2 domain
  - Search SIEM for outbound data transfers from the endpoint
  - Search for similar malware infections across other endpoints
  - Get user details from identity provider (Okta)
  - Check for lateral movement indicators
- Determination phase:
  - Generate verdict using Hero AI analysis

**5. Investigation Execution**

- Preparation steps:
  - Destination IP confirmed malicious (C2 server)
  - Endpoint details retrieved (hostname, user, OS, last seen)
  - Process hash confirmed as a known malware variant
- Analysis steps:
  - CrowdStrike shows additional detections on the same endpoint
  - SIEM search reveals multiple connections to the C2 IP
  - DNS queries show communication with the C2 domain
  - Outbound data transfers detected
(potential data exfiltration)
  - Similar infections found on other endpoints (same malware family)
  - User account has standard privileges (not admin)
  - No lateral movement detected yet
- Determination:
  - AI verdict: Malicious
  - Confidence: Very High
  - Analysis confirms an active malware infection with data exfiltration

**6. Response Actions**

Analyst immediately escalates to a case (critical severity). Remediation plan generated:

- Immediate containment:
  - Isolate affected endpoint from the network
  - Disable user account
  - Block C2 IP and domain at the firewall
- Investigation:
  - Scan all other potentially infected endpoints
  - Review data exfiltration scope
  - Check for credential theft
- Recovery:
  - Reimage affected endpoints
  - Reset user credentials
  - Restore from clean backup if needed
- Prevention:
  - Update endpoint detection rules
  - Block malware hash globally
  - Review email security (initial infection vector)

**7. Automation**

Analyst creates a triage rule:

- Condition: signal contains process hash matching known malware families AND destination IP flagged as malicious
- Action: automatically escalate to case, set priority to Critical, notify security team

Analyst creates a playbook that:

- Automatically isolates the endpoint when malware is detected
- Blocks malicious IPs and domains
- Generates a remediation plan
- Notifies the security team

**8. Case Management**

Case created and tracked through:

- Containment phase (endpoints isolated)
- Investigation phase (scope assessment)
- Eradication phase (endpoints reimaged)
- Recovery phase (systems restored)
- Post-incident review

**9. Resolution**

Case resolved after:

- All infected endpoints reimaged
- User credentials reset
- C2 infrastructure blocked
- Detection rules updated
- Post-incident review completed
- Lessons learned documented in a KB article

## Scenario 3: Insider Threat Investigation

**Scenario:** A SIEM alert indicates unusual data access patterns from a user account, with large file transfers to external cloud storage.

### Step-by-Step Investigation

**1. Ingestion and Signal Creation**

- SIEM sends alert via webhook
- Alert indicates:
  - User accessed an unusually large
number of files in a short timeframe
  - Large data transfers to external cloud storage
  - Access occurred outside normal business hours
- Signal created with:
  - Signal type: Alert
  - Signal source: SIEM
  - Severity: High
  - Extracted observables: user account, source IP (corporate network), destination (cloud storage API), file access patterns

**2. Threat Intelligence Enrichment**

Observables enriched:

- User account checked against HR records
- Source IP is a legitimate corporate IP
- Cloud storage API is a legitimate service (not flagged)
- Threat intelligence verdict: Unknown (no malicious indicators, but suspicious behavior)

**3. Initial Triage**

Analyst opens the signal in Signal Triage and reviews:

- Context: severity High (potential data exfiltration), intelligence verdict Unknown, signal source SIEM (behavioral analytics)
- Correlation panel: no similar signals found; user has no previous security incidents

**4. Plan Generation**

Analyst clicks Generate Plan. Hero AI generates an investigation plan:

- Preparation phase:
  - Get user details from identity provider (Okta)
  - Check user's role and access permissions
  - Review user's recent activity timeline
  - Check if user is on the termination list or has given notice
- Analysis phase:
  - Review files accessed (sensitive data classification)
  - Check file access patterns (normal vs. bulk download)
  - Review data transfer volumes and destinations
  - Check for similar activity from other users
  - Review user's email and communication for indicators
  - Check for unauthorized access attempts
  - Review user's device and location information
- Determination phase:
  - Generate verdict using Hero AI analysis

**5. Investigation Execution**

- Preparation steps:
  - User is a sales manager with access to customer data
  - User has standard permissions (not admin)
  - User activity timeline shows normal patterns until 2 days ago
  - HR confirms user gave 2 weeks' notice (termination in progress)
- Analysis steps:
  - Files accessed include sensitive business data (customer lists, reports, pricing)
  - Access pattern shows bulk download (not normal browsing)
  - Large data
transfer detected to a personal cloud storage account
  - No similar activity from other users
  - Email review shows user forwarding company data to personal email
  - All activity from a corporate-issued laptop
  - Activity occurred during off hours
- Determination:
  - AI verdict: Suspicious
  - Confidence: High
  - Analysis indicates potential data exfiltration by a departing employee

**6. Response Actions**

Analyst escalates to a case (requires HR and legal coordination). Remediation plan generated:

- Immediate actions:
  - Disable user's access to sensitive systems
  - Revoke cloud storage access
  - Secure user's laptop for forensic analysis
  - Notify HR and legal teams
- Investigation:
  - Forensic analysis of user's laptop
  - Review all data transfers
  - Assess data sensitivity and regulatory impact
  - Interview user (if appropriate)
- Legal/HR:
  - Coordinate with legal for potential legal action
  - Work with HR on the termination process
  - Assess need for data breach notification

**7. Case Management**

Case created and tracked through:

- Investigation phase (forensic analysis)
- Legal review (data sensitivity assessment)
- HR coordination (termination process)
- Remediation (access revocation, data recovery if possible)
- Documentation (incident report)

**8. Automation**

Analyst creates a triage rule:

- Condition: user on termination list AND unusual data access patterns AND large external transfers
- Action: automatically escalate to case, set priority to High, notify security and HR teams

**9. Knowledge Base Update**

Analyst creates a KB article documenting:

- Insider threat indicators (departing employees, bulk data access)
- Investigation procedures for data exfiltration
- Coordination with HR and legal
- Prevention measures (access reviews, offboarding procedures)

**10. Resolution**

Case resolved after:

- User access revoked
- Laptop secured and analyzed
- Legal assessment completed
- HR termination process completed
- Incident report documented
- Offboarding procedures updated to prevent future incidents

## Scenario Comparison

[Scenario comparison table not recoverable from this page]
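Two of the preparation steps in Scenario 1, the typo-squatting check on the sender domain and the check of the email headers for spoofing indicators, as an added example in Python. This is not code from the AI SOC product or its playbooks; the vendor allowlist, the raw message, the edit-distance threshold and the indicator names are constructed for illustration.

```python
"""Typo-squatting and header-spoofing checks for a reported phishing email.

Added example, not code from the AI SOC product or its playbooks. It shows
the kind of logic behind two Scenario 1 plan steps: "check if sender domain
is legitimate vendor domain (typo squatting check)" and "check email headers
for spoofing indicators". The vendor allowlist, the raw message, the
edit-distance threshold and the indicator names are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of legitimate vendor domains (constructed).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "globex.com"}
MAX_EDIT_DISTANCE = 2  # assumed threshold for "looks like" a known domain

# Constructed sample: digit-for-letter squat in From, a different Reply-To and
# envelope sender, an SPF failure and no DKIM signature.
RAW_PHISH = """\
Return-Path: <billing@mail-relay.example.net>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: Acme Billing <accounts@acme-supp1ies.com>
Reply-To: accounts@acme-supp1ies-invoices.com
To: ap@corp.example
Subject: Updated payment details for invoice 4471
Content-Type: text/plain

Please update our banking details at https://acme-supp1ies.com/portal/update
before Friday.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def typosquat_match(domain, known=KNOWN_VENDOR_DOMAINS):
    """Return the known domain that `domain` imitates, or None.

    Flags a domain that is not on the allowlist but is within
    MAX_EDIT_DISTANCE edits of one (acme-supp1ies.com) or embeds a known
    domain's first label (acme-supplies-portal.com)."""
    domain = domain.lower()
    if domain in known:
        return None
    label = domain.split(".")[0]
    for good in sorted(known):
        if levenshtein(domain, good) <= MAX_EDIT_DISTANCE or good.split(".")[0] in label:
            return good
    return None


def spoofing_indicators(msg, from_dom):
    """Header-level spoofing indicators: envelope sender and Reply-To that do
    not match the From domain, and any SPF/DKIM/DMARC result other than pass."""
    found = []
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    if return_path and domain_of(return_path) != from_dom:
        found.append("return-path-mismatch")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_dom:
        found.append("reply-to-mismatch")
    for mech, result in AUTH_RE.findall(msg.get("Authentication-Results", "")):
        if result.lower() != "pass":
            found.append(f"{mech.lower()}={result.lower()}")
    return found


def analyze_email(raw):
    """Parse a raw RFC 5322 message and return the observables and findings
    an analyst would want on the signal record."""
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    urls = URL_RE.findall(msg.get_payload())
    hosts = sorted({urlparse(u).hostname or "" for u in urls})
    indicators = spoofing_indicators(msg, from_dom)
    squat = typosquat_match(from_dom)
    squat_hosts = [h for h in hosts if typosquat_match(h)]
    # The verdict is a triage hint only; TI enrichment of the URLs is a separate step.
    verdict = "suspicious" if (squat or squat_hosts or len(indicators) >= 2) else "unknown"
    return {"sender_domain": from_dom, "typosquat_of": squat, "urls": urls,
            "typosquat_url_hosts": squat_hosts, "indicators": indicators,
            "verdict": verdict}


if __name__ == "__main__":
    for key, value in analyze_email(RAW_PHISH).items():
        print(f"{key}: {value}")
```

The edit-distance check catches single-character swaps and substitutions; the label check catches combo-squats that prepend or append a word to the real vendor name. Both produce false positives on very short vendor names, so in practice the allowlist would be per-vendor and the hits feed the analyst's review rather than an automatic block.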
## Key Takeaways

**Common investigation patterns**

- Always review correlation before starting an investigation to avoid duplicate work
- Complete threat intelligence enrichment before generating plans for better AI analysis
- Document findings in investigation comments as you go
- Create automation for patterns you see frequently
- Update the knowledge base with lessons learned from each investigation

**Escalation criteria**

- Phishing: escalate when multiple users are affected or the email is confirmed malicious
- Malware: escalate immediately for active infections, especially with lateral movement
- Insider threat: escalate when data exfiltration is confirmed; requires HR/legal coordination

**Automation opportunities**

- Create triage rules for known attack patterns
- Automate containment actions for high-severity threats
- Create playbooks for common investigation workflows
- Set up automatic notifications for critical incidents

## Related Documentation

- Your First Signal Investigation (docid p7qjquayekczhpxeppwcp)
- Daily Operational Tasks (docid dsdgtaqeg95dseaf2iat)
- Application Walkthroughs (docid uosuzrpsl6hfe9d6br5az)
- Optimization Tips (docid ww gfwujljt7opjduu8vg)
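The triage rules written in the Automation step of each scenario, evaluated in rule order over signal records, as an added example. This is not the AI SOC product's rule syntax or data model: a signal is modeled as a plain dict, conditions are Python predicates, and the HR termination list, transfer threshold, TI verdicts and sample signals are constructed. The two extra signals at the end show that each rule is a conjunction, so a single matching observable does not fire it.

```python
"""Triage rules from the Automation step of each scenario, evaluated in
priority order over signal records.

Added example, not the AI SOC product's own rule syntax or data model: a
signal is a dict, rule conditions are plain predicates, and the HR
termination feed, TI verdicts, sample signals and transfer threshold are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List

TERMINATION_LIST = {"jdoe"}          # constructed HR feed of users who gave notice
EXTERNAL_TRANSFER_LIMIT = 1 << 30    # 1 GiB, constructed threshold


@dataclass
class Rule:
    name: str
    priority: int                      # lower value is evaluated first
    condition: Callable[[dict], bool]
    actions: List[str]


def observables(signal, kind):
    return [o for o in signal.get("observables", []) if o["kind"] == kind]


# Scenario 1: malicious URL AND a sender domain that imitates a known vendor.
def vendor_impersonation(sig):
    return (sig["type"] == "phishing"
            and any(o.get("verdict") == "malicious" for o in observables(sig, "url"))
            and any(o.get("typosquat_of") for o in observables(sig, "domain")))


# Scenario 2: process hash attributed to a malware family AND a malicious destination IP.
def known_malware_c2(sig):
    return (any(o.get("malware_family") for o in observables(sig, "hash"))
            and any(o.get("verdict") == "malicious" and o.get("direction") == "dst"
                    for o in observables(sig, "ip")))


# Scenario 3: departing user AND anomalous access pattern AND large external transfer.
def departing_employee_exfil(sig):
    return (sig.get("user") in TERMINATION_LIST
            and "unusual_access" in sig.get("tags", [])
            and sig.get("external_transfer_bytes", 0) > EXTERNAL_TRANSFER_LIMIT)


RULES = [
    Rule("known-malware-c2", 10, known_malware_c2,
         ["escalate-to-case", "set-priority:critical", "notify:security"]),
    Rule("vendor-impersonation-phishing", 20, vendor_impersonation,
         ["escalate-to-case", "notify:security"]),
    Rule("departing-employee-exfil", 30, departing_employee_exfil,
         ["escalate-to-case", "set-priority:high", "notify:security", "notify:hr"]),
]


def evaluate(signal, rules=RULES):
    """The first matching rule (by priority) decides the actions; later matches
    are kept so the analyst can see what else would have fired."""
    matched = [r for r in sorted(rules, key=lambda r: r.priority) if r.condition(signal)]
    if not matched:
        return {"rule": None, "actions": ["queue-for-manual-triage"], "also_matched": []}
    return {"rule": matched[0].name,
            "actions": list(matched[0].actions),
            "also_matched": [r.name for r in matched[1:]]}


# Constructed sample signals: one per scenario, plus two that must not fire.
SIGNALS = [
    {"id": "phish-1", "type": "phishing", "source": "email", "observables": [
        {"kind": "domain", "value": "acme-supp1ies.com", "typosquat_of": "acme-supplies.com"},
        {"kind": "url", "value": "https://acme-supp1ies.com/portal", "verdict": "malicious"}]},
    {"id": "edr-7", "type": "alert", "source": "crowdstrike", "observables": [
        {"kind": "hash", "value": "sha256:constructed-sample", "malware_family": "sample-rat"},
        {"kind": "ip", "value": "203.0.113.10", "direction": "dst", "verdict": "malicious"},
        {"kind": "ip", "value": "10.0.0.23", "direction": "src", "verdict": "clean"}]},
    {"id": "siem-42", "type": "alert", "source": "siem", "user": "jdoe",
     "tags": ["unusual_access", "off_hours"], "external_transfer_bytes": 12 << 30},
    # Same behaviour, but the user is not on the termination list: no rule fires.
    {"id": "siem-43", "type": "alert", "source": "siem", "user": "asmith",
     "tags": ["unusual_access"], "external_transfer_bytes": 12 << 30},
    # Flagged URL but a legitimate sender domain: stays in manual triage.
    {"id": "phish-2", "type": "phishing", "source": "email", "observables": [
        {"kind": "domain", "value": "acme-supplies.com"},
        {"kind": "url", "value": "https://203.0.113.9/login", "verdict": "malicious"}]},
]


def triage_all(signals=SIGNALS):
    return {s["id"]: evaluate(s) for s in signals}


if __name__ == "__main__":
    for sid, result in triage_all().items():
        print(sid, result["rule"], result["actions"])
```

Rule order matters when a signal satisfies more than one condition: the malware rule sits first so that a phishing signal whose attachment hash is already attributed to a malware family gets the critical priority rather than the lower phishing actions. Recording `also_matched` keeps that decision visible in the case.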