# Getting Started
This guide walks you through your first signal investigation in AI SOC. Follow these steps to understand the workflow and key features.

## Prerequisites

Before starting your first investigation:

- Permissions configuration: work with your organization to configure role-based permissions for AI SOC so users see the right actions (see Permissions configuration below).
- Access: you have access to the Signal Triage application and the AI SOC workspace.
- Hero AI: Hero AI is enabled for your tenant (required for plan generation).
- Permissions: you have appropriate permissions to view signals, generate plans, and update records.
- Assets: threat intelligence providers are configured (optional but recommended).

## Permissions configuration

User role permissions for AI SOC control what each role can see and do in the AI Alert Analysis panel on Signal Triage records (that is the panel title analysts see when viewing a signal).

To configure these permissions:

1. Open Applications & Applets → Signal Triage → Form Layout → Signal Analysis tab.
2. Select the AI Analysis widget in the layout (it appears as "AI Analysis" in the form; on signal records it displays as "AI Alert Analysis").
3. Click Edit Widget.

In the widget editor you set role-based access control (RBAC). Each option can be enabled or disabled and restricted to specific role names (use the all-roles value to allow all roles). There are four default permissions (create, read, update, delete) as a baseline; you can customize them or use Grant Full Permissions to grant full access for a role. The widget also exposes AI SOC-specific options (aligned with the widget configuration); the options referenced in this guide are summarysection, plansection, generateplan, modifyplan, executeplan, automationsection, and usemarketplace.

How to configure: in the widget editor, each option can be turned on or off and limited to specific role names. Use the all-roles value for an option to allow all roles; enter one or more role names (comma-separated if supported) to restrict that option to those roles. The four baseline permissions (create, read, update, delete) apply to the widget as a whole; use Grant Full Permissions for a role if that role should have full access to the panel without per-option limits.

Example: to let analysts view the summary and plan and run steps, but restrict automation and marketplace use to admins, enable summarysection, plansection, generateplan, modifyplan, and executeplan for analyst roles (or all roles), and enable automationsection and usemarketplace only for admin or automation roles. Adjust this to match your organization's roles. Configure these so that analysts have the access they need without exposing actions that should be restricted (for example, automation or marketplace use) to roles that should not have them.

If you do not see AI features (for example, the Generate Plan button or the Plan section), this is often due to Hero AI not being enabled or to RBAC/widget configuration. In Troubleshooting, see Hero AI Service Issues (Generate Plan button missing or does nothing) and Configuration Issues (RBAC features not visible or accessible). There you will find step-by-step checks:

1. Verify Hero AI and the feature flag are enabled for your tenant.
2. Review the AI Alert Analysis widget configuration and confirm your role is in the allowed roles for the sections and actions you need.
3. Verify your role assignments and application permissions.

Doing these checks early avoids confusion when the button or sections do not appear.
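The following Python model is an added illustration of how the per-option RBAC described above resolves what a given user sees in the AI Alert Analysis panel; it is not Swimlane's code or its widget configuration format. The option names are the ones this guide lists; the `*` wildcard for "all roles", the dictionary layout, the rule that a disabled option is hidden even from Grant Full Permissions roles, and the sample role names are assumptions.

```python
"""Hypothetical model of per-option RBAC on the AI Alert Analysis widget.
Added illustration, not Swimlane's own code or configuration format."""

ALL_ROLES = "*"  # assumed wildcard meaning "allow every role"

# Constructed widget configuration following the guide's example: analysts can
# view the summary/plan and run steps; automation and marketplace are limited
# to admin/automation roles. Each option maps to (enabled, allowed role names).
WIDGET_CONFIG = {
    "summarysection":    (True, {ALL_ROLES}),
    "plansection":       (True, {ALL_ROLES}),
    "generateplan":      (True, {"analyst", "admin"}),
    "modifyplan":        (True, {"analyst", "admin"}),
    "executeplan":       (True, {"analyst", "admin"}),
    "automationsection": (True, {"admin", "automation"}),
    "usemarketplace":    (True, {"admin", "automation"}),
}

# Roles given "Grant Full Permissions" on the widget (assumed to bypass the
# per-option role lists, as the guide describes). Role name is constructed.
FULL_PERMISSION_ROLES = {"soc-owner"}


def option_allowed(option, user_roles, config=WIDGET_CONFIG,
                   full_roles=FULL_PERMISSION_ROLES):
    """Return True if any of user_roles may use `option`.

    Check order (an assumption of this model): a disabled option is hidden for
    everyone; full-permission roles then bypass the per-option list; otherwise
    the wildcard or an explicit role match is required. Unknown options are
    treated as disabled, so a typo in a role list can only reduce access.
    """
    enabled, allowed = config.get(option, (False, set()))
    if not enabled:
        return False
    if full_roles & set(user_roles):
        return True
    return ALL_ROLES in allowed or bool(allowed & set(user_roles))


def visible_options(user_roles, config=WIDGET_CONFIG,
                    full_roles=FULL_PERMISSION_ROLES):
    """Sorted list of widget options the user would see and be able to use."""
    return sorted(o for o in config
                  if option_allowed(o, user_roles, config, full_roles))


def audit_overexposure(config=WIDGET_CONFIG,
                       sensitive=("automationsection", "usemarketplace")):
    """Defender-side check: sensitive options that are enabled for all roles.

    Run this after editing the widget so that automation and marketplace
    actions are not accidentally opened to every analyst.
    """
    return [o for o in sensitive
            if o in config and config[o][0] and ALL_ROLES in config[o][1]]


if __name__ == "__main__":
    for roles in (["analyst"], ["viewer"], ["admin"], ["soc-owner"]):
        print(roles, "->", visible_options(roles))
    print("over-exposed:", audit_overexposure())
```

A user with only the constructed `viewer` role sees just the summary and plan sections; an `analyst` additionally gets the plan actions; `admin` and the full-permission role see everything. Disabling an option hides it for every role, which is the same symptom as the "Generate Plan button missing" troubleshooting case above.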
## Your first signal investigation

### Step 1: Open Signal Triage and select a signal

- Navigate to Application Records → Signal Triage.
- Review the signal list to find a signal to investigate.
- Click on a signal record to open it.

Tip: start with a signal that has status New or In Progress (avoid Processing for your first run; see below), has observables (IPs, domains, hashes, URLs), and has completed threat intelligence enrichment (check Threat Intelligence Status).

About Processing: new signals start in Processing until threat intel enrichment and signal evaluation (correlation, KB linking, Hero AI analysis) complete. Only then does the status move to New, Closed, or Escalated. If you open a signal in Processing, wait for it to leave Processing before generating a plan or expecting an AI verdict.

What to look for:

- Signal Tracking ID (for example, SIG 1234) for reference.
- Signal Source to understand where the alert originated.
- First Created timestamp to see how long the signal has been open.

### Step 2: Review key fields on the signal

Start by understanding the signal's basic information and current state. On the signal record, review these fields:

- Current Owner: is the signal assigned? If not, you may want to claim it.
- Organization: which organization does this signal belong to?
- Signal Type: Alert, Phishing, or Triage.
- Signal Source: where did this alert come from? (SIEM, EDR, email, etc.)
- Intelligence Verdict: what does threat intelligence say? (Malicious, Suspicious, Benign, Unknown)
- Status: current workflow state (Processing, New, In Progress, Resolved, etc.). Processing means enrichment and signal evaluation are still running; the signal will move to New, Closed, or Escalated when done.
- Priority: business priority (Low, Medium, High, Critical).
- Severity: technical severity (Informational, Low, Medium, High, Critical).
- Classification: analyst classification (True Positive, False Positive, Unknown).
- Manual Verdict: has an analyst set a verdict? (Malicious, Suspicious, Benign, Unknown)

Actions to take:

- If the signal is unclaimed and you're investigating it, click Claim in the Controls area.
- Update Status to In Progress if you're actively working on it.
- Review Priority and Severity to ensure they're set appropriately.

### Step 3: Check evidence and context

Before generating a plan, review the evidence and context available on the signal record. In the UI these are in the same section (not in separately labeled "panels").

Knowledge Base Articles

- Purpose: shows linked KB articles that provide investigation guidance.
- What to look for: articles that match this signal type or observable patterns.
- Action: if relevant KB articles are linked, review them for standard procedures.
- Tip: KB articles provide baseline context that helps the AI generate better plans.

Threat Intelligence

- Purpose: shows enrichment results for observables (IPs, domains, hashes, URLs).
- What to look for: Threat Intelligence Verdict (overall verdict from TI providers); Observables (list of extracted observables and their verdicts); Enrichment Status (are enrichments complete or still pending?).
- Action: if enrichments are pending, wait for them to complete before generating a plan; review observable verdicts to understand threat context; click on an observable to view detailed TI information.

Correlation

- Purpose: shows related signals and cases.
- What to look for: similar signals that may have already been investigated; related cases that might contain relevant context; correlation status (Pending, Processing, Complete).
- Action: review similar signals to see how they were handled; check whether a case already exists for related activity; use correlation to avoid duplicate work.

Rules

- Purpose: shows routing rules that matched this signal.
- What to look for: which rules triggered and what playbooks ran.
- Action: understand what automated processing has already occurred.

### Step 4: Generate an investigation plan

Once you've reviewed the evidence, generate an AI-powered investigation plan.

1. Scroll to the AI Alert Analysis panel on the signal record.
2. Pre-plan view: if no plan exists yet, you'll see the AI verdict summary (if available), a confidence meter, MITRE ATT&CK context, a guidance message, and the Generate Plan button.
3. Click Generate Plan.
4. Wait for Hero AI to analyze the signal and generate investigation steps.
5. The plan will appear organized into phases: Preparation, Analysis, and Determination.

What happens during plan generation:

- Hero AI analyzes the signal data, observables, threat intelligence, and knowledge base articles.
- It generates investigation steps based on the signal context.
- Steps are mapped to available tools and integrations.
- Steps that require missing integrations will show an Install option.

If plan generation fails:

- Check that Hero AI is enabled (see Troubleshooting).
- Verify that observables exist on the signal.
- Ensure threat intelligence enrichment has completed.
- Check the browser console for errors.

### Step 5: Review and execute plan steps

The investigation plan is organized into phases. Work through them systematically.

Preparation phase

- Purpose: validate observables and confirm alert context.
- Typical steps: enrich observables with multiple TI providers, get endpoint details.
- Action: review each step before running; click Review to see what the step will do; click Run for individual steps or Run All Steps for the entire phase; wait for steps to complete and review results.

Analysis phase

- Purpose: verify scope, impact, and lateral movement.
- Typical steps: search SIEM/EDR for related activity, check for similar infections, get user details.
- Action: execute steps to gather evidence; review results in the step timeline (data from all executed steps, in any phase, is saved to the record and written to the timeline); add notes if you modify or skip steps; document findings in investigation comments in the linked case (comments and evidence are added to the case record, not the signal record).

Determination phase

- Purpose: finalize the verdict.
- Typical step: Generate Verdict using AI SOC Signal Hero AI Analysis.
- Action: run the verdict generation step; review the AI verdict, confidence, and reasoning; set a manual verdict if you disagree with the AI verdict; add investigation comments explaining your decision in the linked case (not on the signal record).

Tips for executing steps:

- Steps that show Install need integrations to be installed first.
- Use Mark as Done if you've completed a step manually outside the system.
- Use Delete Step to remove steps that aren't relevant.
- Use Add Additional Step to include custom investigation steps.

### Step 6: Generate remediation plan (if malicious)

If the verdict is Malicious or Suspicious, you can generate a remediation plan.

1. In the AI Alert Analysis panel, find the Remediation Plan section.
2. Click Generate Remediation Plan when it is enabled (see the note below).
3. Review the AI-generated remediation steps.
4. Execute remediation steps as appropriate.
5. Document any remediation actions taken in the linked case.

Note: the Generate Remediation Plan button is disabled only when (1) the investigation plan section does not exist, (2) a plan is currently being generated, or (3) a remediation plan has already been generated. In all other scenarios the button is enabled; you decide whether to generate a plan.

### Step 7: Document and resolve

After completing the investigation, document your findings and resolve the signal. Comments and evidence cannot be added to the signal record; add them in the linked case for this signal.

Document findings (in the linked case):

- Open the case linked to this signal and add investigation comments explaining what you found, why you reached your verdict, any actions taken, and recommendations for follow-up.
- Update the investigation summary with key findings in the case.
- Attach any relevant evidence files in the case if needed.

Set the verdict (on the signal):

- On the signal record, set Manual Verdict: Malicious (confirmed threat requiring response), Suspicious (needs further investigation), Benign (false positive, no threat), or Unknown (insufficient data to determine).
- Set Classification (True Positive, False Positive, Unknown).

Update status:

- Set Status to Resolved when the investigation is complete.
- If the signal requires sustained investigation, escalate to a case instead.

### Step 8: Create automation (optional)

If this signal pattern will repeat, create automation to handle similar signals in the future.

Create a triage rule

In the AI Alert Analysis panel, go to the Automation section and click Create a Triage Rule.

What gets created:

- A record is created in the Signal Routing Rules application (for example, Rule 29).
- A link to the new rule record is shown; click it to open the record.
- You can also open, edit, and enable the rule from Application Records → Signal Routing Rules or from the Routing Rule Management dashboard.

What you configure on the record:

- Rule Name (pre-populated from the signal name; edit as needed), Rule Application (for example, Signal Triage), Description (optional), and Enabled (off by default; turn it on when ready).
- In the If section, define conditions (for example, signal name contains "x", severity, source, observables) using the condition builder (and/group for multiple criteria).
- In Associated Playbook, select a playbook that uses the emit trigger and has only one flow; that playbook runs when the rule matches.
- The new rule is assigned the next available rule order automatically.
- Save the record, then enable the rule when ready.

What it does:

- When enabled, the rule evaluates incoming signals. When a signal meets all of the rule's conditions, the associated playbook runs.
- To test without waiting for new signals, use Run This Rule Against Pending Signals from the rule record's Support tab.
- To reorder, enable, or edit rules later, use the Routing Rule Management dashboard (see AI SOC Applications).

Create a playbook

1. In the Automation section, click Create a Playbook. The playbook opens in a new window (not a slider).
2. The playbook builder opens with suggested components from your plan.
3. Review and customize the playbook, then save.
4. After you save, the associated routing rule is updated with this playbook. Links to the rule record and the playbook are shown so you can click to open either one.
5. Enable the rule to run it on future signals. To test immediately, use Run This Rule Against Pending Signals from the routing rule's Support tab.

Note: playbook creation requires browser pop-ups to be enabled for your Swimlane domain. If components are missing, check pop-up blocker settings or see Troubleshooting.

### Step 9: Escalate to case (if needed)

If the signal requires sustained investigation or response, escalate it to a case.

1. In the Controls panel, click Escalate to Case.
2. A case will be created and linked to the signal.
3. Navigate to Case Management to continue the investigation.
4. Add case details, comments, and evidence.
5. Track the case through resolution.

When to escalate:

- confirmed malicious activity requiring response;
- multi-signal incidents requiring coordination;
- complex investigations needing extended time;
- incidents affecting critical assets or users.
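The following Python model is an added illustration of the triage-rule behaviour described in Step 8: an If section built from conditions combined with and/group, an associated playbook that runs only when every condition matches, rule order, the Enabled flag (off by default), the "Run this rule against pending signals" test, and the constraint that an associated playbook uses the emit trigger and has exactly one flow. It is not Swimlane's rule engine or its record format; the field names, operator names, rule/playbook names and the pending signals are constructed for the example.

```python
"""Hypothetical model of Signal Routing Rule evaluation as the Getting Started
guide describes it. Added illustration only, not Swimlane's engine or data
format; every name and sample value below is constructed."""

# Constructed pending signals (a minimal subset of the Step 2 fields).
PENDING_SIGNALS = [
    {"id": "SIG 1001", "name": "Phishing email reported by user", "severity": "High",
     "source": "email", "observables": ["hxxp://example.test/login"]},
    {"id": "SIG 1002", "name": "EDR: suspicious powershell", "severity": "Critical",
     "source": "edr", "observables": ["constructed-hash-placeholder"]},
    {"id": "SIG 1003", "name": "Phishing simulation", "severity": "Low",
     "source": "email", "observables": []},
]

# Condition operators the toy builder supports (assumed names).
OPERATORS = {
    "contains":  lambda actual, expected: expected.lower() in str(actual).lower(),
    "equals":    lambda actual, expected: actual == expected,
    "not_empty": lambda actual, _expected: bool(actual),
}


def condition_matches(cond, signal):
    """Leaf condition: {"field": ..., "op": ..., "value": ...}."""
    return OPERATORS[cond["op"]](signal.get(cond["field"]), cond.get("value"))


def node_matches(node, signal):
    """A node is a leaf condition or a group {"all": [...]} / {"any": [...]}.

    The guide's If section is an AND group ("all") at the top level; "any"
    is included here to show how a nested group generalizes the builder.
    """
    if "all" in node:
        return all(node_matches(n, signal) for n in node["all"])
    if "any" in node:
        return any(node_matches(n, signal) for n in node["any"])
    return condition_matches(node, signal)


def playbook_is_selectable(playbook):
    """Associated Playbook constraint from the guide: emit trigger, one flow."""
    return playbook.get("trigger") == "emit" and len(playbook.get("flows", [])) == 1


def run_rule_against_pending(rule, signals=PENDING_SIGNALS):
    """Model of 'Run this rule against pending signals': ids of signals whose
    fields satisfy every condition. A disabled rule matches nothing, which is
    why a freshly created rule (Enabled off by default) does not fire."""
    if not rule.get("enabled"):
        return []
    return [s["id"] for s in signals if node_matches(rule["conditions"], s)]


def route(signals, rules):
    """Evaluate enabled rules in rule order; return {signal id: [playbooks]}."""
    ordered = sorted((r for r in rules if r.get("enabled")), key=lambda r: r["order"])
    return {s["id"]: [r["playbook"] for r in ordered if node_matches(r["conditions"], s)]
            for s in signals}


# Constructed rules mirroring what Step 8 configures on the rule record.
RULES = [
    {"name": "Phishing with URL", "order": 1, "enabled": True,
     "conditions": {"all": [
         {"field": "name", "op": "contains", "value": "phishing"},
         {"field": "source", "op": "equals", "value": "email"},
         {"field": "observables", "op": "not_empty"},
     ]},
     "playbook": "phishing-triage"},
    {"name": "High or critical EDR", "order": 2, "enabled": True,
     "conditions": {"all": [
         {"field": "source", "op": "equals", "value": "edr"},
         {"any": [{"field": "severity", "op": "equals", "value": "High"},
                  {"field": "severity", "op": "equals", "value": "Critical"}]},
     ]},
     "playbook": "edr-containment-prep"},
    {"name": "Draft rule (off by default)", "order": 3, "enabled": False,
     "conditions": {"all": [{"field": "severity", "op": "equals", "value": "Low"}]},
     "playbook": "should-not-run"},
]

if __name__ == "__main__":
    for rule in RULES:
        print(rule["name"], "->", run_rule_against_pending(rule))
    print(route(PENDING_SIGNALS, RULES))
```

Running the draft rule against pending signals returns nothing until it is enabled, and the phishing rule skips SIG 1003 because its observables list is empty even though the name matches; both are the kinds of result the Support tab test is meant to surface before a rule goes live.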
## Common first-time mistakes to avoid

Mistake 1: generating a plan before enrichment completes

- Problem: the plan may be incomplete without TI context.
- Solution: wait for Threat Intelligence Status to show Complete before generating a plan.

Mistake 1a: expecting a plan or verdict while status is Processing

- Problem: signals in Processing have not yet completed evaluation; Generate Plan and the AI verdict are not ready.
- Solution: wait until the status changes to New, Closed, or Escalated before generating a plan or judging readiness.

Mistake 2: not claiming signals

- Problem: multiple analysts may work on the same signal.
- Solution: always claim signals you're investigating.

Mistake 3: skipping evidence and context

- Problem: missing important context from KB articles, threat intelligence, or correlation.
- Solution: review all evidence areas (Knowledge Base, Threat Intelligence, Correlation, Rules) before generating a plan.

Mistake 4: not documenting deviations

- Problem: future investigations may repeat unnecessary steps.
- Solution: add notes when you skip or modify AI-suggested steps.

Mistake 5: forgetting to set a manual verdict

- Problem: signals resolved without verdicts do not improve AI learning.
- Solution: always set a manual verdict when resolving signals.

## Next steps

After completing your first investigation:

- Review the workflow: understand how signals flow through your SOC.
- Explore dashboards: check the Signal Triage dashboard to see your signal in context.
- Read best practices: review docid\ ww gfwujljt7opjduu8vg for optimization tips.
- Learn about applications: see docid\ uosuzrpsl6hfe9d6br5az for detailed application walkthroughs.
- Understand troubleshooting: bookmark docid\ cknuxqv85k9lu0ocqv218 for common issues.