# Installing and Configuring AI SOC Solution

This guide covers installing and configuring the AI SOC Solution. The AI SOC Solution is a complete bundle that includes all necessary components for AI-powered security operations.

## Install from the Content Library

1. Navigate to **Library → Swimlane Content**.
2. Select **AI SOC Solution** and click **Install**.
3. Keep all required content selected to avoid incomplete installs.
4. If you are prompted to overwrite content, deselect only the items you do not want to replace. Removing required items can lead to missing functionality.

## Verify Installation

After installation, verify that all components are present.

### Applications

Confirm the following applications exist:

- Case Management (primary triage; package acronym CASE)
- Threat Intelligence (may appear as Threat Intelligence Artifact in the UI)
- Signal Routing Rules (may appear as Routing Rule in the UI)
- Knowledge Base Articles (may appear as KB Article in the UI)
- AI Ingestion (separate AI Ingestion workspace; acronym AI)
- SOC Reporting (SOC Reporting workspace)
- ROI Calculator (ROI Calculator workspace)

### AI Features

Open Case Management and verify that:

- the AI Alert Analysis panel is present;
- the Generate Plan button is visible;
- Hero AI components are available.

### Workspaces

Verify that the AI SOC workspace exists (it may be labeled AI SOC or AI SOC Workspace in your environment) and that the AI Ingestion workspace exists for ingestion tooling.

### Playbooks

Check **Orchestration → Playbooks** to ensure the ingestion and enrichment playbooks are installed.

### Assets

Check **Orchestration → Assets** and confirm the tenant connectivity assets are present:

- AI SOC Tenant Configuration (cookie-based Swimlane API access)
- Turbine Tenant Credentials (personal access token-based API access)

### Custom Configuration Assets

Confirm that AI SOC General Configuration, AI SOC Threat Intelligence Configuration, and AI SOC Correlation Configuration are present. See Configure Custom Assets.

## Choose Your Ingestion Path

Use this table to pick the right guide when you connect alert or email sources.
Both paths produce Turbine schema objects that downstream AI SOC playbooks consume.

| Your situation | Use this path | Guide |
|---|---|---|
| Packaged SIEM or XDR with an existing AI SOC template (webhook or cron) | Duplicate and configure an ingestion template playbook | Configure Ingestion Playbooks |
| Reported phishing email from a mailbox (Graph, IMAP, and similar) | Configure the phishing cron template and email emit flow | Configure Ingestion Playbooks |
| Net-new vendor API with an OpenAPI spec; you need connector components and Turbine schema mapping | Use the AI Ingestion widget to generate components and ingestion pipelines | AI SOC Ingestion |
| Lab or proof of concept before production routing | Test webhook or test case generator playbooks | Configure Ingestion Playbooks and Integration Examples |

AI Ingestion supports alert ingestion only (not email ingestion). For phishing email, use the ingestion template playbooks on the Ingest Email channel. See Architecture and Data Flow.

After ingestion is configured, alerts and emails flow through Ingest Alert or Ingest Email to Case Management records. For flow-level detail, see Playbook Flow Reference.

## Configure Hero AI

AI SOC requires Hero AI to be enabled for plan generation and verdict analysis.

### Verify Hero AI Status

1. Confirm Hero AI is enabled for your tenant.
2. Verify Hero AI services are running and accessible.
3. Test Hero AI connectivity if needed.

If Hero AI is disabled or unavailable, the AI Alert Analysis panel in Case Management will not generate plans or show AI output. Contact your administrator to enable Hero AI if AI features are missing.

## Configure Assets

Configure assets for the security tools and threat intelligence providers you will use.

### Threat Intelligence Providers

Configure assets for threat intelligence providers such as:

- VirusTotal
- Recorded Future
- abuse.ch URLhaus
- IPQualityScore
- Other TI providers you use

Steps:

1. Navigate to **Orchestration → Assets**.
2. Create or configure an asset for each TI provider.
3. Enter API keys, tokens, or credentials as required.
4. Save each asset; you can confirm it works when enrichment runs (for example, on a signal with observables).

### Security Tools

Configure assets for the security tools you will integrate:

- SIEM platforms (for alert ingestion)
- EDR/XDR platforms (for endpoint data)
- Email security gateways (for phishing ingestion)
- Identity providers (for user data)

Steps:

1. Navigate to **Orchestration → Assets**.
2. Create an asset for each tool.
3. Configure authentication (API keys, OAuth, and similar).
4. Verify the asset is saved; you can confirm it works when you use it in an ingestion playbook or other component.

## RBAC and Platform Permissions

Analysts need appropriate role-based access control (RBAC) for Case Management widget options and for Turbine components (or Orchestrator access in legacy RBAC). Misaligned permissions can cause missing tools after Generate Plan (for example, automation actions that do not list AI SOC Case Hero AI Analysis). See RBAC Considerations for AI SOC.

## Configuration Topics

Complete these guides after install and asset setup.

| Topic | Guide |
|---|---|
| Tenant connectivity and correlation assets | Configure Custom Assets |
| Case Management and TI field mappings | Configure Custom Field Mappings |
| Ingestion template playbooks (webhook, cron, phishing) | Configure Ingestion Playbooks |
| Threat intelligence providers and enrichment | Configure Threat Intelligence Enrichment |
| Swimlane content, user content, and marketplace | Swimlane Content, User Content, and Integrated Marketplace |

## Next Steps

| If you want to | Go to |
|---|---|
| Run your first investigation | Getting Started |
| Understand data flow and diagrams | Architecture and Data Flow |
| Build connectors with the AI Ingestion widget | AI SOC Ingestion |
| Map playbook flows after import | Playbook Flow Reference |
| Set roles and permissions | RBAC Considerations for AI SOC |
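The verification steps above are a manual checklist, and the guide warns that a deselected required item or a mislabeled component shows up later as missing functionality. The script below is an added example, not Swimlane's own tooling or API: it encodes the required applications, workspaces, assets and AI features from the Verify Installation section, accepts the alternate UI labels the guide mentions (Threat Intelligence Artifact, Routing Rule, KB Article, AI SOC Workspace), and reports which items are absent from an inventory you supply. The inventory format (a dict of component kind to a list of names as shown in the UI) is an assumption for this example, and the sample inventory is constructed; how you collect the real list from your tenant is outside its scope.

```python
"""Post-install component check for the AI SOC Solution (added example).

Assumption: the caller supplies an inventory dict keyed by component kind
(applications, workspaces, assets, ai_features) whose values are the names
shown in the UI. This is not Swimlane's export or API format.
"""

# Required components from the guide. Each entry is (canonical name, accepted
# aliases); aliases are the alternate UI labels the guide says may appear.
REQUIRED = {
    "applications": [
        ("Case Management", ()),
        ("Threat Intelligence", ("Threat Intelligence Artifact",)),
        ("Signal Routing Rules", ("Routing Rule",)),
        ("Knowledge Base Articles", ("KB Article",)),
        ("AI Ingestion", ()),
        ("SOC Reporting", ()),
        ("ROI Calculator", ()),
    ],
    "workspaces": [
        ("AI SOC", ("AI SOC Workspace",)),
        ("AI Ingestion", ("AI Ingestion Workspace",)),
    ],
    "assets": [
        ("AI SOC Tenant Configuration", ()),
        ("Turbine Tenant Credentials", ()),
        ("AI SOC General Configuration", ()),
        ("AI SOC Threat Intelligence Configuration", ()),
        ("AI SOC Correlation Configuration", ()),
    ],
    "ai_features": [
        ("AI Alert Analysis", ()),
        ("Generate Plan", ()),
    ],
}

# Where to look in the product when an item of each kind is missing.
WHERE_TO_CHECK = {
    "applications": "Library → Swimlane Content (reinstall with all required content selected)",
    "workspaces": "Library → Swimlane Content",
    "assets": "Orchestration → Assets",
    "ai_features": "Case Management; confirm Hero AI is enabled for the tenant",
}


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive key so label variants compare equal."""
    return " ".join(name.lower().split())


def find_missing(inventory: dict) -> dict:
    """Return {kind: [canonical names]} for required items absent from inventory.

    An item counts as present when its canonical name or any accepted alias
    appears under the matching kind. An empty dict means nothing is missing.
    """
    missing = {}
    for kind, entries in REQUIRED.items():
        present = {_norm(n) for n in inventory.get(kind, [])}
        gone = [
            canon for canon, aliases in entries
            if not ({_norm(canon)} | {_norm(a) for a in aliases}) & present
        ]
        if gone:
            missing[kind] = gone
    return missing


def report(inventory: dict) -> str:
    """One line per missing item, pointing at the section of the product to check."""
    missing = find_missing(inventory)
    if not missing:
        return "All required AI SOC components are present."
    return "\n".join(
        f"MISSING {kind}: {name} -> check {WHERE_TO_CHECK[kind]}"
        for kind, names in missing.items()
        for name in names
    )


# Constructed sample inventory (not exported from a real tenant). It uses the
# alternate UI labels and deliberately omits two required items.
SAMPLE_INVENTORY = {
    "applications": ["Case Management", "Threat Intelligence Artifact", "Routing Rule",
                     "KB Article", "AI Ingestion", "SOC Reporting"],
    "workspaces": ["AI SOC Workspace", "AI Ingestion Workspace"],
    "assets": ["AI SOC Tenant Configuration", "AI SOC General Configuration",
               "AI SOC Threat Intelligence Configuration",
               "AI SOC Correlation Configuration"],
    "ai_features": ["AI Alert Analysis", "Generate Plan"],
}

if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
```

Run against the sample inventory, the report flags the ROI Calculator application and the Turbine Tenant Credentials asset; the alias handling means a tenant that shows Routing Rule instead of Signal Routing Rules is not reported as broken. Matching is by name only, so a present asset with empty or wrong credentials still passes this check and is only confirmed, as the guide says, when enrichment or ingestion actually runs.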