Investigation Plan Workflow
The Generate Plan action creates an AI-powered investigation plan organized into phases. Understanding how to use each phase effectively improves investigation efficiency.

## Understanding plan phases

### Preparation phase

- **Purpose:** Validate observables and confirm the alert context.
- **When to use:** The first phase after generating a plan.
- **Typical steps:**
  - Enrich observables with multiple threat intelligence (TI) providers (AbuseIPDB, Recorded Future, VirusTotal).
  - Get endpoint details from EDR/XDR platforms.
  - Validate observable types and values.
- **Best practice:** Complete preparation before moving to analysis so that you have accurate context.

### Analysis phase

- **Purpose:** Verify scope, impact, and lateral movement.
- **When to use:** After preparation is complete.
- **Typical steps:**
  - Search SIEM/EDR for related activity.
  - Check for similar infections across endpoints.
  - Get user and asset details.
  - Search for network connections and data transfers.
  - Review web activity logs.
- **Best practice:** Execute analysis steps systematically to build a complete picture.

### Determination phase

- **Purpose:** Finalize the verdict based on the collected evidence.
- **When to use:** After analysis is complete.
- **Typical step:** Generate the verdict using AI SOC signal Hero AI analysis.
- **Best practice:** Review all evidence before generating the final verdict.

### Automation phase

- **Purpose:** Create automation for repeatable signal patterns.
- **When to use:** After resolving signals that are likely to recur.
- **Options:**
  - Create a triage rule to route similar signals automatically.
  - Create a playbook to automate investigation steps.
- **Best practice:** Create automation for patterns you see frequently.

### Remediation plan

- **Purpose:** Generate post-investigation remediation guidance.
- **When to use:** After confirming a malicious verdict.
- **How to use:** Click **Generate Remediation Plan** in the AI Alert Analysis panel.
- **Best practice:** Review remediation steps before executing them, especially those that modify systems.

## Working with plan steps

### Before running steps

- Review each step to understand what it will do.
- Check that the required integrations are installed.
- Verify that you have the appropriate permissions.
- Consider the impact of steps that modify systems.

### While running steps

- Monitor step execution in the timeline.
- Review results as they complete.
- Add notes if steps produce unexpected results.
- Document any manual actions taken outside the system.

### After running steps

- Review all step results before making decisions.
- Update the investigation comments with your findings.
- Re-run analysis if new evidence changes the context.
- Mark steps as done if you completed them manually.

### Managing steps

- **Add additional step:** Insert custom steps specific to your organization.
- **Delete step:** Remove steps that aren't relevant to this investigation.
- **Mark as done:** Record steps completed outside the system.
- **Mark as open:** Reopen completed steps to run them again.

## Plan generation best practices

### Before generating

- Ensure threat intelligence enrichment has completed.
- Review the evidence panels (Knowledge Base, Threat Intelligence, Correlation).
- Verify that observables are present on the signal.
- Check that Hero AI is enabled and available.

### During generation

- Wait for plan generation to complete (this may take 30-60 seconds).
- Don't navigate away from the page during generation.
- Check the browser console if generation fails.

### After generation

- Review the plan before executing steps.
- Understand what each step will do.
- Identify any missing integrations.
- Consider adding custom steps if needed.