Knowledge Base Articles (KB)
Knowledge Base Articles (application: KB Article) store institutional investigation guidance. Hero AI uses linked articles for Generate Plan, investigation steps, and verdict context. Create articles with the right scope so each record applies only where it should.

## Choose your path

| If you want to | Go to |
|---|---|
| Create a new KB article (UI steps) | [How to create KB articles](#how-to-create-kb-articles) |
| Decide Global versus source versus alert content | [Types of KB articles](#types-of-kb-articles) |
| Understand Scope and Matching Value | [Scope: how articles match cases](#scope-how-articles-match-cases) |
| Format guidance for plan generation | KB article best practices for plan generation (docid 7zdgwrtvm6yi0lunjl4jp) |
| Field reference | [Record fields](#record-fields) |
| Copy/paste examples | [Examples by scope](#examples-by-scope) |

## How to create KB articles

Use this workflow whenever you add or update a KB Article record in the tenant.

1. Open the KB application: navigate to Application Records → Knowledge Base Articles.
2. Click Add to open a new record on the Article tab.
3. Choose the scope before you write. Pick the narrowest scope that fits your content: do not put a single-alert runbook in Global, and do not put organization-wide tool lists in Signal Name.

| If your content is | Set Scope to | Matching Value |
|---|---|---|
| Organization tools, policies, whitelists, classification rules for all alerts | Global | Leave empty (not required for Global KB articles) |
| Default triage for one vendor or platform (all alerts from that source) | Signal Source | Exact Signal Source on the case (case sensitive) |
| Steps for one detection rule that covers several alert titles | Signal Rule | Exact rule name or ID on the case |
| Full procedure for one alert title only | Signal Name | Exact Signal Name / Alert Name on the case |

See [Types of KB articles](#types-of-kb-articles) for what to write in Guidance for each type.

4. Complete the required fields:
   - Turn Enabled on when the article should be active.
   - Enter Title (required). Use a name that reflects the scope (for example "Organization environment and tooling" or "JumpCloud login failure detected").
   - Set Record Type to Case Management for AI SOC triage and Generate Plan.
   - Select Category (required): Industry Frameworks, Best Practices, or Memos.
   - Select Scope and Matching Value per the table above.
   - Enter Context Summary (recommended): one or two sentences on when this article applies.
   - Enter Guidance in the rich text editor: scope-appropriate content and investigation steps (see KB article best practices for plan generation, docid 7zdgwrtvm6yi0lunjl4jp).
   - Set Read Only only if the record must not be edited.
5. Click Save.

For non-Global articles, Matching Value must match the case field exactly. If Scope is Signal Source but the value does not match the case's Signal Source, the article does not auto-link and Hero AI may not use it for that alert.

6. Verify the article works. This verification applies to new case records (for example a newly ingested test alert); auto-linking and Generate Plan behavior may not reflect KB changes on cases that were created before the article was saved or updated.
   - Ingest a test alert or open a new Case Management case that should match the article.
   - Confirm the article appears under Knowledge Base on the case when scope and matching are correct.
   - Run Generate Plan and confirm the steps reflect your guidance and installed connectors.

## Types of KB articles

Good KB articles are scoped, operational, and non-duplicative: organization facts stay Global, vendor behavior stays at Signal Source, and single-alert triage stays at Signal Name or Signal Rule.

| Type (authoring model) | Scope in the UI | What to include in Guidance | Do not include |
|---|---|---|---|
| Global | Global | Customer or tenant environment and tools: IdP, EDR, SIEM, ticketing; Swimlane connectors you use; default lookback (for example 24 hours, extended to seven days when findings are suspicious); approved domains, scanners, and break-glass notes; organization-wide classification principles (for example, do not mark malicious from threat intelligence alone without corroborating case evidence) | Steps for one alert title; full vendor-only runbooks (use Signal Source) |
| Source-specific | Signal Source | What the product is; reliable and noisy fields; where to investigate in the console or SIEM; entity mapping (user, host, IP, process, hash); recommended enrichment order and Turbine components; common false positives for that source | Entire org tool list (use Global); login-failure-only logic for one title (use Signal Name) |
| Rule-specific | Signal Rule | Procedures shared by alerts from the same detection rule (several alert names under one rule) | Org-wide policies (use Global); one-off alert title detail (use Signal Name) |
| Alert-specific | Signal Name | What this alert usually means in your environment; numbered investigation steps; evidence to collect; "if [condition], then classify as [verdict]" rules (benign, suspicious, malicious, unknown); remediation when required | CrowdStrike-wide or Okta-wide steps (use Signal Source); org facts (use Global) |

Do not bloat Global. If your organization has hundreds of alert types, a single Global article cannot list login-failure logic, EDR process chains, and cloud exfiltration steps for each of them. Split the content by Signal Source, Signal Rule, or Signal Name.

## Scope: how articles match cases

On the KB record, Scope defines which case field is compared to Matching Value.

| Scope (UI) | Applies when | Matching Value |
|---|---|---|
| Global | Organization-wide context for all cases | Leave empty |
| Signal Source | Any alert from one platform or integration | Exact Signal Source string (for example `crowdstrike`) |
| Signal Rule | Alerts from one detection rule | Exact rule identifier or name on the case |
| Signal Name | One specific alert title only | Exact Signal Name / Alert Name |

## Record fields

| Field | Required | Purpose |
|---|---|---|
| Title | Yes | Human-friendly name |
| Record Type | Yes | Use Case Management for AI SOC and Generate Plan |
| Category | Yes | Industry Frameworks, Best Practices, or Memos |
| Scope | Yes | Global, Signal Source, Signal Rule, or Signal Name |
| Matching Value | Depends on scope | Matched value on the case; empty for Global |
| Context Summary | Recommended | When the article applies |
| Guidance | Recommended | Procedures and classification rules (Article tab) |
| Enabled | No | Article is active when on |
| Read Only | No | Optional lock against edits |

The Article tab shows audit fields after save. The History and Support tabs are available on saved records.

## What to include in Guidance

| Topic | Why it matters |
|---|---|
| Security control or platform role | Helps Hero AI interpret alert context |
| Use within Swimlane | Connectors, components, and playbooks installed in your tenant |
| Investigation steps | Phase-based, one action per line, explicit product names |
| Key data points | Case or alert fields used for lookups |
| Whitelists and blocklists | Approved assets, domains, scanners, or patterns to treat as benign |
| Classification principles | Clear "if [condition], then classify as [verdict]" statements |

Reference only integrations installed in your tenant so plan generation does not suggest unavailable components.

## Examples by scope

### Global: organization environment

| Field | Example value |
|---|---|
| Title | Organization standards and tooling |
| Category | Best Practices |
| Scope | Global |
| Matching Value | (empty) |
| Guidance | JumpCloud for identity, CrowdStrike for endpoint, Elastic for SIEM, Jira for ticketing; use CrowdStrike components for hosts and JumpCloud for users; 24-hour lookback, seven days when suspicious; approved domains and internal scanners; do not classify malicious from VirusTotal alone |

### Signal Source: CrowdStrike endpoint security

| Field | Example value |
|---|---|
| Title | CrowdStrike endpoint security triage |
| Category | Best Practices |
| Scope | Signal Source |
| Matching Value | crowdstrike |
| Context Summary | CrowdStrike is our endpoint platform; default steps for all CrowdStrike-sourced cases |
| Guidance | Enrichment order, Falcon queries, entity mapping, common false positives, containment components |

### Signal Name: login failure

| Field | Example value |
|---|---|
| Title | JumpCloud login failure detected |
| Category | Best Practices |
| Scope | Signal Name |
| Matching Value | JumpCloud login failure detected |
| Guidance | Compare the login IP to the usual ISP and working hours; if there are four or more consecutive failures or the region differs from usual, favor malicious; otherwise consider a typo or benign |

## Linking and plan generation

- Auto-link: when Scope and Matching Value match the case fields, the article can link automatically.
- Manual link: attach articles on the Case Management record during triage.
- Generate Plan: Hero AI uses the linked and matched Context Summary and Guidance when building investigation steps.

## Next steps

| Topic | Guide |
|---|---|
| Guidance format and phases | KB article best practices for plan generation (docid 7zdgwrtvm6yi0lunjl4jp) |
| Add articles in daily workflows | Operations and guidance (docid dsdgtaqeg95dseaf2iat) |
| Investigation plan phases | Investigation plan workflow |
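The auto-link rule from the Scope table, modelled as an added illustration that is not Swimlane's own code: Scope selects which case field is compared with Matching Value, the comparison is exact and case sensitive, and Global articles apply to every case. Article titles, case field names (`signal_source`, `signal_rule`, `signal_name`) and the sample case are constructed; `near_misses` is an assumed helper that flags the authoring mistake the verification step above is meant to catch.

```python
from dataclasses import dataclass

# Scope -> case field that Matching Value is compared against (Global: none)
SCOPE_TO_CASE_FIELD = {"Signal Source": "signal_source",
                       "Signal Rule": "signal_rule",
                       "Signal Name": "signal_name"}

@dataclass(frozen=True)
class KbArticle:
    title: str
    scope: str           # "Global", "Signal Source", "Signal Rule" or "Signal Name"
    matching_value: str  # empty for Global
    enabled: bool = True

def auto_linked(articles, case):
    """Titles of enabled articles that auto-link to `case` (a dict holding the
    case fields signal_source / signal_rule / signal_name)."""
    linked = []
    for a in articles:
        if not a.enabled:
            continue
        if a.scope == "Global":        # Global applies to every case
            linked.append(a.title)
        elif case.get(SCOPE_TO_CASE_FIELD[a.scope]) == a.matching_value:
            linked.append(a.title)     # exact, case-sensitive match only
    return linked

def near_misses(articles, case):
    """Enabled non-Global articles whose Matching Value differs from the case
    field only by letter case or whitespace (the usual mistake): they do NOT link."""
    misses = []
    for a in articles:
        if not a.enabled or a.scope == "Global":
            continue
        actual = case.get(SCOPE_TO_CASE_FIELD[a.scope]) or ""
        if (actual != a.matching_value
                and actual.strip().lower() == a.matching_value.strip().lower()):
            misses.append(a.title)
    return misses

# Constructed sample data mirroring the "Examples by scope" section
ARTICLES = [
    KbArticle("Organization standards and tooling", "Global", ""),
    KbArticle("CrowdStrike endpoint security triage", "Signal Source", "crowdstrike"),
    KbArticle("JumpCloud login failure detected", "Signal Name",
              "JumpCloud login failure detected"),
    KbArticle("Retired Okta runbook", "Signal Source", "okta", enabled=False),
]
SAMPLE_CASE = {"signal_source": "crowdstrike", "signal_rule": "",
               "signal_name": "Credential dumping detected"}
```

Running `near_misses` against a freshly ingested test case is a quick way to spot a Signal Source or Signal Name value that was typed with the wrong capitalisation.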