Operational Best Practices

follow these practices to maximize ai soc effectiveness and maintain efficient security operations case management and routing install from swimlane content per tenant when you can keeps solution and marketplace aligned components tagged consistently if you promote or import content into another tenant, the marketplace may show install even when equivalents exist; avoid blind reinstalls that can overwrite customized promoted content see swimlane content, user content, and integrated marketplace docid\ rkp6n65muhpghybplfbaf for details start simple with routing rules create basic routing rules first, then refine based on actual signal volume and patterns complex rules can be difficult to maintain and debug order routing rules strategically place high priority, specific rules before general catch all rules rules are evaluated in order, so the most important matches should come first review routing rule performance regularly use the routing rule management dashboard to monitor which rules match signals most frequently and adjust as needed test routing rules before production validate rules with sample signals to ensure they route correctly and do not create unintended matches document rule logic and purpose add clear descriptions to routing rules explaining when and why they should match signals threat intelligence and enrichment validate enrichment providers regularly check provider credentials monthly and before they expire to avoid stale verdicts and enrichment failures configure multiple ti providers for redundancy use multiple providers for the same observable types to ensure enrichment completes even if one provider fails monitor enrichment completion rates set up alerts for signals with pending enrichments that exceed expected completion times review provider specific limitations document which providers support which observable types (ips, domains, hashes, etc ) to set proper expectations check enrichment status before generating plans ensure threat intelligence enrichment has completed before generating investigation plans for more accurate ai analysis knowledge base management use ui scope correctly global (empty matching value ), signal source (vendor platform, for example crowdstrike ), signal rule (one rule, many alerts), signal name (one alert title) see knowledge base articles (kb) docid\ ntgnxpveszjgy llqojmf set category and record type use best practices or industry frameworks as appropriate; set record type to case management for ai soc plans do not overload global articles move detection specific steps to signal name or signal rule scope structure guidance for plans phase headings and one tool specific step per line see kb article best practices for plan generation docid 7zdgwrtvm6yi0lunjl4jp keep kb articles current update when tools, detections, or verdict standards change link and match deliberately manual links on cases plus auto link via matching value / signal source ; values must match case fields case sensitively document false positives in scoped articles use signal name , signal rule , or signal source scope instead of global when guidance applies to a subset of alerts ai plan generation and analysis use ai plans as a starting point, not a replacement review and validate ai generated plans before executing ai plans are suggestions based on available data document deviations from ai plans when you skip or modify ai suggested steps, add notes explaining why this helps improve future plan generation re run analysis after major evidence changes when new observables are discovered, threat intelligence enrichment completes, or you manually link threat intelligence records to a case, click reanalyze in ai alert analysis (reanalysis does not run automatically for manual ti links) review plan steps before running use the review action to inspect steps before execution, especially for steps that modify systems or take remediation actions add custom steps when needed use add additional step to include organization specific investigation steps that aren't in the ai generated plan wait for enrichment before generating plans allow threat intelligence enrichment to complete before generating plans to ensure ai has all available context normalize data for ai context store data from third party services as observables (ips, domains, hashes, urls) or structured custom fields rather than unstructured text observables are automatically extracted and enriched, making them available for ai analysis and correlation document playbook execution results when playbooks execute investigation steps, document important results in investigation comments or signal summaries so they can be referenced in subsequent ai analysis and plan generation case management and escalation escalate early for critical assets or users don't wait for complete investigation when signals impact critical systems, executive accounts, or sensitive data review correlations before starting a new case check the correlation panel to see if similar signals exist or if a case already exists for related activity attach evidence when escalating include relevant threat intelligence, observables, and investigation notes when escalating signals to cases set appropriate case priority use case priority to reflect business impact, not just technical severity close cases with clear resolution notes document the root cause, remediation steps taken, and any follow up actions required playbook development and maintenance duplicate before heavy edits for routing automation, duplicate a working ai soc routing playbook instead of editing the package original confirm rule execute , search records on tracking id , verdict with $actions , and apply rule to playbook on the routing rule—see building routing rule playbooks docid\ veifyg4oywkq3dcmmwjxi test playbooks with sample data always test new or modified playbooks with representative sample data before enabling in production add error handling to playbooks include on failure paths for external integrations that can fail (api timeouts, credential issues, etc ) keep playbook flows focused avoid mixing unrelated logic in a single flow create separate playbooks for distinct use cases document playbook triggers and dependencies clearly document what triggers each playbook and what components or assets it requires monitor playbook execution regularly review playbook execution logs to identify failures, performance issues, or unexpected behavior version control playbook changes document changes to production playbooks and test in a development environment first when possible design playbooks for ai integration when creating playbooks that will be used in ai generated plans, design them to receive signal or case tracking ids as input rather than individual properties this improves reliability and makes playbooks easier for ai to invoke correctly signal investigation workflow claim signals promptly claim signals you're investigating to prevent duplicate work and ensure clear ownership update signal status regularly keep signal status current (new → in progress → resolved) to maintain accurate dashboards and reports set manual verdicts on resolved signals always set a manual verdict when resolving signals to improve ai learning and historical analysis use investigation comments for context add investigation comments to document your reasoning, especially when verdicts differ from ai suggestions document changes and findings as notes throughout the investigation so ai can use this information when assessing signal data review similar signals check the correlation panel for similar signals that may have already been investigated to avoid duplicate work complete investigation summaries add investigation summaries to resolved signals to capture key findings and lessons learned correlate related alerts when new alerts are related to existing signals or cases, use correlation features to link them this helps ai understand relationships and context when analyzing signals and generating plans performance and monitoring monitor signal volume trends use dashboards to track signal volume, verdict distribution, and resolution times to identify capacity issues set up alerts for critical conditions configure alerts for signals with malicious verdicts, critical severity, or signals that exceed sla thresholds review oldest signals regularly use the "signals oldest" report to identify signals that may be stuck or forgotten track false positive rates monitor false positive rates by verdict type to identify areas where tuning or additional context is needed measure enrichment completion times track how long threat intelligence enrichment takes to identify slow providers or capacity issues review routing rule effectiveness regularly assess which routing rules are matching signals and adjust rules that aren't performing as expected security and compliance follow least privilege for rbac configure role based access control to grant only necessary permissions regularly audit role assignments document investigation decisions maintain clear audit trails by documenting investigation decisions, especially for compliance sensitive signals protect sensitive investigation data be mindful of sensitive information in investigation comments and ensure proper access controls regular credential rotation establish a schedule for rotating api credentials and credentials used by playbooks and integrations review and update triage rules periodically review triage rules to ensure they align with current security policies and threat landscape continuous improvement conduct regular retrospectives review investigation outcomes, false positives, and missed detections to identify improvement opportunities share learnings across the team use knowledge base articles and investigation summaries to share findings and best practices refine ai plans based on outcomes when ai plans consistently miss important steps, create kb articles or update investigation procedures to fill gaps measure and track metrics establish kpis for signal resolution time, false positive rates, and analyst efficiency to measure improvement over time stay current with threat intelligence regularly review threat intelligence feeds and update enrichment providers to ensure you're detecting current threats