Operations and Guidance
This guide covers daily operational tasks, investigation workflows, and automation in AI SOC. This page is for day-to-day analyst and operator work.

- For your first investigation, see Getting Started (docid p7qjquayekczhpxeppwcp).
- For conceptual diagrams, see Architecture and Data Flow (docid kwciabpwqozqcjd2eztic).
- For flow-level playbook lookup (triggers, handoffs, troubleshooting), see Playbook Flow Reference (docid zlfipkihfjknqgchw7sxb).

## Related Guides

| Topic | Guide |
| --- | --- |
| First signal investigation walkthrough | Getting Started (docid p7qjquayekczhpxeppwcp) |
| Playbook categories and when to use them | Playbook Types and Usage (docid np4vvqlu6pnrwzsbel eo) |
| Playbook flows, triggers, and handoffs | Playbook Flow Reference (docid zlfipkihfjknqgchw7sxb) |
| Build or attach routing rule playbooks | Building Routing Rule Playbooks (docid veifyg4oywkq3dcmmwjxi) |
| Investigation plans and plan steps | Investigation Plan Workflow (docid bde8p71mmp2lbymuzuooi) |
| How verdicts and confidence are set | Understanding Verdict Generation (docid bnyc263ysl2bmajhbaiob) |
| Automation from plans and rules | Creating Automation (docid wjpjto3fjno0jio1dyv3s) |
| End-to-end example investigation | Example Investigation Workflow (docid uy5on2guvxazzhrjc99wx) |
| KB articles for plan generation | KB Article Best Practices for Plan Generation (docid 7zdgwrtvm6yi0lunjl4jp) |

## Common Daily Tasks

These are the most frequent tasks you will perform when working with signals in AI SOC.

### Claim a Signal

**When to use:** When you are starting to investigate a signal and want to assign it to yourself.

**Steps:**

1. Open the record in Case Management.
2. In the Controls panel, click Claim.
3. Verify that Current Owner updates to your user.

**Why it matters:** Claiming signals prevents duplicate work and ensures clear ownership; other analysts can see that you are working on it.

### Change the Manual Verdict

**When to use:** After completing your investigation, set the verdict to reflect your findings.

**Steps:**

1. Open the signal record.
2. In the Triage panel, open Manual Verdict.
3. Select the appropriate verdict:
   - Malicious: confirmed threat requiring response
   - Suspicious: needs further investigation
   - Benign: false positive, no threat
   - Unknown: insufficient data to determine
4. Save the record.

**Why it matters:** Manual verdicts improve AI learning and provide historical context for similar signals.

### Run Investigation Plan Steps

**When to use:** Execute investigation steps from an AI-generated plan.

**Steps:**

1. Ensure a plan has been generated (click Generate Plan if needed).
2. Navigate to the appropriate phase (Preparation, Analysis, or Determination).
3. For a single step, click Run on the specific step.
4. For all steps in a phase, click Run All Steps.
5. Review results in the step timeline.
6. Add notes if you modify or skip steps.

**Available actions:**

| Action | Description |
| --- | --- |
| Run | Execute a single step |
| Run All Steps | Execute all steps in the selected phase sequentially |
| Review | Inspect what a step will do before running it |
| Mark as Done | Mark a step as completed (if done manually outside the system) |
| Mark as Open | Reopen a completed step to run it again |
| Delete Step | Remove a step from the plan |
| Add Additional Step | Insert a custom step into the plan |

**Tips:**

- Steps showing Install need their integrations installed first.
- Review steps before running them, especially those that modify systems.
- Document any deviations from the AI plan.

### Escalated Status and Sustained Investigation

AI SOC centers on Case Management records (prefix CASE). When the AI verdict and confidence meet the thresholds your administrator configured, Pending Case Resolution (and related playbooks) may set the status to Escalated and drive prioritization and metrics. Analysts continue the investigation on the same record unless your organization uses a separate linked-record pattern.

**Sustained investigation:** Use Claim, In Progress, investigation comments, evidence, and routing rules as needed. To change when records become Escalated or Closed, administrators edit the Pending Case Resolution flow in Orchestration → Playbooks.

### Add a Knowledge Base Article

**When to use:** Document organization context, vendor platforms, detection rules, single-alert runbooks, or false positive patterns.

**Steps:** Follow Knowledge Base Articles (KB) (docid ntgnxpveszjgy llqojmf). In summary:

1. Go to Application Records → Knowledge Base Articles → Add.
2. Set Record Type to Case Management, Category (for example Best Practices), and Scope (Global, Signal Source, Signal Rule, or Signal Name).
3. Set Matching Value to the exact source, rule, or signal name, or leave it empty for Global.
4. Complete Context Summary and Guidance, turn Enabled on, and save.

**Best practices:**

- Match the scope to the narrowest fit (see the scope table in the KB guide).
- Name installed connectors and playbooks in Guidance so that Generate Plan suggests tenant-ready steps. See KB Article Best Practices for Plan Generation (docid 7zdgwrtvm6yi0lunjl4jp).

### Reanalyze a Signal

**When to use:** After major evidence changes (new observables, completed enrichment, investigation findings).

**Steps:**

1. Open the signal record.
2. In the AI Alert Analysis panel, click Reanalyze.
3. Hero AI re-runs the verdict analysis with the updated context.
4. Review the updated verdict, confidence, and analysis.

**Why it matters:** Reanalysis ensures verdicts stay current as new evidence is discovered.

### Review Correlation Results

**When to use:** Before starting a new investigation, to avoid duplicate work.

**Steps:**

1. Open the signal record.
2. Check the Correlation panel.
3. Review similar signals and related cases.
4. If similar signals exist, check how they were resolved and review their investigation notes.
5. Determine whether this is a duplicate or a related incident.

**Why it matters:** Correlation helps identify related activity and prevents duplicate investigations.

## Automated Signal Resolution

After a signal leaves Processing, a flow (Pending Signal Resolution) automatically sets the signal's status based on the AI verdict and confidence:

- **Escalated:** If the AI verdict confidence meets the configured threshold (for example, ≥ 8) and the verdict is Malicious or Suspicious, the pending resolution flow may set the record to Escalated (wording and thresholds depend on your installed playbooks).
- **Auto-close:** If the confidence meets the threshold and the verdict is Benign, the signal is Closed.
- **New:** Otherwise (for example, the verdict is not yet defined), the signal is set to New for analyst review.

Classification (True Positive, False Positive, Unknown) is also set in this flow.

To change the escalation or auto-close thresholds (for example, the confidence level), administrators edit the Pending Signal Resolution flow in Orchestration → Playbooks; this logic is not configured via Assets. See Installation and Configuration for where configuration lives.
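The "narrowest fit" rule for knowledge base article scope in the Add a Knowledge Base Article section above is easiest to see as a selection function. The following is an added illustration, not the platform's own matching code: it assumes exact-string matching on Matching Value, that Global articles match every signal, and that the scopes narrow in the order Signal Name, Signal Rule, Signal Source, Global. The article and signal values are constructed sample data.

```python
"""Narrowest-fit selection of KB articles for a signal (added illustration).

Assumptions (not stated on the page): exact match on matching_value, and the
specificity order Signal Name > Signal Rule > Signal Source > Global.
"""
from dataclasses import dataclass

# Higher rank = narrower scope (assumed ordering).
SCOPE_RANK = {"Signal Name": 3, "Signal Rule": 2, "Signal Source": 1, "Global": 0}


@dataclass(frozen=True)
class KbArticle:
    title: str
    scope: str            # one of the SCOPE_RANK keys
    matching_value: str   # exact source / rule / signal name; empty for Global
    guidance: str
    enabled: bool = True


@dataclass(frozen=True)
class Signal:
    source: str
    rule: str
    name: str


def _signal_field(signal: Signal, scope: str):
    """Return the signal attribute that a given scope is compared against."""
    return {
        "Signal Source": signal.source,
        "Signal Rule": signal.rule,
        "Signal Name": signal.name,
    }.get(scope)


def article_applies(article: KbArticle, signal: Signal) -> bool:
    """Disabled or unknown-scope articles never apply; Global always applies."""
    if not article.enabled or article.scope not in SCOPE_RANK:
        return False
    if article.scope == "Global":
        return True
    return article.matching_value == _signal_field(signal, article.scope)


def select_articles(articles, signal: Signal):
    """Applicable articles, narrowest scope first (stable within one scope)."""
    hits = [a for a in articles if article_applies(a, signal)]
    return sorted(hits, key=lambda a: -SCOPE_RANK[a.scope])


# Constructed sample articles (hypothetical names and values).
ARTICLES = [
    KbArticle("Org baseline", "Global", "",
              "Check the asset inventory before escalating."),
    KbArticle("EDR vendor notes", "Signal Source", "EDR-Vendor",
              "Use the installed EDR connector to isolate hosts."),
    KbArticle("Suspicious PowerShell rule", "Signal Rule", "Suspicious PowerShell",
              "Review parent process and script block logs."),
    KbArticle("Backup job false positive", "Signal Name", "Nightly Backup Encoded Command",
              "Known benign: scheduled backup task."),
    KbArticle("Disabled note", "Signal Rule", "Suspicious PowerShell",
              "Stale guidance.", enabled=False),
]


def guidance_titles(signal: Signal, articles=ARTICLES):
    """Titles of the articles Generate Plan would be able to draw on, narrowest first."""
    return [a.title for a in select_articles(articles, signal)]


if __name__ == "__main__":
    sig = Signal("EDR-Vendor", "Suspicious PowerShell", "Nightly Backup Encoded Command")
    for a in select_articles(ARTICLES, sig):
        print(f"[{a.scope}] {a.title}: {a.guidance}")
```

Ordering by specificity means a Signal Name article written for a known false positive pattern is surfaced ahead of broader rule- or vendor-level guidance, which is the practical reason to scope articles as narrowly as the page recommends.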
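The status rules in Automated Signal Resolution above form a small decision table. The following is an added worked example of that table, not the Pending Signal Resolution playbook itself. The threshold default of 8 is taken from the page's example; the verdict labels' casing, the treatment of a below-threshold or undefined verdict as New with classification Unknown, and the mapping Malicious → True Positive and Benign → False Positive are assumptions, since the page lists the classification values without stating how they are assigned. The sample signals are constructed.

```python
"""Decision logic of automated signal resolution (added example, not platform code).

Assumptions: verdict labels as on the page; classification is True Positive for
Malicious, False Positive for Benign, and Unknown otherwise; anything that does
not meet the threshold is left as New / Unknown for analyst review.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

ESCALATE_VERDICTS = {"Malicious", "Suspicious"}
KNOWN_VERDICTS = ESCALATE_VERDICTS | {"Benign", "Unknown"}


@dataclass(frozen=True)
class Resolution:
    status: str          # "Escalated", "Closed", or "New"
    classification: str  # "True Positive", "False Positive", or "Unknown"


def resolve_signal(verdict: Optional[str], confidence: Optional[int],
                   threshold: int = 8) -> Resolution:
    """Map (AI verdict, confidence) to the status the flow would set.

    threshold is the administrator-configured confidence level (page example: >= 8).
    """
    # Verdict not yet defined, not a recognised value, or confidence below the
    # threshold: leave the record as New for analyst review.
    if verdict not in KNOWN_VERDICTS or confidence is None or confidence < threshold:
        return Resolution("New", "Unknown")
    if verdict in ESCALATE_VERDICTS:
        # Assumed classification: only a confident Malicious verdict is a True Positive.
        cls = "True Positive" if verdict == "Malicious" else "Unknown"
        return Resolution("Escalated", cls)
    if verdict == "Benign":
        return Resolution("Closed", "False Positive")
    # Confident "Unknown" verdict still needs a human.
    return Resolution("New", "Unknown")


def status_counts(signals, threshold: int = 8) -> dict:
    """Per-status counts, the kind of figure the page says drives prioritization and metrics."""
    counts = Counter(resolve_signal(v, c, threshold).status for v, c in signals)
    return dict(counts)


# Constructed sample (verdict, confidence) pairs; not real signal data.
SAMPLE_SIGNALS = [
    ("Malicious", 9),
    ("Suspicious", 8),
    ("Benign", 9),
    ("Benign", 6),      # confident enough? no: stays New
    ("Unknown", 9),
    (None, 9),          # verdict not yet defined
]

if __name__ == "__main__":
    for verdict, confidence in SAMPLE_SIGNALS:
        print(f"{str(verdict):10} conf={confidence}: {resolve_signal(verdict, confidence)}")
    print(status_counts(SAMPLE_SIGNALS))
```

Lowering the threshold is the lever the page points administrators at; running the same sample through `status_counts(SAMPLE_SIGNALS, threshold=6)` shows the Benign/6 record moving from New to Closed, which is the kind of change to check against false positive history before committing it in the playbook.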