# Operations and Guidance
This guide covers daily operational tasks, investigation workflows, and automation in AI SOC. For your first investigation, see docid p7qjquayekczhpxeppwcp.

## Common Daily Tasks

These are the most frequent tasks you'll perform when working with signals in AI SOC.

### Claim a Signal

**When to use:** When you're starting to investigate a signal and want to assign it to yourself.

**Steps:**

1. Open the signal record.
2. In Signal Triage, in the Controls panel, click **Claim**.
3. Verify that Current Owner updates to your user.

**Why it matters:** Claiming signals prevents duplicate work and ensures clear ownership. Other analysts can see you're working on it.

### Change the Manual Verdict

**When to use:** After completing your investigation, set the verdict to reflect your findings.

**Steps:**

1. Open the signal record.
2. In the Triage panel, open **Manual Verdict**.
3. Select the appropriate verdict:
   - **Malicious:** confirmed threat requiring response
   - **Suspicious:** needs further investigation
   - **Benign:** false positive, no threat
   - **Unknown:** insufficient data to determine
4. Save the record.

**Why it matters:** Manual verdicts improve AI learning and provide historical context for similar signals.

### Run Investigation Plan Steps

**When to use:** Execute investigation steps from an AI-generated plan.

**Steps:**

1. Ensure a plan has been generated (click **Generate Plan** if needed).
2. Navigate to the appropriate phase (Preparation, Analysis, or Determination).
3. For a single step, click **Run** on the specific step.
4. For all steps in a phase, click **Run All Steps**.
5. Review results in the step timeline.
6. Add notes if you modify or skip steps.

**Available actions:**

- **Run:** execute a single step
- **Run All Steps:** execute all steps in the selected phase sequentially
- **Review:** inspect what a step will do before running it
- **Mark as Done:** mark a step as completed (if done manually outside the system)
- **Mark as Open:** reopen a completed step to run it again
- **Delete Step:** remove a step from the plan
- **Add Additional Step:** insert a custom step into the plan

**Tips:**

- Steps showing **Install** need integrations to be installed first.
- Review steps before running, especially those that modify systems.
- Document any deviations from the AI plan.

### Escalate to a Case

**When to use:** When a signal requires sustained investigation, coordination, or full case management lifecycle tracking.

**Steps:**

1. Confirm the signal requires full investigation or response.
2. In the Controls panel, click **Escalate to Case**.
3. A case is created and linked to the signal.
4. Open the linked case in Case Management to continue tracking.

**When to escalate:**

- Confirmed malicious activity requiring response
- Multi-signal incidents requiring coordination
- Complex investigations needing extended time
- Incidents affecting critical assets or users

### Add a Knowledge Base Article

**When to use:** Document investigation procedures, common false positives, or standard operating procedures.

**Steps:**

1. Navigate to Application Records → Knowledge Base.
2. Click **Add** to open a new article.
3. Complete the required fields:
   - **Title:** descriptive name for the article
   - **Record Type:** type of record this applies to (Signal, Case, etc.)
   - **Category:** classification category
   - **Scope:** global or organization-specific
4. Add content:
   - **Context Summary:** brief overview of when this applies
   - **Guidance:** detailed investigation steps and procedures
5. (Optional) Set **Matching Value** to auto-link articles to related records.
6. Set **Status** (Active, Draft, etc.) and **Read Only** as needed.
7. Save the article.
8. Link the article to related signals or cases as needed.

**Best practices:**

- Keep KB articles current and actionable.
- Include specific investigation steps, not just descriptions.
- Use matching values for automatic linking.
- Document false positive patterns to help AI learn.

### Reanalyze a Signal

**When to use:** After major evidence changes (new observables, completed enrichment, investigation findings).

**Steps:**

1. Open the signal record.
2. In the AI Alert Analysis panel, click **Reanalyze**.
3. Hero AI re-runs the verdict analysis with updated context.
4. Review the updated verdict, confidence, and analysis.

**Why it matters:** Reanalysis ensures verdicts stay current as new evidence is discovered.

### Review Correlation Results

**When to use:** Before starting a new investigation, to avoid duplicate work.

**Steps:**

1. Open the signal record.
2. Check the Correlation panel.
3. Review similar signals and related cases.
4. If similar signals exist:
   - Check how they were resolved.
   - Review investigation notes.
   - Determine if this is a duplicate or a related incident.

**Why it matters:** Correlation helps identify related activity and prevents duplicate investigations.

## Automated Signal Resolution

After a signal leaves Processing, a flow (Pending Signal Resolution) automatically sets the signal's status based on the AI verdict and confidence:

- **Escalate to Case:** if the AI verdict confidence meets the configured threshold (for example, ≥ 8) and the verdict is Malicious or Suspicious, the signal is escalated to a case.
- **Auto Close:** if confidence meets the threshold and the verdict is Benign, the signal is closed.
- **New:** otherwise (for example, the verdict is not yet defined), the signal is set to New for analyst review.

Classification (True Positive, False Positive, Unknown) is also set in this flow.

To change escalation or auto-close thresholds (for example, the confidence level), administrators edit the Pending Signal Resolution flow in Orchestration → Playbooks; this logic is not configured via Assets. See Installation and Configuration for where configuration lives.
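The decision logic above, written out as an added example so the three outcomes and the threshold edge can be checked against sample signals. This is illustrative code, not the product's Pending Signal Resolution flow; the `resolve_signal` function, the sample signals, and the mapping from verdict to classification (Malicious → True Positive, Benign → False Positive, everything else → Unknown) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of the Pending Signal Resolution flow described on the page.
# The threshold value 8 is the page's example; the classification mapping is an assumption.
DEFAULT_CONFIDENCE_THRESHOLD = 8
ACTIONABLE_VERDICTS = {"malicious", "suspicious", "benign"}


@dataclass(frozen=True)
class Resolution:
    status: str          # "escalated_to_case", "closed", or "new"
    classification: str  # "true_positive", "false_positive", or "unknown"


def resolve_signal(ai_verdict: Optional[str], ai_confidence: Optional[float],
                   threshold: float = DEFAULT_CONFIDENCE_THRESHOLD) -> Resolution:
    """Map an AI verdict and confidence to the status the flow would set."""
    verdict = (ai_verdict or "").strip().lower()
    # Verdict not yet defined (or confidence missing): leave it New for an analyst.
    if verdict not in ACTIONABLE_VERDICTS or ai_confidence is None:
        return Resolution("new", "unknown")
    # Below the configured threshold the flow takes no automatic action.
    if ai_confidence < threshold:
        return Resolution("new", "unknown")
    if verdict == "malicious":
        return Resolution("escalated_to_case", "true_positive")
    if verdict == "suspicious":
        # Escalated for investigation, but not yet a confirmed true positive (assumed).
        return Resolution("escalated_to_case", "unknown")
    return Resolution("closed", "false_positive")  # benign at or above threshold


# Constructed sample signals, one per branch of the flow.
SAMPLE_SIGNALS = [
    {"id": "sig-1", "ai_verdict": "Malicious", "ai_confidence": 9},
    {"id": "sig-2", "ai_verdict": "benign", "ai_confidence": 8},
    {"id": "sig-3", "ai_verdict": "suspicious", "ai_confidence": 5},
    {"id": "sig-4", "ai_verdict": None, "ai_confidence": None},
]


def resolve_batch(signals, threshold=DEFAULT_CONFIDENCE_THRESHOLD):
    """Resolve a list of signal dicts; returns {signal id: Resolution}."""
    return {s["id"]: resolve_signal(s["ai_verdict"], s["ai_confidence"], threshold)
            for s in signals}


if __name__ == "__main__":
    for sid, res in resolve_batch(SAMPLE_SIGNALS).items():
        print(sid, res.status, res.classification)
```

Raising `threshold` in `resolve_batch` shows why the page routes threshold changes through the flow itself: a benign verdict at confidence 8 closes automatically at threshold 8 but lands on an analyst's queue at threshold 9.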