# KB Article Best Practices for Plan Generation

Hero AI reads Guidance and Context Summary from linked KB Article records when it builds investigation plans on Case Management cases. How you set Scope, Matching Value, and Guidance determines plan quality.

For how to create records, scope types, and UI steps, see Knowledge Base Articles (KB) (docid ntgnxpveszjgy llqojmf; "How to create KB articles" at the top of that page).

## Pick scope before you write guidance

| Your content is about… | Set Scope to | Set Matching Value to |
| --- | --- | --- |
| Whole-tenant tools, Swimlane usage, whitelists, classification rules | Global | (empty) |
| One vendor or platform (for example all CrowdStrike alerts) | Signal Source | Exact source on the case (for example `crowdstrike`) |
| One detection rule covering several alert names | Signal Rule | Exact rule identifier on the case |
| One alert title only | Signal Name | Exact signal or alert name |

Use Category to classify the article (Industry Frameworks, Best Practices, Memos). Endpoint or vendor runbooks commonly use Best Practices.

## Use a phase-based template in Guidance

Align Guidance with investigation plan phases. Under each phase heading, put one discrete step per line. Use explicit product names and actions. You can enter this in the Guidance rich text editor on the KB Article tab.

Preparation
1. Enrich public IP observables with AbuseIPDB and Recorded Future
2. Enrich file hashes with VirusTotal

Analysis
1. Query CrowdStrike for related detections for the host name from the alert
2. Search the Elastic SIEM for events involving the same user in the last 24 hours

Containment
1. Isolate the host using the CrowdStrike containment action

Eradication

Recovery

One step per line: split multiple vendors or tools into separate numbered lines so Hero AI can map each line to a Turbine component when one exists.

## What to document in Guidance (beyond steps)

Include content that plan generation can use to choose connectors and playbooks:

- Platform role: for Signal Source articles, state what the source is (for example endpoint security with CrowdStrike)
- Swimlane integrations: name connectors and components installed in your tenant for that scope
- Playbooks: note standard playbooks analysts or automation should use
- Key data points: which alert or case fields to read for lookups
- Whitelists / blocklists: approved assets, domains, or scanners; platform-level exceptions
- Classification principles: when to escalate or close without over-relying on a single enrichment source

## Example Guidance by scope

### Global

Environment
- Identity: JumpCloud; Endpoint: CrowdStrike; SIEM: Elastic; Ticketing: Jira
- Use CrowdStrike components for host enrichment; JumpCloud components for user identity

Investigation practices
- Review user and host activity for the last 24 hours; extend to seven days when findings are suspicious

Classification principles
- Do not classify as malicious from VirusTotal alone without corroborating case evidence

Scope: Global. Matching Value: empty.

### Signal Source (CrowdStrike)

Preparation
1. Enrich host observables with the CrowdStrike Threat Graph component

Analysis
1. Pull process chain and detection context from CrowdStrike using the alert detection ID

Scope: Signal Source. Matching Value: `crowdstrike` (must match the case's Signal Source).

### Signal Name (login failure)

Analysis
1. Compare the current login IP to the user's usual ISP and working hours

Determination
1. If there are four or more consecutive failures, or the region differs from usual, favor malicious

Scope: Signal Name. Matching Value: the exact alert title on the case.

## Write concrete, tool-specific lines

- Name products and actions instead of vague instructions
- State observable types (public IP, hash, domain) where enrichment steps depend on them
- Use the same phase headings across articles so merged context stays consistent

## Components must exist in your tenant

Plan generation maps guidance lines to components in your tenant or marketplace. Install and publish connectors before you reference them in KB articles.

## When plans still differ from the KB

- Confirm Scope and Matching Value match the case (and that Enabled is on)
- Confirm articles exist at the right scope (Global plus Source or Name as needed)
- Confirm Guidance uses phases and one step per line, with installed tools named
- Re-run Generate Plan after KB or evidence updates

## See also

- Knowledge Base Articles (KB): create workflow, fields, scope table
- Investigation Plan Workflow: operations and guidance
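The following is an added example, not Swimlane's or Hero AI's code, that models the rules this page describes: an article applies to a case only when it is enabled and its Scope/Matching Value match the corresponding case field exactly (Global always applies), phase-based Guidance is split into one step per line, and every tool named in the merged plan must exist in the tenant. The case field names, the exact-string comparison, the list of recognised tool names and the sample articles and case are assumptions constructed for the demo; the troubleshooting checklist above is what the returned `skipped` reasons and `missing_components` result are meant to surface.

```python
"""Toy model of KB article selection and guidance parsing for plan generation.

This is an illustrative example, not the product's implementation. Field names,
the exact-match rule and the known-tool list are assumptions.
"""
import re
from dataclasses import dataclass

# Scope -> case field that the Matching Value must equal exactly (assumption
# derived from the page's scope table; Global needs no match).
CASE_FIELD_FOR_SCOPE = {
    "Signal Source": "signal_source",
    "Signal Rule": "signal_rule",
    "Signal Name": "signal_name",
}

# Tools the page names; used only to check that referenced tools are installed.
KNOWN_TOOLS = {"AbuseIPDB", "Recorded Future", "VirusTotal", "CrowdStrike",
               "Elastic", "JumpCloud", "Jira"}

# A step line starts with "1." / "1)" / "-" / "*"; anything else is a heading.
STEP_RE = re.compile(r"^(?:\d+[.)]|-|\*)\s+")


@dataclass
class KBArticle:
    title: str
    scope: str            # "Global", "Signal Source", "Signal Rule", "Signal Name"
    matching_value: str   # empty for Global
    guidance: str         # phase heading lines followed by one step per line
    enabled: bool = True


@dataclass
class Case:
    signal_source: str
    signal_rule: str
    signal_name: str


def article_applies(article: KBArticle, case: Case) -> tuple[bool, str]:
    """Decide whether an article feeds this case's plan, with a human-readable reason."""
    if not article.enabled:
        return False, "article is not enabled"
    if article.scope == "Global":
        return True, "global scope applies to every case"
    field = CASE_FIELD_FOR_SCOPE.get(article.scope)
    if field is None:
        return False, f"unknown scope {article.scope!r}"
    case_value = getattr(case, field)
    if article.matching_value == case_value:   # exact match, including case
        return True, f"{article.scope} matches {case_value!r}"
    return False, (f"{article.scope} matching value {article.matching_value!r} "
                   f"does not equal case value {case_value!r}")


def parse_guidance(text: str) -> dict[str, list[str]]:
    """Split guidance into {heading: [step, ...]}; steps must sit under a heading."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if STEP_RE.match(line):
            if current is None:
                raise ValueError(f"step appears before any phase heading: {line!r}")
            sections[current].append(STEP_RE.sub("", line))
        else:
            current = line
            sections.setdefault(current, [])
    return sections


def build_plan(articles: list[KBArticle], case: Case):
    """Merge the guidance of every applicable article; report why others were skipped."""
    plan: dict[str, list[str]] = {}
    skipped: dict[str, str] = {}
    for article in articles:
        applies, reason = article_applies(article, case)
        if not applies:
            skipped[article.title] = reason
            continue
        for heading, steps in parse_guidance(article.guidance).items():
            plan.setdefault(heading, []).extend(steps)
    return plan, skipped


def missing_components(plan: dict[str, list[str]], installed) -> list[str]:
    """Known tools referenced by plan steps that are not installed in the tenant."""
    referenced = {tool for steps in plan.values() for step in steps
                  for tool in KNOWN_TOOLS if tool.lower() in step.lower()}
    return sorted(referenced - set(installed))


# Constructed sample articles modelled on the page's examples.
ARTICLES = [
    KBArticle("Global environment", "Global", "",
              "Classification principles\n"
              "- Do not classify as malicious from VirusTotal alone without corroborating case evidence\n"),
    KBArticle("CrowdStrike source", "Signal Source", "crowdstrike",
              "Preparation\n1. Enrich host observables with the CrowdStrike Threat Graph component\n"
              "Analysis\n1. Pull process chain and detection context from CrowdStrike using the alert detection ID\n"),
    KBArticle("Login failure", "Signal Name", "Login Failure",
              "Analysis\n1. Compare current login IP to the user's usual ISP and working hours\n"
              "Determination\n1. If four or more consecutive failures or region differs from usual, favor malicious\n"),
]
SAMPLE_CASE = Case("crowdstrike", "RULE-ID-PLACEHOLDER", "Login Failure")  # constructed

if __name__ == "__main__":
    plan, skipped = build_plan(ARTICLES, SAMPLE_CASE)
    for heading, steps in plan.items():
        print(heading)
        for i, step in enumerate(steps, 1):
            print(f"  {i}. {step}")
    print("skipped:", skipped)
    print("missing components:", missing_components(plan, {"CrowdStrike"}))
```

Running it with a case whose Signal Source is `Crowdstrike` instead of `crowdstrike` leaves the source article out of the plan and records the reason in `skipped`, which is the first item on the checklist above; `missing_components` covers the third item by listing any named tool that is not installed.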