KB Article Best Practices for Plan Generation
Hero AI uses the Guidance and Context Summary text from linked KB article records when it builds investigation plans in Case Management. How you structure that text strongly affects whether Generate Plan produces complete, runnable steps instead of only partial coverage.

At a glance

- Plans follow your runbook: break guidance into phases with one discrete step per line.
- Instructions map to actions: use one vendor or system per line (for example, one line for CrowdStrike and another for Elastic).
- Hero AI can find components: describe actions your tenant can run, and install or publish connectors for the tools you require.
- Articles apply to case triage: set Record Type and Scope so articles intended for AI SOC cases target Case / Case Management usage.

Use a phase-based template in guidance

Align the body of Guidance with the same phases you use in investigation plans. Under each phase, put one step, or one component-oriented instruction, per line. Numbered lines work well for Preparation; you can use the same pattern for the other phases. Use clear phase headings and short lines, for example:

    Preparation
    1. Enrich public IP observables with AbuseIPDB and Recorded Future
    2. Enrich file hashes with VirusTotal
    Analysis
    1. Query CrowdStrike for detections related to the host name from the alert
    2. Search the Elastic SIEM for events involving the same user in the last 24 hours
    Containment
    1. Isolate the host using the CrowdStrike containment action
    Eradication
    Recovery

Adapt the phase names to your process. Empty phases can stay as placeholders or be omitted if you do not use them.

Single step per line

Avoid packing several vendors or tools into one sentence (for example, "Get more data from SentinelOne or CrowdStrike and from a SIEM like Elastic"). Split those into separate numbered lines so Hero AI can map each line to a concrete Turbine component when one exists.

Write concrete, tool-specific lines

Prefer explicit product names and actions (for example, "Send a summary to Slack channel C012345") over vague directives (for example, "Notify the team"). When you use multiple KB articles (for example, one generic runbook and one vendor-specific article), use the same structured format in each. Mixed styles still work, but consistent per-line detail improves how fully the plan reflects your guidance. Describe the observable types your steps need (for example, public IP versus private IP) so enrichment steps match the alert.

Components must exist in your tenant

Plan generation matches instructions to Turbine components available in your tenant or the marketplace. If no suitable component exists, Hero AI may skip that part of the guidance or note that the action is unavailable. To get plans that include a vendor or integration, install or publish the corresponding connector and verify that it appears where analysts build plans.

Target case investigation articles correctly

Articles that drive Generate Plan for AI SOC should be authored and classified so they apply to Case Management investigation workflows. Set Record Type, Scope, and Status according to your administrator's KB configuration so that case-linked and auto-matched articles are the ones Hero AI can consume for case records. See docid\ ntgnxpveszjgy llqojmf for the field reference and linking behavior.

When plans still differ from the KB

- Confirm that linked articles use the phase template with one instruction per line.
- Confirm that the integrations you describe are installed and visible to playbook builders.
- Re-run Generate Plan after major evidence or KB updates.

See also

- docid\ ntgnxpveszjgy llqojmf: fields, linking, and matching value
- docid\ bde8p71mmp2lbymuzuooi: Preparation, Analysis, and Determination phases
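The rules above (phase headings, one numbered step per line, one tool per step, only tools that have an installed connector) can be checked before an article is linked to a case. The linter below is an example added to this article, not Hero AI or Turbine code, and it knows nothing about how Hero AI actually parses guidance. The connector inventory, the list of known tools, and both guidance samples are constructed for illustration; the sample deliberately leaves SentinelOne out of the installed set so the "no connector" check has something to report.

```python
"""Lint a KB article's Guidance body against the phase-template rules:
phase headings, one numbered step per line, one tool per step, and only
tools that exist in the tenant. Example code added to this article; the
inventory and samples below are constructed, not read from a real tenant."""
import re
from dataclasses import dataclass, field

# Assumed connector inventory for a hypothetical tenant (not a real API result).
INSTALLED_CONNECTORS = {"abuseipdb", "recorded future", "virustotal",
                        "crowdstrike", "elastic", "slack"}
# Products an author might name; SentinelOne is deliberately not installed.
KNOWN_TOOLS = INSTALLED_CONNECTORS | {"sentinelone"}

# A step line: "1. text" or "1) text". Anything else non-empty is a phase heading.
STEP_RE = re.compile(r"^\s*(\d+)[.)]\s+(.*\S)\s*$")


@dataclass
class Phase:
    name: str
    steps: list = field(default_factory=list)  # (line_no, step_text)


def parse_guidance(text: str):
    """Split guidance into phases. Returns (phases, findings); a finding is
    (line_no, message). Steps before any heading are reported."""
    phases, findings = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = STEP_RE.match(line)
        if m is None:
            phases.append(Phase(line))
            continue
        if not phases:
            findings.append((line_no, "step appears before any phase heading"))
            phases.append(Phase("(no phase)"))
        phases[-1].steps.append((line_no, m.group(2)))
    return phases, findings


def tools_in(step: str):
    """Known product names mentioned in one step (case-insensitive substring match)."""
    low = step.lower()
    return sorted(t for t in KNOWN_TOOLS if t in low)


def lint_guidance(text: str):
    """Apply the one-tool-per-line, concrete-tool, and installed-connector rules.
    Returns (phases, findings) with findings in reading order."""
    phases, findings = parse_guidance(text)
    for phase in phases:
        for line_no, step in phase.steps:
            tools = tools_in(step)
            if len(tools) > 1:
                findings.append((line_no, "several tools on one line (%s); "
                                 "split into one line per tool" % ", ".join(tools)))
            elif not tools:
                findings.append((line_no, "no product named; prefer an explicit "
                                 "tool and action over a vague directive"))
            for t in tools:
                if t not in INSTALLED_CONNECTORS:
                    findings.append((line_no, "'%s' has no installed connector; "
                                     "Hero AI may skip this step" % t))
    return phases, findings


# Constructed sample that follows the template (one tool per step).
GOOD_GUIDANCE = """Preparation
1. Enrich public IP observables with AbuseIPDB
2. Enrich file hashes with VirusTotal
Analysis
1. Query CrowdStrike for detections related to the host name from the alert
2. Search the Elastic SIEM for events involving the same user in the last 24 hours
Containment
1. Isolate the host using the CrowdStrike containment action
Eradication
Recovery
"""

# Constructed sample that breaks the rules the article warns about.
BAD_GUIDANCE = """Investigation
1. Get more data from SentinelOne or CrowdStrike and from a SIEM like Elastic
2. Notify the team
"""

if __name__ == "__main__":
    for label, body in (("good", GOOD_GUIDANCE), ("bad", BAD_GUIDANCE)):
        phases, findings = lint_guidance(body)
        print(label, [(p.name, len(p.steps)) for p in phases])
        for line_no, msg in findings:
            print("  line %d: %s" % (line_no, msg))
```

Note that the article's own Preparation example names two enrichment sources on one line; this linter reports that as a finding, so treat the multi-tool message as a prompt to decide whether a split helps Hero AI map the step, not as a hard error.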