# AI SOC Solution Release 26.1.0

AI SOC 26.1.0 includes new capabilities and fixes that improve reliability across case management, threat intelligence, alert ingestion, and routing workflows.

This release strengthens day-to-day analyst work on case records. Playbook run visibility, phishing email preview on signals, and threat intelligence re-query on new signals help teams trace automation, review alert context in the record, and base verdicts on current intelligence rather than stale enrichment.

AI Alert Ingestion is included in the 26.1.0 solution package, with Alert Schema Store, mapping safeguards, and connector onboarding improvements that reduce the time to connect new alert sources. Hero AI gains richer solution context through descriptions and Visible to Hero AI settings, updated threat intelligence enrichment components improve observable enrichment reliability, and the JSONata Helper agent helps builders create and validate transformation expressions in playbooks and components.

Overall, AI SOC 26.1.0 helps security teams investigate with clearer automation traceability, onboard alert sources more efficiently, and operate on a more dependable solution baseline after the issues identified in AI SOC 26.0.0.

For installation, configuration, and daily operations, see [AI SOC Solution](https://docs.swimlane.com/solutions/ai-soc-solution).

## What's new in this release

### Playbook run visibility

Routing and automation are easier to trace on case records. The AI Analysis widget links playbook run details when a routing playbook runs for subsequent alerts, so you can see what ran and open the run in Operational Health. Case records include a Playbook Run ID field under Routing Rule Matches, updated by the AI SOC Update Playbook Run ID component in the solution bundle.

### Phishing email preview in signal records

Phishing email ingestion now renders a visual preview of reported email content on signal records. Analysts can review the message in context under Support > Phishing Email Data without leaving the record.

### Threat intelligence re-query on new signal records

When a new signal record is created, attached threat intelligence records are re-queried against the providers. Observable reputation can change over time; re-querying helps ensure that verdicts reflect current intelligence rather than stale cached results.

### AI Alert Ingestion improvements

AI Alert Ingestion is included in the AI SOC 26.1.0 content bundle and includes several enhancements:

- Content bundle: the AI Alert Ingestion SSP is included in the AI SOC 26.1.0 solution package.
- Alert Schema Store: review and edit AI-suggested field mappings in the UI. The original alert payload is saved on the schema record for reference when you adjust mappings later.
- Prefix name warning: the ingestion wizard warns when a component or playbook prefix can override existing content.
- Visible to AI default: the Visible to AI toggle is off by default for ingestion-generated content, so new ingestion content is not exposed to the AI until you enable it.
- Multi-action sources: when you create an ingestion component from a connector with multiple actions, the full native action sequence is preserved.
- CrowdStrike hash mapping: webhook ingestion maps CrowdStrike observable hashes more accurately.

### Hero AI visibility and descriptions

Solution playbooks, flows, components, applications, and application fields now include descriptions and Visible to Hero AI settings where appropriate. Hero AI can use this context during investigation, plan generation, and verdict analysis.

### Updated threat intelligence enrichment components

The Enrich IPQualityScore Enrich Observable and Enrich AbuseIPDB Enrich Observable Value in Context components are updated to current connector versions for more reliable observable enrichment.

### JSONata Helper AI agent

The JSONata Helper AI agent helps you generate and validate JSONata expressions for transformations in AI SOC playbooks and components. It understands Swimlane-specific JSONata functions and can test expressions against sample payloads, reducing manual expression work and playbook execution time compared with script-based alternatives.

## Addressed issues

The following fixes address issues found in AI SOC 26.0.0.

### Case management and timeline

- Lessons Learned application was missing: fixed an issue where the Lessons Learned application was not included in the AI SOC solution package. The application is now available after upgrade or content import.
- Case timeline did not record key analyst actions: fixed an issue where the case timeline did not update when you changed the classification, set a manual verdict, reopened a case to In Progress, or ran Check Threat Intelligence from Manual Actions. Timeline entries now appear for these actions.
- Re-assign Owner unclaimed the case: fixed an issue where Re-assign Owner unclaimed the case instead of assigning it to the selected user. Reassignment now sets the intended owner.
- Add Observable and remediation actions failed on cases: fixed an issue where you could not add observables or MITRE techniques, or run the Remediate or Unremediate actions, from case or signal records. These actions now complete successfully.

### Signal triage and routing

- Signal triage labels truncated: fixed an issue where labels in the signal triage side widget were cut off. Full labels now display.
- Routing rule playbook information out of date: fixed an issue where routing rule details did not reflect the associated playbook after changes. Playbook information now stays in sync.
- Knowledge base articles did not match by signal source: fixed an issue where signal source matching values did not attach the expected knowledge base articles to cases. KB article matching now works for configured signal sources.

### Playbooks and analysis

- AI SOC generated playbook failed for non-malicious verdicts: fixed an issue where AI SOC generated playbook execution failed when the verdict was not Malicious. Playbooks now run for Benign, Suspicious, and Unknown verdicts as designed.
- Remediation block reported success when the block failed: fixed an issue where the Microsoft Defender Block Observable component reported success when the underlying block operation failed. Results now reflect the actual block outcome.

### AI Ingestion

- Saved Record did not persist in AI Ingestion: fixed an issue where Saved Record in the AI Ingestion workspace did not save configuration details. Saved records now persist correctly.
- Schema Store lookup limited results: fixed an issue where the ingestion schema lookup considered only the most recent 100 Schema Store records. Lookups now use the full available schema history.
- Ingestion playbooks missing parallel loops: fixed an issue where playbooks created by AI Ingestion webhook flows did not use parallel loops where required. Ingestion playbooks now process alerts as designed.
- AI Ingestion dashboard permission error: fixed an issue where the default dashboard for the AI Ingestion workspace returned "You do not have the proper permissions" for some roles. Authorized users can now open the dashboard.

### Dashboards and reporting

- MTTR displayed negative values: fixed an issue where Mean Time to Resolve could show negative values on case records or reports. MTTR now calculates and displays correctly.
- MTTR by Source dashboard card used the wrong metric: fixed an issue where the Case MTTR by Source dashboard card referenced signal MTTD instead of case MTTR. The card now uses the intended metric.
- Incorrect signal labels in case reports and components: fixed an issue where case reports and the AI SOC Deduplicate Alert component used inconsistent "signal" or "sig" terminology. Labels now match case management naming.

## Known limitations

The following behaviors are documented constraints for AI SOC 26.1.0. See the linked user guide topics for workarounds.

### Custom asset required fields

Custom configuration assets (for example, AI SOC Tenant Configuration and Turbine Tenant Credentials) do not mark inputs as required in the Turbine UI. You can save an asset with empty or placeholder values from content packaging, but core playbooks and components (for example, AI SOC Collect Playbook Execution Data) fail at run time until you enter valid tenant values. After install or upgrade, open each custom asset under Orchestration > Assets and complete all required inputs. See [Configure custom assets](https://docs.swimlane.com/solutions/ai-soc-solution/installing-and-configuring-ai-soc-solution/configure-custom-assets).

### Manual threat intelligence links and reanalysis

When you manually add or link threat intelligence records to a Case Management record after initial processing, Hero AI does not automatically re-run verdict analysis, and the UI does not indicate whether Reanalyze has run since your change. Click Reanalyze in the AI Alert Analysis panel to refresh the AI verdict and threat intelligence analysis. See [Case Management (Case)](https://docs.swimlane.com/solutions/ai-soc-solution/ai-soc-applications/case-management-case) and [Operations and guidance](https://docs.swimlane.com/solutions/ai-soc-solution/operations-and-guidance).