Education

• Splunk Education: Free courses

• Microsoft Learn: Free courses

• IBM SkillsBuild: Free courses

• IBM: AI Agents for Cybersecurity

Playbooks

• Example playbooks

Tools and Platforms

• SIEM (Security Information and Event Management): collects and analyzes security data from across an organization’s network, enabling real-time monitoring and threat detection. It helps identify potential security incidents through event correlation and pattern recognition. 

SOAR (Security Orchestration, Automation, and Response): use AI to automate the response to security incidents. They integrate with multiple security tools to execute playbooks.

Playbooks: Predefined workflows that can contain and neutralize a threat in seconds.

Vendors

G2: Best SIEM Solutions

• Microsoft Sentinel

  • A key player with a cloud-native SIEM and integrated SOAR capabilities. It is a strong fit for organizations already invested in the Microsoft Azure and 365 ecosystems.

• Splunk Enterprise Security

  • A market leader known for its powerful data analytics. It offers a robust SIEM (Splunk Enterprise Security) and an integrated SOAR platform (Splunk SOAR). It's often preferred by large enterprises with complex, diverse data sources due to its extensive app ecosystem.

• IBM QRadar

  • A comprehensive solution leveraging AI for threat intelligence and incident response. It is a strong choice for companies with existing legacy systems or complex on-premises environments.

• Rapid7 InsightIDR

  • Known for its combined SIEM (InsightIDR) and SOAR (InsightConnect) platforms. Their strength is a user-friendly, no-code approach to building SOAR playbooks and a strong reputation in vulnerability management.

• Fortinet Security Fabric

  • A significant player whose core strategy is the "Fortinet Security Fabric." This approach tightly integrates all of their products, making their SIEM (FortiSIEM) and SOAR (FortiSOAR) a compelling choice for companies that are already heavily invested in the Fortinet ecosystem.

• Popular SIEM Plugins:

Rapid7: Most Popular Plugins

• Provisioning and Deprovisioning Users: AWS IAM, AD/ LDAP, Okta, Duo, JIRA, GitHub, Workday

• Malware Containment: VirusTotal, Hybrid Analysis, Cuckoo, Palo Alto Wildfire, VMRay, Cortex, JIRA

• Alert Enrichment: WhoIS, AbuseIPDB, DomainTools, FreeGeoIP, GeoIP2 Precision, Snort Labs, IP Reputation, Powershell, Python

• Patching and Remediation: Microsoft SCCM, IBM BigFix, Metasploit, JIRA, ServiceNow

Threat Management

Alert fatigue is a significant challenge in modern SOCs, where analysts are overwhelmed by a high volume of alerts, many of which are false positives. AI and automation help by acting as an intelligent filter and accelerator, thereby reducing the burden on human analysts.

Automated Triage

What it is:

• AI systems analyze incoming alerts in real-time, assigning a risk score based on factors like user behavior, time, and asset criticality. It then prioritizes the most significant threats for human review.

Example:

• An AI system flags a user who is trying to access a sensitive database from a new, unusual location. This is deemed high-risk and moved to the top of an analyst’s queue.

Automated Enrichment

What is it:

• SOAR platforms use automation to instantly enrich alerts with critical context. When a suspicious event occurs, the playbook can automatically query threat intelligence feeds for the IP address, check internal logs for related activities, and gather user information. This saves analysts significant time and provides them with a complete picture before they even begin their investigation.

Example:

• An AI agent systematically handles the initial stages of a security incident. The process begins with the agent collecting data from various security sources, such as a SIEM. The data is then enriched with external information from sources like threat intelligence and internal context from frameworks like MITRE ATT&CK. The agent then correlates, predicts, and ranks the information based on risk. Finally, it recommends a response and compiles all the findings into a documented ticket or case, which is then handed off to a human analyst.

Event Correlation

What it is:

• Event Correlation is the process of linking individual security events (e.g., a suspicious login, a unique process running, a small data transfer) into a single, cohesive narrative of an attack. AI helps human analysts by correlating seemingly unrelated events across different systems to identify a complete "attack path."

Examples:

• "Living Off the Land" Attack: An AI system detects a user running a legitimate tool like PowerShell in an unusual way, which would be missed by a traditional, signature-based system.

• Insider Threat: AI-powered UEBA (User and Entity Behavior Analytics) detects a user accessing a sensitive database at an unusual time from a different location, flagging their behavior as anomalous even though they have the proper permissions.

Automated Containment

What is it:

• For high-confidence threats, automation can take immediate, low-impact actions. For example, a playbook can automatically quarantine a suspicious email, block a known malicious IP at the firewall level, or temporarily suspend a user account. This reduces the Mean Time to Respond (MTTR) from hours to minutes or even seconds.

Example:

• A SOAR playbook is triggered by a high-risk alert. It can automatically quarantine a suspicious email, block a known malicious IP at the firewall level, temporarily suspend a user account, scan a machine for malware, and create a ticket for an analyst to investigate further.

Alerts Best Suited for AI Triage

AI is particularly effective at triaging alerts in a SOC that are high-volume, repetitive, or involve sifting through massive amounts of data to find subtle anomalies.

Phishing and Malware Alerts

• AI can quickly analyze email headers, URLs, and attachments against threat intelligence feeds and known malicious patterns. It can flag suspicious emails, quarantine them, and even identify new, sophisticated phishing campaigns by recognizing subtle deviations from normal communication patterns. This helps to reduce the number of false positives and frees up analysts to focus on more complex threats.

Vulnerability Scanning and Patching Alerts

• AI can automate the correlation of vulnerability scan data with asset inventory and patch management systems. It can prioritize alerts based on the severity of the vulnerability, the exploitability, and the criticality of the affected asset. This allows SOC teams to focus on the most urgent patching needs rather than manually sorting through a large volume of scan results.

User and Entity Behavior Analytics (UEBA) Alerts

• UEBA uses machine learning to establish a baseline of normal behavior for users and devices. When a deviation from this baseline occurs—such as a user accessing a system they've never used before or a machine communicating with a suspicious IP address—the AI can flag it as an anomaly. This is particularly effective for detecting insider threats or compromised accounts.

Multi-Stage Attack Correlation

• AI is highly effective at connecting seemingly unrelated alerts from different security tools across a network. It can correlate a low-severity alert from an endpoint with a suspicious network flow and a login attempt from an unusual location, identifying a multi-stage attack that might have been missed by a human analyst looking at individual alerts.

Cloud Security Alerts

• With the scale and complexity of cloud environments, AI can analyze a constant stream of logs from services like AWS, Azure, and Google Cloud. It can identify misconfigurations, unauthorized access attempts, and policy violations that are often buried in vast quantities of log data.

Key Benefits

Reduced MTTR/MTTD

• AI significantly lowers the Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) to threats. For many organizations, AI can compress alert investigation time from 20-30 minutes per alert to just a few minutes or even seconds. This directly reduces the overall MTTR from hours to minutes.

  • Time Reduction: 30 minutes > 5 minutes

Increased Efficiency

• By automating repetitive tasks, AI frees up human analysts to focus on complex, high-value work. This can lead to a 50-60% increase in analyst productivity, allowing them to spend less time on manual triage and more time on strategic threat hunting and deeper analysis. AI can also filter out a high percentage of false positives, reducing alert fatigue and improving analyst morale and job satisfaction.

  • Productivity Increase: 60%

Compliance Preparedness

• AI-powered SOCs can assist with regulatory compliance (e.g., GDPR, CCPA) by providing detailed logs, automated reports, and continuous monitoring, making it easier for organizations to meet standards.

Risk Calculation

A company does not have to complete a massive data classification project beforehand. AI can dynamically calculate risk and allow for customization. The AI's machine learning models compute a risk score based on:

Behavioral Analytics

• The system establishes a "normal" baseline for users and devices. Any deviation from this baseline contributes to a higher risk score.

Contextual Factors

• The AI considers data points like geographic location, time of day, and the criticality of the asset being accessed. It can also perform Content-Based Analysis to infer the sensitivity of data.

Customization

• A company can tune the system by adjusting thresholds for automated actions and modifying the weighting of different factors. This is an ongoing process to reduce false positives and improve detection accuracy.

Implementation

A successful implementation of AI in the SOC follows an incremental, three-phased approach rather than a "big bang" deployment. See also Scaling Automations as an alternative phased approach.

Phase 1: Visibility

• Objective

  • This phase is all about establishing the foundational data pipeline. You're connecting the most critical systems to get a centralized view of your security data.

• Key Actions

  • Ingest logs from high-priority systems like firewalls and identity management systems.

• Systems

  • Firewalls: To monitor network traffic, denied connections, and successful access attempts.

  • Identity Management Systems: To track user logins, authentication attempts, and privilege changes.

  • Critical Servers: To collect system logs and audit trails from your most important assets.

  • Cloud Infrastructure: To ingest logs from your cloud provider, such as AWS, Azure, or GCP, for resource activity.

• Example

  • Using basic rules to detect a brute-force attack from your most critical systems.

Phase 2: Enrichment

• Objective

  • In this phase, you're not just collecting data; you're connecting systems that can provide context and allow for an initial, low-risk automated action.

• Key Actions

  • Start with low-risk automation like alert enrichment and use a "Human-in-the-Loop" approach for all high-impact actions.

• Systems

  • Threat Intelligence Feeds: To automatically check if an IP address, domain, or file hash is known to be malicious.

  • Internal Directories: To enrich alerts with information about the user or asset (e.g., Active Directory or LDAP).

  • Firewalls and Email Security Gateways: To perform low-risk containment actions like blocking a URL or quarantining an email.

  • Case Management Systems: To automatically create and update tickets for human analysts.

• Example

  • A playbook automatically queries a threat intelligence feed for a suspicious IP and attaches the information to the alert for an analyst to review. See: Suspicious IP Enrichment

Phase 3: Response

• Objective

  • To use AI to detect complex, anomalous threats and to enable full automation for high-confidence events.

• Key Actions

  • Enable UEBA: Expand log sources to detect behavioral anomalies. Automate high-impact actions for well-understood, high-confidence threats.

• Systems

  • EDR: To gain deep visibility into all endpoints and take automated containment actions like isolating a device from the network.

  • All Other Endpoints: To expand your log sources beyond just critical servers and enable robust UEBA across the entire environment.

  • Identity Management Systems: To take automated, high-impact actions like forcing a password reset or suspending a user's account.

  • Vulnerability Management Tools: To correlate threat data with known vulnerabilities for a more informed response.

• Example

  • A high-confidence playbook is configured to automatically block a known malicious IP address at the firewall level. See: Malicious IP Block

  • A SOAR playbook is triggered by a high-risk alert. It can automatically quarantine a suspicious email, block a known malicious IP at the firewall level, temporarily suspend a user account, scan a machine for malware, and create a ticket for an analyst to investigate further.

Considerations

• Empowerment

  • Foster a culture where security is everyone's responsibility, not just the security team's. Empower employees to make secure decisions and report suspicious activity.

• Zero-Trust for All

  • For individuals and organizations, implement secure access and authentication at every layer and monitor activity between systems and applications to create a miniature zero-trust environment.

• Federated Data Approach

  • Break down data silos and embrace a federated data approach where data is accessible in real-time, enabling security teams to view threats from a holistic perspective across on-premise, cloud, and edge environments.

SIEM Data Ingestion

The first step is always to get the data from its source to the SIEM. This is called data ingestion. Most modern SIEM platforms are designed to be "vendor-agnostic," meaning they can accept data from a wide variety of sources using different methods. The goal is to collect all high-fidelity security events and telemetry in a centralized location for correlation and analysis.

EDR

EDR tools provide the most granular level of visibility into what's happening on your endpoints (servers, desktops, laptops). This includes process executions, file modifications, and network connections.

Connection Method

• EDR platforms typically connect to SIEMs via a dedicated API or a data streaming service. This is the most efficient and preferred method. The EDR vendor provides an API key and a connector (often a small application or a cloud-native integration) that the SIEM uses to pull in the telemetry data. This is an advanced method that ensures data is parsed correctly and often includes more context.

Best Practices

• Focus on Telemetry

  • Ingesting raw EDR logs can be expensive and overwhelming. Best practice is to focus on ingesting the telemetry and alerts that are most relevant for threat detection and hunting.

• Prioritize Critical Alerts

  • Only send high-fidelity alerts to the SIEM for immediate action.

  • Example: A "malware found" alert is a high-priority event that should be sent immediately, whereas a daily log of all file executions might be stored in the EDR's data lake and only pulled into the SIEM on an as-needed basis for deep-dive investigations.

Firewalls

Firewalls are a crucial source of network-level logs, showing traffic allowed, denied, and the source/destination of connections. This is often the first log source a company connects to their SIEM.

Connection Method

• The most common and standardized way to ingest firewall logs is via Syslog. Syslog is a protocol for sending event messages over an IP network. Most firewall vendors have a built-in function to forward logs to an external Syslog server, which can be the SIEM itself or a log collector that then forwards to the SIEM.

Best Practices

• Prioritize Relevant Logs

  • Firewalls can generate a massive volume of logs. Don't send everything. Filter out known benign, high-volume logs (like basic permitted internet traffic) and prioritize sending logs related to denied traffic, successful logins, and connections to critical assets.

• Use a Secure Protocol

  • Whenever possible, use a secure protocol like Syslog over TLS to encrypt the logs in transit. This is especially important if the data is being sent across an untrusted network.

Code Repositories

Code repositories (like GitHub or GitLab) are an important, but often overlooked, source of security data. They provide visibility into who is accessing code, making changes, and managing permissions, which can be a key indicator of an insider threat or compromised account.

Connection Method

• The most effective way to connect a code repository to a SIEM is through a webhook or API integration. A webhook is an automated message sent from the repository to the SIEM whenever a specific event occurs (e.g., a new user is added, a sensitive branch is merged, or an access token is created).

Best Practices

• Focus on Security-Relevant Events

  • Don't log every single code commit. Focus on events that could have security implications.

• Prioritized Events to Monitor

  • Changes to administrative privileges

  • Creation or deletion of user accounts

  • Changes to sensitive code branches or settings

  • Creation of new API keys or secrets

  • Massive data exfiltration or Cloning of repositories

By implementing these best practices, a company can ensure that its SIEM receives the right data from the right sources, providing a solid foundation for threat detection, hunting, and automated response.

Proactive Threat Management

A reactive SOC primarily responds to alerts after they've been generated, which can be like playing a constant game of whack-a-mole. Evolving to a proactive model means actively hunting for threats before they cause damage.

Threat Hunting

• This involves actively searching for threats that have bypassed automated defenses. AI plays a crucial role here by acting as an assistant. Instead of manually sifting through mountains of log data, AI-powered tools can identify subtle anomalies and suggest hypotheses for an analyst to investigate. For instance, an AI system might highlight a specific, unusual process running on a server that doesn't trigger any standard alert but fits the pattern of a "living off the land" attack.

Behavioral Analytics (UEBA)

• User and Entity Behavior Analytics is a core component of proactive security. Instead of looking for known bad signatures, UEBA establishes a baseline of normal behavior for every user and device on the network. When an activity deviates from this baseline (e.g., a finance employee suddenly accesses HR records at 2 a.m.), the system flags it as suspicious. This is a powerful strategy for detecting insider threats and compromised accounts that would be missed by traditional rule-based systems.

Predictive Analytics

• This advanced strategy uses AI to analyze historical attack data and predict potential future threats. The SOC can then use these insights to harden their defenses in advance, patching specific systems or implementing new controls before an attack occurs.

XDR

• A modern SOC uses Extended Detection and Response (XDR) to go beyond the capabilities of traditional EDR. XDR unifies security visibility across endpoints, network, and cloud environments to provide a holistic view of threats and enable a coordinated response. See G2 Best Extended Detection and Response (XDR) Platforms for a list of vendors.

Future-Proof Your SOC

As attackers increasingly use AI to launch more sophisticated, rapid, and evasive attacks, SOCs must evolve their defenses when reliable and repeatable results are achievable.

Embrace AI for Defense

• Combat AI-powered threats with AI-powered defense. AI-driven platforms can analyze attacker tactics, techniques, and procedures (TTPs) at a scale and speed that a human cannot. They can learn to detect a variety of attack methods, from highly evasive malware to deepfake phishing attempts.

Threat Simulation

• Use AI-driven threat simulation and attack surface management tools to continuously test your defenses. These platforms can simulate a wide range of attack scenarios, providing insights into your vulnerabilities and helping you prioritize remediation efforts.

Focus on Explainability

• As your SOC becomes more dependent on AI, it's crucial to understand why the AI is making certain decisions. This is known as explainable AI (XAI). A future-proof SOC must be able to audit and validate the logic behind AI-driven alerts to prevent blind trust in the technology and ensure that false positives can be quickly identified and corrected.

Align PPT

Technology alone isn't enough. An optimized security posture depends on the synergy between people, processes, and tools.

People

• The most crucial part of any SOC. AI should be viewed as an augmentative tool, not a replacement. Analysts need to be trained on the new technologies and understand how to work with AI to leverage its full potential. The focus should be on upskilling analysts to perform more strategic, high-value tasks like threat hunting and incident response leadership.

Processes

• Your workflows must be adapted to incorporate AI and automation. For example, a "Human-in-the-Loop" approach is a critical process for Phase 2 deployments. This involves having playbooks that handle automated enrichment and low-risk containment but always require human approval before taking high-impact actions like blocking a legitimate business partner. This balances speed and security.

Tools

• The tools you use should be integrated. A modern SOC needs an ecosystem of tools that can share information and trigger actions. This includes a robust SIEM for data aggregation, a SOAR platform for automation, and EDR (Endpoint Detection and Response) tools for detailed endpoint visibility. These tools must work together seamlessly to provide a complete picture and enable rapid, orchestrated responses. See: Solutions

Risks of Autonomous AI

Deploying autonomous AI agents in a SOC environment without human oversight can introduce several critical risks. While AI can be a powerful tool for improving security, a "human-in-the-loop" approach is essential to ensure safety and effectiveness.

Hallucinations

• AI agents, particularly those based on large language models, can sometimes generate plausible but incorrect information. In a security context, this could lead to an agent falsely declaring a system clean, recommending faulty remediation steps, or misunderstanding an alert, which could be exploited by an adversary.

Adversarial Manipulation

• Attackers can attempt to deceive an AI agent through indirect prompt injection. They may craft malicious data, such as a log entry or an email, in a way that tricks the AI into ignoring a real threat or providing false information.

Over-reliance and Loss of Skill

• If human analysts begin to blindly trust the AI's output without verification, they may lose their own critical thinking and investigative skills. This overfitting to the AI's recommendations can lead to a team missing subtle clues or errors that the AI itself has overlooked.

Increased Risk with Automation

• While automation can speed up response times, it also means that any errors or vulnerabilities in the AI system can be exploited at a much faster rate and greater scale. A single flaw in an autonomous agent could lead to widespread disruption if not carefully managed and monitored by human experts.

Last updated: September 20,2025

Download version: Google doc