AI Agents in the SOC

  • About SOC

  • SOC Agents vs SOAR / Hyperautomation vs Manual response

  • Alert Triage and Investigation

  • Cyber Threat Intelligence (CTI) and Threat Hunting

About SOC

What is a SOC Agent?

A SOC Agent is a type of AI Agent specifically designed to enhance and automate tasks within a Security Operations Center (SOC). They can perform a wide range of functions, including threat detection and analysis, incident response, threat hunting, and security operations workflow streamlining.

How does an AI Agent integrate with and leverage existing SOC technologies?

SOC agents can leverage existing security technologies such as SIEM, CAASM, XDR, CNAPP, TIP, and SOAR both as data sources as well as action targets, by using API level integrations with those platforms. They can also directly integrate with sources like threat intelligence feeds and data providers and act directly on mitigation targets like firewalls, IDPs, and endpoints.

Can SOC Agents replace SOAR?

Because SOC agents can make decisions and support act directly on mitigation targets, they can be used to automate incident response in a comparable way to SOAR platforms. However, SOC agents can also integrate with and leverage existing SOAR platforms as well, using them as mitigation targets.

SOC Agents vs SOAR / Hyperautomation vs Manual response

SOC Agents vs SOAR / Hyperautomation vs Manual response

FeatureSOC AI AgentSOAR / HyperautomationManual Response
CostLeast expensive, scales with organization needExpensive playbook managementMost expensive
ScalabilityCan be scaled up and downCan be scaled, but often complexLimited by human resources
PlaybooksNo playbook maintenance requiredRequires playbook creation and maintenanceRelies on runbooks for consistent action
Learning & EvolutionAlways evolving and learningRequires manual updatesLimited by individual learning pace and training budget

Alert Triage and Investigation

How do AI Agents help with alert investigation and triage?

AI Agents significantly accelerates alert investigation and triage by rapidly evaluating numerous potential threat hypotheses. They leverage general security knowledge along with historical data from previous investigations - both public and private. This approach covers a broad spectrum of scenarios, enabling efficient knowledge sharing across the SOC team. Through this collaborative intelligence, an AI agent streamlines workflows, reduces response times, and ensures that team members have access to expert insights, leading to more effective and coordinated security responses.

Do AI Agents explain their findings?

An AI Agent offers a concise executive summary of its investigations and triage processes. This summary validates the agent’s actions, outlines each step taken, highlights key findings, and facilitates the timely integration of expert insights when specific business logic is required. This summary can be used as a draft of the Security Operation Notes.

Cyber Threat Intelligence (CTI) and Threat Hunting

What does an AI Agent leverage threat intelligence for?

Threat Hunting and Alert investigation are two common use cases where threat intelligence is useful. A Threat Hunter uses threat intelligence to understand the modus operandi of threat actors (in the form of their tactics, techniques, procedures, tools used, IP addresses they come from etc).

 

The Threat Hunter then searches for the Threat Actor in their environment by matching signals against that threat intelligence. An AI Agent can hunt across a company’s environment in the same way. A SOC analyst uses threat intelligence when investigating alerts, to determine if any part of the alert matches known malicious patterns, coming from threat intelligence. An AI Agent can do the same.

Where does an AI Agent acquire threat intelligence?

An AI Agent can acquire threat intelligence in multiple ways:

  • It can access machine-readable intelligence, by consuming it from a commercial threat intelligence provider via its API.
  • It can access community threat intelligence, by connecting to an ISAC or ISAO sharing portal using STIX and TAXII protocols, or by connecting to an OSINT threat intelligence provider.
  • It can subscribe to, read, and understand unstructured threat intelligence from blogs, websites, and other OSINT sources.

Can AI Agents understand the MITRE ATT&CK™ framework?

Because it is well-documented, AI Agents can be given a very thorough understanding of the MITRE ATT&CK framework. Through leveraging this understanding, an AI Agent can automatically map and classify threat intelligence to MITRE ATT&CK tactics and techniques, even if the original report does not include specific references. The agent can also leverage its awareness of kill-chain progression through ATT&CK to predict the next set of things it should look for in an incident investigation or threat hunt.

How can an AI Agent help accelerate the threat hunting process?

By leveraging a large corpus of expertly curated cybersecurity knowledge, an AI Agent can put the process of threat hunting on auto-pilot. Upon being given a new source of threat intelligence and/or attacker technique, a threat hunting agent can iteratively search across all of the data repositories it has access to in order to ascertain if this threat appears active in the environment. If indications are found, a hunting agent can then immediately move into investigation and triage, by handing any of the found artifacts over to the SOC agent.