At Dropzone AI, we’re always looking for ways to make our AI SOC analyst more of a helpful and trusted teammate for our customers. One of the new features that we’ve added to the system is insight tags, which add context for human analysts who are reviewing investigations.
Speeding Up Time to Insight
Instead of spending 25 minutes manually investigating each security alert, human analysts spend only 2 minutes or less reviewing a Dropzone AI investigation. To make those reviews as quick and easy as possible, we’re constantly thinking about how to improve the UI. You can think of it as “time to insight,” or the moment when the light bulb in your brain turns on: “Ah, I see … this is a true positive, but it’s not urgent,” for example.
Insight tags help the human analyst to quickly orient themselves when deciding which investigations to review and then when they’re looking at the investigation summary. In other words, insight tags shorten the observe and orient stages in the OODA loop.
How Insight Tags Work
This feature allows us to add additional context-specific tags to investigations, supplementing the primary conclusions without altering them. These tags provide a more detailed picture of the activity and enable our customers to tailor how they receive and prioritize alerts based on their unique needs.
Take a look at the following screenshot as an example of how this might work: In this example, there is an Microsoft Sentinel alert investigation with a “Malicious” conclusion. But because the Dropzone AI SOC analyst also observed that the account was locked due to repeated incorrect sign-in attempts, it has an “Account Lockout” tag. This helps the analyst understand that even though there was a malicious conclusion, Microsoft Sentinel locked the account and so while the incident needs to be reviewed, it’s likely already been remediated.
Other insight tags can be applied like:
- Automated Testing: Differentiating planned testing activities and simulated attacks from genuine threats.
- Blocked Attacks: Identifying when an attack was successfully blocked by existing security measures allows teams to prioritize responses appropriately.
- Potential Misconfigurations: Identifying possible issues in the environment that may not be immediately malicious but could lead to vulnerabilities if left unaddressed.
- Suspected User Travel: Identifying login activity that suggests a user may be traveling and evaluating whether this requires additional scrutiny.
Designing for Human-in-the-Loop Review
The Dropzone AI system is designed for human-in-the-loop review, where human analysts review the investigation report and approve or adjust the conclusion. We believe that AI SOC analysts should work together with existing human staff as their teammates.
Our goal is to offload all of the repetitive and routine investigation tasks from human analysts, such as: checking user permissions, querying and analyzing logs to establish normal access patterns, examining files and processes, confirming with users that they actually logged in from a particular device, and writing the investigation report—all necessary but repetitive tasks that previously could not be easily automated.
Want to see what the Dropzone AI SOC analyst can do for you? Schedule a demo—we’d love to show you!
