diff --git a/blog-cse/2025-11-21-application.md b/blog-cse/2025-11-21-application.md new file mode 100644 index 0000000000..138f1a4fda --- /dev/null +++ b/blog-cse/2025-11-21-application.md @@ -0,0 +1,36 @@ +--- +title: November 21, 2025 - Application Update +image: https://assets-www.sumologic.com/company-logos/_800x418_crop_center-center_82_none/SumoLogic_Preview_600x600.jpg?mtime=1617040082 +keywords: + - insights + - AI +hide_table_of_contents: true +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +### SOC Analyst Agent (Beta) + +We're excited to announce Sumo Logic's SOC Analyst Agent, a powerful agentic AI tool designed to improve the speed and accuracy of your Security Operations Center (SOC) team's threat investigations. + +The SOC Analyst Agent provides the following new functionality: +* AI Investigation tab in Cloud SIEM +* Insight investigation in Mobot + +#### AI Investigation tab + +A new **AI Investigation** tab in Cloud SIEM provides an AI-generated analysis of insights that accelerates investigation and troubleshooting by your SOC team. + +Insight AI Investigation tab + +#### Insight investigation in Mobot + +When you select the **Ask Mobot** button on the new **AI Investigation** tab in Cloud SIEM, the insight's AI-generated information is launched in Sumo Logic Mobot. There you can use Mobot's focused query capabilities to drill down into the insight for greater detail. + +Mobot Investigation Agent + +#### Availability + +This new functionality is available for participants in our beta program. To request access, contact your Sumo Logic account representative or Support. + +[Learn more](/docs/cse/get-started-with-cloud-siem/soc-analyst-agent). \ No newline at end of file diff --git a/docs/cse/get-started-with-cloud-siem/soc-analyst-agent.md b/docs/cse/get-started-with-cloud-siem/soc-analyst-agent.md new file mode 100644 index 0000000000..2ffd40fd24 --- /dev/null +++ b/docs/cse/get-started-with-cloud-siem/soc-analyst-agent.md @@ -0,0 +1,93 @@ +--- +id: soc-analyst-agent +title: SOC Analyst Agent +sidebar_label: SOC Analyst Agent +description: Learn how to use Sumo Logic's SOC Analyst Agent to perform investigations of Cloud SIEM insights. +--- + + + + + +

Beta

+ +import useBaseUrl from '@docusaurus/useBaseUrl'; + +Sumo Logic's SOC Analyst Agent is an agentic AI tool designed to improve the speed and accuracy of your Security Operation Center (SOC) team's threat investigations. + +The SOC Analyst Agent performs two distinct jobs that mirror an analyst’s daily responsibilities: +* **Triage**. Delivers automated verdicts on insights using evidence-backed +reasoning to determine whether the insights are malicious, suspicious, or benign. +* **Investigation**. Supports analysts with a hypothesis-driven approach to assess the scope, context, and likely impact of an event. + +The SOC Analyst Agent provides the following functionality: +* [AI Investigation tab in Cloud SIEM](#ai-investigation-tab) +* [Insight investigation in Mobot](#investigate-the-insight-in-mobot) + +## AI Investigation tab + +The **AI Investigation** tab in the details page of a Cloud SIEM insight is an artificial intelligence-generated analysis of the insight. + +1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Cloud SIEM > Insights**. You can also click **Go To...** at the top of the screen and select **Insights**. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main menu select **Cloud SIEM** and then click **Insights** at the top of the screen. +1. On the insights list page, select an insight. +1. The **AI Investigation** tab shows results of AI analysis:
Insight AI Investigation tab + 1. **Severity Verdict**. Details about the insight's severity analysis: + * **Current Severity**. The severity of the insight as set by the cumulative activity score for the insight. For more information, see [About insight severity](/docs/cse/get-started-with-cloud-siem/insight-generation-process/#about-insight-severity). + * **Global Confidence Score**. A level of confidence that the insight is actionable, predicted by Sumo Logic’s Global Intelligence machine learning model. See [What is a Global Confidence score?](/docs/cse/records-signals-entities-insights/global-intelligence-security-insights/#what-is-a-global-confidence-score). + * **AI Verdict**. The AI system's qualitative assessment of the insight. Following are the available verdicts: + * **Benign**. AI analysis determined that the insight is harmless and is not a candidate for elevation to SOC team investigation. + * **Inconclusive**. AI analysis could not determine whether the insight needs to be investigated. + * **In Progress**. AI analysis is in process. + * **Malicious**. AI analysis determined that the insight is malicious, and warrants immediate investigation by your SOC team. + * **Suspicious**. AI analysis determined that the insight is suspicious and warrants investigation by your SOC team. + * **Recommends security level of ___**. AI analysis recommends a new severity level be assigned to this insight. If you agree with the assessment, click **Accept**. The **Current Severity** field changes to the new value. + 1. **What Happened**. A concise summary of threat incidents based on triggered signals in the insight. Content of this field is generated by Sumo Logic's Summary Agent, an agentic AI tool. The summary consolidates key details to facilitate quick understanding and response by security teams. The summary is generated when an insight is created, and is regenerated whenever the insight is modified, keeping it current with added or removed signals. + :::tip + Help us refine the tool by using the thumbs-up or thumbs-down buttons to provide feedback on the effectiveness of the summary presented. Clicking the thumbs-down button gives you the opportunity to provide additional feedback. + ::: + 1. **Key Findings**. The main points uncovered by AI analysis. Details about these findings can be found in the signals that fired for the insight. + 1. **Ask Mobot**. Click to send the AI analysis of the insight to [Sumo Logic Mobot](#investigate-the-insight-in-mobot) for further investigation. + +### Filter for AI verdicts + +In the insight list page, that the **AI Verdict** column shows the results of the AI analysis:
Insight AI Verdict column + +Click in the **Filters** area near the top of the insights page and select **AI Verdict** to search for insights based on the verdict they are assigned (Benign, Inconclusive, In Progress, Malicious, Suspicious). See [Filtering insights](/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui/#filtering-insights) for more information about filtering. + +## Investigate the insight in Mobot + +1. From the insight's details page, click **Ask Mobot** to open the AI investigation in [Sumo Logic Mobot](/docs/search/mobot/).
Ask Mobot buttons +1. Details about the AI investigation appear in Mobot. The entire context of the AI investigation is brought into Mobot so you can quickly drill down for more information about the insight.
Mobot investigation +1. In **Ask Something...**, type a question about the insight using details provided in the **What Happened** section above. For example, you could ask to see logs about the entities mentioned in the text (that is, hosts, users, IP addresses, file hashes, and so on).
Insight investigation query +1. Click **Search** Search button in Mobot. Mobot analyzes your request and fashions a query based on it. +1. Click **View Results** to see the results of your request in the logs query UI. You can also click the suggestions provided to drill down farther. As you ask questions, Mobot retains the context of your conversation about the insight, allowing you to more easily obtain detail.
Insight investigation query results + +### Start a new investigation + +To clear the context and start a new investigation, click **New Conversation** in the upper-right corner of the screen. To start investigation on another insight, navigate back to Cloud SIEM, select another insight, and click **Ask Mobot**. + +## FAQs + +### What is the Sumo Logic SOC Analyst Agent? + +The SOC Analyst Agent is part of the [Sumo Logic Dojo AI](/docs/get-started/ai-machine-learning/#whats-new-dojo-ai-for-the-soc). The SOC Analyst Agent is an assistant that applies agentic AI reasoning to triage and investigation tasks. It correlates alerts, weighs patterns against frameworks like MITRE ATT&CK, and renders evidence-backed verdicts, providing analysts an immediate sense of threat impact. When deeper analysis is required, the same agent supports hypothesis-based investigation to map relationships, connect entities, and summarize findings. + +### What are the benefits of the agent? + +Security teams spend too much time validating false positives and performing repetitive investigative steps. By embedding reasoning and context-awareness directly into Cloud SIEM, the SOC Analyst Agent eliminates noise, standardizes outcomes, and accelerates time to resolution. + +### Will the agent increase scanning or data-processing costs? + +No. The agent analyzes existing data already ingested into Cloud SIEM. It performs reasoning on metadata and contextual signals rather than initiating new scans. + +### How does the agent differ from Cloud SIEM correlation or automation rules? + +Unlike traditional correlation logic, which is static, the SOC Analyst Agent applies agentic reasoning. It adapts based on insight context, recent analyst actions, and environmental signals, producing contextual, explainable decisions rather than fixed pattern matches. + +### What data does the agent rely on to render verdicts? + +The agent draws from normalized security data (`sec_record*` indexes and signals), correlated entities, Sumo Logic’s integrated threat intelligence feeds, and enrichment data (for example, IP geolocation, user behavior, and asset details). + +### Can analysts provide feedback or correct AI verdicts? + +Yes. Analysts can override verdicts and flag feedback within the UI. These actions are logged and reviewed to refine model behavior over time as part of the Dojo AI learning loop. \ No newline at end of file diff --git a/static/img/cse/ai-investigations-tab-in-release-note.png b/static/img/cse/ai-investigations-tab-in-release-note.png new file mode 100644 index 0000000000..325868ed25 Binary files /dev/null and b/static/img/cse/ai-investigations-tab-in-release-note.png differ diff --git a/static/img/cse/ask-mobot-buttons.png b/static/img/cse/ask-mobot-buttons.png new file mode 100644 index 0000000000..2a82f91908 Binary files /dev/null and b/static/img/cse/ask-mobot-buttons.png differ diff --git a/static/img/cse/insight-agent-in-mobot.png b/static/img/cse/insight-agent-in-mobot.png new file mode 100644 index 0000000000..a0980cf851 Binary files /dev/null and b/static/img/cse/insight-agent-in-mobot.png differ diff --git a/static/img/cse/insight-ai-investigation-tab.png b/static/img/cse/insight-ai-investigation-tab.png new file mode 100644 index 0000000000..e4c4280a1c Binary files /dev/null and b/static/img/cse/insight-ai-investigation-tab.png differ diff --git a/static/img/cse/insight-ai-verdict-column.png b/static/img/cse/insight-ai-verdict-column.png new file mode 100644 index 0000000000..38481e0457 Binary files /dev/null and b/static/img/cse/insight-ai-verdict-column.png differ diff --git a/static/img/cse/investigation-agent-query.png b/static/img/cse/investigation-agent-query.png new file mode 100644 index 0000000000..efebee1faa Binary files /dev/null and b/static/img/cse/investigation-agent-query.png differ diff --git a/static/img/cse/investigation-agent-results.png b/static/img/cse/investigation-agent-results.png new file mode 100644 index 0000000000..7cc2f1e5a8 Binary files /dev/null and b/static/img/cse/investigation-agent-results.png differ diff --git a/static/img/cse/search-button-in-mobot.png b/static/img/cse/search-button-in-mobot.png new file mode 100644 index 0000000000..9822a9f91c Binary files /dev/null and b/static/img/cse/search-button-in-mobot.png differ