
Socrates AI Analyst: Transform Case Investigations

Discover how Socrates, Torq's AI SOC analyst, accelerates investigations, offers insights, and streamlines case-management processes.

Updated this week

Socrates is an autonomous AI SOC analyst designed to transform your case investigations, serving as a powerful force multiplier. By accelerating detection and response times, Socrates significantly boosts your team's efficiency, enabling you to accomplish more in less time.

Overview

Socrates leverages case data, information from other cases in the workspace, and external resources such as MITRE and NIST frameworks to provide analysts with a complete overview of the investigation, current status, and actionable next-step suggestions.

Out of the box, Socrates can perform operational actions on a case, just like an analyst would—such as changing states and severities, reading and writing notes, adding observables, and assigning the case to others.

Additionally, Socrates is fully extensible, allowing you to customize and expand its capabilities to meet your specific needs. By creating workflows, you can equip Socrates with additional tools to execute, effectively extending its capabilities.

Socrates has a defined context window, or maximum amount of text it can process at once. When a case-specific interaction with Socrates is started, Socrates receives the full case data which is used as its baseline knowledge. If Socrates then executes a workflow, the output from the workflow’s Exit operator is ingested and added to its context.

When a workflow returns a very long output, it can overflow Socrates's context window. Configure the workflow's Exit operator so that it formats the output and returns only the data Socrates needs for the case.

These are the two ways you can utilize Socrates:

  • Chat with Socrates: Communicate with Socrates using natural language to get help with case investigations. Socrates will analyze the findings, provide relevant data, and carry out actions as directed.

  • Assign cases: Assign cases directly to Socrates. It will take on the role of the analyst, adhering to the case runbook and its associated Actionplan, providing updates on completed tasks, and seeking analyst confirmation as needed, all in line with established guidelines.

Chat with Socrates for case investigations

Whether you're dealing with a routine inquiry or a complex incident, Socrates is here to help streamline the process.

  1. Open the case: Navigate to the specific case within the cases page.

  2. Access the Socrates tab: Find the Socrates tab located next to the case timeline.

  3. Start or continue a conversation: Engage with Socrates by either initiating a new interaction to request information or recommendations for next steps, or by picking up where you left off with ongoing discussions.

  4. Execute: Direct Socrates to execute tasks based on its insights and recommendations.

Assign cases to Socrates for autonomous management

Socrates can be assigned to manage cases autonomously, following the predefined runbook and updating you on its progress.

At this stage, Socrates can be assigned to a case manually or automatically via the Start following the runbook step. Once assigned to a case, it will start executing the Actionplan generated from the runbook associated with the case.

To assign cases to Socrates manually:

  1. Select Socrates as the assignee: Within the case, choose Socrates from the assignee list. It will begin automatically executing the steps outlined in the case runbook and its associated Actionplan.

  2. Receive progress updates: Trigger an alert via System Events when Socrates starts or finishes a runbook execution.

To assign cases to Socrates automatically:

  1. Open the workflow: Navigate to Build > Workflows and select the relevant workflow.

  2. Add the Start following the runbook step: Search for the Start following the runbook step and add it to the workflow.

  3. Configure the step: Open the step's parameters and enter the relevant case's ID.

  4. Execute the step: Click Execute to run the step or publish and run the workflow to automatically assign the case to Socrates. Socrates will start executing the Actionplan generated from the runbook associated with the case.

  5. Receive progress updates: Trigger an alert via System Events when Socrates starts or finishes a runbook execution.

The Start following the runbook step will fail if the relevant case doesn’t have an associated runbook or has an invalid Actionplan.

Monitor Socrates

Every action Socrates performs is logged in the Audit Logs, recording Socrates as the actor and the instructing user as the requesting actor. Additionally, conversations are saved within the relevant case context to ensure transparency. See the guide on Socrates auditing.

Use Case Example: Investigate Suspicious User Activity with Socrates

Leverage Socrates to efficiently investigate suspicious user activity.

  1. Start a conversation with Socrates: Access the suspicious activity case and go to the Socrates tab. Ask for recommendations on how to begin the investigation.

  2. Socrates analyzes the case: Based on the runbook and its toolset (tasks it can perform), Socrates will provide insights and suggested actions.

  3. Socrates raises the case severity: In this example, Socrates retrieves user data from Okta and identifies the user as a VIP, prompting it to escalate the case severity to Critical. It then attempts to contact the user via Slack.

  4. Socrates closes the case: If the user confirms the failed MFA attempts, Socrates will seek your approval to close the case and complete any final actions.

Best practices

The following best practices will optimize the performance and efficacy of Socrates when it is assigned to cases.

  • Normalize data points ingested from third-party services by storing them as case observables or custom fields. To enhance the context for Socrates when storing data in custom fields, it is recommended to store multiple related values in separate custom fields rather than as an array of values in one custom field.

  • As a case investigation progresses, document changes and findings as notes so Socrates can use the information when assessing case data.

  • New alerts associated with existing cases should be added as events.

  • When creating workflows used as custom tools, follow the instructions to ensure Socrates can properly execute and utilize the workflows.

  • To minimize Socrates's context window, make sure the workflows used as custom tools have explicit Exit operators that return only formatted, relevant data as output.

  • When possible, build case-forward workflows that receive a case ID rather than properties from Socrates to minimize errors.

  • Since Socrates does not save the outcomes of workflows it runs, they should be documented in a case note or description so they can be referenced in subsequent runbook tasks.
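The following is an added illustration (not Torq's own code or Exit operator schema) of how a custom-tool workflow's exit step should shape third-party output before Socrates ingests it, as the context-window and custom-field guidance above describes: keep only relevant fields, put each list item in its own field, and cap the size so a long result cannot overflow the context. The input record is constructed and only loosely modelled on a directory-service user object.

```python
import json

# Constructed sample: the kind of raw identity record a third-party lookup
# might hand back to a custom-tool workflow (shape is illustrative only).
RAW_USER_RECORD = {
    "id": "user-id-placeholder",
    "status": "ACTIVE",
    "profile": {
        "login": "jdoe@example.com",
        "displayName": "Jane Doe",
        "title": "Chief Financial Officer",
        "department": "Finance",
    },
    "credentials": {"provider": {"type": "EXAMPLE"}},
    "groups": ["Finance", "Executives", "VPN-Users"],
    "_links": {"self": {"href": "https://example.invalid/users/placeholder"}},
    "lastLogin": "2024-05-01T08:12:33.000Z",
}

# Only these fields are relevant to the investigation; everything else
# (links, credential metadata) is noise that would just consume context.
RELEVANT_FIELDS = ("id", "status", "profile.login", "profile.displayName",
                   "profile.title", "profile.department", "groups", "lastLogin")

def pick(record, dotted):
    """Return the value at a dotted path, or None if any part is missing."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def format_exit_output(record, fields=RELEVANT_FIELDS, max_chars=600):
    """Build the compact payload an Exit operator should return."""
    out = {}
    for path in fields:
        value = pick(record, path)
        if value is None:
            continue
        key = path.replace(".", "_")
        if isinstance(value, list):
            # One field per item, not an array in a single field.
            for i, item in enumerate(value, start=1):
                out[f"{key}_{i}"] = item
        else:
            out[key] = value
    text = json.dumps(out, separators=(",", ":"))
    if len(text) > max_chars:
        # Cut the output rather than overflow the context, and flag the cut.
        return {"truncated": True, "output": text[:max_chars]}
    return out
```
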
