Socrates AI Analyst: Transforming Case Investigations

Discover how Socrates, Torq's AI SOC analyst, accelerates investigations, offers insights, and streamlines case management processes.

Updated over 3 months ago

Socrates is an autonomous AI SOC analyst that acts as a force multiplier for case investigations: it accelerates detection and response so your team can work through more cases in less time.

Socrates leverages case data, information from other cases in the workspace, and external resources such as MITRE and NIST frameworks to provide analysts with a complete overview of the investigation, current status, and actionable next-step suggestions.

Out of the box, Socrates can perform operational actions on a case, just like an analyst would—such as changing states and severities, reading and writing notes, adding observables, assigning the case to others, and more.

Socrates is also extensible. By creating workflows, you can give Socrates additional tools to execute, tailoring its capabilities to your environment. Because Socrates can invoke these tools on its own, scope each workflow to the minimum access the task needs.

There are two ways to work with Socrates:

  • Chat with Socrates: Communicate with Socrates using natural language to get help with case investigations. Socrates will analyze the findings, provide relevant data, and carry out actions as directed.

  • Assign Cases: Assign cases directly to Socrates. It will take on the role of the analyst, adhering to the case runbook, providing updates on completed tasks, and seeking analyst confirmation as needed, all in line with established guidelines.

Chat with Socrates for Case Investigations

Whether you're dealing with a routine inquiry or a complex incident, Socrates is here to help streamline the process.

  1. Open the Case: Navigate to the specific case within the Cases page.

  2. Access the Socrates Tab: Find the Socrates tab located next to the case timeline.

  3. Start or Continue a Conversation: Engage with Socrates by either initiating a new interaction to request information or recommendations for next steps, or by picking up where you left off with ongoing discussions.

  4. Take Action: Direct Socrates to execute actions based on its insights and recommendations.

Assigning Cases to Socrates for Autonomous Management

Socrates can be assigned to manage cases autonomously, following the predefined runbook and updating you on its progress.

At this stage, Socrates can only be assigned manually from within the case; it cannot be set as the assignee automatically by workflow steps or via the API.

  1. Select Socrates as the Assignee: Within the case, choose Socrates from the assignee list. It will begin executing the steps outlined in the case runbook automatically.

  2. Receive Progress Updates: Socrates will update you on completed tasks and notify you of any failures or issues that require your intervention.

  3. Approve Actions When Needed: Socrates will request your approval for actions as required by the runbook and your settings, ensuring that critical decisions are made with human oversight.

Monitoring Socrates

Every action Socrates performs is logged in the audit log, recording Socrates as the actor and the instructing user as the requesting actor. Additionally, conversations are saved within the relevant case context to ensure transparency. More information is available here.
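The two properties described above, that every Socrates action carries a requesting actor and that critical decisions have a recorded human approval, are worth checking on an exported audit trail rather than assumed. The following Python is an added example, not Torq's code and not Torq's audit-log format: the record fields (`case_id`, `action`, `actor`, `requesting_actor`, `approved_by`), the `HIGH_IMPACT_ACTIONS` set and the sample entries are assumptions constructed for illustration.

```python
"""Review an exported case audit trail for actions taken by an AI analyst.

Assumed record schema (constructed for this example, not Torq's real format):
    case_id, action, actor, requesting_actor, approved_by
"""
from collections import defaultdict

AI_ANALYST = "Socrates"

# Assumption: actions that should not take effect without a human approval on record.
HIGH_IMPACT_ACTIONS = {"close_case", "set_severity", "assign_case"}

# Constructed sample entries; not a real export.
SAMPLE_AUDIT_LOG = [
    {"case_id": "C-101", "action": "add_note", "actor": "Socrates",
     "requesting_actor": "alice@example.com", "approved_by": None},
    {"case_id": "C-101", "action": "set_severity", "actor": "Socrates",
     "requesting_actor": "alice@example.com", "approved_by": "alice@example.com"},
    {"case_id": "C-101", "action": "close_case", "actor": "Socrates",
     "requesting_actor": "alice@example.com", "approved_by": None},
    {"case_id": "C-102", "action": "add_observable", "actor": "Socrates",
     "requesting_actor": None, "approved_by": None},
    {"case_id": "C-102", "action": "set_severity", "actor": "bob@example.com",
     "requesting_actor": None, "approved_by": None},
]


def find_findings(entries):
    """Return (case_id, entry_index, reason) for each AI-analyst action that
    lacks a requesting actor, or is high-impact and lacks a recorded approval."""
    findings = []
    for idx, entry in enumerate(entries):
        if entry["actor"] != AI_ANALYST:
            continue  # human actions are out of scope for this check
        if not entry.get("requesting_actor"):
            findings.append((entry["case_id"], idx, "no requesting actor recorded"))
        if entry["action"] in HIGH_IMPACT_ACTIONS and not entry.get("approved_by"):
            findings.append((entry["case_id"], idx,
                             f"high-impact action {entry['action']} without recorded approval"))
    return findings


def summarize_by_case(entries):
    """Count AI-analyst versus human actions per case, to spot cases the
    AI analyst worked with no human action at all."""
    summary = defaultdict(lambda: {"ai_actions": 0, "human_actions": 0})
    for entry in entries:
        key = "ai_actions" if entry["actor"] == AI_ANALYST else "human_actions"
        summary[entry["case_id"]][key] += 1
    return dict(summary)


if __name__ == "__main__":
    for case_id, idx, reason in find_findings(SAMPLE_AUDIT_LOG):
        print(f"{case_id} entry {idx}: {reason}")
    for case_id, counts in summarize_by_case(SAMPLE_AUDIT_LOG).items():
        print(f"{case_id}: {counts}")
```

On the constructed sample this flags the unapproved close of C-101 and the observable added to C-102 with no requesting actor; adapt the field names and the high-impact action set to whatever your actual export and runbook use.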

Use Case Example: Investigating Suspicious User Activity with Socrates

Leverage Socrates to efficiently investigate suspicious user activity.

  1. Start a Conversation with Socrates: Access the suspicious activity case and go to the Socrates tab. Ask for recommendations on how to begin the investigation.

  2. Socrates Analyzes the Case: Based on the runbook and its toolset (actions it can perform), Socrates will provide insights and suggested actions.

  3. Socrates Raises the Case Severity: In this example, Socrates retrieves user data from Okta and identifies the user as a VIP, prompting it to escalate the case severity to Critical. It then attempts to contact the user via Slack.

  4. Socrates Closes the Case: If the user confirms the failed MFA attempts, Socrates will seek your approval to close the case and complete any final actions.
