Security Operations Centers (SOCs) are under immense pressure to ensure no attack goes unnoticed. At Corelight, we are approached daily by teams that want to bring in network visibility. For many, though, visibility isn't enough: SOCs are already overloaded, and Tier 1 analysts often lack network expertise. Modern network visibility has to be easy to use and designed to maximize SOC efficiency. That is why we built Guided Triage.
Guided Triage brings context, visuals, and AI to every alert. With rich context pre-queried and pulled into the Detection, analysts can react to the data instead of searching for it. The key design principle is providing details while on the same page, avoiding issues like tab fatigue or getting lost traversing page after page during a workflow. Built on the best network data, Guided Triage simplifies network complexity for analysts by automating workflows, delivering prioritized alerts, and explaining the expert level data needed for triage, all while reducing SIEM ingest.
Last year, we introduced AI to help explain alerts, to suggest next steps, and to let analysts ask questions about an alert. Guided Triage takes ease of use to the next level, combining AI with purpose-built page design to pull in data, simplify it, and visualize it.
We understand that having all the logs and payloads isn't enough when the analyst isn't a network expert, so we used LLMs to turn traffic logs and payloads into plain English. When we started building these LLM features, we started with privacy: the features are opt-in, and we use multiple tactics to ensure private data stays secure. One advantage of having been early to add LLMs to our products is rapid learning and iteration. For example, with our newest LLM features we've put in the extra effort to avoid lengthy paragraphs and taken on the harder task of turning LLM summaries into key fields and highlights that can be scanned in seconds.
Other things are better painted in a picture. Features like our new timeline visual make it effortless to inspect the detected machines for other malicious behavior. Upon looking at a detection, one of the first questions an analyst has is, “what are the machines that are communicating and what are they communicating about?” The timeline visual tells that story, making it easy to see attacks unfolding.
To truly improve SOC metrics like time to detect (TTD) and time to respond (TTR), you have to make both the L1 and the L2-3 analysts faster. That's a challenge for any designer, because what those two groups of users need to see differs. This is where information architecture comes into play.
Guided Triage pulls out the most important network context from the raw data, making it quick and easy to scan the page for ports, protocols, user agents, data transfer rates, and other key details. Built on the power of Zeek, Guided Triage can highlight key details other tools can’t.
Importantly, for the L2-3 analyst, the raw data is always just a click away. Analysts get tab fatigue, and when the problem isn't too many tabs, it's getting lost down an investigation rabbit hole and having to click back five times. Guided Triage places emphasis on the single-screen workflow. Delivering on such a page required designing new components and a lot of customer research. The result is the ability to view everything, from a related Detection to a raw log, without leaving the page. In early testing, this has drawn "wows" from expert users who can now do in seconds what previously took minutes.
Every alert follows one of two paths: Either the alert is a real threat and follows an IR workflow, or it’s a false positive, in which case the analyst moves into making a decision to tune or keep getting similar alerts. To optimize for SOC efficiency, a Detection actually has to be designed equally for both true positive and false positive workflows.
For example, an analyst may investigate a remote desktop alert and find it was a user from IT. They may choose to mark it as such, leave a comment, and keep the rule enabled to catch future suspicious remote desktop sessions. With triage history shown as part of every Detection, the next time this alert fires on the same host, all prior investigation verdicts, notes, and other details will come up, making it easier to discover context and compare if the new activity matches the old. If the alert keeps happening, it will be easier to see the history and eventually tune the rule to avoid the false positives.
When SOC efficiency is the goal, it's important to recognize that false positives are a part of SOC life, and that efficiency means working the FP scenario as quickly as the TP scenario.
When you study analyst workflows, you find that seconds add up. Leaving a page has a focus cost. Loading a new page has a waiting cost. Analysts know those costs, and it shapes how often they click to learn more. In a world where no one likes waiting for a spinner, quick information can change the game.
That's why Guided Triage includes hover cards. Hover over any IP, anywhere on the screen, and a hover card shows which Detections are active on it, whether it is internal or external, its first and last seen dates, and quick buttons to pivot into a deeper investigation of that IP. Like all Guided Triage features, these investigation pivots pop up right in the Detection to keep learning curves short and SOCs fast.
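To make the kind of context described above concrete (the scan-able key fields from raw Zeek records, the timeline of which machines talked to which, and the per-IP first/last seen and internal/external summary a hover card shows), here is an added, self-contained example. It is illustrative code written for this post, not Corelight's or Zeek's own implementation. It assumes Zeek logs exported as JSON, one record per line, with the standard `id.orig_h`/`id.resp_h`/`id.resp_p` field names and a `_path` field naming the log stream; the log lines themselves are constructed for the example, and "internal" is approximated by the RFC 1918 ranges, which a real deployment would replace with its own network definitions.

```python
"""Triage-context extraction from Zeek JSON logs (illustrative example, not product code)."""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample: three conn.log records and one http.log record sharing a uid with conn C2.
SAMPLE_LOGS = """
{"_path":"conn","ts":1700000000.0,"uid":"C1","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","service":"ssl","duration":12.5,"orig_bytes":1200,"resp_bytes":54000}
{"_path":"http","ts":1700000010.0,"uid":"C2","id.orig_h":"10.0.0.5","id.orig_p":51300,"id.resp_h":"198.51.100.7","id.resp_p":80,"method":"GET","host":"example.test","uri":"/update.bin","user_agent":"curl/8.4.0"}
{"_path":"conn","ts":1700000010.0,"uid":"C2","id.orig_h":"10.0.0.5","id.orig_p":51300,"id.resp_h":"198.51.100.7","id.resp_p":80,"proto":"tcp","service":"http","duration":3.0,"orig_bytes":300,"resp_bytes":3000000}
{"_path":"conn","ts":1700000100.0,"uid":"C3","id.orig_h":"10.0.0.5","id.orig_p":51400,"id.resp_h":"10.0.0.20","id.resp_p":3389,"proto":"tcp","service":"-","duration":600.0,"orig_bytes":50000,"resp_bytes":800000}
""".strip()

# Assumption: RFC 1918 space counts as "internal". Replace with your real site definitions.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_logs(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def key_fields(conn):
    """Reduce one conn record to the highlights an analyst scans for."""
    total = (conn.get("orig_bytes") or 0) + (conn.get("resp_bytes") or 0)
    duration = conn.get("duration") or 0.0
    rate = total / duration if duration > 0 else 0.0  # bytes per second over the connection
    return {
        "uid": conn["uid"],
        "src": conn["id.orig_h"], "dst": conn["id.resp_h"], "dst_port": conn["id.resp_p"],
        "proto": conn["proto"], "service": conn.get("service", "-"),
        "bytes_out": conn.get("orig_bytes", 0), "bytes_in": conn.get("resp_bytes", 0),
        "rate_bps": round(rate, 1),
    }


def build_context(records):
    """Key fields per connection, joined to the HTTP user agent via the shared Zeek uid."""
    conns = [key_fields(r) for r in records if r["_path"] == "conn"]
    user_agents = {r["uid"]: r.get("user_agent") for r in records if r["_path"] == "http"}
    for c in conns:
        c["user_agent"] = user_agents.get(c["uid"])  # None when no http.log record exists
    return conns


def hover_card(records, ip):
    """Per-IP summary: internal/external, first and last seen, ports it served, connection count."""
    seen = [r for r in records if ip in (r["id.orig_h"], r["id.resp_h"])]
    if not seen:
        return None
    conns = [r for r in seen if r["_path"] == "conn"]
    return {
        "ip": ip,
        "internal": is_internal(ip),
        "first_seen": min(r["ts"] for r in seen),
        "last_seen": max(r["ts"] for r in seen),
        "dst_ports": sorted({r["id.resp_p"] for r in conns if r["id.resp_h"] == ip}),
        "connections": len({r["uid"] for r in conns}),
    }


def timeline(records):
    """Chronological (time, src, dst, dst_port, service) tuples, one per connection."""
    conns = sorted((r for r in records if r["_path"] == "conn"), key=lambda r: r["ts"])
    return [
        (datetime.fromtimestamp(r["ts"], tz=timezone.utc).strftime("%H:%M:%S"),
         r["id.orig_h"], r["id.resp_h"], r["id.resp_p"], r.get("service", "-"))
        for r in conns
    ]


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for c in build_context(recs):
        print(c)
    print(hover_card(recs, "10.0.0.5"))
    for entry in timeline(recs):
        print(entry)
```

Run as a script, the output is the three reduced connection records (the second carrying the `curl/8.4.0` user agent and a large inbound transfer at roughly 1 MB/s), a hover-card summary for 10.0.0.5 marking it internal with first and last seen timestamps, and a three-line timeline ending with the internal-to-internal connection on port 3389, which is the kind of remote desktop activity the triage-history discussion above refers to.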
With the launch of Guided Triage, Corelight Investigator is not just keeping pace with industry standards but setting new ones. By focusing on ease of use and efficiency, we're empowering SOC analysts to operate with greater speed and accuracy, ultimately strengthening an organization's security posture.