AI in SOC: Capabilities and Applications

15/04/2025

AI in SOC

By Konstantin Karasev, Lead Cybersecurity Architect


The effectiveness of a cybersecurity center is determined by many factors, the main ones being:

  1. The presence of well-developed and formalized processes, covering everything from threat detection to post-incident analysis.

  2. The availability of tools that enable the implementation of these processes.

    This includes a combination of systems, utilities, and other solutions designed to perform their assigned tasks with minimal failure probability.

  3. The high competence of analysts.

    A lack of expertise among employees can directly impact threat response outcomes, which may negate all efforts described in points 1 and 2 and lead to unacceptable consequences for the organization.

This approach aligns with the PPT (People, Process, Technology) framework. In this context, AI serves as a technology that helps develop, maintain, monitor the efficiency of, and improve processes, thereby optimizing cybersecurity costs. The launch of OpenAI's ChatGPT in 2020 set a major trend, triggering a boom in AI development worldwide. The accessibility of such technologies not only to cybersecurity professionals but also to malicious actors has lowered the entry threshold into cybercrime. Given this trend, the cybersecurity market has faced increasing demand for AI-powered solutions that reduce workload and, in the longer term, cybersecurity costs. In response, software and hardware vendors are striving to meet this demand by introducing AI-driven applications, even in cases where AI is not strictly necessary.

Where can AI be used in SOC?

Because a SOAR platform can host custom connectors and playbooks, practically any process can be wired into it. The key areas where AI can be applied are listed below:

  1. Data transformation into any format and structure.

    Parsing messages using AI enables human-generated text to be converted into a structured format understandable by any system, such as JSON, XML, XLS, and others.

    Consider a scenario where a SOC operator requests information via email and receives a response as plain text. Previously, this text had to be read and then manually entered into the corresponding request form fields. AI can now automate this process, converting responses into structured data that can be parsed into separate fields or, for example, generating an XML file for seamless system integration. This approach eliminates the need for complex programming, relying instead on predefined text instructions.

    Similarly, AI can perform the reverse transformation: extracting only specific sections or logical conclusions from system responses when regular expressions are insufficient. Such data can then be parsed and stored in the required format, and all of this works without custom code.
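    Whatever the model returns still has to be treated as untrusted input before it is pushed into a ticket or XML file, because a model can wrap its answer in markdown, invent keys, or return prose instead of JSON. The following added example (not code from the article or from any SOAR product) shows the prompt-and-validate pattern for the email scenario above; the schema, the sample email and the model reply are constructed, and the model call is injected as a callable so the snippet runs offline.

```python
import json
import re

# Schema of the structured request the ticketing system expects (constructed for this example).
SCHEMA = {"hostname": str, "owner": str, "os": str, "patched": bool}
ALLOWED_OS = {"windows", "linux", "macos"}


def build_prompt(email_text: str) -> str:
    """Text instruction sent to the model: answer with one JSON object holding exactly these keys."""
    return (
        "Extract the fields " + ", ".join(SCHEMA)
        + " from the message below and reply with a single JSON object and no prose.\n\n"
        + email_text
    )


def parse_model_reply(reply: str) -> dict:
    """Validate the model's answer before any downstream system trusts it.

    Handles the usual failure modes: markdown fences around the JSON, invalid JSON,
    a non-object, missing or extra keys, wrong field types and unexpected enum values.
    """
    body = reply.strip()
    fence = re.match(r"^```(?:json)?\s*(.*?)\s*```$", body, re.S)
    if fence:
        body = fence.group(1)
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"model did not return JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object")
    missing, extra = set(SCHEMA) - set(data), set(data) - set(SCHEMA)
    if missing or extra:
        raise ValueError(f"missing keys {sorted(missing)}, unexpected keys {sorted(extra)}")
    for key, typ in SCHEMA.items():
        if not isinstance(data[key], typ):
            raise ValueError(f"field {key!r} must be of type {typ.__name__}")
    data["os"] = data["os"].lower()
    if data["os"] not in ALLOWED_OS:
        raise ValueError(f"unsupported os value {data['os']!r}")
    return data


def structure_email(email_text: str, ask_model) -> dict:
    """ask_model(prompt) -> reply text; injected so the pipeline can be run without a live model."""
    return parse_model_reply(ask_model(build_prompt(email_text)))


# Constructed sample: the asset owner's free-text reply and a plausible fenced model answer.
SAMPLE_EMAIL = "Hi, the box is srv-db-01, I'm the owner, it runs Linux and was patched last week."
SAMPLE_REPLY = '```json\n{"hostname": "srv-db-01", "owner": "J. Doe", "os": "Linux", "patched": true}\n```'

if __name__ == "__main__":
    print(structure_email(SAMPLE_EMAIL, lambda _prompt: SAMPLE_REPLY))
```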

  2. AI as an incident response assistant.

    Fully automating a cybersecurity center with AI is an ambitious goal. AI does not inherently understand process specifics, infrastructure details, or interaction methods, making adaptation a time-consuming task. While AI must follow and execute instructions, these instructions must first exist as structured processes. Although achievable, automation and its testing require significant preparation time.

    However, AI can provide valuable assistance both in the process creation phase and throughout its implementation.

    There are several levels of AI involvement in SOC operations:

  • Beginner mode – AI operates in a hint-based mode.

  • Advanced mode – AI "observes" the operator's actions and can correct them when necessary.

  • Expert mode – AI remains mostly silent but intervenes when operator actions require correction.

    For effective incident response, two key components are required:

  • Response scenarios tailored to business specifics, IT infrastructure, interaction mechanisms, and other nuances.

  • A database of best practices for incident response.

    How does it work?

    During incident handling, the AI assistant continuously receives and analyzes incident data, including:

  • Contextual analysis of the incident;

  • Data from analytics and enrichment sources;

  • Changes in fields (history tracking);

  • Playbook execution monitoring.

    Based on this analysis, the assistant evaluates whether the operator needs to be notified of necessary action adjustments. This communication takes place within an incident chat.
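    The decision "does the operator need to hear about this?" is where the three involvement levels meet the best-practice base. The added example below (constructed for this article, not the author's or any vendor's code) runs a small set of checks over the four kinds of incident data listed above and filters the findings by mode: beginner mode surfaces every hint, expert mode only the corrections that matter; the incident, its fields and the check rules are all constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Minimum importance a finding needs before it is posted to the incident chat in each mode.
MIN_IMPORTANCE = {"beginner": 0, "advanced": 1, "expert": 2}


@dataclass
class Incident:
    severity: str
    fields: dict                                    # current incident form fields
    history: list = field(default_factory=list)     # (field, old_value, new_value) change log
    playbook: dict = field(default_factory=dict)    # step -> "done" | "skipped" | "pending"
    enrichment: dict = field(default_factory=dict)  # source -> verdict


def evaluate(incident: Incident) -> list[tuple[int, str]]:
    """Best-practice checks over the data the assistant receives; returns (importance, message)."""
    findings = []
    # Contextual analysis: a high-severity incident must have an owner.
    if incident.severity == "high" and not incident.fields.get("assignee"):
        findings.append((2, "high-severity incident has no assignee"))
    # Enrichment: a malicious threat-intel verdict contradicts a false-positive classification.
    if incident.enrichment.get("ti") == "malicious" and incident.fields.get("classification") == "false_positive":
        findings.append((2, "threat intel says malicious but incident is classified false positive"))
    # History tracking: severity lowered without a documented reason.
    for fld, old, new in incident.history:
        if fld == "severity" and old == "high" and new != "high" and not incident.fields.get("reason"):
            findings.append((1, f"severity lowered {old}->{new} with no reason recorded"))
    # Playbook monitoring: a containment step was skipped.
    if incident.playbook.get("isolate_host") == "skipped":
        findings.append((1, "containment step 'isolate_host' was skipped"))
    # Completeness of analyst-entered data.
    for required in ("summary", "affected_assets"):
        if not incident.fields.get(required):
            findings.append((0, f"field '{required}' is empty"))
    return findings


def messages_for_operator(incident: Incident, mode: str) -> list[str]:
    """What reaches the incident chat in the given mode (beginner, advanced or expert)."""
    threshold = MIN_IMPORTANCE[mode]
    return [msg for importance, msg in evaluate(incident) if importance >= threshold]


# Constructed sample incident: downgraded from high, skipped containment, contradicted by TI.
SAMPLE = Incident(
    severity="medium",
    fields={"classification": "false_positive", "summary": "phishing mail with attachment"},
    history=[("severity", "high", "medium")],
    playbook={"collect_evidence": "done", "isolate_host": "skipped"},
    enrichment={"ti": "malicious"},
)

if __name__ == "__main__":
    for mode in MIN_IMPORTANCE:
        print(mode, messages_for_operator(SAMPLE, mode))
```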

  3. Reporting.

    One of the most critical components of any SOAR system is reporting. AI can now generate reports on any incident in multiple formats, strictly based on the recorded facts, and draw conclusions from them. AI-powered reporting allows the information to be tailored to different management levels, so that each group receives what is most relevant to it.

    Additionally, AI can track anomalies, detect violations during investigations, assess the completeness of data entered by analysts, and provide recommendations.