
AI in Cyber Security Detection and Response Part 2/2 - AI's Role in SOC Detection

Posted by: Admin
24 Apr
Reading time: 4 minutes

25.04.2025

By: Dori Fisher




Threat intelligence

Threat intelligence is the process of identifying and analyzing cyber threats to produce strategic, tactical, and operational actions and insights.

Strategic threat intelligence can foresee a trend that may affect company strategy, while tactical or operational intelligence may be integrated into security systems to block or detect adversaries.

According to large intelligence vendors, AI is already playing a key role in threat intelligence. Some of the predominant use cases are:

  • Summarizing collected data into human readable insights

  • Guiding security teams on mitigations and next steps

  • Ranking and scoring files and threats based on AI models

  • Identifying and understanding code functions

  • Translating and normalizing data

  • Extracting entities from data collected


While some of these applications are behind the scenes for SOC teams, others are directly visible when threat intelligence platforms deliver their outputs.


Alert management

For this article we will define alert management as the deduplication, suppression and aggregation of multiple alerts or logs into an incident, which reduces SOC alert fatigue because analysts deal with fewer incidents.

Aggregation: summarizing hundreds or thousands of alerts into a single incident doesn’t necessarily require ML, as the attributes for aggregation already exist in the logs and the decision to include multiple alerts in an incident can be based on one or (usually) more attributes.

ML and AI assist in generating additional attributes and relationships that are not part of the original event or alert, allowing for potentially more effective aggregation.

Deduplication: although various vendors claim to offer AI-based deduplication, the reality is more complicated. A simplified example:

During a 10-minute period, different alerts are triggered from the same IP address. If the IP belongs to a single machine, it makes sense to deduplicate and/or aggregate these alerts into a single incident. However, if the IP address belongs to a firewall in a segmented environment (so that many hosts appear behind it), the alerts should not be deduplicated, as they may well be different, unrelated incidents.

Similarly, alerts for a device on the guest Wi-Fi network connecting to a malicious destination should not be deduplicated or aggregated with alerts for corporate assets on the internal network accessing the same malicious destination. The latter may indicate corporate compromise; the former usually does not.

Suppression is similar and should be managed carefully so that it reduces analyst load without hiding real incidents. To suppress effectively, the system must accurately identify which attributes justify suppression. Deciding that a common process (like a browser) and a common destination (like a proxy) are, on their own, grounds for suppressing an alert may result in missing important alerts.
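The firewall-IP and guest Wi-Fi cases above can be checked mechanically. The following Python is an added example, not code from the article or from any vendor product: it compares a naive deduplication key (source IP only) with a key that consults an asset inventory before merging anything. The inventory, the alert records, their field names and the ten-minute window are constructed assumptions.

```python
"""Context-aware deduplication and aggregation of SOC alerts.

Added example, not code from the original article. The asset inventory, alert
records and field names are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed asset inventory: which kind of device owns each source IP.
# A firewall/NAT address fronts many hosts; the guest Wi-Fi segment is not a
# corporate asset and must not be merged with one.
ASSETS = {
    "10.0.1.15":   {"kind": "workstation", "segment": "corporate"},
    "10.0.1.16":   {"kind": "workstation", "segment": "corporate"},
    "10.0.254.1":  {"kind": "firewall",    "segment": "dmz"},        # NAT egress for a segment
    "172.16.9.40": {"kind": "workstation", "segment": "guest_wifi"},
}

# Constructed alerts, all raised within ten minutes for the same destination.
ALERTS = [
    {"ts": "2025-04-25T10:00:05", "src_ip": "10.0.1.15",   "user": "alice", "rule": "c2_beacon", "dst": "evil.example"},
    {"ts": "2025-04-25T10:02:10", "src_ip": "10.0.1.15",   "user": "alice", "rule": "c2_beacon", "dst": "evil.example"},
    {"ts": "2025-04-25T10:03:30", "src_ip": "10.0.254.1",  "user": "bob",   "rule": "c2_beacon", "dst": "evil.example"},
    {"ts": "2025-04-25T10:04:00", "src_ip": "10.0.254.1",  "user": "carol", "rule": "c2_beacon", "dst": "evil.example"},
    {"ts": "2025-04-25T10:06:45", "src_ip": "172.16.9.40", "user": "",      "rule": "c2_beacon", "dst": "evil.example"},
    {"ts": "2025-04-25T10:07:15", "src_ip": "10.0.1.16",   "user": "dave",  "rule": "c2_beacon", "dst": "evil.example"},
]


def naive_key(alert):
    """Dedup on source IP alone: the two firewall alerts collapse into one
    incident even though they came from different hosts behind the NAT."""
    return (alert["src_ip"], alert["rule"], alert["dst"])


def context_key(alert):
    """Dedup key that consults the asset inventory before merging anything.

    - single-host IP: collapse on the host
    - firewall/NAT IP: the address is shared, so key on the user instead, or
      keep the alert on its own when no user is attributed
    - the segment is always part of the key, so a guest Wi-Fi device is never
      merged with an internal asset reaching the same destination
    """
    asset = ASSETS.get(alert["src_ip"], {"kind": "unknown", "segment": "unknown"})
    if asset["kind"] == "firewall":
        who = alert["user"] or f"unattributed@{alert['ts']}"
        return ("nat", who, alert["rule"], alert["dst"], asset["segment"])
    return ("host", alert["src_ip"], alert["rule"], alert["dst"], asset["segment"])


def aggregate(alerts, key_fn, window=timedelta(minutes=10)):
    """Group alerts that share a key and fall inside `window` into incidents."""
    open_incidents = {}      # key -> the incident currently collecting alerts
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        k = key_fn(a)
        ts = datetime.fromisoformat(a["ts"])
        inc = open_incidents.get(k)
        if inc is None or ts - datetime.fromisoformat(inc[-1]["ts"]) > window:
            inc = []
            incidents.append(inc)
            open_incidents[k] = inc
        inc.append(a)
    return incidents


def summarize(incidents):
    """(source IPs, users, alert count) per incident, for side-by-side comparison."""
    return [
        (sorted({a["src_ip"] for a in inc}), sorted({a["user"] for a in inc if a["user"]}), len(inc))
        for inc in incidents
    ]


if __name__ == "__main__":
    print("naive  :", summarize(aggregate(ALERTS, naive_key)))
    print("context:", summarize(aggregate(ALERTS, context_key)))
```

The naive key yields four incidents and silently merges bob's and carol's traffic because both left through the firewall address; the context-aware key yields five, keeps the two NAT users apart, and never mixes the guest segment with corporate hosts. The point is not the specific key but that the attribute an ML model picks for deduplication has to be validated against what the source address actually represents.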


False positive reduction

The most common way to reduce false positives is increasing incident confidence, and one of the most common ways to boost confidence is through correlation. In a SOC, correlation usually means not creating an incident (or a ticket) until several alerts with a common attribute (usually hostname or IP) are triggered in a certain timeframe, adding to the incident fidelity.

What is less often discussed is the cost of correlation. Alerts that never reach the threshold are, by construction, not surfaced to the SOC, so the SOC is either unaware of them or does not act on them. Those alerts may be exactly the ones that matter in a "low and slow" attack, where an adversary deliberately stays below the correlation threshold.

The decision of what to correlate has, in many cases, shifted to software vendors. Modern SIEM alerting is no longer based only on the operator's decisions and the content the operator created; ML models and vendor-created content trigger incidents as well.

One important decision vendors make is how to reduce false positives. Using ML, a vendor can profile assets and behaviors under the assumption that if "everyone" does something, it is probably acceptable. Excessive alerts are analyzed, and attribute-based analysis can raise incident confidence. For example, if 10% of assets are accessing a low-reputation website but only one of them is doing so with a rarely seen process and uploading data, the SIEM may automatically exclude the common processes from incident creation and focus on the single suspicious one. Reaching the same conclusion manually is possible but cumbersome, and it usually happens only after a human analyst's investigation; letting AI/ML exclude the legitimate processes up front reduces both analyst effort and false positives. As standard practice, incidents are then triaged or investigated, and based on the outcome and the analyst's insights, exclusions and whitelisting are applied, further reducing future false positives.

One caveat follows directly from the "everyone does it" assumption: a prevalence model learns whatever the current population looks like, so behavior that is already widespread when the baseline is built (malware that has spread to many hosts, a misconfiguration every host shares) is treated as normal rather than flagged.
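To make the threshold trade-off and the prevalence logic concrete, here is an added Python example; it is not the article's code nor any SIEM vendor's. `correlate` opens an incident only when three alerts share a host within an hour and returns the below-threshold alerts instead of dropping them, which is where a low-and-slow intrusion lands; `rank_by_prevalence` reproduces the "10% of assets, one rare process uploading data" reasoning by counting how many distinct hosts use each process. All alerts, hostnames, process names, byte counts and thresholds are constructed sample data.

```python
"""Correlation thresholds and prevalence-based false-positive reduction.

Added example, not code from the original article. Alert records, hostnames,
process names and the thresholds are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def correlate(alerts, threshold=3, window=timedelta(hours=1), attr="host"):
    """Classic SOC correlation: open an incident only when at least `threshold`
    alerts share `attr` inside `window`. Everything below the threshold is
    returned separately so it is not silently lost."""
    by_attr = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x["ts"]):
        by_attr[a[attr]].append(a)
    incidents, below_threshold = [], []
    for key, items in by_attr.items():
        i = 0
        while i < len(items):
            start = datetime.fromisoformat(items[i]["ts"])
            j = i
            while j < len(items) and datetime.fromisoformat(items[j]["ts"]) - start <= window:
                j += 1
            group = items[i:j]          # alerts for this key inside one window
            if len(group) >= threshold:
                incidents.append({"key": key, "alerts": group})
            else:
                below_threshold.extend(group)
            i = j
    return incidents, below_threshold


# Constructed alerts: ws-01 is noisy within 20 minutes, ws-07 is "low and slow"
# (one alert per day for four days, never three inside an hour).
ALERTS = [
    {"ts": "2025-04-21T09:00:00", "host": "ws-01", "rule": "suspicious_powershell"},
    {"ts": "2025-04-21T09:05:00", "host": "ws-01", "rule": "new_scheduled_task"},
    {"ts": "2025-04-21T09:18:00", "host": "ws-01", "rule": "lsass_access"},
    {"ts": "2025-04-21T02:10:00", "host": "ws-07", "rule": "suspicious_powershell"},
    {"ts": "2025-04-22T02:12:00", "host": "ws-07", "rule": "new_scheduled_task"},
    {"ts": "2025-04-23T02:11:00", "host": "ws-07", "rule": "lsass_access"},
    {"ts": "2025-04-24T02:09:00", "host": "ws-07", "rule": "large_outbound_transfer"},
]


def rank_by_prevalence(events, rare_fraction=0.2, upload_bytes=1_000_000):
    """Vendor-style attribute analysis: for hosts reaching a low-reputation
    destination, measure how many distinct hosts use each process. Processes
    seen on more than `rare_fraction` of the hosts are treated as baseline and
    excluded; a rare process, especially one that uploads data, is escalated."""
    hosts_per_process = defaultdict(set)
    for e in events:
        hosts_per_process[e["process"]].add(e["host"])
    total_hosts = len({e["host"] for e in events})
    escalated = []
    for e in events:
        prevalence = len(hosts_per_process[e["process"]]) / total_hosts
        if prevalence > rare_fraction:
            continue                      # common process: excluded from incident creation
        reasons = [f"process {e['process']} seen on {prevalence:.0%} of hosts"]
        if e["bytes_out"] >= upload_bytes:
            reasons.append(f"uploaded {e['bytes_out']} bytes")
        escalated.append({"host": e["host"], "process": e["process"], "reasons": reasons})
    return escalated


# Constructed web-proxy events: ten hosts hit the same low-reputation site, nine
# via a browser with small requests, one via an unusual binary pushing data out.
EVENTS = [
    {"host": f"ws-{n:02d}", "process": "chrome.exe", "dst": "lowrep.example", "bytes_out": 2_000}
    for n in range(1, 10)
] + [{"host": "ws-10", "process": "updater.exe", "dst": "lowrep.example", "bytes_out": 48_000_000}]


if __name__ == "__main__":
    incidents, missed = correlate(ALERTS)
    print("incidents:", [(i["key"], len(i["alerts"])) for i in incidents])
    print("below threshold (low and slow):", [(a["host"], a["ts"]) for a in missed])
    for hit in rank_by_prevalence(EVENTS):
        print("escalate", hit["host"], hit["reasons"])
```

Run as is, `correlate` produces one incident (ws-01) and leaves all four ws-07 alerts below the threshold; those alerts need a home outside the incident queue, such as a periodic hunt over below-threshold alerts per host, or the low-and-slow case is never seen. `rank_by_prevalence` escalates only ws-10, for both the rare process and the upload; `rare_fraction` is the knob that defines what "everyone does it" means and is exactly the value a vendor model picks for you.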


Forensic analysis

A single computer may contain millions of files, including images, text files, binaries, compressed files and potentially encrypted files.

Forensic analysis, like threat hunting, can be well assisted by AI: image categorization, translation, pattern recognition, anomaly detection and natural language processing are some of the relevant capabilities.

Unfortunately, SOCs have not yet leveraged the potential benefits of AI in computer forensics. Before these capabilities can affect forensic practice, they must be integrated into commercial tools and proven in court, and computer forensics, bound by the requirement that its methods and results be forensically sound, advances more slowly than the rest of cyber security.


Automation

The SOC has been advancing automation for a decade, starting with scheduled scripts and evolving into SOAR (Security Orchestration, Automation, and Response), a term coined by Gartner in 2017.

SOAR as a full-fledged, stand-alone system failed to gain widespread adoption by SOCs, as it required programming skills and cumbersome playbook creation. SOAR solutions were either absorbed into large vendors' SIEM platforms (Splunk – Phantom, Palo Alto Networks – Demisto, Google – Siemplify, Microsoft – Logic Apps) or reinvented as low-code/no-code systems that leverage ML and AI.

Next-generation SOAR lets the SOC create playbooks using natural language, supporting analysts and lowering the barrier to using automation. For BDO MDR, automation resolves 40%-60% of incidents through deduplication and automatic triage.

Future evolutions may create playbooks based on analysts’ behaviors and operational procedures. These will definitely be reliant on AI-driven language processing and pattern recognition.


Summary

AI and ML are transforming detection and response. Some changes, such as vendor-driven incident creation, are reducing SOC interaction: SIEM vendors now create the incidents, while the SOC triages and responds. Those incidents, once based only on manually created rules, are now developed by vendors using ML capabilities. Other changes, like automation, are increasing SOC interaction as the barriers to playbook creation dissolve thanks to low-code/no-code and natural language capabilities.

Since adversaries are also leveraging AI, questions remain about how much SOC detection and response has truly improved; shifting to ML/AI detection does not by itself guarantee better detection. It does, however, mean detection content and visibility beyond what a local SIEM SOC team could build on its own, as advanced ML detection is now embedded in SIEM/XDR vendor portfolios.


Did AI revolutionize the SOC? Not yet.


Will AI revolutionize the SOC? Yes — as vendors continue to improve ROI of AI within detection and response.
