In today’s rapidly evolving threat landscape, Security Operations Centers (SOCs) face mounting pressure to investigate incidents faster and with higher accuracy. Analysts spend valuable time switching between tools, writing queries, and compiling inconsistent reports — often during critical response windows.
In a recent session, Sanglap Patra, Security Engineer at Nielsen, showcased an innovative prototype — an AI-powered SOC Investigation Assistant that integrates natural language processing (NLP) with popular SOC tools like Splunk, Jira, and WhatsApp. This assistant automates investigation workflows, generates hunting queries from plain English prompts, and provides intelligent context-based analysis.
The session demonstrated how AI can act as a virtual teammate for analysts — handling repetitive investigation steps, correlating logs, and producing consistent, actionable insights. For CISOs, this signals the next phase of SOC modernization: AI-augmented detection and response operations.
Key Highlights:
- How analysts can perform investigations over WhatsApp (voice/text) with instant Splunk results.
- Using Gemini AI to interpret logs and provide contextual analysis.
- Business value of bridging SIEM with everyday communication apps for faster SOC operations.
About the Speaker:
Sanglap Patra is a Security Engineer currently working at Nielsen, with prior experience at Toyota and Lumi. With a background spanning incident response, red teaming, digital forensics, and security engineering, he is now focused on applying AI and automation to simplify SOC workflows and improve incident handling speed and quality.
His hands-on demonstration reflected not just technical depth but a vision for how SOCs can evolve from manual analysis to context-aware, AI-driven operations.
Executive Summary
1. The Real-World Problem
During his tenure as a SOC analyst, Sanglap often faced challenges such as:
- Long, manual investigations requiring custom queries.
- Context switching across multiple tools (SIEM, ticketing, chat).
- Inconsistent reporting from different analysts.
- Critical incidents occurring during off-hours with limited analyst availability.
These operational inefficiencies inspired him to design an AI system that could act as an investigation co-pilot — reducing manual overhead while improving consistency and speed.
2. The Vision: Natural Language–Driven Investigations
The core idea behind the AI Assistant is simple yet powerful:
Analysts should be able to “talk” to their SOC — ask questions in plain English and get actionable investigative results.
By using Natural Language Processing (NLP), the system translates analyst queries into SIEM searches, runs those queries, interprets the logs, and summarizes results in human-readable form — all within the same conversational interface.
3. Architecture Overview
The automation comprises three AI agents working in tandem:
- Session Controller: Tracks case context via Jira and manages user sessions over WhatsApp.
- Query Agent: Understands user intent, formulates search queries, and runs them over Splunk (or other SIEMs like Sentinel, Elastic, or QRadar).
- Analysis Agent: Analyzes returned logs, summarizes findings, and determines if the event is a true positive or false positive.
The system integrates seamlessly via APIs, enabling incident management, data retrieval, and response — all triggered by simple chat commands.
4. The Demonstration
Sanglap’s demo highlighted how an analyst could initiate, continue, or close investigations entirely through WhatsApp messages:
- Asking: “Check for unusual logins for sanglap.patra.”
- Receiving: a generated Splunk query, execution results, and summarized analysis.
- Following up: “Summarize the investigation” — and getting a concise summary of findings.
The automation handled:
- AI-driven log analysis
- Context retention across sessions
- Automated ticketing in Jira
- Intelligent report generation
It showcased how AI could turn routine SOC tasks into dynamic, interactive workflows.
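The Query Agent step described in the architecture overview and exercised by the “Check for unusual logins for sanglap.patra” prompt above is the point where a chat message becomes a query the SIEM executes, so it is where a defender wants a gate. The example below is added here and is not code from the prototype: it builds the demo's query from a fixed template instead of an LLM, and the command allowlist, index names and seven-day lookback policy are assumptions chosen for illustration.

```python
import re

# Assumed policy for this example: the assistant may only emit read-only SPL
# built from these commands, may only touch these indexes, and may not look
# back further than seven days. None of this comes from the prototype itself.
ALLOWED_COMMANDS = {"search", "stats", "table", "sort", "head", "eval",
                    "where", "dedup", "rename", "timechart"}
ALLOWED_INDEXES = {"auth", "windows"}          # constructed index names
MAX_LOOKBACK_MIN = 7 * 24 * 60
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9._@-]+$")
_UNIT_MIN = {"m": 1, "h": 60, "d": 1440}

def build_unusual_login_query(user: str, lookback: str = "-24h") -> str:
    """Template for the 'unusual logins for <user>' intent from the demo.
    The prototype lets an LLM write this; a fixed template keeps the example
    deterministic. The value check stops a chat message from smuggling extra
    search terms into the quoted user field."""
    if not _SAFE_VALUE.match(user):
        raise ValueError(f"refusing to interpolate user value {user!r}")
    return (f'search index=auth action=login user="{user}" earliest={lookback} '
            f"| stats count min(_time) as first_seen by src_ip, geo_country "
            f"| sort -count")

def validate_spl(query: str) -> tuple[bool, str]:
    """Static gate every generated query passes before it reaches Splunk.
    Splitting on '|' ignores quoting, so a pipe hidden inside a quoted value
    still becomes a stage and fails the allowlist: the check fails closed."""
    stages = [s.strip() for s in query.split("|")]
    if not stages[0].startswith("search "):
        return False, "first stage must be an explicit search"
    for stage in stages:
        if not stage:
            return False, "empty pipeline stage"
        cmd = stage.split(None, 1)[0].lower()
        if cmd not in ALLOWED_COMMANDS:
            return False, f"command not allowed: {cmd}"
    indexes = re.findall(r"index=([A-Za-z0-9_*]+)", stages[0])
    if not indexes or any(i not in ALLOWED_INDEXES for i in indexes):
        return False, "query must name only allowed indexes"
    m = re.search(r"earliest=-(\d+)([mhd])\b", stages[0])
    if not m:
        return False, "query must carry a bounded earliest="
    minutes = int(m.group(1)) * _UNIT_MIN[m.group(2)]
    if minutes > MAX_LOOKBACK_MIN:
        return False, f"lookback {m.group(0)} exceeds policy"
    return True, "ok"

def generate_checked(user: str) -> str:
    """What the Query Agent would hand to the SIEM: build, then gate."""
    query = build_unusual_login_query(user)
    ok, reason = validate_spl(query)
    if not ok:
        raise RuntimeError(f"generated query rejected: {reason}")
    return query
```

The same `validate_spl` gate applies unchanged to a query an LLM produced, which is the point: the model proposes, the policy decides what is executed.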
5. Questions & Insights
During Q&A, participants explored key points:
- The prototype currently uses Google Gemini for LLM tasks, but enterprise deployments would benefit from self-hosted models trained on internal threat data.
- Integration can extend to Microsoft Sentinel, Elastic, and QRadar — any platform supporting API-based queries.
- Analysts can incorporate Threat Intelligence (TI) sources for enrichment (e.g., VirusTotal, AbuseIPDB).
- The system can evolve to include automated response actions, closing the loop from detection to mitigation.
CISO Playbook: Turning Insights Into Action
1. Begin with Workflow Mapping:
Identify repetitive SOC tasks (query generation, log parsing, case updates) that consume analyst hours and cause burnout.
2. Pilot AI-Assisted Workflows:
Start small — integrate NLP-based automation for investigation summaries or log correlation. Use open APIs (Splunk, Sentinel, Jira) to prototype quickly.
3. Ensure Data Governance:
Deploy AI models within secure, compliant environments. Train them on sanitized log schemas and threat patterns relevant to your organization.
4. Empower Analysts, Not Replace Them:
The goal is not full automation — it’s augmentation. Enable analysts to focus on judgment calls while AI handles the grunt work.
5. Measure & Iterate:
Track KPIs such as Mean Time to Investigate (MTTI) and Mean Time to Detect (MTTD). Use these to benchmark AI performance and refine your prompts and model logic.
Conclusion
The AI-powered SOC Investigation Assistant exemplifies how AI can operationalize security intelligence — making investigations faster, context-rich, and scalable.
As Sanglap emphasized, this is only the beginning. The future SOC will not be a static dashboard but an interactive, cognitive system — one that understands analyst intent, contextualizes threats, and drives autonomous action.
For CISOs, now is the time to reimagine SOC strategy with AI at its core — balancing human expertise with machine efficiency to stay ahead of evolving cyber threats.