The SOC Assistant helps you analyze security data, suggest next steps, and answer complex security questions. To make the assistant even more powerful, you can manage custom Playbooks and Memory entries that provide tailored context for your specific environment and workflows.
How the Assistant Works
When you interact with the SOC Assistant, it draws upon your active session, any linked pentest data, and the persistent knowledge stored in your Playbooks and Memory.
flowchart LR
User["Security Analyst"] -->|Sends Message| Chat["Assistant Chat"]
Chat -->|Loads Context| Memory["Memory Entries"]
Chat -->|References| Playbooks["Active Playbooks"]
Chat -->|Analyzes| Pentest["Linked Pentest Data"]
Memory -.-> Chat
Playbooks -.-> Chat
Pentest -.-> ChatManaging Assistant Sessions
Chat sessions isolate different investigations or conversations. You can create standalone sessions or link them directly to a specific pentest ID.
Linking a session to a pentest_id allows the assistant to automatically pull in relevant vulnerabilities, findings, and scope for that specific engagement.
| Action | Endpoint / Method | Description |
|---|---|---|
| List Sessions | GET /assistant/sessions | Retrieves all active SOC assistant chat sessions. |
| Create Session | POST /assistant/sessions | Starts a new session. Accepts an optional pentest_id. |
| Get Session | GET /assistant/sessions/{session_id} | Retrieves the full message history for a specific session. |
| Chat | POST /assistant/chat | Sends a message to the assistant and returns the response. |
| Delete Session | DELETE /assistant/sessions/{session_id} | Permanently removes a chat session and its history. |
Starting a Conversation
- 1
Create a session
First, initialize a new session. If you are investigating a specific pentest, include its ID in the request body.
{ "pentest_id": "pt_12345abc" } - 2
Send a message
Use the
session_idreturned from the previous step to send your prompt to the assistant.{ "session_id": "sess_9876xyz", "message": "Summarize the critical findings from this pentest and suggest remediation steps.", "pentest_id": "pt_12345abc" } - 3
Review the response
The assistant will analyze the linked pentest and return a detailed, actionable response based on your prompt.
Working with Playbooks
Playbooks act as standard operating procedures (SOPs) or guided workflows. By defining playbooks, you ensure the SOC Assistant handles specific types of incidents (like phishing or malware outbreaks) consistently.
| Action | Endpoint / Method | Description |
|---|---|---|
| List Playbooks | GET /playbooks | Lists all available playbooks in the system. |
| Get Playbook | GET /playbooks/{name} | Retrieves the details and content of a specific playbook. |
| Create Playbook | POST /playbooks/{name} | Creates a new playbook with a description and content. |
| Update Playbook | PUT /playbooks/{name} | Updates an existing playbook's description or content. |
| Delete Playbook | DELETE /playbooks/{name} | Removes a playbook from the system. |
Deleting a playbook is immediate and cannot be undone. Ensure no active investigations rely on the playbook before deleting it.
Example: Creating a Playbook
curl -X POST https://api.yourstudio.com/playbooks/phishing-response
-H "Content-Type: application/json"
-d '{
"description": "Standard response steps for reported phishing emails.",
"content": "1. Isolate the affected host. 2. Block the sender domain. 3. Reset user credentials."
}'Managing Memory
Memory entries allow you to store persistent facts about your organization—such as network architecture, VIP user lists, or specific compliance requirements. The assistant uses these memory entries to provide highly contextualized answers.
| Action | Endpoint / Method | Description |
|---|---|---|
| Get Memory | GET /memory/{name} | Retrieves a specific memory entry by its name. |
| Create Memory | POST /memory/{name} | Creates a new memory entry. |
| Update Memory | PUT /memory/{name} | Updates the description or content of an existing memory. |
| Delete Memory | DELETE /memory/{name} | Removes a memory entry. |
Keep memory entries focused and concise. Large, monolithic memory entries can make it harder for the assistant to extract the specific facts it needs.
Frequently Asked Questions
What is the difference between Playbooks and Memory?
Playbooks are instructional. They tell the assistant how to do something or what steps to follow during an investigation (e.g., "Incident Response Steps").
Memory is factual. It tells the assistant what it needs to know about your environment (e.g., "The primary firewall is a Palo Alto appliance located at 10.0.0.1").
Can I change the linked pentest in the middle of a session?
Yes. When sending a message to the /assistant/chat endpoint, you can pass a new pentest_id in the request body. The assistant will pivot its analysis to the newly referenced pentest data for that specific message.
