Sapphire Insights is at the heart of AgileBlue's Cerulean AI SecOps platform, providing actionable AI decision making for expedited response times, automated case summaries, task lists, and more.
Overview
Sapphire Insights powers Cerulean AI's SecOps platform by automatically extracting key artifacts, providing analysis, summarizing alerts and cases, and determining recommended actions to be taken in response to potential security events in your environment. Some of the benefits of Sapphire Insights include:
- Actionable AI decision making for expedited response times
- Automated case summaries coupled with task lists offering response recommendations
- Autonomous response to endpoint, network, and cloud attacks (coming soon)
- Dynamic playbook capabilities
- Significant reduction in false positives and alert fatigue
The initial release of Sapphire Insights includes Windows alerts only and will be expanded to all indicators of attack in the future.
Sapphire Insights does not replace AgileBlue's human analyst team, instead allowing our security experts to focus their efforts on proactive threat hunting, priority investigations, and the most critical incidents in your environment.
This update to the Cerulean AI SecOps platform marks a significant step forward for the platform. By combining intelligent automation with autonomous response capabilities, security teams are equipped with the tools necessary to respond effectively to evolving cyber threats.
Artifacts
Artifacts are the most important data points related to an alert or alerts within a case. These can include items such as:
- Hostnames
- Usernames
- Processes
- Files
- DLLs
- Registry Modifications
- IP addresses
Sapphire Insights automatically extracts the key artifacts from each alert or case and analyzes each one, applying a benign or malicious designation to artifacts such as IP addresses and hash values.
Alert & Case Summaries
Leveraging AI capabilities, Sapphire Insights automatically generates a comprehensive yet digestible summary of individual alerts as well as of cases containing multiple alerts. The summary highlights the activity in the alert log and correlated logs, presents the relevant analysis, and gives an opinion on the status of the incident: benign or malicious.
An example of a case summary can be seen below:
Response Task List
In addition to analyzing and summarizing an alert or case, Sapphire Insights provides a response task list. This list includes recommended actions to take in response to the alert or case if it is determined to be malicious.
The actions could include, but are not limited to:
- Disabling a user account
- Isolating a host
- Creating a new firewall rule
- Deleting a DLL
- Deleting a file
Additional Features
Outside of the features described above, the Cerulean AI SecOps portal includes some additional items related to Sapphire Insights to help determine the current status of an alert or case. Some of these features are detailed below:
- Color-coded Sapphire Insights status in the Completion column on the case management page:
  - Gray: the alerts in the case have not yet been analyzed
  - Yellow: the case has been partially analyzed
  - Blue: all alerts have been analyzed
- Analysis Progress Indicator
  - This appears on the case details page and shows the percentage of alerts in the case that have been analyzed by Sapphire Insights.