By leveraging the power of Sapphire AI Decisioning, AgileBlue maximizes efficiency and keeps our analysts’ focus on the most critical events in your environment.
Overview
AgileBlue's SecOps Platform is designed to leverage AI capabilities to maximize efficiency in threat detection, investigation, and response. Sapphire AI Insights automatically analyzes cases detected in your environment and provides a summary of the activity. Sapphire AI Decisioning takes that process a step further by generating a verdict – Malicious, Benign, or Insufficient Information – and corresponding confidence score, automatically advancing the investigation and ensuring analysts focus their time on the most critical threats.
By empowering Sapphire AI in the decision process, cases with a high certainty of a benign verdict are automatically closed out while remaining events are immediately reviewed by a human analyst.
Sapphire AI Verdict & Confidence Score
All cases analyzed by Sapphire AI will receive an initial verdict within minutes of the activity occurring. The initial verdict will be one of the following:
- Benign
- Malicious
- Insufficient Information
Along with the verdict, each case receives a confidence score – this rating is on a 0 to 100 scale and signals Sapphire’s confidence in the stated verdict. The combination of verdict and confidence score dictates what occurs next in the process.
Cases are not static. As additional alerts are added to a case, Sapphire AI re-analyzes the combined data, and the verdict and confidence score can change as a result.
The Sapphire AI verdict and confidence score can be seen on the Case List table, on any individual case details page, as well as in Sapphire AI Decisioning escalations emails.
- Benign Verdict
  - Any case that receives a Benign verdict with a confidence score of 80 or higher is automatically set to the status "Auto-Closing". The case remains open for 10 minutes; if no new alerts are added during that window, or if analysis of new alerts reaffirms the initial verdict and confidence score, Sapphire AI closes the case automatically.
  - If analysis of further alerts changes the verdict to Malicious or Insufficient Information, or drops the Benign confidence score below 80, the case is immediately assigned to the AgileBlue analyst team for further investigation.
  - Example: a case with a Benign verdict and a confidence score of exactly 80 meets the threshold, so it enters Auto-Closing status and is closed by Sapphire AI once the 10-minute timer completes without a change.
- Malicious Verdict
  - Any case that receives a Malicious verdict, at any confidence score, automatically enters the queue for investigation by an AgileBlue analyst. Priority is given to Malicious cases containing the most critical activity and the highest confidence scores.
  - Example: a case with a Malicious verdict and a confidence score of 70 immediately enters the analyst queue for further investigation.
- Insufficient Information Verdict
  - A verdict of Insufficient Information means Sapphire AI does not have enough data to reach an initial verdict with confidence. Any case with this verdict immediately enters the analyst workflow for further investigation, regardless of its confidence score.
Alert Playbook
In addition to evaluating the data in the case itself, Sapphire AI reads your existing Alert Playbook. This allows the response to be tailored to the activity expected in your environment, so that verdicts reflect what is normal for your organization rather than a generic baseline.
A common use case is Foreign Login events on Office365. For example, if AgileBlue receives a case indicating that the user jdoe@agileblue.com signed in to their Outlook account from an IP address located in Germany, the case is likely to receive a Malicious verdict with a high confidence score.
If, before this event, AgileBlue's playbook had been updated to record that jdoe@agileblue.com would be traveling to Germany and was approved to sign in from that location, the verdict would instead be Benign and the case would be closed automatically, because the activity is expected. Keep such entries specific (the user, the location, and the period of travel) so that an approval recorded for one trip does not also suppress scrutiny of unrelated logins later.
Other Enhancements
Some of the other improvements to the portal itself you will see include:
- Re-tooled Alert Playbook layout and functionality allowing for quicker access to critical information and increased customization.
- Updated Artifacts section on the Case Details page, giving a cleaner view of key case data and allowing for the ability to highlight malicious and potentially malicious artifacts.
- Enhanced Sapphire AI Decisioning escalation email template with new key details, including:
- Rules list
- Sapphire AI Verdict
- Verdict Confidence Score
- Verdict Explanation
- Case Summary
Need Help?
AgileBlue is always here to support you and ensure you are 100% successful. If you run into any issues or have any questions, please reach out to AgileBlue Support.
Email: support@agileblue.com
Phone: (216) 606-9400