The AI Engine (interpretation & prioritization)

Purpose. Turn heterogeneous events into ranked, explainable incidents. The engine runs centrally (or on-prem) and combines behavioral baselining, graph correlation, and few-shot signatures learned from prior incidents.

Pillars

  • Behavioral baselines: rolling profiles per host/user/repo (hour-of-day, peer deviation, seasonal patterns).

  • Graph reasoning: merges process trees, network edges, and IAM events into a security interaction graph, enabling path-based features (e.g., signed admin tool → unsigned loader → off-net egress).

  • Semi-supervised learning: isolates novelty without requiring full labels; incorporates curated analyst feedback to refine the model.

  • Federated updates (optional): sites train locally and share model deltas, not raw data.

Outputs

  • Incident object with severity, confidence, affected assets, recommended action, and rationale:

    • top contributing features (SHAP-like),

    • matching patterns (e.g., “living-off-the-land + cloud exfil pattern”),

    • remediation playbook suggestions.

Performance targets (design, not SLA)

  • End-to-end triage < 2–5s from agent emission on typical corp networks.

  • False-positive reduction vs. rule-only pipelines: target ≥40–60% with human-in-the-loop tuning.

  • Analyst time saved: fewer tickets per incident via auto-grouping of correlated events.

Example rationale (analyst view)

Severity: High (0.89) — Unusual rclone spawn under signed Office parent; first-seen destination; bursty file hash churn; off-hours user; peer group deviation p<0.01. Matches “exfil-via-sync” playbook (76% similarity).
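As an added illustration of the graph-reasoning pillar and the rationale format above (example code, not the engine's own implementation): a toy security interaction graph is built from constructed process and egress events, scanned for the signed parent → unsigned child → off-net egress path, and turned into an incident object carrying its contributing features. Field names, feature weights and the severity threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the page): process spawns and network egress.
PROCESSES = [
    {"pid": 1, "name": "winword.exe", "ppid": 0, "signed": True},
    {"pid": 2, "name": "rclone.exe", "ppid": 1, "signed": False},
    {"pid": 3, "name": "outlook.exe", "ppid": 0, "signed": True},
    {"pid": 4, "name": "svchost.exe", "ppid": 3, "signed": True},
]
EGRESS = [
    {"pid": 2, "dst": "203.0.113.7", "off_net": True, "first_seen": True},
    {"pid": 4, "dst": "10.0.0.5", "off_net": False, "first_seen": False},
]

def build_graph(processes, egress):
    """Security interaction graph: parent->child process edges plus process->destination edges."""
    procs = {p["pid"]: p for p in processes}
    children = defaultdict(list)
    for p in processes:
        children[p["ppid"]].append(p["pid"])
    egress_by_pid = defaultdict(list)
    for e in egress:
        egress_by_pid[e["pid"]].append(e)
    return procs, children, egress_by_pid

def find_exfil_paths(processes, egress):
    """Path feature: signed parent -> unsigned child -> off-net egress (assumed weights)."""
    procs, children, egress_by_pid = build_graph(processes, egress)
    incidents = []
    for parent in processes:
        if not parent["signed"]:
            continue
        for cpid in children[parent["pid"]]:
            child = procs[cpid]
            if child["signed"]:
                continue
            for e in egress_by_pid[cpid]:
                if not e["off_net"]:
                    continue
                features = [  # (feature, contribution to confidence); weights are assumptions
                    ("unsigned_child_of_signed_parent", 0.45),
                    ("off_net_egress", 0.30),
                    ("first_seen_destination", 0.15 if e["first_seen"] else 0.0),
                ]
                score = round(min(1.0, sum(w for _, w in features)), 2)
                incidents.append({
                    "severity": "High" if score >= 0.8 else "Medium",
                    "confidence": score,
                    "path": f'{parent["name"]} -> {child["name"]} -> {e["dst"]}',
                    "rationale": [f for f, w in features if w > 0],
                })
    return incidents
```

The signed svchost.exe child of outlook.exe talking to an on-net address produces no incident, which is the point of path-based rather than per-event scoring.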