FAQ
What does Arcanna.ai do?
Arcanna serves as a Decision Intelligence AI platform meant to enhance human decision-making within the Security Operations Center (SOC) or Network Operations Center (NOC), regardless of the tools, processes and data they use to make decisions. It achieves this by leveraging consistent data points and incorporating human feedback into AI models, moving towards an autonomous decision-making system.
For further information about Arcanna.ai, please check our documentation here
What is AI-Assisted Cybersecurity?
AI-Assisted Cybersecurity is a new form of technology that continuously learns from the cybersecurity team's experience and expertise, assimilating this knowledge into its AI models.
As such, your top tier analysts' knowledge is used to assist and augment the entire cybersecurity team, streamlining operations.
Can I use data from multiple sources and environments?
Arcanna.ai is data-source agnostic, in the sense that it can ingest data from multiple sources and use it to build AI models. Arcanna.ai connects with a variety of platforms used within the SOC ecosystem, such as SIEMs, SOARs, data warehouses, case management systems, threat intelligence, email servers, notification systems, and the list can go on. The integrations are plug-and-play, don't require any coding skills, except for basic configuration of the API connectors.
What is a Use Case?
A use case represents an end-to-end investigative flow for events that are being analyzed based on a common set of decision points. An AI use case maps the SOC investigation process to an AI process that gathers decision points relevant for the current flow, generates a decision for each event, presents it to the user for feedback and performs post-decision tasks. One investigation flow differs from another one through its decision points set and their relevance. Therefore, each use case will have its own AI models trained in order to learn the particularities and patterns of individual flows.
What decisions can Arcanna.ai make?
Arcanna.ai enables its users to map any investigation process to an use case. Therefore, any type of decision that the analysts make when performing the investigation can also be made with Arcanna.ai. When defining an AI use case you also need to define the decisions that should be assigned to alerts (for example: Drop, Escalate, High Importance, Informative, False Positive, etc). The user that creates the AI use case has full control over the granularity and labels of the decisions that the AI use case will learn to make.
Does the analyst need to explain why they changed a decision?
When giving feedback, analysts only need to assign a decision to the alerts, without explaining how they reached it. By design, the AI models will learn the patterns and causalities that lead to the decisions, without having to explicitly define which of the decision points weighed to reach them.
Does Arcanna.ai tell me why it took a decision?
Arcanna.ai is explainable, as it gives insights into why it took a certain decision. Each event will display in its detailed view a tab called "AI explainability". The information displayed here includes a timeseries of Arcanna's decisions on the event, who gave feedback and when, and a list of events already used in training that have similar decision points as the current event, together with the analysts' feedback on them. All the components listed above offer a clear view into why Arcanna made a certain decision, and which past events contributed to it.
Can I have multiple use cases running at the same time?
Multiple use cases can run at the same time in the same environment. Different investigation flows will require different use case setups, with different decision points for each of them. Arcanna.ai offers the possibility to map each flow to an AI use case and ensures that the decisions made based on an investigation flow are independent of the other investigation flows that the analysts follow.
Do use cases share the same knowledge base?
Individual use cases will have separate knowledge base - a collection of events with their decisions, based on which the AI models are trained. For each AI use case, the decision points associated with it will have a certain relevance, which is not impacted by the other AI use cases created in the same environment.
I already trained a use case, and now I want to create another one with the same data. Do I need to start from scratch or can I reuse the feedback I gave on the existing use case?
By design, each use case will build its own knowledge base and have its own decision points.
However, use acses can be cloned together with their knowledge base and decision points.
This means that you can train a base model for multiple investigation flows, and then clone it into specialized use cases that will have slight particularities in the investigation.
To clone an AI use case, go to "AI use cases" -> choose the use case you want to clone -> click on the three dots on the right -> Clone.
You will have various options for cloning:
- use case definition and decision points
- use case definition, decision points, and buckets
- use case definition, decision points, buckets and events
After cloning, each use case will start with the same knowledge base as the initial one. After being trained with new decisions, it will evolve into a specialized use case for the current investigation flow.
How do I know if my AI use case perform as expected?
For each AI use case, the use case overview page shows overall time saved metrics, changed versus confirmed decisions, performance metrics such as accuracy and F-score, together with a model history view where you can see all the training rounds and the performance each model had. Moreover, you can download the data and the models, or rollback to a previous model version. For more details regarding model performance, please check our detailed documentation here.
Can I check which analysts trained the AI models and what their feedback was?
Yes, this information is visible in the use case overview page, together with how often the decision made by an analyst was the same as the majority vote of all the analysts. This is displayed under the consensus percentage and is available either for the current feedback session, or for the entire use case history. You can also see on individual events who gave feedback and what their decision was.
Does Arcanna.ai need an Internet connection to work?
Arcanna.ai can be installed through an offline installer and does not require an Internet connection to be able to run. The AI models and their data are stored and trained locally, therefore they can run in an isolated environment.
I am managing an MSSP with multiple customers and various investigation flows. How should I configure Arcanna.ai?
When deciding upon the configuration, there are multiple factors to be taken into account.
Do you follow the same investigation flow for groups of customers?
If the answer is yes, you could have an AI use case configured for each group of customers with the same investigation flow. Moreover, the customer name itself could be a decision point, if there are slight changes in the investigation process for certain customers. However, if each customer is treated differently and the same decision points could have a different meaning and weight in the decisional process from customer to customer, we recommend having individual AI use cases per customer.
Do you have access to the same data for multiple customers?
- If so, and you have the same procedures for multiple customers, one use case for that particular group of customers would be our go-to recommendation.
Do you want to share investigation-related know-how between customers?
If the answer is yes, you could either start with a base use case that has common knowledge for all the customers and then clone it for separate customers, or use a single use case for all customers where your team is applying the same know-how and processes. By doing so, you will have shared knowledge not only throughout your team, but also throughout the way the investigation happens from customer to customer.
However, if you prefer to have each customer treated separately, either because you have dedicated analysts or different flows, you can opt for creating use cases per customer, and either start from no prior knowledge, or clone an existing use case and start with the knowledge accumulated on that particular use case.
Can Arcanna.ai be used to create or update tickets?
Arcanna.ai offers post-decision actions, such as creating, updating or closing tickets. Moreover, Arcanna.ai can learn from the changes made on the tickets, thus being seamlessly integrated into your workflow. For more details regarding post-decision actions and how Arcanna.ai integrates with ticketing solutions, click here.
Does my team need to use the Arcanna.ai UI to train the AI models?
Arcanna.ai can integrate with a variety of cybersecurity tools - SIEMs, SOARs, ticketing, alerting, etc. It can easily be integrated as a step in any playbook, update events and gather feedback from the tools already used in the company, thus making the integration and feedback loop seamless for the analysts. They will only see the final result - Arcanna's decision on the event, either as a note, a new field on the event, or through Arcanna's ticket management capabilities.
Therefore, it's not necessary to add a new screen or UI in front of your analysts. Arcanna can run as an agent and integrate without disrupting the current flow.
Can Arcanna.ai notify my team when a critical alert has been encountered?
Notifications and alerts can be sent from Arcanna to alerting systems or by email, when certain conditions are met. You can define when to receive notifications and for which decisions directly in Arcanna. For more information, please visit the Integrations section by clicking here .