What the API unlocks
Automated Investigations & Threat Hunting
Orchestrate playbooks that pull multi-source evidence (e.g., endpoint, identity, network) with a single request.
Pivot across entities (host → user → IP → process hash) using parameterized queries and time-boxed windows.
Reduce Mean Time to Evidence (MTTE) and Mean Time to Remediation (MTTR).
Alert Triage at Scale
Enrich alerts automatically (whois, asset criticality, recent failures, geovelocity, vulnerability status).
Apply decision logic (risk scoring, allowlists, recurrence checks) and auto-close noise with auditable justifications.
Free analysts from repetitive queries; focus human time on edge cases.
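Triage logic of the kind listed above, as an added example in Python (not code from the page or from any vendor's product): the allowlist, the recurrence check and the risk score are applied in that order, and every outcome is returned as a record with a justification an auditor can read. Alert fields, enrichment keys, weights and thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
# (source_ip, rule) pairs an analyst has already judged benign; values are constructed.
ALLOWLIST = {("10.0.0.5", "port_scan")}

@dataclass
class Alert:
    alert_id: str
    rule: str
    source_ip: str
    seen: datetime

@dataclass
class Context:  # enrichment the playbook fetches per alert; field names are assumptions
    asset_criticality: int        # 1 (lab box) .. 5 (crown jewel)
    vuln_exposed: bool            # host has an unpatched vulnerability the rule targets
    recent_auth_failures: int     # failed logins on the host in the lookback window
    closed_benign_in_window: int  # prior benign closes of the same (source_ip, rule)

def risk_score(ctx: Context) -> int:
    # Additive weights are illustrative, not any vendor's scoring model.
    return (ctx.asset_criticality * 10 + (30 if ctx.vuln_exposed else 0)
            + (20 if ctx.recent_auth_failures >= 5 else 0))

def triage(alert: Alert, ctx: Context, recurrence_limit: int = 3, threshold: int = 60) -> dict:
    """Apply allowlist -> recurrence -> risk score; every outcome carries a justification."""
    def decision(action: str, reason: str, detail: str) -> dict:
        return {"alert_id": alert.alert_id, "action": action, "reason": reason,
                "detail": detail, "decided_at": alert.seen.isoformat()}
    if (alert.source_ip, alert.rule) in ALLOWLIST:
        return decision("auto_close", "allowlist", f"{alert.source_ip}/{alert.rule} is allowlisted")
    # Recurrence only closes noise: an exposed host is never auto-closed on history alone.
    if ctx.closed_benign_in_window >= recurrence_limit and not ctx.vuln_exposed:
        return decision("auto_close", "recurrence", f"{ctx.closed_benign_in_window} prior benign closes in window")
    score = risk_score(ctx)
    if score >= threshold:
        return decision("escalate", "risk_score", f"score {score} >= {threshold}")
    return decision("queue", "risk_score", f"score {score} < {threshold}")

# Constructed sample alerts with their enrichment; a1..a4 exercise one branch each.
T0 = datetime(2024, 1, 15, 9, 30)
SAMPLES = [
    (Alert("a1", "port_scan", "10.0.0.5", T0), Context(2, False, 0, 0)),
    (Alert("a2", "brute_force", "203.0.113.9", T0), Context(5, True, 12, 0)),
    (Alert("a3", "dns_anomaly", "10.0.3.3", T0), Context(1, False, 0, 4)),
    (Alert("a4", "dns_anomaly", "10.0.3.4", T0), Context(1, False, 0, 0)),
]
def triage_samples() -> list[dict]:
    return [triage(alert, ctx) for alert, ctx in SAMPLES]
```

The `reason` and `detail` fields are what get written to the case record, so an auto-close can later be reviewed against the exact rule that produced it.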
SOAR & Super-Automation Integration
SOAR platforms call the API to fetch context, then execute response actions (isolate host, disable token).
Super-automation (RPA/ITOM) chains API calls with ticketing/CMDB changes, approvals, and post-incident reporting.
Consistent, versioned endpoints ensure deterministic runbooks and easier change control.
Generative AI & Copilot Use Cases
Provide the model with a governed, read-only pathway to grounded context (RAG) about users, assets, and behaviors.
Natural-language prompts compile to parameterized API queries; results stream back as citations for explainability.
Safe tool-use: rate limits, output schemas, and redaction guardrails prevent data leakage.
Compliance, Auditability, and M&A Transparency
Standardized queries drive repeatable evidence packs (PCI, ISO 27001, SOC 2).
Post-merger integration gains a unified lens over heterogeneous logs while legacy tools converge in the background.
Lineage and query logs show who accessed what, when, and for which control.