Safe Use of AI
Using the Analyst Copilot
Navigate to Case Management
Launch the Analyst Copilot

Interact with the Chat Interface

Review and Run Suggested Workflows

Refine and Execute Actions

Enlarge Response
Next to the workflow’s execution status, you can click the icon, this will enlarge the analyst copilot’s response which connected flow it executed and to the left hand side it shows it reasoning and a button to that will direct you to the a ability workflow.

Ability Workflows
In the top-right corner, you can find all ability workflows by clicking the icon. These are workflows the analyst copilot can utilize to help you with case investigation, enrichment, remediation, and more. Any output from these workflows will be added to the session context.

Expose On-Demand Workflows to the Analyst Copilot
Ability workflows are on-demand workflows that extend the Analyst Copilot, enabling more detailed analysis and investigation. In any On Demand workflow, you can enable the Analyst Copilot by toggling the Analyst Copilot workflow button in the workflow’s settings or on the Workflow Overview page. Once enabled, the workflow is added to the Analyst Copilot as an ability workflow. This setting gives the Analyst Copilot access to the workflow’s configuration and outputs, supporting deeper analysis, informed decision-making, and guided response. With visibility into the workflow’s structure and data, the Copilot can more effectively assist analysts throughout the investigation process.
Use Case Examples: Analyst Copilot in Case Management
Use Case Example: Generate a timeline of events based on the case activity
Use Case Example: Generate a timeline of events based on the case activity

Overview
The Analyst Copilot assists security analysts by automatically generating insights and structured timelines for cybersecurity incidents. In this case, it processes details related to a malware-attached email and creates a timeline of events based on case activity.Key Capabilities Demonstrated
-
Automated Timeline Generation
- The Copilot extracts relevant information from the alert and observables sections and structures it into a chronological timeline of events.
- Example:
- Initial detection of a malicious URL.
- Receipt of the malicious email.
- Identification of the malicious attachment.
- Alert generation in Proofpoint security system.
- Case creation in the Blink’s Case Management for investigation.
-
Enhanced Investigation Efficiency
- By automatically summarizing critical case details, the Analyst Copilot reduces manual effort required from analysts.
- This allows analysts to focus on deeper investigations rather than compiling reports.
-
Real-time Case Status Tracking
- The system tracks case status (e.g., “NEW”, “UNDER INVESTIGATION”) and keeps analysts updated.
- Ensures that all stakeholders have a clear progression of events.
Why This is Valuable for Security Teams
- Speeds Up Incident Response – Analysts get an immediate structured summary without manually sifting through logs.
- Improves Accuracy – Extracts key details directly from security tools, reducing human error.
- Enhances Collaboration – Clear, structured timelines help teams coordinate actions effectively.
Use Case Example: Suggest a remediation plan based on this case.
Use Case Example: Suggest a remediation plan based on this case.

Overview
In this use case, the Analyst Copilot assists in responding to a brute force attack involving suspicious login attempts. The copilot helps the analyst review response actions linked to the case, trigger relevant workflows (e.g., DNS lookups), and suggest a detailed remediation plan—all from within the same interface and using natural language commands.Key Capabilities Demonstrated
-
Case Context Awareness
- Identifies and summarizes response actions specific to the case.
- Understands key case elements like involved users, source IPs, and severity.
-
Natural Language Automation Execution
- Executes security workflows based on plain language prompts (e.g., “Investigate source IPs”).
- Automatically maps case data (e.g., IP addresses) to required inputs.
-
Result Interpretation and Next-Step Guidance
- Provides structured output from workflows in plain English.
- Offers follow-up investigation recommendations based on results (e.g., manual IP analysis after NXDOMAIN result).
-
Remediation Planning Support
- Generates a step-by-step remediation plan organized by urgency (Immediate, Short-term, Medium-term, Long-term).
- Takes into account case metadata such as severity, user role, and business impact.
Why This Is Valuable for Security Teams
- Reduces Analyst Workload Automatically surfaces relevant information and actions without needing to manually navigate through multiple tools or tabs.
- Accelerates Incident Response Automations can be executed and interpreted instantly, significantly reducing investigation and response time.
- Promotes Consistent and Repeatable Workflows Ensures incident handling follows a structured process, even for less experienced analysts.
- Enhances Transparency and Documentation Each action is traceable and tied to the case timeline, supporting audit and compliance needs.
- Keeps Momentum Despite Tooling Gaps The copilot doesn’t fail silently, it identifies where coverage is missing and recommends manual next steps, helping teams maintain investigative momentum.
Best Practices
- Be clear and precise: Providing clear and specific instructions will assist Analyst Copilot in understanding your instructions clearly.
- Use complete integration names: For example, instead of using generic terms like Compute Instance, specify the full name of the relevant integrations, such as AWS EC2 Compute Instance.
- Refrain from using unknown or unrecognized vendors in your prompt.
- Keep it simple and concise: To tackle complex workflows effectively, consider breaking your prompt instructions into bullet points, ensuring each bullet point prompt is concise and straightforward.