Analyst Copilot
The Analyst Copilot
The Analyst Copilot is an AI-powered assistant designed to help SOC analysts streamline incident response, investigation, and remediation. Built on an advanced model, the Analyst Copilot understands the full context of each security incident, providing enriched insights and real-time recommendations.
With its chat interface, analysts can quickly gather relevant information, execute enrichment tasks, and take remediation actions all without leaving their workspace. Equipped with pre-built workflows, the Analyst Copilot eliminates manual effort, accelerates decision-making, and ensures a swift, efficient, and precise response to security threats.
Safe Use of AI
It is important that Blink does not use customer data for AI training. We adhere to industry standards to ensure your data remains secure, never stored or utilized for these purposes.
Using the Analyst Copilot
For best results, check out Best Practices for Using the Analyst Copilot to create effective prompts.
1
Navigate to Case Management
Navigate to the Case Management section and select the case you want to work on.
2
Launch the Analyst Copilot
Click on the Analyst Copilot button in the top-right corner of the case interface.
3
Interact with the Chat Interface
Begin your chat with the Analyst Copilot. You can ask it to summarize case insights, identify next steps, perform investigations, or trigger specific actions based on the case data.
4
Review and Run Suggested Workflows
If the Copilot recommends executing a workflow, review the suggested action, fill in any required input fields, and then run the workflow directly from the chat interface.
Please note that, depending on the specific prompt, you might need to provide additional details in the required input fields.
5
Refine and Execute Actions
After a workflow is executed, the Analyst Copilot will automatically summarize and analyze the results. This helps you interpret key findings, uncover new leads, and determine appropriate next steps to advance the investigation helping you advance the investigation and move closer to resolving the case.
6
Enlarge Response
Next to the workflow’s execution status, you can click the icon, this will enlarge the analyst copilot’s response which connected flow it executed and to the left hand side it shows it reasoning and a button to that will direct you to the a ability workflow.
7
Ability Workflows
In the top-right corner, you can find all ability workflows by clicking the icon. These are workflows the analyst copilot can utilize to help you with case investigation, enrichment, remediation, and more. Any output from these workflows will be added to the session context.
To add more ability workflows to your Analyst Copilot, see the next section for instructions.
To view the Analyst Copilot’s limitations, navigate here
Expose On-Demand Workflows to the Analyst Copilot
Ability workflows are on-demand workflows that extend the Analyst Copilot, enabling more detailed analysis and investigation. In any On Demand workflow, you can enable the Analyst Copilot by toggling the Analyst Copilot workflow button in the workflow’s settings or on the Workflow Overview page. Once enabled, the workflow is added to the Analyst Copilot as an ability workflow. This setting gives the Analyst Copilot access to the workflow’s configuration and outputs, supporting deeper analysis, informed decision-making, and guided response. With visibility into the workflow’s structure and data, the Copilot can more effectively assist analysts throughout the investigation process.Important: To support the Analyst Copilot in conducting effective investigations, we strongly recommend adding a workflow description when setting up your workflow.
This feature is currently in its alpha stage.
Use Case Examples: Analyst Copilot in Case Management
Use Case Example: Generate a timeline of events based on the case activity
Use Case Example: Generate a timeline of events based on the case activity
Overview
The Analyst Copilot assists security analysts by automatically generating insights and structured timelines for cybersecurity incidents. In this case, it processes details related to a malware-attached email and creates a timeline of events based on case activity.Key Capabilities Demonstrated
-
Automated Timeline Generation
- The Copilot extracts relevant information from the alert and observables sections and structures it into a chronological timeline of events.
- Example:
- Initial detection of a malicious URL.
- Receipt of the malicious email.
- Identification of the malicious attachment.
- Alert generation in Proofpoint security system.
- Case creation in the Blink’s Case Management for investigation.
-
Enhanced Investigation Efficiency
- By automatically summarizing critical case details, the Analyst Copilot reduces manual effort required from analysts.
- This allows analysts to focus on deeper investigations rather than compiling reports.
-
Real-time Case Status Tracking
- The system tracks case status (e.g., “NEW”, “UNDER INVESTIGATION”) and keeps analysts updated.
- Ensures that all stakeholders have a clear progression of events.
Why This is Valuable for Security Teams
- Speeds Up Incident Response – Analysts get an immediate structured summary without manually sifting through logs.
- Improves Accuracy – Extracts key details directly from security tools, reducing human error.
- Enhances Collaboration – Clear, structured timelines help teams coordinate actions effectively.
Use Case Example: Suggest a remediation plan based on this case.
Use Case Example: Suggest a remediation plan based on this case.
Overview
In this use case, the Analyst Copilot assists in responding to a brute force attack involving suspicious login attempts. The copilot helps the analyst review response actions linked to the case, trigger relevant workflows (e.g., DNS lookups), and suggest a detailed remediation plan—all from within the same interface and using natural language commands.Key Capabilities Demonstrated
-
Case Context Awareness
- Identifies and summarizes response actions specific to the case.
- Understands key case elements like involved users, source IPs, and severity.
-
Natural Language Automation Execution
- Executes security workflows based on plain language prompts (e.g., “Investigate source IPs”).
- Automatically maps case data (e.g., IP addresses) to required inputs.
-
Result Interpretation and Next-Step Guidance
- Provides structured output from workflows in plain English.
- Offers follow-up investigation recommendations based on results (e.g., manual IP analysis after NXDOMAIN result).
-
Remediation Planning Support
- Generates a step-by-step remediation plan organized by urgency (Immediate, Short-term, Medium-term, Long-term).
- Takes into account case metadata such as severity, user role, and business impact.
Why This Is Valuable for Security Teams
- Reduces Analyst Workload Automatically surfaces relevant information and actions without needing to manually navigate through multiple tools or tabs.
- Accelerates Incident Response Automations can be executed and interpreted instantly, significantly reducing investigation and response time.
- Promotes Consistent and Repeatable Workflows Ensures incident handling follows a structured process, even for less experienced analysts.
- Enhances Transparency and Documentation Each action is traceable and tied to the case timeline, supporting audit and compliance needs.
- Keeps Momentum Despite Tooling Gaps The copilot doesn’t fail silently, it identifies where coverage is missing and recommends manual next steps, helping teams maintain investigative momentum.
Best Practices
- Be clear and precise: Providing clear and specific instructions will assist Analyst Copilot in understanding your instructions clearly.
- Use complete integration names: For example, instead of using generic terms like Compute Instance, specify the full name of the relevant integrations, such as AWS EC2 Compute Instance.
- Refrain from using unknown or unrecognized vendors in your prompt.
- Keep it simple and concise: To tackle complex workflows effectively, consider breaking your prompt instructions into bullet points, ensuring each bullet point prompt is concise and straightforward.
Related Articles
Case Management
Effectively handle security incident investigations by providing detailed information and logs in one place on a single dashboard
Cases
Track, manage, and resolve cases efficiently.
Alerts
Track, manage, and resolve alerts efficiently.
Observables
Create, Extract and manage observables efficiently.