CSOC AI Analyst Accelerator (Andesite AI)
Description
VA Cybersecurity Operations Center (CSOC) requires new tools and capabilities to meet increasing demands for monitoring and securing the VA’s complex information technology (IT) environment, which currently involve time-consuming and manual processes.
Detailed example
Andesite AI will submit prompts and retrieve results from AWS Bedrock (via Claude Sonnet) to help review potential incidents and perform investigations. The inputs of the model will include security event data from Splunk and Microsoft Sentinel used by CSOC analysts such as vulnerability data, indicators of compromise, security and event logs, and other threat intelligence data. Outputs of the model will include descriptions of potential incidents/vulnerabilities, suggestions on remediation and prioritization, and contextual information and correlation of various security event data. The users of Andesite AI will be 20 VA CSOC analysts.
AI / analytics pattern
Generative AI: AI that generates new or synthetic content (e.g., images, videos, audio, text, code).
Automation level / stage
a) Pre-deployment – The use case is in a development or acquisition status.
Expected benefit
Andesite AI has the potential to be a significant part of VA’s overall defensive security strategy which will provide comprehensive visibility by enabling the cybersecurity team to transform and accelerate investigations, connect data silos, and decrease time to response. Hosted in VAEC AWS, Andesite AI will connect via API to several endpoints such as Splunk, SOAR, ThreatQ and the VA Network to seamlessly integrate information to assist Cybersecurity Analysts with their investigations.
Controls / human review
ATO: Not reported; PIA: Not published