What is context memory
Memory is a feature in Qevlar AI that allows organizations to store and use contextual knowledge about their environment directly in the investigation process. Instead of relying only on external threat intelligence or static allowlists, analysts can provide organization-specific rules and facts, written in natural language, that Qevlar takes into account when investigating alerts.
For example:
- “Host 10.60.XXX.XX is permitted to communicate with TOR networks in the research environment between 09h00 and 18h00 UTC.”
- “Users in the legal department receive encrypted PDF attachments from known partners; escalate only if the sender domain is new or the PDF opens a web form.”
These memory items capture tribal knowledge that usually only lives in analysts’ heads or fragmented documentation, and make it available to Qevlar’s autonomous investigations.
What it solves
Without context, even the best SOC tools can waste time or create noise:
- False positives: Investigations raise issues that are normal in the organization (e.g., sanctioned TOR communication, internal scanning).
- False negatives: Legitimate threats may be overlooked because the investigation didn’t consider business rules (e.g., a finance user receiving unexpected encrypted attachments, or the business receiving login attempts from locations where it has no activity).
- Lost knowledge: Analyst expertise is often undocumented or siloed, leading to repeated work when new team members investigate similar alerts.
Memory reduces these issues by embedding organizational knowledge into every investigation, ensuring Qevlar evaluates alerts in the right context for your environment.
How it works
- Memory items are stored as a table of natural language entries created and managed by Admin users.
- Memory items are unique to a profile, so a memory item written for Profile A will never be accessible to or referenced by any other profile.
- During each investigation, Qevlar automatically checks whether any memory items apply to the current alert or its related entities (hosts, users, processes, emails, domains, etc.).
- If relevant memory items are found, they appear in the report with the tag “Memory Used.” Qevlar then evaluates whether any of these items should influence the investigation’s outcome. If so, it adjusts the conclusion and updates the evidence section to reflect the memory item(s) selected and their impact on the investigation findings.
- All selected memory items can be viewed directly in the report by clicking on the “Memory Used” button.
- A memory item ‘overrules’ (takes precedence over) any investigation finding. For example, if a CTI lookup returns 42 Malicious results but a memory item says this particular file is approved to be run by user X, the conclusion will not be Malicious.
This ensures investigations are not only fast and accurate, but also aligned to your organization’s unique environment and policies.
How to use it
The Memory feature is available by clicking on Memory in the navigation menu, which will load the memory management module.
Memory Management
Here you can see the table of memory items, with the following columns:
- ID - Qevlar-assigned ID, in ascending order from the first memory item created. Note that a deleted memory item retains its ID; it will not be reused by a new item.
- Memory item - Lists current memory items. All memory items are active and available for use; there is no disabled state.
- Last Used - The last time the memory item was selected as relevant to an investigation. This does not mean it was used to reach the investigation’s conclusion.
- Last Updated - the last time this memory item was updated by a user. Empty if it has never been updated.
- Source - Where the memory item was created from:
  - User Submission - The memory item was added directly in the management module
  - Report Review - The memory item was added from an investigation report
- Added by - Which user added the memory item
- Date added - When the memory item was added
- Next to each memory item there is an action menu that, when clicked, gives the option to delete or update the memory item.
Adding a memory item
- Click on (+) Memory Item.
- If your account has multiple profiles, be sure you have the correct one selected.
- Enter the memory item (see the guidance section below).
- If the memory item was prompted by a past investigation, include the relevant Qevlar Investigation ID (e.g., 4726). This links the memory back to a real scenario where Qevlar needed extra context, making it easier to track why the rule was added and ensuring future investigations benefit from that knowledge.
- Click Save and Add. The memory item is now added and can be referenced by the next investigation.
Guidance on writing memory items
Admins can add, edit, and manage memory items in the Memory Management module within the Qevlar platform.
- Each item should be written in clear natural language so that it reflects how analysts would normally describe the context.
- Memory items can reference IPs, hosts, domains, user groups, business processes, or behavior patterns.
- To get the most value from Memory, it helps to write items in a clear, structured way. A useful pattern is: “[Entity] is [permitted/not permitted] to [action] in [context/environment].” This makes the rule precise, easy to read, and directly usable during investigations.
Examples:
- “Host 10.60.XXX.XX is permitted to communicate with TOR networks in the research environment between 09h00 and 18h00 UTC.”
- “Users in the legal department receive encrypted PDF attachments from known partners; escalate only if the sender domain is new or the PDF opens a web form.”
- “User HOME\PERSONX is a member of the security red team and performs detection rule testing with known malware files.”
- “Our company has a legitimate branded Microsoft app login portal”
Tips:
- Keep sentences short and unambiguous.
- Reference specific entities or processes (users, processes, locations, timeframes, department) where possible.
- Focus on business context, not just technical detail.
- Use positive (“permitted”) or negative (“not permitted”) framing for clarity.
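The following is an added illustrative model, not Qevlar’s own code, covering two parts of this page: the “How it works” behaviour (a memory item selected for an alert gets the “Memory Used” tag and, if it applies, overrules a CTI-based finding) and the writing guidance above (a small lint check for the “[Entity] is [permitted/not permitted] to [action] in [context]” pattern). The host address, alert fields, time window handling and the substring matching are constructed assumptions to make the semantics concrete; Qevlar’s real matching is natural-language reasoning, not a regex. The after-hours alert shows the caveat from the Last Used column: an item can be selected as relevant without changing the conclusion.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Recommended wording pattern from the guidance section.
PATTERN = re.compile(
    r"^(?P<entity>.+?) is (?P<polarity>permitted|not permitted) to "
    r"(?P<action>.+?) in (?P<context>.+?)\.?$",
    re.IGNORECASE,
)
# Optional "between 09h00 and 18h00 UTC" window inside the context clause (assumed format).
WINDOW = re.compile(r"between (\d{2})h(\d{2}) and (\d{2})h(\d{2}) UTC", re.IGNORECASE)


@dataclass
class MemoryItem:
    item_id: int
    text: str
    entity: str
    permitted: bool
    action: str
    context: str
    window: Optional[tuple]  # (start_minute, end_minute) of day in UTC, or None


def parse_memory_item(item_id: int, text: str) -> Optional[MemoryItem]:
    """Parse one natural-language item; None if it does not follow the pattern."""
    m = PATTERN.match(text.strip().strip('“”"'))
    if not m:
        return None
    context = m["context"].strip()
    window = None
    w = WINDOW.search(context)
    if w:
        h1, m1, h2, m2 = map(int, w.groups())
        window = (h1 * 60 + m1, h2 * 60 + m2)
    return MemoryItem(item_id, text, m["entity"].strip(),
                      m["polarity"].lower() == "permitted",
                      m["action"].strip(), context, window)


def lint_memory_item(text: str) -> list:
    """Check an item against the writing tips; an empty list means it passes."""
    issues = []
    if parse_memory_item(0, text) is None:
        issues.append("does not follow '[Entity] is [permitted/not permitted] to [action] in [context]'")
    if len(text.split()) > 30:
        issues.append("too long; keep sentences short")
    if re.search(r"\b(sometimes|usually|maybe|might|some)\b", text, re.IGNORECASE):
        issues.append("hedging words make the rule ambiguous")
    return issues


@dataclass
class Alert:
    entities: dict           # related entities, e.g. {"host": "10.60.1.20"}
    activity: str            # observed behaviour, free text
    environment: str         # e.g. "research"
    minute_utc: int          # event time as minutes since 00:00 UTC
    cti_malicious_hits: int  # number of CTI sources flagging the artefact


def select_memory(alert: Alert, items: list) -> list:
    """Items referencing one of the alert's entities: these get the 'Memory Used' tag
    (and a Last Used stamp) whether or not they end up changing the conclusion."""
    values = {str(v).lower() for v in alert.entities.values()}
    return [i for i in items if any(v in i.entity.lower() for v in values)]


def applies(item: MemoryItem, alert: Alert) -> bool:
    """An item applies only when action, context and (if present) time window all match."""
    if item.action.lower() not in alert.activity.lower():
        return False
    if alert.environment.lower() not in item.context.lower():
        return False
    if item.window and not (item.window[0] <= alert.minute_utc <= item.window[1]):
        return False
    return True


def investigate(alert: Alert, items: list) -> dict:
    """CTI-based verdict first; an applicable memory item then takes precedence."""
    used = select_memory(alert, items)
    verdict = "Malicious" if alert.cti_malicious_hits > 0 else "Benign"
    evidence = [f"CTI: {alert.cti_malicious_hits} sources flag the artefact as malicious"]
    for item in used:
        if applies(item, alert):
            verdict = "Benign" if item.permitted else "Malicious"
            evidence.append(f"Memory item #{item.item_id} overrules CTI: {item.text}")
        else:
            evidence.append(f"Memory item #{item.item_id} selected but not applicable")
    return {"verdict": verdict, "memory_used": [i.item_id for i in used], "evidence": evidence}


# Constructed sample data: a concrete host in place of the page's 10.60.XXX.XX placeholder.
MEMORY = [parse_memory_item(1, "Host 10.60.1.20 is permitted to communicate with TOR networks "
                               "in the research environment between 09h00 and 18h00 UTC.")]
ACTIVITY = "outbound connection: communicate with TOR networks (exit node)"
IN_HOURS = Alert({"host": "10.60.1.20"}, ACTIVITY, "research", 10 * 60 + 30, 42)
AFTER_HOURS = Alert({"host": "10.60.1.20"}, ACTIVITY, "research", 23 * 60, 42)

if __name__ == "__main__":
    for a in (IN_HOURS, AFTER_HOURS):
        print(investigate(a, MEMORY))
    print(lint_memory_item("Sometimes TOR is fine"))
```

With 42 CTI hits the in-hours alert still concludes Benign because the memory item applies, while the same activity at 23h00 keeps the Malicious conclusion even though the item is listed under Memory Used.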