What is Organizational Context
Organizational Context is a feature in Qevlar AI that allows organizations to store and use contextual knowledge about their environment directly in the investigation process. Instead of relying only on external threat intelligence or static allowlists, analysts can provide organization-specific rules and facts, written in natural language, that Qevlar takes into account when investigating alerts.
For example:
- “Host 10.60.XXX.XX is permitted to communicate with TOR networks in the research environment between 09h00 and 18h00 UTC.”
- “Users in the legal department receive encrypted PDF attachments from known partners; escalate only if the sender domain is new or the PDF opens a web form.”
These organization context items capture tribal knowledge that usually only lives in analysts’ heads or fragmented documentation, and make it available to Qevlar’s autonomous investigations.
What it solves
Without context, even the best SOC tools can waste time or create noise:
- False positives: Investigations raise issues that are normal in the organization (e.g., sanctioned TOR communication, internal scanning).
- False negatives: Legitimate threats may be overlooked because the investigation didn’t consider business rules (e.g., a finance user receiving unexpected encrypted attachments, or login attempts from locations where the business has no activity).
- Lost knowledge: Analyst expertise is often undocumented or siloed, leading to repeated work when new team members investigate similar alerts.
Organization Context reduces these issues by embedding organizational knowledge into every investigation, ensuring Qevlar evaluates alerts in the right context for your environment.
How it works
- Context items are stored as a table of natural language entries created and managed by Admin users.
- Context items are unique to a profile, so an item written for Profile A will never be accessible to, or referenced by, any other profile.
- During each investigation, Qevlar automatically checks whether any context items apply to the current alert or its related entities (hosts, users, processes, emails, domains, etc.).
- If relevant context items are found, they appear in the report with the tag “Organizational Context Used.” Qevlar then evaluates whether any of these items should influence the investigation’s outcome. If so, it adjusts the conclusion and updates the evidence section to reflect the context item(s) selected and their impact on the investigation findings.
- All selected context items can be viewed directly in the report by clicking on the “Organizational Context Used” button.
- A context item will ‘overrule’ / take precedence over any investigation finding. For example, if a CTI source returns 42 Malicious results but a context item says this particular file is ok to be run by user X, the conclusion will not be Malicious.
This ensures investigations are not only fast and accurate, but also aligned to your organization’s unique environment and policies.
How to use it
The Organization Context feature is available by clicking Organization Context in the navigation menu, which loads the context management module.
Organization Context Management
Here you can see the table of context items:
- ID - Qevlar-assigned ID, in ascending order from the first context item created. Note that a deleted context item retains its ID; it won’t be reused by a new item.
- Context item - Lists current context items. Any and all context items are active and available for use; there is no disabled state.
- Last Used - the last time the context item was selected as relevant to an investigation. This does not mean it was used in reasoning toward the investigation’s conclusion.
- Last Updated - the last time this context item was updated by a user. Empty if it has never been updated.
- Added by - the user who added the context item.
- Date added - when the context item was added.
- Next to each context item there is an action menu that, when clicked, gives the option to delete or update the context item.
- Adding a context item
  - Click on (+) Add Context.
  - If your account has multiple profiles, be sure you have the correct one selected.
  - Enter the context item (see the guidance section below).
  - If the context item was prompted by a past investigation, include the relevant Qevlar Investigation ID (e.g., 4726). This links the context back to a real scenario where Qevlar needed extra context, making it easier to track why the rule was added and ensuring future investigations benefit from that knowledge.
  - If the context item should apply for a limited time only, you can add an optional expiry date.
  - Click Save and Add. The context item is now added and can be referenced by the next investigation.
Guidance on writing context items
Admins can add, edit, and manage context items in the Organization Context module within the Qevlar platform.
- Each item should be written in clear natural language so that it reflects how analysts would normally describe the context.
- Context items can reference IPs, hosts, domains, user groups, business processes, or behavior patterns.
- To get the most value from Organization Context, it helps to write items in a clear, structured way. A useful pattern is:
  - “[Entity] is [permitted/not permitted] to [action] in [context/environment].” This makes the rule precise, easy to read, and directly usable during investigations.
Examples:
- “Host 10.60.XXX.XX is permitted to communicate with TOR networks in the research environment between 09h00 and 18h00 UTC.”
- “Users in the legal department receive encrypted PDF attachments from known partners; escalate only if the sender domain is new or the PDF opens a web form.”
- “User HOME\PERSONX is a member of the security red team and performs rule detection testing with known malware files.”
- “Our company has a legitimate branded Microsoft app login portal”
Tips:
- Keep sentences short and unambiguous.
- Reference specific entities or processes (users, processes, locations, timeframes, department) where possible.
- Focus on business context, not just technical detail.
- Use positive (“permitted”) or negative (“not permitted”) framing for clarity.
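To make the two mechanisms above concrete (the recommended “[Entity] is [permitted/not permitted] to [action] in [context]” pattern from the guidance, and the precedence rule from “How it works”, where an applicable context item overrules CTI verdicts), here is a small added model in Python. It is not Qevlar’s code: the names `ContextItem`, `Alert`, `parse_context_item` and `evaluate_alert`, the substring/token matching used to decide whether an item applies, and the sample host `10.60.0.5` and user `HOME\CONTRACTOR01` are all constructed assumptions. It also shows the expiry-date and “Last Used” behaviour described for the context table.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Recommended sentence pattern from the guidance section:
# "[Entity] is [permitted/not permitted] to [action] in [context/environment]."
PATTERN = re.compile(
    r"^(?P<entity>.+?) is (?P<verdict>permitted|not permitted) to "
    r"(?P<action>.+?) in (?P<context>.+?)\.?$",
    re.IGNORECASE,
)


@dataclass
class ContextItem:
    item_id: int                      # assigned ID; never reused after deletion
    text: str                         # the natural-language entry as written
    entity: str
    permitted: bool
    action: str
    context: str
    expires: Optional[date] = None    # optional expiry date
    last_used: Optional[date] = None  # last time selected as relevant


def parse_context_item(item_id: int, text: str,
                       expires: Optional[date] = None) -> ContextItem:
    """Parse an entry written in the recommended pattern.

    Free-form entries (which the product also accepts) are rejected here,
    because this toy can only match structured ones. (Assumed helper.)
    """
    m = PATTERN.match(text.strip())
    if m is None:
        raise ValueError("not in '[Entity] is [permitted/not permitted] to "
                         f"[action] in [context]' form: {text!r}")
    # Drop a leading "the " so "the research environment" matches
    # an alert tagged "research environment".
    context = re.sub(r"^the\s+", "", m["context"].strip(), flags=re.IGNORECASE)
    return ContextItem(item_id, text, m["entity"].strip(),
                       m["verdict"].lower() == "permitted",
                       m["action"].strip(), context, expires)


@dataclass
class Alert:
    entities: Set[str]        # hosts, users, domains, ... tied to the alert
    environment: str          # e.g. "research environment"
    activity: str             # what the alert observed the entity doing
    cti_verdicts: List[str]   # one verdict per CTI source, e.g. "Malicious"
    observed: date


def cti_conclusion(alert: Alert) -> str:
    """Baseline conclusion from threat intel alone (no context)."""
    return "Malicious" if "Malicious" in alert.cti_verdicts else "Benign"


def applies(item: ContextItem, alert: Alert) -> bool:
    """Simplified stand-in for the product's relevance check (assumption)."""
    if item.expires is not None and alert.observed > item.expires:
        return False  # expired items are ignored
    # Whole-token match so that "10.60.0.5" does not match "10.60.0.50".
    tokens = set(item.entity.lower().split())
    if not tokens & {e.lower() for e in alert.entities}:
        return False
    return (item.action.lower() in alert.activity.lower()
            and item.context.lower() in alert.environment.lower())


def evaluate_alert(alert: Alert,
                   items: List[ContextItem]) -> Tuple[str, List[ContextItem]]:
    """Return (conclusion, context items used).

    Applicable context takes precedence over CTI verdicts, however many
    sources flagged the activity. If several items apply and any is a
    'not permitted' rule, the restrictive one wins.
    """
    used: List[ContextItem] = []
    for item in items:
        if applies(item, alert):
            item.last_used = alert.observed   # "Last Used" column semantics
            used.append(item)
    if not used:
        return cti_conclusion(alert), []
    if any(not i.permitted for i in used):
        return "Malicious", used
    return "Benign", used


if __name__ == "__main__":
    # Constructed sample: 42 CTI sources say Malicious, one context item applies.
    rule = parse_context_item(
        1, "Host 10.60.0.5 is permitted to communicate with TOR networks "
           "in the research environment.")
    tor_alert = Alert({"10.60.0.5", "tor-exit.example"}, "research environment",
                      "communicate with TOR networks over port 9001",
                      ["Malicious"] * 42, date(2024, 5, 1))
    print(cti_conclusion(tor_alert), "->", evaluate_alert(tor_alert, [rule])[0])
```

The second return value is what the report would surface under “Organizational Context Used”; an empty list means the CTI-only conclusion stands, which is also what happens once an item passes its expiry date.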