Organizational context is highly important when a human analyst investigates alerts, and the same is true for Qevlar AI.
There are currently several types of organizational context Qevlar can manage and use when investigating. All context added is per-profile: for an MSSP, the domain lists and settings are unique to each profile that has been added and should be set and populated according to that profile's own context.
The Context module and adding context items is restricted to users with an Admin role.
CTI Mode
Qevlar AI enriches observables it discovers using external Cybersecurity Threat Intelligence (CTI) sources. The sources available to your organization can be configured in the Integrations menu.
When domains or IPs are submitted to CTIs, Qevlar provides two modes for interpreting the results. These modes allow you to adapt investigations to your SOC’s operating context and risk preference:
- All Sourcing (default): Qevlar marks a domain or IP as malicious if 2 or more CTI sources return malicious results. This low threshold helps detect subtle or emerging threats more quickly.
- Qevlar TrueSignal: A Qevlar-developed solution that applies advanced machine learning models to filter for high-trust threat signals, reducing the false positives often found across multiple CTI vendors. This mode requires VirusTotal to be activated in the Integrations menu.
You can switch between CTI modes at any time. A full history of changes is recorded for audit purposes. The selected mode applies to all future investigations, but does not retroactively change results from past investigations.
Domains
You can mark domains trusted by your organization so they are not investigated by Qevlar AI. Trusted domains still appear in the observables table but are clearly labeled as Trusted.
Domains can be added in two ways:
- From the Context > Domain menu by entering them manually or uploading a formatted CSV for bulk import.
- Directly from an investigation by expanding an observable in the observables table and selecting Mark as Trusted.
Adding a domain does not automatically trust its URLs or subdomains. These may still be investigated.
VIP
Providing a list of VIPs to Qevlar AI means that when these users appear within an alert or are found during an investigation, they are tagged as VIP within the report, helping analysts prioritize alerts and enabling dynamic SLA setups with SIEM/SOAR platforms. Qevlar will still investigate these VIP users and their identified actions in the course of the investigation.
- VIPs can be added to the context feature from the Context > VIP menu, either by manually entering VIP information or by uploading a formatted CSV to perform a bulk import of your organization's VIPs.
Files
Files your organization's teams use that are not well known to threat intelligence sources can cause false positives. Files added to the context list will not be submitted for enrichment to CTIs and will be marked as Trusted within the investigation report.
- Files can be added to the context feature from the Context > Files menu, either by manually entering file information or by uploading a formatted CSV to perform a bulk import of your organization's files that should be trusted.
- Qevlar AI matches on the file hash value, not the file name, and every file added requires a reason, which records the justification for the action.
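As an added illustration (not Qevlar's code), the following models the three matching rules this page states: the All Sourcing threshold of two malicious CTI verdicts, exact-match domain trust that does not extend to subdomains or URLs, and file trust keyed on the hash rather than the name. The page does not name a hash algorithm, so SHA-256, the data structures and the function names are assumptions.

```python
"""Constructed model of the Context rules described on this page.

Not Qevlar AI code: the threshold and matching behaviour follow the page
text; SHA-256, the class layout and function names are assumptions.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Page: All Sourcing marks an observable malicious when 2 or more CTI sources agree.
ALL_SOURCING_THRESHOLD = 2


@dataclass
class Context:
    trusted_domains: set[str] = field(default_factory=set)
    trusted_hashes: dict[str, str] = field(default_factory=dict)  # sha256 -> reason

    def add_trusted_file(self, data: bytes, reason: str) -> str:
        """Trust a file by hash; a non-empty reason is required (page: justification)."""
        if not reason.strip():
            raise ValueError("a reason is required when trusting a file")
        digest = hashlib.sha256(data).hexdigest()
        self.trusted_hashes[digest] = reason
        return digest


def domain_status(domain: str, ctx: Context, cti_results: dict[str, bool]) -> str:
    """Return 'trusted', 'malicious' or 'clean' for one domain observable.

    Trust is an exact match: trusting 'example.com' does not cover
    'mail.example.com' (page: subdomains and URLs may still be investigated).
    """
    name = domain.lower().rstrip(".")
    if name in ctx.trusted_domains:
        return "trusted"  # still listed in the observables table, not sent to CTIs
    malicious_votes = sum(1 for verdict in cti_results.values() if verdict)
    return "malicious" if malicious_votes >= ALL_SOURCING_THRESHOLD else "clean"


def file_status(data: bytes, ctx: Context) -> str:
    """Trust is decided on the content hash, never on the file name."""
    digest = hashlib.sha256(data).hexdigest()
    return "trusted" if digest in ctx.trusted_hashes else "enrich"


if __name__ == "__main__":
    ctx = Context(trusted_domains={"example.com"})
    ctx.add_trusted_file(b"constructed in-house tool", "internal deployment script")
    print(domain_status("mail.example.com", ctx, {"a": True, "b": True}))  # malicious
    print(file_status(b"constructed in-house tool", ctx))  # trusted
```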