
SOC Operations Workflows

Ten agent workflows for the SOC Team — automated alert triage, phishing domain analysis, SIEM enrichment, domain reputation scoring, suspicious URL investigation, false positive reduction, threat hunting queries, user-reported incident processing, DNS anomaly investigation, and shift handoff intelligence — transforming raw alerts into actionable intelligence with comprehensive domain context.

1. Automated Alert Triage & Enrichment

AI agent enriches every SIEM alert containing a domain with comprehensive domain intelligence — page type analysis, enrichment data, and historical context — enabling SOC analysts to triage alerts 10x faster with confidence.

Step 1: Enrich Incoming SIEM Alerts
Page types and enrichment used: /login, /security, /about, /careers, OpenPageRank, Domain Ages, Web Filtering

ALERT TRIAGE — SIEM QUEUE (147 ALERTS, LAST 4 HOURS)
════════════════════════════════════════════════════════
ALERT #SOC-2026-4891 — DNS Query to Suspicious Domain
Source: Cortex XDR | Severity: HIGH | User: [email protected]
Domain: tracking-pixel-cdn.com
ENRICHMENT:
Domain Age: 2,847 days (7.8 years) | PageRank: 5.8/10
IAB: Advertising & Marketing | Web Filtering: Ad Networks
/about: Legitimate ad-tech company, 120 employees
/security: SOC2 Type II certified
/careers: 23 active positions
AUTO-VERDICT: FALSE POSITIVE — Legitimate ad tracker
ACTION: Auto-close, add to known-good list

ALERT #SOC-2026-4892 — Outbound HTTPS to Unknown Domain
Source: NGFW | Severity: MEDIUM | Host: WORKSTATION-142
Domain: secure-file-transfer-app.com
ENRICHMENT:
Domain Age: 8 days | PageRank: 0.0/10
IAB: Technology | Web Filtering: Newly Registered / Suspicious
/login: Present — generic login form
/about: Placeholder text
/security: Not present | /careers: Not present
Personas: Enterprise employees
AUTO-VERDICT: SUSPICIOUS — Requires analyst review
ACTION: Escalate to Tier 2, isolate WORKSTATION-142

ALERT #SOC-2026-4893 — Blocked URL Category
Source: Prisma Access | Severity: LOW | User: [email protected]
Domain: github.com
ENRICHMENT:
Domain Age: 6,935 days (19 years) | PageRank: 9.2/10
IAB: Technology | Web Filtering: Software Development
AUTO-VERDICT: FALSE POSITIVE — Developer accessing GitHub
ACTION: Auto-close, adjust URL filtering policy

Step 2: Measure Triage Efficiency Impact
SOC Metrics
Alert Triage Performance — With domain intelligence enrichment, 62% of alerts auto-triaged (no analyst required). Mean Time to Triage reduced from 14 minutes to 1.2 minutes. False positive auto-closure accuracy: 98.7%. SOC analyst capacity freed: 4.2 FTE equivalent per shift.
10x faster triage — 62% auto-resolved

2. Phishing Email Domain Analysis

AI agent analyzes domains extracted from reported phishing emails — providing comprehensive domain intelligence to determine if the domain is a legitimate sender, a compromised domain, or purpose-built phishing infrastructure.

Step 1: Analyze Reported Phishing Domains
Page types and enrichment used: /login, /contact, /legal, /press, Domain Ages, OpenPageRank, Personas

PHISHING ANALYSIS — 12 USER-REPORTED EMAILS
════════════════════════════════════════════════════
REPORT #PHI-2026-0891
Reporter: [email protected] | Subject: "Action Required: Password Expiry"
Sender domain: microsoft-365-security.org
Domain Age: 3 days | Country: Nigeria (hosting)
PageRank: 0.0 | Web Filtering: Phishing
/login: M365 login replica | /contact: Not present
/legal: Not present | /press: Not present
Personas: Enterprise employees
VERDICT: CONFIRMED PHISHING
→ Blocked across all email gateways and SASE in 90 seconds
→ 4 other employees received same email — all auto-quarantined

REPORT #PHI-2026-0892
Reporter: [email protected] | Subject: "Invoice #28471"
Sender domain: acmeconsulting.com
Domain Age: 4,102 days (11+ years) | Country: United States
PageRank: 4.7 | Web Filtering: Business Services
/about: Real consulting firm, Denver CO
/contact: Phone, address verified
/careers: 3 active positions
VERDICT: LEGITIMATE — Real vendor, legitimate invoice
→ Restored from quarantine, sender whitelisted

Step 2: Auto-Respond to Common Phishing Patterns

AUTO-RESPONSE ACTIONS — FEBRUARY 2026
════════════════════════════════════════════════════
Total user-reported emails: 847 this month
Auto-analyzed: 847 (100%)
Auto-resolved: 712 (84%) — no analyst needed
Breakdown:
Confirmed phishing: 189 (22%) → Auto-blocked, IOCs distributed
Legitimate emails: 523 (62%) → Auto-whitelisted with explanation
Requires review: 135 (16%) → Escalated to Tier 1 with enrichment
User notification sent automatically for all 847 reports
Average response time to reporter: 2 minutes 14 seconds

3. Real-Time Domain Reputation Scoring

AI agent maintains a continuous domain reputation score for every domain accessed across the enterprise — combining page type presence, enrichment data, and historical behavior to provide instant risk decisions for firewalls and proxies.

Step 1: Compute Multi-Factor Reputation Scores
Page types and enrichment used: /security, /careers, /investors, OpenPageRank, Domain Ages, IAB Categories, Web Filtering

DOMAIN REPUTATION ENGINE — LIVE SCORING
════════════════════════════════════════════════════
REPUTATION FACTORS (weighted):
Domain Age (25%) | PageRank (20%) | Web Filtering (20%)
Page Completeness (15%) | Country Risk (10%) | IAB Match (10%)

SAMPLE SCORING:
salesforce.com
Age: 8,401 days | PR: 8.9 | Filtering: Cloud CRM | Pages: 20/20
Country: US | IAB: Technology
REPUTATION: 97/100 (TRUSTED) → Allow all traffic

suspicious-saas-tool.io
Age: 14 days | PR: 0.1 | Filtering: Uncategorized | Pages: 3/20
Country: Romania | IAB: Technology
REPUTATION: 8/100 (MALICIOUS) → Block + alert SOC

startup-project-mgmt.com
Age: 234 days | PR: 2.1 | Filtering: SaaS | Pages: 12/20
Country: US | IAB: Business
REPUTATION: 52/100 (UNKNOWN) → Allow with monitoring

Step 2: Integrate with NGFW Policy Engine
Policy Integration
Dynamic Policy Actions — Reputation score >80: Allow. Score 40-80: Allow with SSL decryption and logging. Score 20-40: Allow with sandbox inspection. Score <20: Block + alert SOC. Scores update every 6 hours with domain intelligence refresh. 14.2M unique domains scored daily across customer base.
14.2M domains scored daily — zero-latency policy decisions
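The weighted factors and the four policy bands above, carried through in code as an added example that is not the vendor's scoring engine. The weights and the score thresholds are the page's; how each raw factor is normalised to 0..100, the country score table and the IAB-match input are my assumptions, and the three inputs are the page's own scoring examples re-entered as records.

```python
from dataclasses import dataclass

# Weights from the page's reputation factors (sum to 1.0).
WEIGHTS = {"age": 0.25, "pagerank": 0.20, "filtering": 0.20,
           "pages": 0.15, "country": 0.10, "iab": 0.10}
# Assumed lookups, constructed for this example (not vendor data).
BAD_FILTERING = {"Phishing", "Malware", "Newly Registered", "Newly Registered / Suspicious"}
COUNTRY_SCORE = {"US": 100, "GB": 100, "DE": 100, "NL": 90, "RO": 40, "RU": 0}

@dataclass
class DomainIntel:
    domain: str
    age_days: int
    pagerank: float      # OpenPageRank, 0..10
    filtering: str       # web-filtering category
    pages_present: int   # how many of the 20 page types exist
    country: str         # hosting country code (assumed input)
    iab_match: bool      # IAB category consistent with observed use (assumed input)

def factor_scores(d: DomainIntel) -> dict:
    """Normalise each raw factor to 0..100; these normalisations are assumptions."""
    return {
        "age": min(d.age_days / 730, 1.0) * 100,        # saturates at two years
        "pagerank": min(d.pagerank / 10, 1.0) * 100,
        "filtering": 0 if d.filtering in BAD_FILTERING else 30 if d.filtering == "Uncategorized" else 100,
        "pages": d.pages_present / 20 * 100,
        "country": COUNTRY_SCORE.get(d.country, 50),    # unknown country: neutral
        "iab": 100 if d.iab_match else 0,
    }

def reputation(d: DomainIntel) -> int:
    """Weighted sum of the factor scores, truncated to an integer 0..100."""
    return int(sum(WEIGHTS[k] * v for k, v in factor_scores(d).items()))

def policy_action(score: int) -> str:
    """Page bands: >80 allow, 40-80 decrypt+log, 20-40 sandbox, <20 block."""
    if score > 80:
        return "allow"
    if score >= 40:
        return "allow + SSL decryption + logging"
    if score >= 20:
        return "allow + sandbox inspection"
    return "block + alert SOC"

# The page's three scoring examples as inputs (country codes and IAB match assumed).
SAMPLES = [
    DomainIntel("salesforce.com", 8401, 8.9, "Cloud CRM", 20, "US", True),
    DomainIntel("suspicious-saas-tool.io", 14, 0.1, "Uncategorized", 3, "RO", False),
    DomainIntel("startup-project-mgmt.com", 234, 2.1, "SaaS", 12, "US", True),
]
for d in SAMPLES:
    s = reputation(d)
    print(f"{d.domain:26} score={s:3d}  action={policy_action(s)}")
```

With these assumed normalisations the three samples land in the trusted, blocked and monitored bands respectively, but the exact scores differ from the page's because the vendor's normalisation is not published.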

4. DNS Anomaly Investigation

AI agent investigates DNS query anomalies detected by Cortex XDR — automatically enriching suspicious DNS patterns with domain intelligence to distinguish between legitimate services, shadow IT, and malicious C2 communication.

Step 1: Investigate Anomalous DNS Patterns
Page types and enrichment used: /api, /products, /docs, Domain Ages, Countries, Web Filtering

DNS ANOMALY INVESTIGATION — 3 PATTERNS FLAGGED
════════════════════════════════════════════════════════
PATTERN #1: High-frequency beacon (every 60s)
Host: SERVER-DB-07 | Domain: health-check-api.xyz
DNS queries: 1,440/day (exactly every 60 seconds)
Domain Age: 19 days | Country: Russia | PageRank: 0.0
/api: Returns base64-encoded responses
/products: Not present | /docs: Not present
Web Filtering: Newly Registered
VERDICT: C2 BEACON — Immediate containment required
→ SERVER-DB-07 isolated | IR team notified | Forensics initiated

PATTERN #2: DGA-like subdomain queries
Host: LAPTOP-SALES-12 | Domain: a8f3x.cloudflare-cdn.com
DNS queries: 240/day (random subdomains)
Domain Age: 4,380 days | Country: US | PageRank: 8.1
/api: Legitimate Cloudflare Workers endpoint
/docs: Cloudflare developer documentation
Web Filtering: CDN / Web Infrastructure
VERDICT: LEGITIMATE — Cloudflare Workers application
→ Auto-closed, added to baseline profile

PATTERN #3: Unusual TLD queries
Host: WORKSTATION-HR-04 | Domain: file-share.tk
DNS queries: 18/day (during business hours only)
Domain Age: 67 days | Country: Tokelau (TLD), Netherlands (hosting)
PageRank: 0.3 | Web Filtering: File Sharing
/products: Free file sharing service
VERDICT: SHADOW IT — Unauthorized file sharing
→ Blocked via SASE policy, user notified, IT ticket created

5. Suspicious URL Deep Investigation

AI agent performs deep investigation on URLs flagged by users, email gateways, or automated detection — analyzing the full domain context including all 20 page types, enrichment data, and historical changes to provide definitive verdicts.

Step 1: Deep Domain Investigation
Page types and enrichment used: /login, /about, /legal, /partners, /investors, OpenPageRank, Domain Ages, Personas, Countries

DEEP INVESTIGATION — ESCALATED URL
════════════════════════════════════════════════════
URL: https://corporate-benefits-enrollment.com/employee/login
ESCALATED BY: Email gateway (suspicious link in HR phishing campaign)

FULL DOMAIN ANALYSIS: corporate-benefits-enrollment.com
Page Presence (4/20 — severely incomplete):
/login: YES — Generic employee login, no SAML/SSO
/about: YES — Vague text, no real company info
/legal: YES — Copied from a legitimate benefits provider
/contact: YES — Gmail address only, no phone
Missing pages (16/20 absent): /careers /docs /api /leadership /blog /press /investors /sustainability /partners /support /events /case-studies /security /compliance /products /pricing

Enrichment:
Domain Age: 6 days | PageRank: 0.0/10
Country: Philippines (hosting), registered Panama
IAB: Business & Finance | Personas: HR/employees
Web Filtering: Phishing

DEFINITIVE VERDICT: PHISHING SITE
Confidence: 99.2% | Targeting: Employee benefits enrollment
Technique: Credential harvesting + potential PII collection

Step 2: Generate Investigation Report

URL Investigation Report — SOC-INV-2026-0412

SUMMARY
────────────────────────────────────────
Domain: corporate-benefits-enrollment.com
Verdict: CONFIRMED PHISHING | Confidence: 99.2%
Key indicators: 6-day-old domain, 4/20 pages, zero PageRank, offshore hosting, copied legal text, Gmail-only contact

ACTIONS TAKEN
1. Domain blocked on all NGFW, Prisma Access, and email gateways
2. 12 employees who received link notified — no clicks detected
3. Registrar abuse report filed (NameSilo)
4. IOC shared with PAN-DB for global customer protection
5. Added to phishing domain cluster tracking (Cluster #34)

6. False Positive Reduction Engine

AI agent systematically identifies and eliminates false positives from security alerts by cross-referencing flagged domains against comprehensive domain intelligence — reducing alert fatigue and freeing analyst time for real threats.

Step 1: Identify False Positive Patterns
Page types and enrichment used: /about, /careers, /security, OpenPageRank, Domain Ages, IAB Categories

FALSE POSITIVE ANALYSIS — JANUARY 2026
════════════════════════════════════════════════════
TOTAL ALERTS: 24,891
CONFIRMED FALSE POSITIVES: 8,412 (33.8%)

TOP FALSE POSITIVE CATEGORIES:
1. Legitimate SaaS tools flagged as "uncategorized" (3,847 alerts)
Common trait: Domain Age >2 years, PageRank >3.0, /pricing present
Example: notion.so, figma.com, linear.app
Fix: Auto-whitelist domains with PageRank >3 + /pricing + /careers + /security
2. CDN/Infrastructure domains (2,234 alerts)
Common trait: PageRank >7.0, IAB: Technology, /docs present
Example: fastly.net, akamaized.net, cloudfront.net
Fix: Infrastructure domain allowlist based on IAB + PageRank
3. Marketing/Analytics trackers (1,891 alerts)
Common trait: Domain Age >5 years, IAB: Advertising, /legal present
Example: segment.io, mixpanel.com, amplitude.com
Fix: Ad-tech categorization rules using Web Filtering + IAB

PROJECTED REDUCTION:
Apply domain intelligence filters: -8,412 false positives/month
New false positive rate: 3.2% (down from 33.8%)

7. Proactive Threat Hunting Queries

AI agent generates and executes threat hunting hypotheses by querying domain intelligence — searching for patterns like newly registered domains accessing internal APIs, domains with suspicious page type combinations, or anomalous enrichment data patterns.

Step 1: Execute Automated Hunt Queries
Page types and enrichment used: /login, /api, /products, Domain Ages, Countries, OpenPageRank

THREAT HUNT — WEEKLY AUTOMATED QUERIES
════════════════════════════════════════════════════
HUNT #1: "Newly registered domains with /login accessed by employees"
Query: Domain Age <30 days AND /login present AND accessed by corp users
Results: 7 domains
team-collab-workspace.io — Age: 12 days, 4 users accessed
FINDING: Likely shadow IT — new project management tool trial
secure-doc-review.com — Age: 8 days, 1 user accessed (executive)
FINDING: Suspicious — possible targeted phishing, investigate

HUNT #2: "Domains with /api but no /about or /security"
Query: /api present AND /about absent AND /security absent AND PageRank <1
Results: 3 domains accessed by corp users
data-sync-endpoint.xyz — 1 server querying every 5 min
FINDING: Possible C2 or data exfil — immediate investigation

HUNT #3: "High-reputation domains with sudden PageRank drops"
Query: PageRank dropped >3 points in 30 days AND previously >5.0
Results: 2 domains in employee traffic
enterprise-solutions-group.com — PR: 6.2 → 2.1
FINDING: Possible domain takeover or company collapse — monitor

8. User-Reported Incident Processing

AI agent processes user-reported security incidents — analyzing suspicious URLs, attachments, and communications using domain intelligence to provide instant feedback to reporters while escalating genuine threats to the appropriate SOC tier.

Step 1: Process User Reports Automatically
Page types and enrichment used: /login, /about, /contact, Domain Ages, OpenPageRank, Web Filtering

USER INCIDENT REPORTS — TODAY (34 REPORTS)
════════════════════════════════════════════════════
AUTO-RESOLVED: 28 reports (82%)
18 legitimate emails — sender domains verified via enrichment
6 marketing emails — IAB: Advertising, PageRank >4, Domain Age >3yrs
4 false alarms — domains on corporate approved list
ESCALATED: 4 reports (12%)
2 confirmed phishing — domains blocked, IOCs distributed
1 suspicious SMS — domain leads to credential harvester
1 impersonation attempt — executive name used with new domain
PENDING REVIEW: 2 reports (6%)
1 ambiguous — domain has mixed signals (old domain, new /login page)
1 requires context — user reported internal domain behavior

Step 2: Auto-Generate User Feedback
User Engagement
Report Feedback Loop — Every user report receives automated response within 3 minutes. Positive reinforcement for good catches increases reporting rate by 340%. Domain intelligence context included in feedback helps users learn to spot phishing patterns themselves.
340% increase in user security reporting

9. SIEM Correlation Enrichment

AI agent enriches SIEM correlation rules with domain intelligence — adding context to multi-event correlations so that rules like "3 failed logins + DNS to new domain" include domain reputation, age, and page analysis for better detection accuracy.

Step 1: Enrich SIEM Correlation Rules
Page types and enrichment used: /login, /api, Domain Ages, OpenPageRank, Web Filtering, Countries

ENRICHED CORRELATION — RULE: CREDENTIAL_THEFT_EXFIL
════════════════════════════════════════════════════════
RULE: Failed auth (3+) → DNS to new domain → HTTPS upload >1MB

WITHOUT ENRICHMENT (old rule):
Triggers: 847/month | True positives: 23 (2.7%) | 97.3% false positive rate

WITH DOMAIN INTELLIGENCE ENRICHMENT:
Additional conditions:
+ Domain Age <90 days
+ PageRank <1.0
+ /login OR /api present
+ Web Filtering != (CDN, Cloud Services, SaaS)
+ Country != (US, UK, DE, FR, JP, AU, CA)
Triggers: 34/month | True positives: 21 (61.8%) | 38.2% false positive rate

IMPROVEMENT: 96% fewer alerts, 23x better precision
True positive capture rate maintained at 91%
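The old and enriched CREDENTIAL_THEFT_EXFIL rules evaluated side by side over a handful of constructed correlations, as an added example that is not the vendor's SIEM content. The base rule and the five added conditions are the page's; the Correlation record, the `new_to_org` flag standing in for "DNS to new domain", the .invalid placeholder domains and their ground-truth labels are my assumptions.

```python
from dataclasses import dataclass

SAFE_FILTERING = {"CDN", "Cloud Services", "SaaS"}
LOW_RISK_COUNTRIES = {"US", "UK", "DE", "FR", "JP", "AU", "CA"}

@dataclass
class Correlation:
    """One correlated chain: failed auths, then DNS to a domain, then an HTTPS upload."""
    host: str
    failed_auths: int
    domain: str
    new_to_org: bool        # the old rule's "new domain": never seen in org DNS (assumed)
    upload_bytes: int
    age_days: int           # domain-intelligence enrichment attached to the DNS event
    pagerank: float
    pages: frozenset        # page types present on the domain, e.g. {"/login", "/api"}
    filtering: str          # web-filtering category
    country: str            # hosting country code
    is_true_positive: bool  # analyst ground truth, constructed for the sample

def old_rule(c: Correlation) -> bool:
    """Failed auth (3+) -> DNS to new domain -> HTTPS upload >1MB."""
    return c.failed_auths >= 3 and c.new_to_org and c.upload_bytes > 1_000_000

def enriched_rule(c: Correlation) -> bool:
    """Old rule plus the five domain-intelligence conditions from the page."""
    return (old_rule(c)
            and c.age_days < 90
            and c.pagerank < 1.0
            and bool(c.pages & {"/login", "/api"})
            and c.filtering not in SAFE_FILTERING
            and c.country not in LOW_RISK_COUNTRIES)

def evaluate(rule, events) -> dict:
    """Triggers, true positives, precision and recall of a rule over labelled events."""
    fired = [c for c in events if rule(c)]
    tp = sum(c.is_true_positive for c in fired)
    actual = sum(c.is_true_positive for c in events)
    return {"triggers": len(fired), "true_positives": tp,
            "precision": tp / len(fired) if fired else 0.0,
            "recall": tp / actual if actual else 0.0}

# Constructed correlations; .invalid domains are placeholders, not real indicators.
EVENTS = [
    Correlation("WS-07", 5, "sync-a.invalid", True, 5_000_000, 12, 0.0, frozenset({"/api"}), "Newly Registered", "RU", True),
    Correlation("WS-12", 3, "drive-b.invalid", True, 2_000_000, 3100, 7.5, frozenset({"/login", "/pricing"}), "Cloud Services", "US", False),
    Correlation("WS-19", 4, "notes-c.invalid", True, 1_500_000, 40, 0.5, frozenset({"/login"}), "SaaS", "US", False),
    Correlation("WS-23", 3, "cdn-d.invalid", True, 9_000_000, 5200, 9.1, frozenset({"/docs"}), "CDN", "US", False),
    Correlation("SRV-04", 6, "relay-e.invalid", True, 3_000_000, 20, 0.0, frozenset({"/api"}), "Uncategorized", "DE", True),  # missed by the enriched rule: low-risk hosting country
    Correlation("WS-30", 1, "sync-a.invalid", True, 5_000_000, 12, 0.0, frozenset({"/api"}), "Newly Registered", "RU", False),  # only one failed auth
]

for name, rule in (("old", old_rule), ("enriched", enriched_rule)):
    print(name, evaluate(rule, EVENTS))
```

The fifth event shows the cost side of the page's "capture rate maintained at 91%": a country allow-list drops a true positive hosted in a low-risk country, so recall should be tracked alongside precision whenever such conditions are added.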

10. SOC Shift Handoff Intelligence

AI agent generates comprehensive shift handoff reports — summarizing all domain-related investigations, open tickets, trending threats, and priority items enriched with domain intelligence context so incoming analysts can immediately continue investigations.

Step 1: Generate Shift Handoff Report
Page types and enrichment used: /login, /security, Domain Ages, OpenPageRank, Web Filtering

SOC SHIFT HANDOFF — DAY → SWING (14:00 UTC)
════════════════════════════════════════════════════════
SHIFT SUMMARY:
Alerts processed: 287 | Auto-resolved: 178 (62%)
Analyst-resolved: 94 | Open/escalated: 15

PRIORITY ITEMS FOR INCOMING SHIFT:
P1 — Active C2 Investigation (SOC-2026-4901)
Domain: data-sync-endpoint.xyz
Status: SERVER-DB-07 isolated, forensics in progress
Domain Intel: Age 19d, PageRank 0.0, Russia hosting, /api only
Next step: Complete memory forensics, identify lateral movement
P2 — Phishing Campaign Monitoring (SOC-2026-4908)
Cluster: 12 domains targeting employee benefits enrollment
Status: All domains blocked, monitoring for new variants
Domain Intel: Pattern = 3-8 day old domains, Philippines hosting
Next step: Monitor new domain registrations matching pattern
P3 — Shadow IT Investigation (SOC-2026-4912)
Domain: team-collab-workspace.io
Status: 4 users using unauthorized SaaS tool, data at risk
Domain Intel: Age 12d, PageRank 0.8, /login + /pricing present
Next step: Coordinate with IT for approved alternative

TRENDING THREATS:
CVE-2026-1847 exploit domains: +21 new domains today
Ransomware group infrastructure: 3 new negotiation portals detected
Brand impersonation: 5 new domains targeting our customer brands

Step 2: Track SOC Performance Metrics

SOC Performance — Domain Intelligence Impact

MONTHLY METRICS — FEBRUARY 2026
────────────────────────────────────────
Mean Time to Triage: 1.2 min (was 14 min before enrichment)
Mean Time to Respond: 4.7 min (was 47 min)
False Positive Rate: 3.2% (was 33.8%)
Auto-Resolution Rate: 62% (was 0%)
Analyst Capacity Freed: 4.2 FTE/shift
User Report Response Time: 2 min 14 sec (was 4+ hours)

DOMAIN INTELLIGENCE VALUE
Domains scored this month: 428M queries enriched
Proactive blocks (before alert): 12,847 malicious domains
Customer brands protected: 847 brands, 23 phishing campaigns stopped
Get in Touch

Interested in AI Agent Domain Intelligence?

For pricing, subscription options, custom database builds, or enterprise partnerships — contact us below.

Power Your AI Agents with Domain Intelligence

Subscribe to the AI Agent Domain Database — continuous access to 100M+ domains, 20 page types each, quarterly refreshes, and real-time change signals.


Annual subscription includes quarterly data refreshes, change detection alerts, and priority API access.