SOC Decisions With Evidence Paths¶
Case study: cybersecurity
Incident response needs traces, not vibes.
Security operations combine messy telemetry, fast timelines, and strict playbooks. The system must connect evidence into defensible chains, and enforce which actions are allowed.
The question¶
Can AI support SOC triage and response while preserving chain-of-custody, enforcing playbooks, and producing incident traces that withstand review?
Failure modes to avoid¶
Hallucinated links
Invented relationships between events can send responders down the wrong path.
Action without authorization
Some responses must be gated by role, environment, and blast-radius constraints.
Lost provenance
If you cannot show where a claim came from, you cannot justify the response.
Non-replayable decisions
You need a trace you can replay later, not a transient chat transcript.
Context collapse
Alerts lack business and infrastructure context; without it, prioritization becomes guesswork.
Overbroad containment
Fast actions can cause outages; response steps must be constrained by impact and safety checks.
What changes with causal memory + playbook constraints¶
```mermaid
flowchart TB
%% Styles (brModel Standard)
classDef i fill:#D3D3D3,stroke-width:0px,color:#000;
classDef p fill:#B3D9FF,stroke-width:0px,color:#000;
classDef r fill:#FFFFB3,stroke-width:0px,color:#000;
classDef o fill:#C1F0C1,stroke-width:0px,color:#000;
classDef s fill:#FFB3B3,stroke-width:0px,color:#000;
I_A(["Alert"]):::i
R_Tel(["Telemetry<br>(EDR, SIEM, cloud logs)"]):::r
R_Asset(["Asset + business context"]):::r
R_IAM(["IAM + privileges"]):::r
R_PB(["Playbooks + approvals<br>(versioned)"]):::r
P_Enr("Enrich + correlate"):::p
P_TL("Build timeline"):::p
R_TL(["Timeline artifact"]):::r
P_E("Expand evidence graph"):::p
R_Path(["Hypothesis paths<br>(evidence per edge)"]):::r
G_Ev{"Evidence sufficient?"}:::s
S_Req(["Request missing telemetry/scope"]):::i
P_Sel("Select playbook step"):::p
P_Sim("Simulate blast radius"):::p
G_Risk{"High risk?"}:::s
G_Auth{"Authorized?"}:::s
P_G("Playbook + constraint gate"):::p
G_OK{"Gates pass?"}:::s
O_R(["Recommend / execute response"]):::o
S_X(["Abstain + escalate"]):::i
R_T(["Incident trace package<br>(evidence + rules + actions)"]):::r
O_IR(["Incident record<br>(postmortem-ready)"]):::o
I_A --> P_Enr
R_Tel --> P_Enr
R_Asset --> P_Enr
R_IAM --> P_Enr
R_PB --> P_Enr
P_Enr --> P_TL --> R_TL --> P_E --> R_Path --> G_Ev
G_Ev -->|"no"| S_Req --> R_T
G_Ev -->|"yes"| P_Sel --> P_Sim --> G_Risk
G_Risk -->|"yes"| G_Auth
G_Risk -->|"no"| G_Auth
G_Auth -->|"no"| S_X --> R_T
G_Auth -->|"yes"| P_G --> G_OK
G_OK -->|"yes"| O_R --> R_T --> O_IR
G_OK -->|"no"| S_X --> R_T
%% Clickable nodes
click P_G "/methodology/constraints/" "Constraints & SHACL"
click P_E "/methodology/causalgraphrag/" "CausalGraphRAG"
```
The point is decision mechanics: telemetry and context become a timeline artifact and hypothesis paths. Then gates enforce evidence sufficiency, authorization, risk/blast radius, and playbook constraints. Every path ends in a trace package plus a postmortem-ready incident record.
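The "timeline artifact" and "hypothesis paths (evidence per edge)" stages above, as an added example that is not code from the page or its project. It builds a timeline from constructed JSON telemetry, then proposes a path whose every edge carries the attributes the two events share; an edge that references an event missing from the timeline (a hallucinated link), has no shared attribute, or runs backwards in time fails the "Evidence sufficient?" gate. The event fields, the `LINK_KEYS` set and the sample lines are assumptions made for the example.

```python
"""Added example: correlate telemetry into a timeline and an evidence-backed hypothesis path."""
import json
from datetime import datetime

# Constructed sample telemetry for the example (not real logs): IdP, EDR and cloud events.
SAMPLE_TELEMETRY = [
    '{"id":"ev-1","ts":"2024-05-01T10:00:05Z","source":"idp","event":"login","user":"alice","ip":"198.51.100.7"}',
    '{"id":"ev-2","ts":"2024-05-01T10:02:11Z","source":"edr","event":"process","host":"ws-17","user":"alice","cmd":"powershell.exe -nop -w hidden"}',
    '{"id":"ev-3","ts":"2024-05-01T10:03:40Z","source":"cloud","event":"AssumeRole","user":"alice","ip":"198.51.100.7","role":"admin-break-glass"}',
    '{"id":"ev-4","ts":"2024-05-01T09:59:59Z","source":"edr","event":"process","host":"ws-17","user":"bob","cmd":"notepad.exe"}',
]

# Assumed set of attributes that may tie two events together.
LINK_KEYS = ("user", "host", "ip")


def build_timeline(raw_lines):
    """Parse JSON lines and order them by timestamp; this is the timeline artifact."""
    events = [json.loads(line) for line in raw_lines]
    for e in events:
        e["_ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["_ts"])


def edge_evidence(src, dst):
    """Attributes both events agree on; these are the evidence attached to the edge."""
    return {k: src[k] for k in LINK_KEYS if k in src and k in dst and src[k] == dst[k]}


def propose_path(timeline, event_ids):
    """Build a hypothesis path over consecutive event ids, recording evidence and problems per edge."""
    by_id = {e["id"]: e for e in timeline}
    path = []
    for src_id, dst_id in zip(event_ids, event_ids[1:]):
        src, dst = by_id.get(src_id), by_id.get(dst_id)
        edge = {"src": src_id, "dst": dst_id, "evidence": {}, "problems": []}
        if src is None or dst is None:
            # A link to an event that is not in the timeline is a hallucinated link.
            edge["problems"].append("references an event that is not in the timeline")
        else:
            edge["evidence"] = edge_evidence(src, dst)
            if not edge["evidence"]:
                edge["problems"].append("no shared attribute links these events")
            if dst["_ts"] < src["_ts"]:
                edge["problems"].append("destination precedes source in time")
        path.append(edge)
    return path


def evidence_sufficient(path):
    """The gate: every edge has evidence and no recorded problem."""
    return bool(path) and all(edge["evidence"] and not edge["problems"] for edge in path)


def missing_evidence(path):
    """What to request on the 'no' branch, so the request for telemetry/scope is concrete."""
    return [f"{e['src']} -> {e['dst']}: {'; '.join(e['problems'])}" for e in path if e["problems"]]
```

The design choice worth noting: the path is never accepted on the strength of its narrative. Each edge is accepted only if the two events share a concrete attribute, and the rejection reasons are returned as the list of things to request, so the "no" branch of the gate produces work for a collector rather than a dead end.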
Diagram: incident trace object (conceptual)¶
```mermaid
flowchart TB
%% Styles (brModel Standard)
classDef i fill:#D3D3D3,stroke-width:0px,color:#000;
classDef p fill:#B3D9FF,stroke-width:0px,color:#000;
classDef r fill:#FFFFB3,stroke-width:0px,color:#000;
classDef o fill:#C1F0C1,stroke-width:0px,color:#000;
classDef s fill:#FFB3B3,stroke-width:0px,color:#000;
I_Ev(["Raw evidence<br>(logs, alerts, snapshots)"]):::i
P_Norm("Normalize + hash"):::p
R_Ev(["Evidence items<br>(with fingerprints)"]):::r
P_Cust("Bind chain-of-custody"):::p
G_Cust{"Custody intact?"}:::s
S_Stop(["Stop + notify<br>(provenance break)"]):::i
P_Build("Build trace object"):::p
R_H(["Hypotheses + paths"]):::r
R_RU(["Rules applied<br>(playbooks + constraints)"]):::r
R_AC(["Actions<br>allowed / blocked"]):::r
R_TS(["Timestamps + scope"]):::r
R_T(["Incident trace<br>(signed artifact)"]):::r
P_Store("Write to case store"):::p
O_Case(["Replayable case file<br>(postmortem / audit)"]):::o
I_Ev --> P_Norm --> R_Ev --> P_Cust --> G_Cust
G_Cust -->|"no"| S_Stop
G_Cust -->|"yes"| P_Build
P_Build --> R_H
P_Build --> R_RU
P_Build --> R_AC
P_Build --> R_TS
R_H --> R_T
R_RU --> R_T
R_AC --> R_T
R_TS --> R_T
R_T --> P_Store --> O_Case
%% Clickable nodes
click R_T "/methodology/brcausalgraphrag/" "Trace objects"
```
A trace is a signed artifact with custody: raw evidence is fingerprinted, custody is validated, and only then does the system bind evidence, paths, rules, and actions. "Provenance break" becomes an explicit stop condition, not a hidden failure.
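The trace object described above, as an added example that is not the page's or the project's own code. Raw evidence is fingerprinted with SHA-256, custody is recorded as a hash chain in which each entry commits to the evidence hash and to the previous entry, and the trace is built and signed only after the chain validates; a custody failure raises `ProvenanceBreak` so the stop is explicit. The HMAC key, the `ProvenanceBreak` class, the field names and the sample evidence bytes are assumptions made for the example; a deployment would sign with an asymmetric key the SOC controls.

```python
"""Added example: fingerprint evidence, bind a hash-chained custody log, and emit a signed trace."""
import hashlib
import hmac
import json

# Assumption: an HMAC key stands in for the case store's signing key (constructed for the example).
SIGNING_KEY = b"example-case-store-key"
GENESIS = "0" * 64  # previous-hash value for the first custody entry


class ProvenanceBreak(Exception):
    """Raised when custody cannot be validated; the caller stops and notifies."""


def canonical(obj) -> bytes:
    """Deterministic JSON so hashes and signatures are reproducible on replay."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def normalize(raw_items):
    """raw_items: (evidence_id, source, raw_bytes). Returns evidence items with SHA-256 fingerprints."""
    return [{"id": i, "source": s, "sha256": hashlib.sha256(b).hexdigest(), "size": len(b)}
            for i, s, b in raw_items]


def bind_custody(items, handlers):
    """Hash-chained custody log: each entry commits to the evidence hash and to the previous entry."""
    chain, prev = [], GENESIS
    for item, handler in zip(items, handlers):
        entry = {"evidence_id": item["id"], "sha256": item["sha256"], "handler": handler, "prev": prev}
        entry["entry_hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        chain.append(entry)
        prev = entry["entry_hash"]
    return chain


def custody_intact(chain, items):
    """Validate chain links, each entry's own hash, and that entries match the evidence items."""
    by_id, prev = {i["id"]: i for i in items}, GENESIS
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev:
            return False, f"chain link broken before {entry['evidence_id']}"
        if hashlib.sha256(canonical(body)).hexdigest() != entry["entry_hash"]:
            return False, f"custody entry for {entry['evidence_id']} was altered"
        item = by_id.get(entry["evidence_id"])
        if item is None or item["sha256"] != entry["sha256"]:
            return False, f"evidence {entry['evidence_id']} does not match its custody record"
        prev = entry["entry_hash"]
    return True, "ok"


def build_trace(items, chain, hypotheses, rules_applied, actions, scope, created):
    """Bind evidence, paths, rules and actions only after custody is validated; then sign."""
    ok, reason = custody_intact(chain, items)
    if not ok:
        raise ProvenanceBreak(reason)  # explicit stop condition, not a silent failure
    body = {"evidence": items, "custody": chain, "hypotheses": hypotheses,
            "rules_applied": rules_applied, "actions": actions, "scope": scope, "created": created}
    sig = hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}


def verify_trace(trace):
    """Replay check: signature over the body, then custody over the embedded evidence."""
    expected = hmac.new(SIGNING_KEY, canonical(trace["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, trace["signature"]):
        return False, "signature mismatch"
    return custody_intact(trace["body"]["custody"], trace["body"]["evidence"])


# Constructed raw evidence for the example (not real logs).
RAW = [("ev-1", "idp", b'{"event":"login","user":"alice"}'),
       ("ev-2", "edr", b'{"event":"process","host":"ws-17","cmd":"powershell.exe -nop"}')]
```

Because the custody chain is embedded in the signed body, a reviewer replaying the case can check both properties from the artifact alone: that nobody edited the recorded decision after signing, and that the evidence the decision cites is the evidence that was collected.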
Diagram: escalation gates (blast radius, authorization, and uncertainty)¶
```mermaid
flowchart TB
%% Styles (brModel Standard)
classDef i fill:#D3D3D3,stroke-width:0px,color:#000;
classDef p fill:#B3D9FF,stroke-width:0px,color:#000;
classDef r fill:#FFFFB3,stroke-width:0px,color:#000;
classDef o fill:#C1F0C1,stroke-width:0px,color:#000;
classDef s fill:#FFB3B3,stroke-width:0px,color:#000;
I_Trig(["Trigger<br>(hypothesis + playbook step)"]):::i
P_Der("Derive action candidate"):::p
R_Act(["Action candidate<br>(contain / block / isolate)"]):::r
P_Scope("Estimate scope"):::p
R_Scope(["Scope estimate<br>(assets, accounts, time)"]):::r
P_Run("Select runbook steps"):::p
R_Run(["Runbook plan<br>(step list)"]):::r
G_Auth{"Authorized?"}:::s
G_Ev{"Evidence sufficient?"}:::s
G_Risk{"High risk?"}:::s
G_Safe{"Containment safe?"}:::s
P_Approve("Collect approvals"):::p
G_App{"Approvals complete?"}:::s
O_Auto(["Auto-execute<br>(low risk)"]):::o
O_Rec(["Recommend<br>(runbook steps)"]):::o
S_Esc(["Escalate to IR lead<br>+ change control"]):::i
R_Trace(["Decision trace<br>(gates + reasons)"]):::r
R_Tkt(["Case / change ticket<br>(links to trace)"]):::r
I_Trig --> P_Der --> R_Act --> P_Scope --> R_Scope --> P_Run --> R_Run --> G_Auth
G_Auth -->|"no"| S_Esc --> R_Trace
G_Auth -->|"yes"| G_Ev
G_Ev -->|"no"| S_Esc
G_Ev -->|"yes"| G_Risk
G_Risk -->|"yes"| G_Safe
G_Risk -->|"no"| G_Safe
G_Safe -->|"no"| S_Esc
G_Safe -->|"yes"| P_Approve --> G_App
G_App -->|"no"| S_Esc
G_App -->|"yes"| O_Auto --> R_Trace
R_Trace --> O_Rec --> R_Tkt
```
These gates prevent dangerous automation: even if a hypothesis exists, actions must pass authorization, evidence sufficiency, risk/blast radius, and containment safety. The trace records every gate and reason, and can be attached to case/change tickets for accountable execution. Product: a decision trace linked to a case/change ticket with the concrete runbook plan and approvals.
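The gate sequence above, as an added example that is not the page's or the project's own code. An action candidate is run through authorization, evidence sufficiency, a risk classification, containment safety and (for high-risk actions) approvals; every gate and its reason lands in a decision trace, so when something is blocked the trace names the missing role, evidence or approval. The `PLAYBOOK` constraints, the role names, the risk rule (action kind or target count) and the split between `auto_execute` for low risk and `recommend` for approved high-risk actions are assumptions made for the example.

```python
"""Added example: run an action candidate through the escalation gates and record a decision trace."""
from dataclasses import dataclass, field


@dataclass
class ActionCandidate:
    kind: str             # e.g. "isolate_host", "disable_account", "block_ip"
    targets: list         # assets, accounts or addresses the action touches
    environment: str      # "prod" or "staging"


@dataclass
class DecisionContext:
    actor_role: str                                     # role requesting the action
    evidence_per_edge: list                             # evidence count per edge of the hypothesis path
    critical_assets: set = field(default_factory=set)   # from asset + business context
    approvals: set = field(default_factory=set)         # roles that have already approved


# Assumed, versioned playbook constraints; constructed for this example.
PLAYBOOK = {
    "version": "2024.05.1",
    "allowed_roles": {
        "block_ip": {"ir_lead", "tier2", "soar"},
        "isolate_host": {"ir_lead", "tier2"},
        "disable_account": {"ir_lead"},
    },
    "high_risk_kinds": {"isolate_host", "disable_account"},
    "auto_execute_max_targets": 1,
    "high_risk_approvals": {"ir_lead", "change_control"},
}


def evaluate(action: ActionCandidate, ctx: DecisionContext, playbook=PLAYBOOK) -> dict:
    """Walk the gates in diagram order; stop at the first failure and escalate."""
    trace = {"playbook_version": playbook["version"], "action": action.kind,
             "targets": list(action.targets), "environment": action.environment,
             "gates": [], "decision": None}

    def gate(name, passed, reason):
        trace["gates"].append({"gate": name, "passed": passed, "reason": reason})
        return passed

    allowed = playbook["allowed_roles"].get(action.kind, set())
    if not gate("authorized", ctx.actor_role in allowed,
                f"{action.kind} needs one of {sorted(allowed)}; actor role is {ctx.actor_role}"):
        trace["decision"] = "escalate"
        return trace

    weak = [i for i, n in enumerate(ctx.evidence_per_edge) if n == 0]
    ok = bool(ctx.evidence_per_edge) and not weak
    reason = ("every edge carries evidence" if ok
              else f"edges without evidence: {weak}" if weak else "no hypothesis path supplied")
    if not gate("evidence_sufficient", ok, reason):
        trace["decision"] = "escalate"
        return trace

    # Risk classification is recorded, not a pass/fail gate: it decides which branch applies.
    high_risk = (action.kind in playbook["high_risk_kinds"]
                 or len(action.targets) > playbook["auto_execute_max_targets"])
    trace["gates"].append({"gate": "high_risk", "answer": high_risk,
                           "reason": f"kind={action.kind}, targets={len(action.targets)}"})

    unsafe = [t for t in action.targets if t in ctx.critical_assets]
    if not gate("containment_safe", not unsafe,
                "no critical asset in scope" if not unsafe else f"would take down critical assets: {unsafe}"):
        trace["decision"] = "escalate"
        return trace

    if high_risk:
        missing = playbook["high_risk_approvals"] - ctx.approvals
        if not gate("approvals_complete", not missing,
                    "all approvals present" if not missing else f"missing approvals: {sorted(missing)}"):
            trace["decision"] = "escalate"
            return trace
        trace["decision"] = "recommend"     # runbook steps go to a human, approvals attached
    else:
        trace["decision"] = "auto_execute"  # low risk, authorized, evidenced, safe
    return trace


def blocked_by(trace):
    """Playbook gap detection: the first failing gate and its reason, or None if nothing failed."""
    return next((g for g in trace["gates"] if g.get("passed") is False), None)
```

The trace is the product here, not the decision: `blocked_by` reads it back to tell you which playbook permission or approval was missing, which is the "playbook gap detection" output, and the same dict is what gets linked from the case or change ticket.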
Outputs¶
Defensible hypotheses
Mechanistic chains that connect alerts to likely causes with evidence per edge.
Governed responses
Actions are constrained by playbooks, roles, environments, and blast radius.
Replayable incident traces
Postmortems become faster because the reasoning artifact is explicit.
Safer automation
Abstention is a designed outcome when evidence or authorization is insufficient.
Chain-of-custody evidence
Telemetry, timestamps, and scope captured as an artifact so reviews don't depend on screenshots and memory.
Playbook gap detection
When constraints block action, you learn which playbook step or permission is missing, and how to fix it.