Quick Links

Blumira SOC Auto-Focus: AI-powered threat analysis and response

Overview

Cybersecurity teams face an ongoing challenge: responding to complex threats, gathering environmental context, and determining appropriate next steps—all within critical time constraints. Blumira SOC Auto-Focus addresses this challenge by delivering AI-powered analysis that transforms how security teams investigate and respond to threats.

Blumira SOC Auto-Focus is an AI-driven feature that provides automated threat analysis, environmental context, and actionable response guidance for security findings. Rather than requiring teams to manually parse complex log data, conduct external research, or wait for support assistance, this feature delivers comprehensive threat intelligence directly within the app in a matter of seconds.

SOC Auto-Focus leverages Blumira's internal detection expertise through advanced prompt engineering paired with years of testing and research data, effectively scaling the knowledge of our Incident Detection Engineering (IDE) and Security Operations Support (SOS) teams across all customer environments. This approach ensures consistent, high-quality analysis regardless of the time of day or availability of human experts.

Required: An active XDR or Automate license is required to use SOC Auto-Focus.

Key capabilities

Blumira SOC Auto-Focus provides the following core analytical components for each security finding:

  • Time to Action: Clear guidance on how quickly analysts should respond, backed by AI confidence scoring and true/false positive validation.
  • Threat Overview: Clear explanation of why the detection was triggered and what security principles were violated.
  • Technical Analysis: Detailed breakdown of how the threat was identified, including specific detection logic and evidence correlation.
  • Investigation Steps: Structured guidance for conducting thorough security investigations, tailored to the specific threat type and environment.
  • Remediation Actions: Prioritized response steps for you to take action on, designed to eliminate immediate threats and prevent recurrence.
  • Contextual Intelligence: Analysis incorporating multiple related findings and their data, gathered from the immediate days surrounding the focus finding, in order to provide a broader perspective of the threat or suspicious activity.

Using SOC Auto-Focus

Accessing the assistant

SOC Auto-Focus is available in Blumira Findings to users with Administrator, Manager, or Responder roles and appears on all findings, regardless of which detection rule generated the finding.

Screenshot 2025-09-26 at 8.33.35 AM.png

To perform an analysis, do the following:

  1. Navigate to Reporting > Findings and open a security finding.
  2. On the finding’s details page, locate the SOC Auto-Focus section.
  3. Verify that no analysis already exists and that you have not reached the hourly or monthly limit.
  4. Click Generate AI Analysis.
  5. The window displays “Generating AI analysis” until the results successfully load.
    Note: If an error appears, refresh the page to verify that another user has not run an analysis simultaneously.
  6. After the results load, review the following sections of the analysis for important information and recommendations:
    • Summary and Details, including Affected Assets and IOCs
    • Technical Analysis
    • Investigation Steps
    • Remediation Steps

Interpreting results

Caution: AI-generated analysis might contain subtle errors, logical inconsistencies, or inappropriate content that might not be immediately obvious. AI tools work best when combined with human oversight and domain expertise, and we recommend caution and verifying data before taking dramatic action on your assets.

Each analysis provides structured sections addressing different aspects of the threat, including the following:

  • Technical Analysis
    • The "Why?" section explains the fundamental security concern and policy violations identified by the detection rule.
    • The "How?" section details the technical mechanisms behind the detection, including specific log sources and correlation logic used.
  • Investigation Steps provide a numbered checklist for conducting a thorough threat assessment, including verification procedures and evidence gathering techniques.
  • Remediation Steps offer prioritized actions for threat containment and elimination, often including both immediate response measures and longer-term security improvements.

Managing analyses

Concurrent analysis by team members is not possible, meaning attempts to generate an analysis are shared by the account and count as one run per the six-hour limit. When a user clicks the "Generate Analysis" button, this runs for all users in the account, preventing other users from clicking the button. All users will be able to view the results another user generates, but this might require refreshing the page.

Once generated, the most recent analysis remains accessible indefinitely for that finding. A previously generated analysis cannot be recalled except when an attempted re-analysis fails to complete. The system tracks generation timestamps and displays them in your local timezone for easy reference. 

Tip: Click "Copy analysis" at the bottom of the window to copy the entire assessment to your clipboard, and then paste it into an external tool for later reference or sharing.

When multiple team members access the same finding, they will see a shared analysis rather than generating separate assessments. This approach ensures consistent information across your security team while preserving usage allocations.

Understanding usage limits

The feature operates under specific usage parameters designed to ensure optimal performance. Those limits are as follows:

  • Monthly allocation: The baseline limit is 10 analyses per month, with 1 additional run per 5 employees (i.e., users) in your organization. As an example, if your organization has 1,000 employees, you will be able to run 210 total analyses per month. 

    Tip: To calculate your monthly allocation based on the users in your organization, review the User Count value on the Organizations page (Settings > Organizations). MSP administrators can review the License Count column of sub-accounts in the MSP Portal's Accounts page.
  • Regeneration timing: New analyses can be generated every 6 hours for the same finding; however, each run counts against the monthly usage limit, even when regenerated on the same finding.

After generating an analysis, you must wait six hours before you can run another analysis for the same finding. The window will display "Waiting for cooldown" until six hours have passed.

The current number of runs remaining for your account appears below the "Generate AI Analysis" button, allowing you to monitor your monthly usage against your limit.

Providing feedback about an analysis

After reviewing an analysis, you can rate the helpfulness using thumbs-up/down indicators at the end of the results. Provide feedback multiple times as your investigation progresses. Feedback submissions are recorded without displaying vote counts or previous ratings, allowing for ongoing assessment as situations evolve.

Best practices for implementation

To maximize the value of Blumira SOC Auto-Focus, consider integrating it into your standard investigation workflow. Use the AI analysis as a starting point for threat assessment rather than a complete investigation replacement. The structured investigation steps can serve as a checklist to ensure comprehensive threat analysis.

Pay particular attention to the timeframe indicators, which show which evidence was incorporated into the analysis. Understanding the temporal scope helps contextualize the recommendations and identify any recent developments that might require additional consideration.