Configure AI threat detection workbooks

Implementation Effort: Low – Involves deploying workbook templates from the Content hub and customizing visualizations to focus on AI-specific analytics rule outputs and incident data.
User Impact: Low – Admin-only activity; workbooks are consumed by SOC analysts and security leadership.

Overview

Analytics rules generate individual alerts and incidents, but individual alerts do not show trends. A workbook that aggregates AI threat detection data — prompt injection attempt volume over time, alert distribution by agent identity, incident resolution rates for AI-specific cases — gives the SOC and security leadership a continuous view of the AI threat landscape. Without this, the team reviews incidents one at a time and has no mechanism to assess whether detection coverage is adequate, whether certain agent identities are disproportionately targeted, or whether AI threat activity is trending upward.
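The three aggregations named above map to three workbook query items. The KQL below is an added example, not a query shipped with any Content hub template, and it assumes the standard Sentinel `SecurityAlert` and `SecurityIncident` tables, that AI alerts and incidents are identifiable by the phrase "prompt injection" in `AlertName` / `Title`, and that the agent identity appears in the alert's `Entities` JSON as an entity of `Type` "account" with a `Name` property; the filter and entity path must be adjusted to how your analytics rules actually populate those fields.

```kql
// Added example (not from the page or a Content hub template).
// Each query below is meant for its own workbook query item; in a workbook,
// replace the fixed lookback with the TimeRange parameter ({TimeRange:start}).
let lookback = 30d;

// 1. Prompt injection attempt volume over time, split by severity.
//    ASSUMPTION: AI analytics rules put "prompt injection" in AlertName.
SecurityAlert
| where TimeGenerated > ago(lookback)
| where AlertName has "prompt injection"
| summarize Attempts = count() by bin(TimeGenerated, 1d), AlertSeverity
| order by TimeGenerated asc

// 2. Alert distribution by agent identity.
//    ASSUMPTION: the agent is mapped as an "account" entity whose Name is the identity.
SecurityAlert
| where TimeGenerated > ago(lookback)
| where AlertName has "prompt injection"
| mv-expand Entity = todynamic(Entities)
| where tostring(Entity.Type) == "account"
| extend AgentIdentity = tostring(Entity.Name)
| where isnotempty(AgentIdentity)
| summarize Alerts = count(), UniqueAlertTypes = dcount(AlertName) by AgentIdentity
| top 20 by Alerts desc

// 3. Incident resolution rate for AI-specific cases.
//    SecurityIncident holds one row per state change, so take the latest row per incident.
//    ClosedTime is null for open incidents, so the percentile only covers closed ones.
SecurityIncident
| where TimeGenerated > ago(lookback)
| where Title has "prompt injection"
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| summarize Total = count(),
            Closed = countif(Status == "Closed"),
            TruePositive = countif(Classification == "TruePositive"),
            MedianHoursToClose = percentile(datetime_diff("hour", ClosedTime, CreatedTime), 50)
| extend ResolutionRatePct = round(100.0 * Closed / Total, 1),
         TruePositiveRatePct = round(100.0 * TruePositive / Total, 1)
```

Render the first query as a time chart and the second as a bar chart so a disproportionately targeted agent identity, or a slow climb in low-severity attempts, is visible at a glance during the weekly review; the third query works as a tile set. The `arg_max` step in the third query matters: without it, every status transition of an incident is counted as a separate case and the resolution rate is overstated.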

Workbooks also serve as the primary artifact for periodic security reviews. When the SOC conducts a weekly or monthly AI threat review, the workbook provides the data-driven starting point for that conversation — not an ad-hoc query session, but a maintained, parameterized view that the team can reference consistently over time.

This supports Assume breach by providing continuous visibility into AI threat trends, enabling the team to detect coverage gaps and emerging attack patterns before they escalate into incidents. It supports Verify explicitly by surfacing aggregate patterns — such as a gradual increase in low-severity prompt injection attempts — that are invisible at the individual alert level but collectively indicate a probing campaign. Without workbooks, AI threat detection operates without feedback: rules fire, incidents close, and nobody evaluates whether the detection posture is improving or degrading.

Reference