AI-powered investigations for the modern SOC
As cyber threats grow in volume and complexity, security teams are under immense pressure to detect and respond to incidents faster. With limited resources and a shortage of skilled analysts, most security operations centers (SOCs) are overwhelmed.
To meet this challenge, IBM® QRadar® introduces the watsonx.ai® powered Investigation Assistant, an AI-powered application designed to revolutionize security operations through generative AI. Investigation Assistant streamlines workflows, enhances productivity and empowers analysts to uncover threats more efficiently.
Faster investigations with less manual effort.
Actionable short- and long-term recommendations for response.
Lower barrier for understanding advanced attack patterns.
With a single click, analysts receive a crisp, contextual offense summary that includes extended descriptions and key indicators. This summary helps identify:
By surfacing relevant context, the assistant reduces the risk of missing subtle threats and accelerates the investigation process.
The assistant offers two types of recommendations:
This dual approach ensures analysts can respond quickly and build long-term resilience.
After generating an offense summary, analysts can ask follow-up questions in natural language to explore:
This intuitive interaction model streamlines complex investigations and drives faster, more efficient decisions.
The cost for a basic customer primarily depends on the number of input and output tokens that are used during interactions with the Investigation Assistant. However, the cost also depends on whether the customers need some of the advanced watsonx.ai features. Customers and partners are advised to refer to the watsonx.ai pricing tiers at watsonx.ai pricing to understand the cost implications or contact their IBM representative.
The key functionalities of the application are available to managed security service providers (MSSPs). With support for offense summary, MSSPs can learn about attack vectors that might affect source or destination IPs, hostnames and users. MSSPs can use the recommended steps for further investigation and mitigation.
The Investigation Assistant app officially supports only the watsonx SaaS subscription.
Investigation Assistant does not require any additional modules or licenses within QRadar SIEM for full functionality. Investigation Assistant also supports the latest QRadar Community Edition.
The first version of the Investigation Assistant app officially supports only offense summarization as its first use case. As of today, the app also replies to some general cybersecurity queries and to queries associated with QRadar.
Investigation Assistant takes advantage of Transport Layer Security (TLS) encryption for securely transmitting data.
Investigation Assistant uses large language models (LLMs) to generate responses to human prompts entered in natural language. QRadar Advisor with Watson (QRAW) does not have any chatbot or generative AI capabilities. The user experience is conversational and is therefore different from QRAW.
If an artifact is identified as malicious, the app provides valuable insights to help security analysts investigate potential threats. Users can ask follow-up questions to gain additional context and details, allowing them to understand the implications of the malicious artifact and take informed action.
Investigation Assistant is designed so that the data resides only in QRadar on a customer’s premises and does not need to be mirrored on IBM Cloud®. The QRadar offense API provides specific offense information to watsonx.ai for the offense summarization feature. For more information, see Keeping your data secure and compliant.
watsonx receives offense data from the QRadar offense API endpoint GET /siem/offenses/{offense_id}. This includes offense summary details such as ID, description, magnitude, source and destination IPs and rule information.
Data is transmitted only when it is initiated by the user. For example, data is transmitted when a user clicks the watsonx summary in the offense window or interacts with the AI-powered chatbot. No data is sent automatically or in the background without user action.
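One way to check the data-minimisation and user-initiated behaviour described above, as an added example that is not IBM's code: an allowlist that keeps only the documented offense summary fields and refuses to transmit without a user action. The field names and the sample offense are assumptions modelled on a QRadar offense record, not values from the page.

```python
"""Allowlist filter for the offense fields that leave the SIEM (added example)."""
from typing import Any, Dict, Optional, Set

# Categories come from the page (ID, description, magnitude, source and
# destination IPs, rule information); the exact key names are an assumption.
FORWARDED_FIELDS = frozenset({
    "id", "description", "magnitude",
    "source_address_ids", "destination_networks", "rules",
})

# Constructed sample offense shaped like a GET /siem/offenses/{offense_id}
# response (assumption). The last two keys stand in for extra data that a
# wider query might pull in and that must not be forwarded.
SAMPLE_OFFENSE: Dict[str, Any] = {
    "id": 1042,
    "description": "Excessive Firewall Denies from a single source",
    "magnitude": 7,
    "source_address_ids": [17],
    "destination_networks": ["Net-10-172-192.Net_192_168_0_0"],
    "rules": [{"id": 100205, "type": "CRE_RULE"}],
    "assigned_to": "analyst01",
    "raw_events": ["<constructed raw log line 1>", "<constructed raw log line 2>"],
}


def build_summary_payload(offense: Dict[str, Any]) -> Dict[str, Any]:
    """Return only the allowlisted fields; everything else is dropped."""
    return {k: v for k, v in offense.items() if k in FORWARDED_FIELDS}


def dropped_fields(offense: Dict[str, Any]) -> Set[str]:
    """Fields present in the record but withheld from the request (for audit)."""
    return set(offense) - FORWARDED_FIELDS


def request_summary(offense: Dict[str, Any], user_initiated: bool) -> Optional[Dict[str, Any]]:
    """Only a user action (e.g. clicking the watsonx summary) triggers transmission.

    Returns the payload that would be sent, or None when nothing is sent.
    """
    if not user_initiated:
        return None
    return build_summary_payload(offense)


if __name__ == "__main__":
    print("withheld:", sorted(dropped_fields(SAMPLE_OFFENSE)))
    print("sent:", request_summary(SAMPLE_OFFENSE, user_initiated=True))
```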
watsonx does not use customer data for training foundation models. This approach ensures that sensitive or proprietary information remains private and is not used to improve or retrain the underlying AI models. For more details, refer to the IBM documentation on Security and privacy for foundation models.