Book a demo call with us
Cross icon
Qevlar AI
Logo Qevlar
Product

Meet Qevlar Memory: Turn SOC Internal Wisdom Into Investigation Superpowers

Forget scattered notes and lost tribal knowledge. Qevlar Memory lets your SOC team record critical context once and use it everywhere, ensuring fewer false positives, clearer investigations, and faster onboarding for new analysts.

Natalia Kazankova
Natalia Kazankova
Principal Product Marketing Manager
Meet Qevlar Memory: Turn SOC Internal Wisdom Into Investigation Superpowers

TL;DR

  • SOC analysts carry critical context in their heads, like a user temporarily working abroad, scheduled internal network tests, or departments using niche tools, and that knowledge is lost when they're unavailable or leave.
  • Qevlar Memory lets you write that context in plain language, and the AI applies it automatically to every relevant investigation, like whitelisting but easier to set up and as granular as you need.
  • The result is fewer false positives where behavior is expected, and more thorough investigation where context raises the stakes, such as alerts involving VIP users.
  • Every time Memory is applied it's logged, so you can see which items the AI recalled and why a verdict was reached.

SOC analysts often carry critical context in their heads: what’s normal and what’s not in a particular environment. Think of patterns like:

  • A user working from an unusual country for a specific period of time.
  • A user on night shifts this week, active between 9 pm and 6 am.
  • Internal network tests running for a limited period.
  • Departments using niche tools that might otherwise look suspicious.

With Qevlar AI Memory, you can embed this knowledge directly into all relevant investigations.

All you need to do is share information and facts in natural language, and Qevlar will automatically apply them when investigating relevant alerts.

Why it matters

The more context you share, the more accurate your investigation results will be:

✅  Fewer false positives because Qevlar better understands the business specifics of your organization (e.g., VPN usage, internal scanning).

✅  More critical alerts investigated because Qevlar pays attention to your (or your client’s) additional business context (e.g., marking alerts connected with VIP users as malicious for thorough investigations).

Keeping investigation context in one place makes it easier to share knowledge across the team, especially with new teammates or analysts who haven’t worked with certain types of alerts or clients before. With Qevlar Memory, you make this knowledge accessible to everyone on your team.

How it works

Put simply, it works like whitelisting, but easier to set up and as granular as you need it to be.

  1. Ping your Qevlar Admin to add or edit the context. Admins users manage Memory.
  2. To create a new memory item, open the Memory tab in the left menu, then click + Memory item.
  3. Share the context in a structured way, ideally using this pattern:

[Entity] is [permitted/not permitted] to [action] in [context/environment].

Examples:

  • TOR traffic from host 10.1.2.3 is expected when user abc uses the Brave browser. Any TOR traffic from this host not associated with Brave usage should be treated as malicious.
  • The svc_backup account is used exclusively to perform backups every night between 01:00 and 03:00. Any connection with this account outside this time window, or from a machine other than the backup server, should be considered suspicious.
  • Users in the legal department receive encrypted PDF attachments from known partners; escalate only if the sender domain is new or the PDF opens a web form.
  • User HOME\PERSONX is a member of the security red team and performs rule detection testing with known malware files.
  • Our company has a legitimate branded Microsoft app login portal.

    4. If the memory item comes from a past investigation, include the Qevlar Investigation ID (e.g., 4726) as the Source. This makes it clear why the rule exists.

You can also create a memory item right from the investigation section:

  1. Save it & enjoy more accurate investigations 🎉 During every new investigation, Qevlar automatically checks whether a memory item applies to related alerts (hosts, users, processes, emails, domains, etc.).
👉 Note for MSSPs: Memory is client-specific and never shared across profiles.

How to track the impact of Memory on investigations

On the Memory overview page, you’ll see when a memory item was last applied to an investigation, indicating that it was recalled and considered by the AI during its analysis.

You can also see this in the investigation report: if a memory item was used, you’ll see the tag “Memory Used” in the overview. By clicking on it, you can view all memory items that were considered during the investigation.

💡 Have feedback? Share it with your dedicated Customer Success Manager - we very much value your thoughts!
Published on
September 29, 2025
Updated on
June 18, 2026
Table of content
H2 toc

Frequently asked questions

How should I phrase a memory item so the AI applies it correctly?

bar
bar

Write it as a clear statement of what's permitted or not permitted, for which entity, under what conditions, following the pattern "[Entity] is [permitted/not permitted] to [action] in [context]." Crucially, include the boundary that makes it safe: for example, the svc_backup account runs backups nightly between 01:00 and 03:00, and any use outside that window or from another machine should be treated as suspicious. Conditions are what stop a memory item from becoming a blanket exception.

Who can add or edit memory items, and why is that controlled?

bar
bar

Admin users manage Memory, so context isn't added ad hoc by anyone. That matters because a memory item shapes how future verdicts are reached, so it should be a deliberate, owned entry rather than an offhand note. You can also create an item directly from an investigation, and if it comes from a past case you can attach the Qevlar Investigation ID as the source, which records why the rule exists for whoever reviews it later.

Can I see when a memory item actually influenced an investigation?

bar
bar

Yes. The Memory overview page shows when each item was last applied, meaning the AI recalled and considered it during analysis. Inside an investigation report, a "Memory Used" tag appears in the overview, and clicking it lists every memory item the AI weighed. That auditability lets you confirm context is being used as intended and spot items that may be stale or never triggered.

See how much of your manual workload can be automated