
Meet Qevlar Memory: Turn SOC Internal Wisdom Into Investigation Superpowers

Natalia Kazankova

SOC analysts often carry critical context in their heads: what’s normal and what’s not in a particular environment. Think of patterns like:

  • A user working from an unusual country for a specific period of time.
  • A user on night shifts this week, active between 9 pm and 6 am.
  • Internal network tests running for a limited period.
  • Departments using niche tools that might otherwise look suspicious.

With Qevlar AI Memory, you can embed this knowledge directly into all relevant investigations.

All you need to do is share information and facts in natural language, and Qevlar will automatically apply them when investigating relevant alerts.

Why it matters

The more context you share, the more accurate your investigation results will be:

✅  Fewer false positives because Qevlar better understands the business specifics of your organization (e.g., VPN usage, internal scanning).

✅  More critical alerts investigated because Qevlar pays attention to your (or your client’s) additional business context (e.g., marking alerts connected with VIP users as malicious for thorough investigations).

Keeping investigation context in one place makes it easier to share knowledge across the team, especially with new teammates or analysts who haven’t worked with certain types of alerts or clients before. With Qevlar Memory, you make this knowledge accessible to everyone on your team.

How it works

Put simply, it works like whitelisting, but easier to set up and as granular as you need it to be.

  1. Ping your Qevlar Admin to add or edit the context. Admin users manage Memory.
  2. To create a new memory item, open the Memory tab in the left menu, then click + Memory item.
  3. Share the context in a structured way, ideally using this pattern:

[Entity] is [permitted/not permitted] to [action] in [context/environment].

Examples:

  • TOR traffic from host 10.1.2.3 is expected when user abc uses the Brave browser. Any TOR traffic from this host not associated with Brave usage should be treated as malicious.
  • The svc_backup account is used exclusively to perform backups every night between 01:00 and 03:00. Any connection with this account outside this time window, or from a machine other than the backup server, should be considered suspicious.
  • Users in the legal department receive encrypted PDF attachments from known partners; escalate only if the sender domain is new or the PDF opens a web form.
  • User HOME\PERSONX is a member of the security red team and performs detection-rule testing with known malware files.
  • Our company has a legitimate branded Microsoft app login portal.

  4. If the memory item comes from a past investigation, include the Qevlar Investigation ID (e.g., 4726) as the Source. This makes it clear why the rule exists.
  5. Save it & enjoy more accurate investigations 🎉 During every new investigation, Qevlar automatically checks whether a memory item applies to related alerts (hosts, users, processes, emails, domains, etc.).

You can also create a memory item right from the investigation section.

👉 Note for MSSPs: Memory is client-specific and never shared across profiles.
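To make the pattern concrete, here is an added example (not Qevlar's code or its memory format) of how a structured memory item in the [Entity] is [permitted] to [action] in [context] shape can be checked against an alert; the item fields, the alert keys, and the host and process names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class MemoryItem:
    """One item in the [Entity] is [permitted/not permitted] to [action] in [context] pattern."""
    entity: str       # user, account or host the item is about
    permitted: bool   # True = expected behaviour, False = known-bad behaviour
    action: str       # e.g. "logon", "tor_traffic" (assumed alert field values)
    context: dict     # conditions that must all hold for the item to apply
    source: str = ""  # e.g. the investigation ID the item came from

def in_window(t: str, start: str, end: str) -> bool:
    """True if HH:MM time t lies in [start, end]; the window may wrap midnight (21:00-06:00)."""
    t, start, end = (datetime.strptime(s, "%H:%M").time() for s in (t, start, end))
    return start <= t <= end if start <= end else (t >= start or t <= end)

def context_applies(alert: dict, context: dict) -> bool:
    """Every condition in the item's context must hold for the alert."""
    for key, want in context.items():
        ok = in_window(alert["time"], *want) if key == "window" else alert.get(key) == want
        if not ok:
            return False
    return True

def apply_memory(alert: dict, memory: list) -> tuple:
    """Return (verdict, items considered); verdict is 'expected', 'suspicious' or 'no_memory'."""
    considered, verdicts = [], []
    for item in memory:
        if item.action != alert["action"] or item.entity not in (alert.get("user"), alert.get("host")):
            continue  # item is about a different entity or action
        considered.append(f"{item.entity}/{item.action}")
        if context_applies(alert, item.context):
            verdicts.append("expected" if item.permitted else "suspicious")
        elif item.permitted:
            # A known entity acting outside its permitted context: the examples above say to
            # treat that as suspicious (svc_backup outside 01:00-03:00, TOR not tied to Brave).
            verdicts.append("suspicious")
    if not verdicts:
        return "no_memory", considered
    return ("suspicious" if "suspicious" in verdicts else "expected"), considered

# Constructed memory items modelled on the examples in this post (not Qevlar's own format).
MEMORY = [
    MemoryItem("svc_backup", True, "logon",
               {"src_host": "backup-srv", "window": ("01:00", "03:00")}, "Investigation 4726"),
    MemoryItem("10.1.2.3", True, "tor_traffic", {"process": "brave.exe"}),
]
# Constructed sample alert: the nightly backup logon, which memory marks as expected.
BACKUP_LOGON = {"user": "svc_backup", "action": "logon", "src_host": "backup-srv", "time": "02:15"}
```

Running `apply_memory(BACKUP_LOGON, MEMORY)` returns the verdict together with the list of items considered, which is the same information the "Memory Used" tag exposes in a report.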

How to track the impact of Memory on investigations

On the Memory overview page, you’ll see when a memory item was last applied to an investigation, indicating that it was recalled and considered by the AI during its analysis.

You can also see this in the investigation report: if a memory item was used, you’ll see the tag “Memory Used” in the overview. By clicking on it, you can view all memory items that were considered during the investigation.

💡 Have feedback? Share it with your dedicated Customer Success Manager - we very much value your thoughts!
