Prerequisites

Before you begin, make sure you have:
  • An Azure Entra ID account with access to your organization’s SoCMate instance
  • A connected Microsoft Sentinel workspace (configured by your admin)

Sign In

1. Navigate to SoCMate

Open your browser and go to your organization’s SoCMate URL (e.g., https://socmate.yourcompany.com).

2. Authenticate with Azure Entra ID

Click Sign In and authenticate with your Azure Entra ID credentials. Complete MFA if prompted. You will be redirected to the SoCMate dashboard after successful authentication.

3. Explore the Dashboard

The dashboard shows your recent investigations, pinned sessions, and a summary of recent Sentinel incidents. The sidebar provides navigation to all platform features.

Run Your First Investigation

1. Start a new investigation

Click New Investigation from the dashboard or sidebar. This opens the investigation chat interface.

2. Select a persona

Choose the persona that matches how you want the report formatted:
  • SOC Analyst — Technical details, IOCs, KQL queries, MITRE ATT&CK mappings
  • CISO — Executive summary, business impact, compliance implications

3. Enter your query

Type a natural language question about a security concern. For example:

    Investigate failed sign-in attempts for the last 7 days —
    are there any brute force patterns?

SoCMate accepts any security-related question. You do not need to know KQL.

4. Watch the investigation unfold

SoCMate’s investigation engine processes your query in real time:
  1. Entity Extraction — Identifies security entities (IPs, users, hosts) in your query
  2. Intent Determination — Classifies the investigation type (triage, hunting, compliance)
  3. Query Planning — Selects relevant Sentinel tables and query strategy
  4. Query Generation — Produces optimized queries for Microsoft Sentinel
  5. Execution — Runs queries against Microsoft Sentinel
  6. Evidence Assessment — Evaluates whether the evidence answers your question
  7. Report Generation — Generates a structured report
Each stage streams updates to the UI so you can see progress as it happens.
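
The seven stages above, walked through on the brute-force question from step 3 as an added illustration. This is not SoCMate's own code: the entity patterns, intent vocabulary, topic-to-table mapping, thresholds and risk scoring are assumptions made for the example, and the "execution" stage returns constructed rows rather than calling a workspace. Only the Sentinel table and column names (SigninLogs, ResultType, IPAddress, UserPrincipalName) are real.

```python
"""Toy walk-through of the seven investigation stages listed above.

Added illustration, not SoCMate's own code: the entity patterns, intent
vocabulary, topic-to-table mapping, thresholds and risk scoring are all
assumptions made for this example. Only the Sentinel table and column
names (SigninLogs, ResultType, IPAddress, UserPrincipalName) are real.
"""
import re
from dataclasses import dataclass

# Stage 1: Entity Extraction (assumed patterns for IPs, UPNs and hostnames).
ENTITY_PATTERNS = {
    "ip":   re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "user": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "host": re.compile(r"\b[A-Z]{2,}-[A-Z0-9]{2,}\b"),
}

def extract_entities(query: str) -> dict[str, list[str]]:
    found = {kind: sorted(set(p.findall(query))) for kind, p in ENTITY_PATTERNS.items()}
    return {kind: values for kind, values in found.items() if values}

# Stage 2: Intent Determination (keyword classifier; first matching class wins).
INTENT_KEYWORDS = {
    "hunting":    ("brute force", "pattern", "anomal", "lateral", "suspicious"),
    "compliance": ("compliance", "policy", "audit"),
    "triage":     ("incident", "alert", "affected", "investigate"),
}

def determine_intent(query: str) -> str:
    q = query.lower()
    return next((i for i, words in INTENT_KEYWORDS.items() if any(w in q for w in words)), "triage")

# Stage 3: Query Planning (topic -> Sentinel table; lookback parsed from the text).
TOPIC_TABLES = {"sign-in": "SigninLogs", "sign in": "SigninLogs", "process": "DeviceProcessEvents"}

@dataclass
class QueryPlan:
    table: str
    lookback: str                 # KQL timespan literal such as "7d"
    intent: str
    entities: dict[str, list[str]]

def plan_query(query: str, intent: str, entities: dict[str, list[str]]) -> QueryPlan:
    q = query.lower()
    table = next((t for topic, t in TOPIC_TABLES.items() if topic in q), "SecurityEvent")
    m = re.search(r"last (\d+) (day|hour|minute)s?", q)
    return QueryPlan(table, f"{m.group(1)}{m.group(2)[0]}" if m else "1d", intent, entities)

# Stage 4: Query Generation. Only regex-validated entity values are interpolated,
# so free text from the analyst's question never lands inside the KQL string.
def generate_kql(plan: QueryPlan, threshold: int = 20) -> str:
    lines = [plan.table, f"| where TimeGenerated > ago({plan.lookback})"]
    if plan.table == "SigninLogs":
        lines.append('| where ResultType != "0"')          # non-zero ResultType = failed sign-in
        for ip in plan.entities.get("ip", []):
            lines.append(f'| where IPAddress == "{ip}"')
        if plan.intent == "hunting":
            lines.append("| summarize Failures = count(), Targets = dcount(UserPrincipalName) by IPAddress")
            lines.append(f"| where Failures >= {threshold}")
    return "\n".join(lines)

# Stage 5: Execution. Constructed rows stand in for the workspace's response;
# the stand-in only re-applies the Failures threshold found in the query text.
SAMPLE_RESULTS = [
    {"IPAddress": "203.0.113.7",  "Failures": 412, "Targets": 38},
    {"IPAddress": "198.51.100.2", "Failures": 3,   "Targets": 1},
]

def execute(kql: str, rows: list[dict] = SAMPLE_RESULTS) -> list[dict]:
    m = re.search(r"Failures >= (\d+)", kql)
    return [r for r in rows if r["Failures"] >= (int(m.group(1)) if m else 0)]

# Stage 6: Evidence Assessment. Did the rows answer the question, and what do they show?
def assess_evidence(rows: list[dict]) -> dict:
    spray = [r for r in rows if r["Targets"] > 10]   # one source hitting many accounts
    return {"answered": bool(rows), "brute_force_sources": rows, "password_spray_sources": spray}

# Stage 7: Report Generation. The 0-10 risk score is an assumed heuristic.
def build_report(assessment: dict) -> dict:
    score = min(10, 3 * len(assessment["brute_force_sources"]) + 4 * bool(assessment["password_spray_sources"]))
    return {
        "risk_score": score,
        "iocs": [r["IPAddress"] for r in assessment["brute_force_sources"]],
        "mitre": ["T1110"] if assessment["brute_force_sources"] else [],   # ATT&CK Brute Force
        "recommendation": "Block the listed sources and enforce MFA and lockout." if score else "No action.",
    }

def run_investigation(query: str) -> dict:
    entities = extract_entities(query)
    intent = determine_intent(query)
    kql = generate_kql(plan_query(query, intent, entities))
    report = build_report(assess_evidence(execute(kql)))
    return {"entities": entities, "intent": intent, "kql": kql, "report": report}

if __name__ == "__main__":
    result = run_investigation("Investigate failed sign-in attempts for the last 7 days - any brute force patterns?")
    print(result["kql"], result["report"], sep="\n")
```

Running the script prints the generated KQL for the brute-force question and a report that scores the one source failing hundreds of times against many accounts. The point to notice in stage 4 is that only values that already passed an entity pattern are placed into the query, which is the property you want from any natural-language-to-KQL layer in front of your workspace.
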

5. Review the report

The investigation report includes:
  • Executive Summary with risk score (0-10)
  • Timeline of observed events
  • Indicators of Compromise (IOCs)
  • MITRE ATT&CK technique mappings
  • Recommendations for remediation
  • Entity diagram showing relationships between discovered entities

Ask Follow-Up Questions

After receiving a report, you can ask follow-up questions in the same session. SoCMate retains full context from prior queries and results.

    Also check what processes were running on affected hosts
    during the suspicious activity window.

Follow-ups re-run the investigation with awareness of all previous entities, query results, and findings. This lets you drill deeper without repeating yourself.

Key Concepts

Investigation Session

A conversation thread between you and SoCMate. Each session can have multiple queries and follow-ups, all sharing context. Sessions are persisted and searchable.

Persona

Controls the tone, detail level, and structure of investigation reports. SOC Analyst personas produce technical reports; CISO personas produce executive summaries.

Knowledge Graph

A persistent graph of security entities (IPs, users, hosts, domains) and their relationships, built from investigation results. Entities discovered in one investigation are linked to entities from others.
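
An added illustration of the two ideas above, session context carried into follow-ups (the Ask Follow-Up Questions section) and a knowledge graph that links entities across investigations. This is not SoCMate's own code: the entity keys, the co-occurrence edge model and the two sample investigations are assumptions constructed for the example.

```python
"""Added illustration of session context and a persistent knowledge graph.

Not SoCMate's own code: the entity keys, the co-occurrence edge model and the
two sample investigations below are assumptions constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

Entity = tuple[str, str]   # (kind, value), e.g. ("ip", "203.0.113.7")

@dataclass
class Session:
    """One investigation thread: every query's entities stay in scope for follow-ups."""
    session_id: str
    entities: set[Entity] = field(default_factory=set)
    history: list[str] = field(default_factory=list)

    def add_query(self, text: str, found: set[Entity]) -> set[Entity]:
        self.history.append(text)
        self.entities |= found
        return set(self.entities)        # a follow-up sees the union, not just its own entities

class KnowledgeGraph:
    """Entities are nodes; an edge records that two entities appeared in the same session."""
    def __init__(self) -> None:
        self.neighbours: dict[Entity, set[Entity]] = defaultdict(set)
        self.seen_in: dict[Entity, set[str]] = defaultdict(set)

    def ingest(self, session: Session) -> None:
        for e in session.entities:
            self.seen_in[e].add(session.session_id)
            self.neighbours[e] |= session.entities - {e}

    def related(self, entity: Entity, depth: int = 2) -> set[Entity]:
        """Breadth-first walk: entities reachable within `depth` hops, across all sessions."""
        frontier, seen = {entity}, {entity}
        for _ in range(depth):
            frontier = {n for e in frontier for n in self.neighbours.get(e, ())} - seen
            seen |= frontier
        return seen - {entity}

    def sessions_touching(self, entity: Entity) -> set[str]:
        return set(self.seen_in.get(entity, ()))

def build_sample_graph() -> tuple[KnowledgeGraph, Session, Session]:
    """Two constructed investigations that share one host; not real data."""
    graph = KnowledgeGraph()
    a = Session("sess-A")   # brute-force investigation, then the follow-up about affected hosts
    a.add_query("failed sign-ins, brute force?", {("ip", "203.0.113.7"), ("user", "alice@corp.example")})
    a.add_query("processes on affected hosts?", {("host", "WS-0421")})
    b = Session("sess-B")   # a separate investigation days later that also touched WS-0421
    b.add_query("who else used WS-0421?",
                {("host", "WS-0421"), ("user", "bob@corp.example"), ("domain", "login-portal.example")})
    graph.ingest(a)
    graph.ingest(b)
    return graph, a, b

if __name__ == "__main__":
    graph, _, _ = build_sample_graph()
    ip = ("ip", "203.0.113.7")
    print("sessions:", graph.sessions_touching(("host", "WS-0421")))
    print("within 2 hops of the brute-force IP:", graph.related(ip))
```

Within a session, `add_query` returns the accumulated entity set, which is what lets a follow-up such as "processes on affected hosts" still know which IP and user the thread is about. Across sessions, the graph's two-hop walk from the brute-force IP reaches the user and domain found in the later, unrelated-looking investigation, because both sessions touched the same host.
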

Scheduled Investigation

A recurring investigation that runs automatically on a schedule (daily, weekly, monthly). Useful for monitoring patterns like failed sign-ins or anomalous network activity.

Section          What You’ll Find
Dashboard        Recent investigations, pinned sessions, incident summary
Investigations   Start new investigations, browse history, search past sessions
Incidents        Sentinel incidents synced automatically, with enrichment and investigation launch
Schedules        Create and manage recurring investigations
Knowledge Graph  Visual explorer for entities and relationships across investigations
Admin            SIEM providers, LLM models, users, API keys (admin role only)

Next Steps

Investigations

Learn about advanced investigation features, capabilities, and the chat interface.

API Reference

Integrate SoCMate with your existing tools and workflows via the REST API.