AI Triage & Summarization
AI triage is the core of Seliq. Within seconds of an alert arriving, Seliq analyses it in the context of your environment — pulling in asset data, historical patterns, and threat intelligence — and produces a structured summary that tells your analyst what they’re looking at before they open a single log.
How it works
When a normalised alert hits the triage engine, Seliq runs four parallel analysis tasks:
1. Context enrichment
Seliq looks up every entity in the alert (IPs, hostnames, users, hashes) against:
- Your asset inventory (imported via integration or manually maintained)
- Internal historical incident data — has this entity appeared in a previous incident?
- Threat intelligence feeds — is this IP or hash on a known-bad list?
2. Correlation
Seliq checks whether this alert should be grouped with other recent alerts. Correlation happens across:
- Same entity (e.g. multiple alerts involving 192.168.1.47 within 30 minutes)
- Same source (e.g. a burst of Sentinel alerts from the same detection rule)
- Attack pattern matching (e.g. an authentication alert followed by a lateral movement alert)
Correlated alerts are grouped into a single incident. Each new alert added to a group triggers a summary refresh.
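As an added illustration of the three correlation rules above (example code, not Seliq's own), the following Python groups a constructed set of normalised alerts into incidents. The alert fields, the single 30-minute window applied to every rule, and the pattern table are assumptions; the rules and sample data are constructed for the example.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # "within 30 minutes"; assumed to apply to every rule here
# Ordered category pairs treated as one attack sequence (assumed encoding of
# "an authentication alert followed by a lateral movement alert").
PATTERNS = {("authentication", "lateral_movement")}

def related(prev, new):
    """True if `new` should be grouped with the earlier alert `prev`."""
    if new["ts"] - prev["ts"] > WINDOW:
        return False                                   # outside the correlation window
    if set(prev["entities"]) & set(new["entities"]):
        return True                                    # same entity (IP, host, user, hash)
    if (prev["source"], prev["rule"]) == (new["source"], new["rule"]):
        return True                                    # burst from the same detection rule
    # Attack pattern match; assumption: no shared entity required for the match.
    return (prev["category"], new["category"]) in PATTERNS

def correlate(alerts):
    """Group alerts into incidents. Alerts are processed in time order; each
    joins the first incident containing a related alert, else opens a new one."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        for incident in incidents:
            if any(related(prev, alert) for prev in incident):
                incident.append(alert)
                break
        else:
            incidents.append([alert])
    return incidents

T0 = datetime(2024, 1, 1, 14, 0)    # constructed base timestamp
def _alert(id_, minutes, source, rule, category, *entities):
    return {"id": id_, "ts": T0 + timedelta(minutes=minutes), "source": source,
            "rule": rule, "category": category, "entities": list(entities)}

SAMPLE = [  # constructed normalised alerts, not real telemetry
    _alert("a1", 0,   "Sentinel",  "SuspiciousLogin",  "authentication",   "alice", "WKSTN-047"),
    _alert("a2", 6,   "GuardDuty", "ImpossibleTravel", "authentication",   "alice"),
    _alert("a3", 20,  "EDR",       "ProcessInjection", "lateral_movement", "192.168.1.47"),
    _alert("a4", 70,  "Sentinel",  "SuspiciousLogin",  "authentication",   "bob"),
    _alert("a5", 72,  "Sentinel",  "SuspiciousLogin",  "authentication",   "carol"),
    _alert("a6", 100, "EDR",       "C2Beacon",         "network",          "192.168.1.47"),
]

if __name__ == "__main__":
    for n, incident in enumerate(correlate(SAMPLE), 1):
        print(f"incident {n}:", [a["id"] for a in incident])
```

Note that a6 shares an entity with a3 but lands 80 minutes later, so the window keeps it out of the first incident; a2 joins on the shared user, a3 on the authentication-then-lateral-movement pattern, and a5 on the same-rule burst.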
3. Summary generation
Seliq generates a plain-English incident summary that answers three questions:
- What happened? (the event)
- What is the potential impact? (the risk)
- What should the analyst do? (the recommendation)
Summaries are regenerated as new alerts are added to an incident. Analysts can flag a summary as inaccurate to improve future outputs.
4. Severity scoring
Seliq assigns an AI severity score that may differ from the source severity. It factors in the enrichment results — an alert rated medium by your SIEM might be escalated to critical by Seliq if the affected host is a domain controller with no recent patching.
Reading an AI summary
A Seliq AI summary has four parts:
[SEVERITY] Active Intrusion — Lateral Movement Detected
What happened:
Process injection detected on WKSTN-047 (svchost.exe) at 14:23 UTC,
followed by an outbound connection to 203.0.113.42 — a known C2 range.
An impossible travel login for the same user account was detected in
AWS GuardDuty 6 minutes later.
Entities: WKSTN-047 (Tier 1 asset), 203.0.113.42 (Known bad — TI match)
Recommendation:
Isolate WKSTN-047 immediately. Reset credentials for the affected account.
Block outbound to 203.0.113.0/24.
Confidence: High · 3 correlated events
Feedback and tuning
Analysts can rate every AI summary as accurate, partially accurate, or inaccurate. Feedback is used to improve summary quality for your specific environment over time. You can also flag specific recommendations as incorrect without rating the whole summary.
Disabling AI triage
AI triage is on by default. You can disable it per workspace from Settings → AI Triage if you need to run Seliq in a pure alert-routing mode. Individual analysts can also choose to collapse the AI summary panel if they prefer to start their own investigation without seeing the recommendation first.