Network Context for the Agentic SOC: Prophet Security and ExtraHop

Augusto Barros
June 1, 2026

An AI agent's verdict is only as reliable as the context it reasons over. Pre-correlated, high-fidelity context produces fast, confident, defensible determinations. Fragmented, low-quality context is often why investigation determinations stay inconclusive — routing back to a human analyst to finish what the agent started.

Endpoint, identity, and cloud are the domains where agentic investigation already works well. Endpoint detections come with process trees and parent-child lineage. Identity alerts come with session metadata, MFA history, and geolocation. Cloud detections come with API call records and IAM context. An AI agent can pick up any of those and run a credible investigation.

Network has been the exception. Today we're changing that.

We've partnered with ExtraHop to bring RevealX network detections and network telemetry directly into Prophet's Agentic AI SOC Platform. Every RevealX detection is now investigated end-to-end by Prophet AI SOC Analyst, and ExtraHop is available as a network context source for investigations originating from other security tools.

How Prophet AI and ExtraHop work together

The integration supports three use cases for our joint customers:

  1. Network alerts as the source. Prophet AI investigates ExtraHop detections directly — the default for customers who want every RevealX detection investigated end-to-end.
  2. Network as context for other alerts. An identity provider fires an impossible-travel alert, or an EDR raises a process anomaly. Prophet calls into ExtraHop during the investigation to answer questions like "what did this host communicate with around the time of the alert," "was there unusual protocol use," or "did this device contact anything on a watchlist." This is the mode that drives the most cross-tool value over time — turning a single ExtraHop deployment into a context source that improves investigations across every other alert type.
  3. Threat hunting. Prophet AI Threat Hunter can issue natural-language threat hunting queries that translate into ExtraHop record-search API calls, allowing analysts to hunt across network telemetry without needing to learn ExtraHop's query language.

The integration also supports bi-directional workflows between the two products:

ExtraHop RevealX → Prophet AI. Prophet AI investigates alerts from RevealX, both NDR alerts (lateral movement, ransomware indicators, C2, recon, exfiltration) and Identity alerts (user-attributed activity). Prophet AI’s agents investigate each alert: they generate a comprehensive list of investigative questions, retrieve data from ExtraHop and other security tools to answer those questions, develop a timeline, and reach a determination (i.e., is it malicious or benign). Every step, every query, and all evidence are preserved and visible to the analyst.

Prophet AI → ExtraHop RevealX. Once Prophet AI reaches a determination, the corresponding ExtraHop detection is updated: status, resolution, assignee, and a link back to the Prophet investigation. Analysts can click straight from the ExtraHop console into the full Prophet investigation. The customer's ExtraHop console stops accumulating stale open detections that Prophet has already closed out.

The integration is consistent with how Prophet AI integrates with over 80 other security tools: Prophet AI’s agents determine what context they need, retrieve it from the appropriate security data source, and reason with the evidence, rather than waiting for a human to assemble the picture.

Getting started

The integration is available today at no additional charge from either company, and takes only a few minutes to configure. 

If you're new to either side, reach out and we'll set up a joint demo. Our teams are working closely together on this and we genuinely enjoy showing it off.

If you’re a joint customer, please reach out to your Prophet customer success contact or email us at support@prophetsecurity.ai to get set up.
