About Zoho's Zia Insights

In this page:

• How Zia Insights work
• Benefits of integrated Zia Insights experience

ManageEngine Log360 Cloud uses Zoho's Zia Insights, an AI-powered engine to enhance log analysis, threat detection, and incident response. By leveraging contextual AI, Zia Insights transforms raw logs, security events, audit trails, alerts, and incidents into actionable insights, enabling you to quickly identify risks, get context on an event, possible mitigation steps, and add value by mapping MITRE ATT&CK® techniques to the events wherever possible for effective analysis.

How Zia Insights work

This section elaborates the underlying architecture and functioning of Log360 Cloud's Zia Insights. Zia Insights capability of Log360 Cloud works with bring your own key (BYOK) model with Azure Open AI. By processing logs, alerts, and incidents, Zia Insights delivers contextual summaries, highlights potential risks, maps relevant activities to MITRE ATT&CK® techniques, and suggests possible remediation steps. These insights enable security teams to understand the event context better, accelerate investigations, and strengthen response strategies.

Figure 1: Workflow of Log360 Cloud's Zia Insights

Zia Insights workflow

1. Invoking Zia Insights

The workflow begins when a user initiates a request for insight by selecting a specific log, alert, or incident within Log360 Cloud. This action triggers the Zia Insights engine to begin its analysis.

Once invoked, Log360 Cloud automatically retrieves all relevant data associated with the selected item. This includes raw logs, event metadata, alert context, or incident timelines, depending on the request initiated by the user. This collected information forms the input layer, which is critical to the insight generation process.

The input layer aggregates a wide range of security data sources, including:

• Security events, system logs, and network activity: Collected from endpoints, firewalls, cloud infrastructure, and other monitored systems
• Alerts, detections (correlation alerts), and anomalies: Triggered through rule-based correlation alerts or anomaly detection mechanisms
• Security incidents, investigation cases, and escalated events: Data related to ongoing or historical threats under review by the SOC team

This comprehensive dataset ensures that Zia Insights has all the context it needs to generate actionable insights.

2. Insight generation

Once the relevant security data is collected, it is passed to the Zia Insights core engine, which leverages the capabilities of Azure OpenAI to transform raw data into contextual insights.

Zia Insights pairs the retrieved data with a predefined set of instructions known as a prompt. This prompt defines how Zia Insights should interpret the data and how the output should be structured.

Zia Insights then processes the data through several core components:

• Context analyzer

  Reconstructs the event timeline, identifies key actions, and potential threat classifications.

• MITRE ATT&CK® mapper

  Matches detected behaviors to known attacker tactics and techniques using the MITRE ATT&CK® framework, helping the SOC team understand potential threat stages.

• Remediation AI

  Suggests investigation steps, containment strategies, and recovery recommendations tailored to the specific scenario.

3. Outcomes from Zia Insights

After processing and analyzing the input data, Zia Insights produces a structured output that is both actionable and context-aware. The key components of the outcomes include:

Contextual summaries

Summarizes the event with a timeline, key indicators, and impact analysis.

• Timeline: Reconstructs the sequence of related events to provide temporal clarity.
• Key indicators: Highlights important information such as source IPs, user accounts, processes, and anomaly markers.
• Impact analysis: Evaluates the potential effect of the event on systems, users, or business operations, helping teams prioritize response.

MITRE ATT&CK® mapping

Based on the behaviors observed, Zia Insights maps the activity to corresponding MITRE ATT&CK® tactics and techniques. This enables standardized threat classification and aids in investigation and threat hunting.

Potential remediation

Zia Insights offers suggested investigation steps, immediate containment actions, and troubleshooting guidance to support timely and informed action.

Benefits of Zia Insights

Log360 Cloud's Zia Insights empowers SOC team's investigation process and effectively mitigate or neutralize a threat with unprecedented speed. It allows SOC professionals to:

• Proactively hunt for subtle indicators: Leverage the Summary, Insights, and Timeline in Zia Insights to uncover subtle indicators of compromise proactively. These segments quickly highlight relevant events, actors, and entities, letting you address anomalies sooner.
• Accelerate Investigation: By automatically providing context, identifying actors, entities, and laying out the attack chain with MITRE ATT&CK® framework mapping.
• Enable Rapid Remediation: By offering specific, actionable steps tailored to the detected threat and log types.
• Enhance Threat Intelligence: By consistently mapping incidents to MITRE ATT&CK® , building institutional knowledge of adversary tactics.
• Optimize Analyst Productivity: By offloading initial analysis and information gathering to the AI, allowing human analysts to focus on critical decision-making and strategic defense.

Read also

This document detailed the working principles and key use cases of Zia Insights in ManageEngine Log360 Cloud. For configuring and leveraging the capabilities of Zia Insights, refer to the articles below:

• Using Zia Insights
• Setting up Zia Insights