GreyMatter Workflows — Enhanced Automation and Agentic Teammate Capabilities
This month we rolled out powerful workflow improvements to all GreyMatter customers, including a dedicated Workflows Tab for managing your automation and an enhanced, user-friendly builder experience. You can now schedule workflows to run automatically on a recurring basis and easily duplicate existing workflows to use as templates for new ones.
For customers using Teammates, you can now build your own Agentic Teammate workflows directly inside GreyMatter. Instead of relying solely on pre-built operations, you have the design authority to create multi-step, AI-driven workflows using three new nodes.
The Teammate Instructions Node allows you to invoke a full teammate (such as Hunt, Intel, IR, or Detect) to autonomously investigate or analyse a situation using a natural language prompt. To expand this capability even further, the "Discover" persona is now available within this node, allowing you to seamlessly pull in Intel data, scan your environment for related exposures, and route the findings into a report or follow-up action.
Additionally, the Execute Prompt Node lets you send prompts to an AI model to extract specific fields like IOCs or risk scores for later steps. Finally, the Teammate Action Node triggers specific actions, like running a hunt or deploying a detection rule, complete with an optional human approval gate for high-impact decisions. Together, these updates allow you to define your own AI use cases and run them on any trigger or schedule.
Autonomous Teammates — Action Approvals
To ensure timely reviews of AI-driven actions, a dedicated notification type now surfaces in the platform whenever a Teammate action is pending analyst approval, ensuring nothing gets missed in your day-to-day operations.
GreyMatter Agentic Memories
The agentic memory system has been upgraded and now combines with model guidance to create a central location for managing instructions given to our agentic systems. You now have complete control over how and where Memories are applied across three distinct categories: Global memories apply to every IR investigation, Adaptive memories trigger when an investigation reaches a specified similarity threshold, and Conditional-based memories activate only when user-specified criteria, such as a specific Rule ID, are met.
Transit — Multi-Event Detection
GreyMatter Transit now supports Multi-Event Detection, enabling you to correlate multiple events to identify advanced, multi-stage attacks before the data even reaches storage. This means more complex detections can be run directly in transit, significantly reducing the reliance on storage technologies and decreasing your overall Mean Time to Detect (MTTD).
GreyMatter Cases — Enhancements
Our latest enhancements to Case Collaboration improve usability and efficiency across the board. Navigating and acting within your workflow is now easier with the ability to manage attachments directly within Cases, save frequently used filters, and create reusable Investigate queries. We have also introduced a more consistent UI for taking bulk actions on Tasks, alongside an evolving, AI-powered summary that provides an insightful overview of the Case as new information is gathered.
Automated Detection Rule Tuning
To help streamline analyst workflows, we are introducing automated detection rule tuning. When a user closes an alert as "False Positive — Create Tuning Ticket," the tuning recommendation is automatically reviewed, tested, and surfaced for your approval. You can easily manage and approve these tasks in the newly added Detection Tuning section within Cases before any changes are applied to your environment.
GreyMatter Chat — Digital Risk Protection (DRP)
GreyMatter Chat now includes Digital Risk Protection (DRP) data. This allows you to explore and understand DRP alerts using natural language, surfacing insights, trends, and potential threat actor activity through an intuitive conversational experience.
GreyMatter Mobile App — Intel on the Go and Experience Updates
GreyMatter Intel is now fully accessible within the GreyMatter Mobile App, bringing critical threat intelligence directly to your mobile device. This major expansion of our mobile capabilities ensures you can stay ahead of emerging threats while on the go. You can now access Intel Updates, comprehensive Threat Advisories, and detailed Threat Profiles, complete with advanced search and filtering capabilities.
Alongside this intelligence update, we have added new customization features to the GreyMatter Mobile App. You can now configure your preferred session timeout duration within the app settings, up to a default of 8 hours, which resets with every log-in.
GreyMatter — Source Health Monitoring
GreyMatter now continuously monitors the health of your integrated sources to detect issues like expired credentials, revoked permissions, and connectivity failures in real time. Required API permissions are clearly displayed during source setup, and any subsequent errors are intelligently deduplicated and reported with an automatically updating health status. You can easily acknowledge, correct, and resolve these alerts by adding notes directly within the platform.
New Direct Sources
| Source | Description | Supported GreyMatter Capabilities |
|---|---|---|
| Akamai Traffic Peak | This integration leverages sub-second queries to allow analysts to search and hunt across massive volumes of Akamai traffic log data directly within GreyMatter alongside other security telemetry. | Detection at Source — RQ Authored, Investigate and Hunt |
| Proofpoint Cloud Threat Response (TRIC) | By integrating with the TRIC Messages API, this connector enables security analysts to search, retrieve, and analyze email messages directly within GreyMatter, providing unified investigation and detection capabilities across the security stack. | Detection at Source — Vendor Authored, Investigate and Hunt |
| SailPoint IdentityIQ | This integration provides GreyMatter with unified visibility into identity-based events, enabling cross-system investigations, automated response actions (such as disabling users or resetting passwords), and a comprehensive identity asset inventory across connected enterprise applications. | Investigate / Hunt, Asset Inventory, Respond |
| Claude Compliance | By connecting GreyMatter to Anthropic’s enterprise Compliance API, this integration ingests usage events that are then evaluated against ReliaQuest-authored detection rules. Events are surfaced for analyst investigation via Investigate and can be actioned through Respond playbooks to delete chats, files, or projects for compliance and data-loss prevention. | Investigate / Hunt, Detection at Source — RQ Authored, Respond |
Enhanced Direct Sources
| Source | Updated GreyMatter Capabilities |
|---|---|
| CyberArk Workforce Identity | Authentication Updates — The integration now uses User ID and Password authentication instead of manual tokens. GreyMatter automatically manages token generation and refreshes behind the scenes, resolving recurring 401 errors and eliminating the need for repeated manual intervention. |
