https://catalogartifact.azureedge.net/publicartifacts/adaquestinc1589508805668.scp_agent_l1_soc_triage_agent-f1701a43-a10d-423c-928d-1646a9ca0bfd/image0_adaLogoAgent216.png
L1 SOC Triage Agent
durch adaQuest
Dieses Produkt enthält eine kostenlose Testversion. Dauer und Nutzungslimits können je nach Angebot und Herausgeber variieren.
Just a moment, logging you in...
Enhance SOC workflows with L1, designed for rapid triage and threat prioritization.
L1 SOC Triage Agent is a Security Copilot agent built to help SOC Level 1 analysts investigate incidents in the unified security operations experience with the judgment, structure, and consistency expected from a senior analyst.
The agent is designed for evidence-driven triage, not simple incident summarization. It investigates the incident, enriches relevant entities, validates supporting signals, identifies gaps, and recommends a clear analyst action: close, remediate, or escalate.
Inputs:
- IncidentId: required. The incident identifier provided by the analyst.
- LookbackDays: optional. Analysis window used for supporting investigation and enrichment. Default: 30 days.
Tasks:
- Resolve and investigate the incident from the unified Defender portal experience.
- Correlate and enrich with Microsoft Sentinel workspace evidence through configured KQL queries.
- Review incident metadata, related alerts, evidence, timeline, severity, status, and classification context.
- Extract and enrich users, identities, devices, IP addresses, URLs, domains, files, and hashes.
- Investigate identity and login context using Microsoft Entra and Defender identity signals, including sign-in patterns, risky users, audit activity, and suspicious authentication indicators.
- Enrich indicators with Microsoft Defender Threat Intelligence, including reputation, DNS, WHOIS, hosting, and related threat intelligence where available.
- Use Microsoft Purview enrichment when the incident suggests DLP, data exposure, insider risk, file activity, sensitive data movement, or possible exfiltration.
- Separate confirmed evidence from weak signals, assumptions, and unavailable data.
- Generate follow-up KQL suggestions so analysts can manually corroborate important findings when needed.
Outputs:
- Structured Level 1 triage report.
- Final verdict with confidence level and evidence rationale.
- Recommended analyst action: Close, Remediate, or Escalate.
- Closure reason and ready-to-use closure comment when the incident can be closed.
- Escalation reason, target team, and ready-to-use escalation comment when Level 2 or a specialized team should take over.
- Entity enrichment summary covering users, devices, indicators, files, hashes, and relevant data risk signals.
- Threat intelligence findings for IPs, URLs, domains, and hashes when present.
- Login and identity investigation summary.
- Purview/data risk summary when applicable.
- Investigation coverage checklist and data gaps.
- Suggested analyst follow-up KQL queries for validation.
Required integrations may include Microsoft Defender XDR, Microsoft Sentinel, Microsoft Entra, Microsoft Defender Threat Intelligence, Microsoft Purview, and Security Copilot. The agent operates in read-only investigation mode and does not automatically close, isolate, remediate, or modify incidents.
Version history / change log: v2.6.19
- Refining the stable L1 SOC Triage Agent execution model with stronger runtime controls, improved investigation quality, reduced risk of loops or unnecessary tool execution, and graceful handling for empty device enrichment results.
Estimated SCU consumption:
Typical runs are expected to consume approximately 0.8 to 2.0 SCUs depending on incident complexity, number of entities, enabled plugins, available evidence, and lookback window. Larger incidents with many entities, extensive threat intelligence enrichment, Purview context, or broad Sentinel correlation may consume more.
Auf einen Blick
https://catalogartifact.azureedge.net/publicartifacts/adaquestinc1589508805668.scp_agent_l1_soc_triage_agent-f1701a43-a10d-423c-928d-1646a9ca0bfd/image2_Screenshot4.png
https://catalogartifact.azureedge.net/publicartifacts/adaquestinc1589508805668.scp_agent_l1_soc_triage_agent-f1701a43-a10d-423c-928d-1646a9ca0bfd/image3_Screenshot5.png
https://catalogartifact.azureedge.net/publicartifacts/adaquestinc1589508805668.scp_agent_l1_soc_triage_agent-f1701a43-a10d-423c-928d-1646a9ca0bfd/image5_Screenshot6.png