Initial Triage Agent
by Inspira Enterprise Inc.
Performs evidence-based analysis and structured triage for Sentinel and Defender XDR incidents.
Agent Tasks:
Deterministic, contract-locked initial triage agent for Microsoft Sentinel and Microsoft Defender XDR incidents. It automatically detects the incident source, then retrieves incident metadata, alerts, entities, comments, status and classification context, guided response (where available), and historical incidents that share entities or show similar alert patterns. It performs evidence-based triage of new, active/open, and closed/resolved incidents using only Sentinel/XDR-native data, applies bounded historical closure pattern analysis to keep dispositions consistent with prior analyst decisions, and generates concise structured triage output for Logic App consumption and incident task injection.
Agent Workflow:
Input:
User request or automated trigger providing a Microsoft Sentinel or Microsoft Defender XDR incident requiring deterministic initial triage and evidence-based disposition analysis.
Output:
Verdict, Confidence Score, Classification Reasoning, Live Entity Investigation Summary, Critical Evidence Observed, Attack Timeline, Recommended Actions, Incident source identification (Sentinel or XDR), Current incident status/context assessment, Relevant historical incident comparison insights, Bounded historical closure pattern signal for disposition support, and flat, subheading-free structured output optimized for Logic App integration and incident task injection.
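To make the "bounded historical closure pattern signal" concrete, the following is an added example, written for this page and not code from Inspira's agent or any Microsoft SDK. It assumes incidents have already been fetched and reduced to plain records (the `Incident` dataclass, the entity key format `type:value`, and the sample data are all constructed here). It selects closed historical incidents that share entities with the current one, caps the candidate set so one noisy entity cannot swamp the verdict, reports the signal as insufficient below a minimum sample size instead of extrapolating, and renders the result as flat `Key: value` lines suitable for injection into an incident task:

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Closure classifications as exposed on Sentinel incidents.
CLASSIFICATIONS = ("TruePositive", "FalsePositive", "BenignPositive", "Undetermined")


@dataclass(frozen=True)
class Incident:
    incident_id: str
    provider: str                 # provider label as seen on the incident (assumed field)
    status: str                   # "New", "Active" or "Closed"
    classification: str | None    # populated only once status == "Closed"
    entities: frozenset           # normalised "type:value" strings, e.g. "ip:203.0.113.5"


def detect_source(provider: str) -> str:
    """Classify the incident source from its provider label (heuristic, assumed labels)."""
    p = provider.lower()
    if "sentinel" in p:
        return "Sentinel"
    if "defender" in p or "xdr" in p:
        return "XDR"
    return "Unknown"


def closure_pattern_signal(current: Incident, history: list[Incident],
                           max_matches: int = 20, min_samples: int = 3) -> dict:
    """Bounded historical closure pattern signal.

    Only closed incidents with a recognised classification and at least one
    shared entity are considered. Candidates are ranked by entity overlap and
    capped at max_matches; below min_samples the signal is flagged as
    insufficient rather than turned into a verdict.
    """
    matches = []
    for h in history:
        if h.status != "Closed" or h.classification not in CLASSIFICATIONS:
            continue
        overlap = current.entities & h.entities
        if overlap:
            matches.append((len(overlap), h))
    # Highest overlap first; incident_id breaks ties so the result is deterministic.
    matches.sort(key=lambda t: (-t[0], t[1].incident_id))
    matches = matches[:max_matches]

    counts = Counter(h.classification for _, h in matches)
    sample = len(matches)
    if sample < min_samples:
        return {"sample_size": sample, "counts": dict(counts), "dominant": None,
                "support": 0.0, "sufficient": False}
    dominant, n = counts.most_common(1)[0]
    return {"sample_size": sample, "counts": dict(counts), "dominant": dominant,
            "support": round(n / sample, 2), "sufficient": True}


def render_flat(source: str, signal: dict) -> list[str]:
    """Flat, subheading-free lines for Logic App / incident task injection."""
    counts = ", ".join(f"{k}={v}" for k, v in sorted(signal["counts"].items())) or "none"
    return [
        f"Incident Source: {source}",
        f"Historical Closure Sample Size: {signal['sample_size']}",
        f"Historical Closure Counts: {counts}",
        f"Historical Closure Dominant: {signal['dominant'] or 'insufficient data'}",
        f"Historical Closure Support: {signal['support']}",
    ]


def build_sample() -> tuple[Incident, list[Incident]]:
    """Constructed sample data (not from any real tenant)."""
    current = Incident("INC-100", "Azure Sentinel", "New", None,
                       frozenset({"account:alice@contoso.test", "ip:203.0.113.5", "host:ws01"}))
    history = [
        Incident("INC-001", "Azure Sentinel", "Closed", "FalsePositive",
                 frozenset({"ip:203.0.113.5", "account:alice@contoso.test"})),
        Incident("INC-002", "Microsoft Defender XDR", "Closed", "FalsePositive",
                 frozenset({"account:alice@contoso.test"})),
        Incident("INC-003", "Azure Sentinel", "Closed", "BenignPositive",
                 frozenset({"host:ws01"})),
        Incident("INC-004", "Azure Sentinel", "Closed", "TruePositive",
                 frozenset({"ip:198.51.100.9"})),          # no shared entity: excluded
        Incident("INC-005", "Azure Sentinel", "Active", None,
                 frozenset({"ip:203.0.113.5"})),           # still open: excluded
    ]
    return current, history


if __name__ == "__main__":
    cur, hist = build_sample()
    sig = closure_pattern_signal(cur, hist)
    for line in render_flat(detect_source(cur.provider), sig):
        print(line)
```

On the sample data the signal is built from three closed incidents (two FalsePositive, one BenignPositive), so the dominant closure is FalsePositive with 0.67 support; the open incident and the one with no shared entity are ignored. The signal is advisory only: it supports the disposition alongside the live entity evidence and never replaces it.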