Pasar al contenido principal
Products
L1 SOC Triage Agent
https://catalogartifact.azureedge.net/publicartifacts/adaquestinc1589508805668.scp_agent_l1_soc_triage_agent-5b596ebf-a9c1-4f4b-a530-8fa97325e215/image0_adaLogoAgent216.png

L1 SOC Triage Agent

por adaQuest

Evaluación gratuita

Enhance SOC workflows with L1, designed for rapid triage and threat prioritization.

L1 SOC Triage Agent is a Security Copilot agent built to help SOC Level 1 analysts investigate incidents in the unified security operations experience with the judgment, structure, and consistency expected from a senior analyst.
The agent is designed for evidence-driven triage, not simple incident summarization. It investigates the incident, enriches relevant entities, validates supporting signals, identifies gaps, and recommends a clear analyst action: close, remediate, or escalate.
Inputs:
  • IncidentId: required. The incident identifier provided by the analyst.
  • LookbackDays: optional. Analysis window used for supporting investigation and enrichment. Default: 30 days.
Tasks:
  • Resolve and investigate the incident from the unified Defender portal experience.
  • Correlate and enrich with Microsoft Sentinel workspace evidence through configured KQL queries.
  • Review incident metadata, related alerts, evidence, timeline, severity, status, and classification context.
  • Extract and enrich users, identities, devices, IP addresses, URLs, domains, files, and hashes.
  • Investigate identity and login context using Microsoft Entra and Defender identity signals, including sign-in patterns, risky users, audit activity, and suspicious authentication indicators.
  • Enrich indicators with Microsoft Defender Threat Intelligence, including reputation, DNS, WHOIS, hosting, and related threat intelligence where available.
  • Use Microsoft Purview enrichment when the incident suggests DLP, data exposure, insider risk, file activity, sensitive data movement, or possible exfiltration.
  • Separate confirmed evidence from weak signals, assumptions, and unavailable data.
  • Generate follow-up KQL suggestions so analysts can manually corroborate important findings when needed.
Outputs:
  • Structured Level 1 triage report.
  • Final verdict with confidence level and evidence rationale.
  • Recommended analyst action: Close, Remediate, or Escalate.
  • Closure reason and ready-to-use closure comment when the incident can be closed.
  • Escalation reason, target team, and ready-to-use escalation comment when Level 2 or a specialized team should take over.
  • Entity enrichment summary covering users, devices, indicators, files, hashes, and relevant data risk signals.
  • Threat intelligence findings for IPs, URLs, domains, and hashes when present.
  • Login and identity investigation summary.
  • Purview/data risk summary when applicable.
  • Investigation coverage checklist and data gaps.
  • Suggested analyst follow-up KQL queries for validation.
Required integrations may include Microsoft Defender XDR, Microsoft Sentinel, Microsoft Entra, Microsoft Defender Threat Intelligence, Microsoft Purview, and Security Copilot. The agent operates in read-only investigation mode and does not automatically close, isolate, remediate, or modify incidents.
Version history / change log: v2.6.18
  • Standardized execution around a single required input: IncidentId.
  • Reinforced a Unified SecOps / Microsoft Defender portal first operating model.
  • Removed LookbackDays, runtime KQL execution, and Chat with agent dependencies to improve stability.
  • Preserved Defender XDR, Entra, Threat Intelligence, Generic, and Purview enrichment paths.
  • Strengthened the investigation workflow so evidence and entities are enriched before the final verdict.
  • Replaced fixed entity limits with relevance-tiered execution, deduplication, and tool-call efficiency controls.
  • Improved Purview and MDTI guardrails to run enrichment only when relevant evidence or supported identifiers are available.
  • Kept analyst follow-up KQL suggestions as output-only validation guidance.
  • Improved L1 verdict quality with confidence, evidence rationale, recommended action, closure/escalation/remediation rationale, and ready-to-use analyst comments.
  • Improved data gap reporting for unavailable telemetry, missing identifiers, unsupported enrichment paths, and evidence not found.
Estimated SCU consumption:
Typical runs are expected to consume approximately 0.8 to 2.0 SCUs depending on incident complexity, number of entities, enabled plugins, available evidence, and lookback window. Larger incidents with many entities, extensive threat intelligence enrichment, Purview context, or broad Sentinel correlation may consume more.

De un vistazo

https://catalogartifact.azureedge.net/publicartifacts/adaquestinc1589508805668.scp_agent_l1_soc_triage_agent-5b596ebf-a9c1-4f4b-a530-8fa97325e215/image2_Screenshot4.png
https://catalogartifact.azureedge.net/publicartifacts/adaquestinc1589508805668.scp_agent_l1_soc_triage_agent-5b596ebf-a9c1-4f4b-a530-8fa97325e215/image3_Screenshot5.png
https://catalogartifact.azureedge.net/publicartifacts/adaquestinc1589508805668.scp_agent_l1_soc_triage_agent-5b596ebf-a9c1-4f4b-a530-8fa97325e215/image5_Screenshot6.png

Other aplicaciones de adaQuest

EWS Sunset Readiness AssessoradaQuest
+1
EWS dependency risk assessment using Entra signals; outputs a Graph-first remediation plan.
NaN out of 5
Admin Guard Insight AgentadaQuest
+1
Monitor and protect admin activities with Admin Guard Insight Agent's powerful analytics.
NaN out of 5
Entity Guard Investigator AgentadaQuest
+1
Investigates Defender incidents and delivers clear risk verdicts with actionable insights.
NaN out of 5
Ransomware Kill Chain Investigator AgentadaQuest
+1
Automated ransomware triage with user/device/IOC enrichment and guided response.
NaN out of 5
Login Investigator AgentadaQuest
+1
Investigates user sign-ins to detect risk, anomalies, CA outcomes, and related incidents.
NaN out of 5