Investigative AI Agents: Saving Time during Triage and Analysis
How AI assistants leverage SIEM foundations to automate tedious workflows and amplify human expertise
Welcome to Detection at Scale—a weekly newsletter diving into security monitoring, generative AI, and more!
In "The Agentic SIEM," we explored how AI agents represent a new analytical layer operating at machine speed with human-like reasoning. Security teams are now asking practical questions: "How exactly do these agents fit into our existing workflows? Will they actually save us time?"
The future SIEM operating model will rely on a collection of specialized agents utilizing distinct SIEM capabilities—searching data, performing enrichment, writing detection rules, and more. This closely mirrors the specialization in large security teams, and once agents become mainstream, organizations of all sizes will operate on a more level playing field. These specialized agents can deliver tailored outcomes with task-specific knowledge, like an AWS security specialist agent for cloud-specific attacks or a malware analysis agent for endpoint threats.
The fundamental shift isn't replacing analysts but eliminating the tedious parts of their job: the endless clicking between dashboards, repetitive queries across multiple systems, and manual correlation of events that machines should handle. In this post, we'll discuss how investigative agents will work alongside security teams for alert triage and investigation, transforming these critical workflows while saving analysts valuable time and mental energy.
Agent-Human Partnership Model
Effective security operations have always been a team sport, with each role bringing specialized expertise. Detection engineers craft rules to elevate relevant threats while analysts validate and investigate those alerts. The partnership between agents and humans follows a similar division of labor based on each party's inherent strengths.
AI agents excel at tasks requiring broad pattern recognition, recalling details, and relentless task consistency (if properly designed). They can process massive data volumes, maintain context across thousands of events, and never suffer from the fatigue that leads human analysts to miss connections late in their shift. Most importantly, they eliminate the "mental context switching tax" that plagues analysts jumping between different tools and interfaces.
Meanwhile, human analysts contribute creative problem-solving, nuanced judgment, and strategic thinking that agents cannot replicate. Humans intuitively understand business context, recognize novel threats without extensive training data, and make value judgments about risk that require broader organizational understanding.
Consider the typical investigation workflow an analyst performs today: they receive an alert, query multiple data sources to gather context, check threat intelligence for indicators, examine user behavior patterns, verify asset configurations, document findings, and finally make a determination. Each step requires interface switching, credentials, and mental translation between systems—all tasks agents could automate by leveraging existing SIEM capabilities through APIs and integrations.
This partnership doesn't just divide tasks—it creates a flywheel effect where each party makes the other more effective. Agents learn from observing how skilled analysts investigate, while analysts benefit from the comprehensive context agents provide. The key is designing interaction patterns that feel natural rather than forced. Agents should operate as an intelligent interface to your SIEM capabilities, not a separate tool that creates additional friction.
Trust remains foundational to this partnership. Well-designed agents must err on the side of caution, clearly distinguishing between facts derived from your data and inferences based on patterns. Agents should transparently acknowledge limitations when uncertain rather than provide potentially misleading information. This honesty builds credibility over time, allowing security teams to confidently delegate increasingly complex tasks as trust develops.
SIEM Data Foundations
To deliver real value, investigative agents must interact effectively with your security infrastructure. The SIEM remains the central nervous system of security operations, with both agents and analysts relying on its core capabilities. Understanding these foundations—and how agents can leverage them—is critical for evaluating where agents can help your team save time.
Modern SIEM platforms provide several foundational services that agents can utilize through APIs and integration frameworks:
Search & Query Systems: The ability to interrogate vast amounts of security data is fundamental to SIEMs and investigative agents. Humans typically interact with domain-specific languages like Splunk Query Language or Kusto Query Language, requiring specialized syntax knowledge. Agents can programmatically craft complex queries across multiple data sources, understanding schema differences and normalizing results. This eliminates the cognitive load of remembering exact field names, syntax variations, or the mental mapping required to correlate results from different systems. During an incident, agents can get critical questions answered faster, significantly reducing time-to-insight when minutes matter most.
Enrichment Services: SIEMs continually enhance raw logs with additional context through lookups and integrations. Whether mapping IP addresses to geolocations, enriching user events with identity information, or adding asset context to endpoints, these enrichment services provide crucial context for investigation. Agents can trigger these same enrichment flows and chain them together in response to evolving investigation paths. Ad-hoc enrichment during investigation also helps maintain data freshness, ensuring decisions are made on the most current information available.
Rules Engine: The core of detection is finding relationships between events across time, systems, and entities. Agents can leverage the same detection capabilities as your rules and apply them based on patterns they discover. Instead of requiring analysts to create new detection logic for each investigation manually, agents can suggest rule modifications or create temporary detection logic to validate hypotheses during an investigation.
Data Normalization: SIEMs invest heavily in normalizing disparate log formats into consistent schemas. This normalization layer enables agents to work with unified data models rather than requiring specialized knowledge of each log source's unique format. By tapping into these normalized datasets, agents can apply consistent reasoning across heterogeneous data without the mental translation humans typically perform.
Alert History: SIEMs maintain comprehensive records of past alerts, responses, and outcomes. Agents can leverage this historical knowledge to understand patterns of potential issues in the organization, identify noisy rules that should be tuned or optimized, and access the system of record for similar past incidents. This institutional memory helps agents provide relevant context about how similar situations were handled previously.
Building agents creates a new middle layer between the SIEM and human analysts, automating tedious clicks and interactions across the product while leveraging existing capabilities. This arrangement is similar to Tesla's autopilot—humans remain in the driver's seat, making strategic decisions and providing oversight, while the agent handles routine operations and navigates the complex interface landscape. The human maintains ultimate control but is freed from the mechanical aspects of the journey, focusing instead on the destination and critical decision points.
Investigation Augmentation
Security investigations are complex puzzles where analysts assemble fragments of evidence into coherent attack narratives. While experienced analysts develop intuition about which questions to ask and which paths to explore, this process remains highly manual and time-intensive. Investigative agents transform this workflow by automating evidence gathering while preserving human judgment on conclusions.
Let's examine how this works in practice through a common investigation scenario: a suspicious login alert. Today, this investigation typically follows a predictable yet laborious path:
1. An analyst receives an alert about a suspicious login from an unusual location
2. They query authentication logs to verify the login attempt details
3. They search for other recent authentication events for the same user
4. They check the user's access history and typical working patterns
5. They review endpoint logs for the device used to authenticate
6. They examine network logs for subsequent activity from the session
7. They check similar patterns across other users to identify broader campaigns
8. Finally, they document findings and determine appropriate escalation
Each step requires context switching between different SIEM views, remembering query syntax variations, and mentally tracking the investigation state. An investigative agent transforms this process by executing these steps programmatically while maintaining a conversation with the analyst:
🤖 "Alert: User alice.smith logged in from Sydney, Australia at 2:00 AM local time. This is unusual based on her typical patterns.
I've checked her authentication history and found:
- This is her first login from Australia (all previous logins from US/Europe)
- The login used valid credentials with successful MFA
- Her account accessed customer records immediately after authentication
- Three other marketing team members have shown similar unusual login patterns in the last 24 hours
Would you like me to check for potential device compromise indicators or examine data accessed during these sessions?"
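As an added example (not code from this post or from any SIEM product), here is a small Python sketch of the suspicious-login triage above, run over constructed, already-normalized events: it checks the user's authentication history, post-login data access and the same anomaly across team peers, records which steps were completed so a hand-off carries the investigation state, and picks next steps from what it found rather than from a fixed decision tree. The event schema, `EVENTS`, `ALERT`, and the 24-hour lookback and 15-minute follow-on windows are assumptions.

```python
from datetime import datetime, timedelta

# Constructed, already-normalized SIEM events (hypothetical schema, not any real product's).
EVENTS = [
    {"ts": "2025-03-10T09:00:00", "user": "alice.smith", "team": "marketing", "kind": "auth", "country": "US", "mfa": True},
    {"ts": "2025-03-11T08:30:00", "user": "alice.smith", "team": "marketing", "kind": "auth", "country": "DE", "mfa": True},
    {"ts": "2025-03-12T16:00:00", "user": "alice.smith", "team": "marketing", "kind": "auth", "country": "AU", "mfa": True},
    {"ts": "2025-03-12T16:02:00", "user": "alice.smith", "team": "marketing", "kind": "access", "resource": "customer_records"},
    {"ts": "2025-03-04T09:00:00", "user": "bob.lee", "team": "marketing", "kind": "auth", "country": "US", "mfa": True},
    {"ts": "2025-03-12T03:00:00", "user": "bob.lee", "team": "marketing", "kind": "auth", "country": "AU", "mfa": True},
    {"ts": "2025-03-01T09:00:00", "user": "dan.ng", "team": "marketing", "kind": "auth", "country": "AU", "mfa": True},
    {"ts": "2025-03-12T12:00:00", "user": "dan.ng", "team": "marketing", "kind": "auth", "country": "AU", "mfa": True},
    {"ts": "2025-03-12T10:00:00", "user": "carol.wu", "team": "finance", "kind": "auth", "country": "AU", "mfa": True},
]
ALERT = {"ts": "2025-03-12T16:00:00", "user": "alice.smith", "team": "marketing", "country": "AU", "mfa": True}  # constructed
parse_ts = datetime.fromisoformat

def first_login_from(user, country, before, events):
    """True when `user` has no auth event from `country` strictly before `before`."""
    return not any(e["kind"] == "auth" and e["user"] == user and e["country"] == country
                   and parse_ts(e["ts"]) < before for e in events)

def investigate_login(alert, events, window=timedelta(hours=24), follow=timedelta(minutes=15)):
    """Runs the manual triage steps; returns findings, steps checked (hand-off state), next steps."""
    user, team, country, when = alert["user"], alert["team"], alert["country"], parse_ts(alert["ts"])
    f, checked = {}, []
    checked.append("auth_history")           # steps 2-3: verify the login, review prior auths
    f["prior_countries"] = sorted({e["country"] for e in events if e["kind"] == "auth"
                                   and e["user"] == user and parse_ts(e["ts"]) < when})
    f["first_from_country"] = first_login_from(user, country, when, events)
    f["mfa"] = alert["mfa"]
    checked.append("post_auth_access")       # step 6: what the session touched right after login
    f["accessed"] = [e["resource"] for e in events if e["kind"] == "access"
                     and e["user"] == user and when <= parse_ts(e["ts"]) <= when + follow]
    checked.append("peer_pattern")           # step 7: same anomaly across the user's team
    f["peers"] = sorted({e["user"] for e in events if e["kind"] == "auth" and e["team"] == team
                         and e["user"] != user and when - window <= parse_ts(e["ts"]) <= when
                         and first_login_from(e["user"], e["country"], parse_ts(e["ts"]), events)})
    # Pivot on evidence rather than a fixed decision tree: each finding opens its own path.
    nxt = []
    if f["first_from_country"] and f["mfa"]:
        nxt.append("check the device for compromise indicators (valid credentials, MFA passed)")
    if f["accessed"]:
        nxt.append("review data accessed in the session for signs of exfiltration")
    if f["peers"]:
        nxt.append("group with " + ", ".join(f["peers"]) + " into one incident (possible campaign)")
    return {"findings": f, "checked": checked, "next_steps": nxt}
```

Calling `investigate_login(ALERT, EVENTS)` reproduces the agent's findings above: a first login from AU, MFA passed, customer records accessed right after, and one marketing peer with the same new-country pattern in the window.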
The critical difference isn't just automation—it's proactive gathering of relevant context. While a traditional SOAR playbook might follow fixed decision trees, an agent dynamically adjusts its investigation based on what it discovers. If it finds evidence of credential theft, it pivots to compromise indicators. If it identifies unusual data access, it explores potential exfiltration. This adaptive approach mirrors how experienced analysts think, without the overhead of executing each step by hand.
Agents also excel at maintaining investigation state—tracking what's been checked, what remains unknown, and which hypotheses have been validated or disproven. This persistent context prevents duplicate work during handoffs and ensures comprehensive coverage of possible attack vectors. When an analyst returns to an investigation or passes it to a colleague, the agent provides a complete narrative of the current state rather than requiring someone to reconstruct context from fragmented notes.
The most significant time savings come from eliminating low-value mechanical actions. Analysts no longer waste time formatting queries, switching between interfaces, or documenting routine investigation steps. Instead, they focus on evaluating the agent's findings, directing further investigation paths, and making judgment calls about severity and response—the high-value cognitive work where human expertise truly matters.
Transforming Alert Triage
Alert triage represents one of the most repetitive yet critical security workflows—the front door through which threats enter your team's awareness. While detection engineering helps reduce false positives, the sheer volume of alerts requiring human verification creates a bottleneck that limits team effectiveness. This is precisely where investigative agents can deliver immediate value by transforming linear triage processes into dynamic, context-aware workflows.
Agents in the SIEM will transform alert triage through several key capabilities: proactive enrichment that immediately gathers relevant context; dynamic severity calculation that ensures consistent prioritization; parallel processing that explores multiple validation paths simultaneously; and contextual grouping that correlates related alerts into unified incidents. Perhaps most importantly, agents provide consistency at scale—applying the same thorough process to every alert, whether it's the first or hundredth of the day.
Integrating investigative agents into SIEM workflows represents a fundamental shift in security operations—not by replacing human expertise, but by eliminating the mechanical friction that prevents that expertise from being applied efficiently. By leveraging existing SIEM foundations, these agents create a new interface layer that saves time, reduces cognitive load, and ensures consistent execution.
The most successful implementations start with clearly defined workflows where agents can deliver immediate value—alert triage, initial investigation, and context gathering. As trust builds through reliable operation, teams can gradually expand agent responsibilities to more complex scenarios, always maintaining the crucial partnership between machine efficiency and human judgment.
The future of security operations isn't about replacing analysts with AI but creating truly collaborative human-machine teams where each contributes their inherent strengths. This partnership model doesn't just make security operations more efficient—it makes them more fulfilling by removing the tedious aspects that lead to burnout and focusing human attention on the challenging, creative work that attracted people to security in the first place. In a field chronically short of talent, that might be the most valuable transformation of all.