This is blog #1 in a series of 6 discussing AI Agents, the Query Security Data Mesh, and why normalized data is the differentiator in AI for Security Operations. As part of this blog series, we’re introducing the release of six mission-specific AI Agents now available in preview to Query customers. These agents are designed to assist with core SOC workflows, bringing targeted automation to key areas like triage, investigation, and response.
In the world of cybersecurity, the Security Operations Center (SOC) is the frontline. Every day, analysts face a relentless barrage of alerts, each a potential signal of a critical threat. Yet, the sheer volume of this data, coupled with its distribution across dozens of disparate tools, has created a state of perpetual overload. This is where the paradigm needs to shift—from drowning in data to deriving intelligent, automated insights.
This post explores a powerful new approach that combines the architectural elegance of a security data mesh with the focused intelligence of purpose-built AI agents. We will delve into the “What,” “So What,” and “Now What” of a specific, game-changing tool: the Detection Finding Triage Agent.
Background: The “Why” – A Crisis of Scale and Silos
Today’s SOC is at a breaking point. The core challenges are not new, but their scale is unprecedented:
- Alert Fatigue is Real: The 2023 “Voice of the CISO” report found that 45% of CISOs believe their teams are overwhelmed by the volume of alerts. When everything is an emergency, nothing is, and the result is missed threats and analyst burnout.
- Data Silos are the Enemy of Context: Critical security data is scattered across EDRs, SIEMs, cloud logs, firewalls, and threat intelligence platforms. Manually correlating an IP address from a firewall log with a process event in an EDR and a user login in Active Directory is a time-consuming, swivel-chair-intensive process. This manual correlation is one of the biggest bottlenecks in reducing Mean Time to Respond (MTTR).
- The Talent Gap Persists: Finding and retaining senior security analysts with the experience to quickly separate signal from noise is a constant struggle. The expertise of a top-tier analyst is a scarce resource that doesn’t scale.
This is the “Why.” The current model of throwing more people at more data streams is unsustainable. The solution lies in fundamentally changing how we access data and how we apply intelligence to it.
Enter mission-specific AI Agents + the Query Security Data Mesh.
A security data mesh, like the one provided by Query, doesn’t require moving all your data into a single, monolithic data lake. Instead, it creates a unified semantic layer that allows you to search and access data where it lives. It’s a powerful solution to the data silo problem. But a map is useless without someone who can read it.
This is where AI Agents come in. These are not general-purpose chatbots; they are specialized, autonomous systems designed to perform specific “jobs to be done.” When you empower these agents with access to a security data mesh, you give them the secure, comprehensive data access they need to perform complex analytical tasks automatically. The agent provides the automated intelligence; the mesh provides the data. Together, they create a system that can finally operate at the speed and scale of modern threats.
The “What”: Deconstructing the Detection Finding Triage Agent
The Detection Finding Triage Agent is designed for one critical task: to automate the initial investigation and prioritization of security detection findings. It acts as an intelligent assistant for the SOC analyst, performing the initial, repetitive data gathering and analysis that can consume up to 80% of an analyst’s time on a typical alert.
Core Capabilities and Architecture
Based on its design, the agent’s workflow is both methodical and intelligent:
- Federated Data Access: The agent’s fundamental advantage is its native access to the Query security data mesh. It doesn’t operate on a limited, isolated dataset. Instead, its tools query directly across all connected data sources—EDR, SIEM, cloud logs, and more—in real time. This ensures that every analysis is comprehensive and based on the entirety of the available security data, not just a fraction of it.
- Targeted Data Retrieval: The agent doesn’t just “look at” alerts. It uses a suite of precise tools to retrieve findings based on specific analyst intent. These tools allow it to query the data mesh for findings by:
- Severity: (get_detection_findings_by_severity) – “Show me all ‘Critical’ findings.”
- Status: (get_detection_findings_by_status) – “List all ‘New’ findings.”
- Observables: (get_detection_findings_by_ip_observable, …by_file_hashes_observable, etc.) – “Are there any findings associated with this IP address or this file hash?”
- Evidence Synthesis and Correlation: Once a finding is retrieved, the agent automatically synthesizes the available data to build a complete picture. It extracts and correlates:
- Impacted Entities: It identifies the devices (hostname, IP, MAC) and resources (cloud assets, endpoints) involved.
- Evidence Analysis: It reconstructs the event by analyzing process lineage (command lines, PIDs), user context, and network activity. It’s programmed to spot anomalies, like PowerShell spawning from Microsoft Word.
- Enrichment Clues: It scans for unmapped data that could serve as pivots for a deeper manual investigation.
- Threat Mapping with MITRE ATT&CK®: The agent connects observed behaviors to the industry-standard framework for adversary tactics and techniques. By querying its internal knowledge base (mitre_attack_json), it can map a finding to a specific technique (e.g., T1059.001 – PowerShell) and tactic (e.g., Execution), providing immediate context on the adversary’s likely objective. A single finding often maps to more than one technique: Word spawning PowerShell is both Execution via PowerShell (T1059.001) and User Execution: Malicious File (T1204.002), so the mapping is a starting point for the analyst rather than the final word.
- Knowledge-Grounded Recommendations: The agent’s analysis is informed by embedded knowledge from trusted sources like NIST SP 800-61 (Computer Security Incident Handling Guide) and CISA guidelines. This ensures its recommendations are aligned with industry best practices.
At its core, the agent operates on a sophisticated prompt—a detailed set of instructions that defines its role, workflow, and guiding principles. It is explicitly instructed to be factual, analytical, and efficient, focusing on what matters most for a rapid triage decision.
The “So What”: The Tactical and Strategic Value
Understanding what the agent does is interesting. Understanding what it means for your SOC is transformative.
- Drastically Reduced MTTR: By automating the initial data gathering, correlation, and enrichment, the agent collapses the investigation timeline for a single alert from 30-60 minutes down to a couple of minutes. The analyst is presented with a complete, contextualized summary the moment they open the ticket. This is the most direct path to cutting Mean Time to Triage and, consequently, Mean Time to Respond.
- From Analyst to Investigator: The agent frees human analysts from the drudgery of copy-pasting IOCs and chasing data across multiple tabs. It elevates their role from data gatherer to true investigator and decision-maker. This not only improves morale and reduces burnout but also allows your most valuable assets—your people—to focus on complex threat hunting, strategic improvements, and mentoring.
- Unwavering Consistency: Human analysts, no matter how skilled, can have bad days. They can be tired, rushed, or miss a step in their investigation. The agent follows the same prescribed, best-practice workflow for every finding, at any hour. This brings a level of consistency and standardization to the triage process that is hard to achieve manually, so that every alert gets the same baseline of evidence gathering and the analyst’s judgment is spent on the decision rather than on the legwork.
- Expertise on Demand: The agent’s programming and knowledge bases encapsulate the wisdom of senior analysts and industry best practices. This expertise is democratized and applied to every single finding, effectively giving a junior analyst the investigative power of a seasoned veteran. It acts as a force multiplier for your entire team.
The “Now What”: Practical Application and the Future of SOC AI
The true power of the Detection Finding Triage Agent is revealed when it’s integrated into the daily rhythm of the SOC.
Detailed Use Case Scenarios
Scenario 1: The Critical EDR Alert
- Trigger: A “Critical” severity alert fires from your EDR: “Suspicious PowerShell Execution from Non-Standard Process.”
- Old Way (30-45 minutes): An analyst sees the alert. They log into the EDR to get the hostname, username, and process command line. They pivot to the SIEM to search for the hostname and user to see recent activity. They check firewall logs for any associated IP connections. They manually look up the PowerShell commands on Google. Finally, they start writing up their findings.
- The Agent Way (2 minutes): The analyst asks the agent, “Give me the triage summary for finding ID [ID].” The agent instantly returns:
- Finding Summary: Title, Severity (Critical), Status (New).
- Evidence Highlights: “powershell.exe spawned from WINWORD.EXE with a base64-encoded command line, executed by user ‘j.doe’ on host ‘workstation-123’.”
- Threat Mapping (ATT&CK): Tactic: Execution, Technique: T1059.001 – PowerShell.
- Triage Assessment: True Positive – Escalate.
- Recommended Actions:
- Isolate host ‘workstation-123’ via EDR
- Reset credentials for user ‘j.doe’
- Escalate to the Incident Response team.
- The analyst checks the summary against the cited evidence and makes one decision: approve the recommended actions.
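The evidence-synthesis and ATT&CK-mapping steps described under Core Capabilities, and the Scenario 1 walk-through above, as an added Python example. This is illustrative code written for this post, not Query’s agent or its tools: the OCSF-like finding layout, the small ATT&CK lookup table standing in for mitre_attack_json, and the sample finding are all constructed assumptions. It goes slightly beyond the scenario by decoding the -EncodedCommand payload and by recording the second technique (T1204.002) that an Office-to-PowerShell lineage implies.

```python
import base64
import re

# Stand-in for the agent's mitre_attack_json knowledge base (assumption:
# only the two entries this example needs are included).
ATTACK_KB = {
    "T1059.001": {"name": "Command and Scripting Interpreter: PowerShell",
                  "tactic": "Execution"},
    "T1204.002": {"name": "User Execution: Malicious File",
                  "tactic": "Execution"},
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest first.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def make_finding(parent_name, cmd_line):
    """Constructed OCSF-like detection finding (assumption: the real data mesh
    returns a richer normalized record). All values are made up."""
    return {
        "finding_info": {"uid": "find-0001",
                         "title": "Suspicious PowerShell Execution from Non-Standard Process"},
        "severity": "Critical",
        "status": "New",
        "device": {"hostname": "workstation-123", "ip": "10.20.30.40",
                   "mac": "00:11:22:33:44:55"},
        "actor": {"user": {"name": "j.doe"}},
        "evidences": [{"process": {
            "name": "powershell.exe", "pid": 4412, "cmd_line": cmd_line,
            "parent_process": {"name": parent_name, "pid": 3120},
        }}],
    }


# -EncodedCommand carries UTF-16LE text, base64-encoded; payload is benign.
SAMPLE_FINDING = make_finding(
    "WINWORD.EXE",
    "powershell.exe -nop -w hidden -EncodedCommand "
    + base64.b64encode("Get-Process | Out-File C:\\Users\\Public\\p.txt"
                       .encode("utf-16-le")).decode("ascii"))


def decode_encoded_command(cmd_line):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None
    when there is none or it is not valid base64(UTF-16LE)."""
    m = ENCODED_RE.search(cmd_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_finding(finding, kb=ATTACK_KB):
    """Synthesize the triage summary: impacted entities, evidence, anomalies,
    ATT&CK mapping, assessment and recommended actions for the analyst."""
    proc = finding["evidences"][0]["process"]
    parent = proc.get("parent_process", {})
    child_name, parent_name = proc["name"].lower(), parent.get("name", "").lower()
    decoded = decode_encoded_command(proc.get("cmd_line", ""))
    device, user = finding["device"], finding["actor"]["user"]["name"]

    anomalies, techniques = [], []
    office_lineage = child_name in SCRIPT_HOSTS and parent_name in OFFICE_APPS
    if office_lineage:  # a document launched a script host: user execution
        anomalies.append(f"{proc['name']} spawned from {parent['name']} (Office application)")
        techniques.append("T1204.002")
    if child_name in {"powershell.exe", "pwsh.exe"}:
        techniques.append("T1059.001")
    if decoded is not None:
        anomalies.append("base64-encoded command line")

    # Only the lineage anomaly is strong enough to call a true positive here;
    # an encoded command line alone is handed back for analyst review.
    return {
        "uid": finding["finding_info"]["uid"],
        "title": finding["finding_info"]["title"],
        "severity": finding["severity"],
        "status": finding["status"],
        "impacted_entities": {"hostname": device["hostname"], "ip": device["ip"],
                              "mac": device["mac"], "user": user},
        "evidence": {"parent": parent.get("name"), "child": proc["name"],
                     "pid": proc["pid"], "decoded_command": decoded},
        "anomalies": anomalies,
        "attack": [{"technique_id": t, **kb[t]} for t in techniques],
        "assessment": "True Positive - Escalate" if office_lineage else "Needs analyst review",
        "recommended_actions": [
            f"Isolate host '{device['hostname']}' via EDR",
            f"Reset credentials for user '{user}'",
            "Escalate to the Incident Response team",
        ] if office_lineage else ["Review evidence; no anomalous process lineage found"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_finding(SAMPLE_FINDING), indent=2))
```

Running the block prints the summary for the constructed WINWORD.EXE finding; the decoded payload is shown to the analyst rather than being looked up manually, and the assessment is a recommendation that still needs the analyst's approval before any isolation or credential reset happens.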
Scenario 2: Proactive Triage with a New IOC
- Trigger: Your CTI team shares a new file hash associated with a ransomware campaign.
- Old Way (Hours): The analyst would need to manually search for the hash in the EDR, the SIEM, email security gateways, and potentially other tools, hoping they all support hash lookups.
- The Agent Way (1 minute): The analyst asks, “Show me all detection findings from the last 7 days containing the file hash [hash].” The agent queries the entire federated data mesh and returns any findings from any connected source that contain that indicator, allowing the analyst to immediately assess impact.
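Scenario 2 and the observable tools listed earlier (…by_ip_observable, …by_file_hashes_observable), as an added Python example of fanning one observable query out across connected sources. This is illustrative code written for this post, not Query’s connectors or tool implementations: the three sources, their findings, the fixed clock and the sample hash (the SHA-256 of empty input) are constructed. It also shows the case the “Old Way” worries about, a source that cannot search a given observable type, by reporting that source as skipped instead of silently returning nothing.

```python
from datetime import datetime, timedelta, timezone

# Fixed clock so the 7-day window is reproducible (assumption, not real time).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
# SHA-256 of empty input, standing in for the hash shared by the CTI team.
HASH = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def hash_type(value):
    """Classify a hex digest by length (md5/sha1/sha256); None if not a digest."""
    v = value.strip().lower()
    if not v or any(c not in "0123456789abcdef" for c in v):
        return None
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(v))


def _finding(uid, title, age_days, **observables):
    """Constructed minimal finding with a time and per-type observable lists."""
    return {"uid": uid, "title": title, "time": NOW - timedelta(days=age_days),
            "observables": {k: list(v) for k, v in observables.items()}}


# Constructed findings held by three "connected sources". The SIEM also holds
# a forwarded copy of EDR finding edr-1; edr-2 is older than the 7-day window.
EDR = [_finding("edr-1", "Known-bad file executed", 1, hash=[HASH], ip=["203.0.113.7"]),
       _finding("edr-2", "Known-bad file executed", 30, hash=[HASH])]
SIEM = [_finding("edr-1", "Known-bad file executed", 1, hash=[HASH]),
        _finding("siem-9", "Outbound connection to flagged IP", 2, ip=["203.0.113.7"])]
EMAIL = [_finding("mail-3", "Attachment blocked by hash", 3, hash=[HASH.upper()])]


def _adapter(findings, supported_types):
    """Simulated source connector. Raises NotImplementedError for observable
    types the source cannot search, which the caller must surface."""
    def search(obs_type, value, since):
        if obs_type not in supported_types:
            raise NotImplementedError(obs_type)
        return [f for f in findings
                if f["time"] >= since
                and value.lower() in (o.lower() for o in f["observables"].get(obs_type, []))]
    return search


SOURCES = {"edr": _adapter(EDR, {"hash", "ip"}),
           "siem": _adapter(SIEM, {"hash", "ip"}),
           "email_gateway": _adapter(EMAIL, {"hash"})}  # no IP search here


def get_detection_findings_by_observable(obs_type, value, days=7, sources=SOURCES, now=NOW):
    """Fan the query out to every source, merge results by finding uid so a
    forwarded copy is not double-counted, and list sources that could not answer."""
    since = now - timedelta(days=days)
    merged, skipped = {}, []
    for name, search in sources.items():
        try:
            results = search(obs_type, value, since)
        except NotImplementedError:
            skipped.append(name)
            continue
        for f in results:
            hit = merged.setdefault(f["uid"], {"uid": f["uid"], "title": f["title"],
                                               "time": f["time"].isoformat(), "sources": []})
            hit["sources"].append(name)
    return {"hits": list(merged.values()), "skipped_sources": skipped}


def get_detection_findings_by_file_hash(value, days=7):
    """Tool-style wrapper: refuse values that are not a recognizable digest
    before spending a federated query on them."""
    if hash_type(value) is None:
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {value!r}")
    return get_detection_findings_by_observable("hash", value, days)


if __name__ == "__main__":
    print(get_detection_findings_by_file_hash(HASH))
    print(get_detection_findings_by_observable("ip", "203.0.113.7"))
```

The hash query returns two distinct findings (edr-1, seen by both the EDR and the SIEM, and mail-3) and excludes the month-old edr-2; the IP query reports the email gateway as skipped, which is the signal an analyst needs to know that the answer is complete for only two of the three sources.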
Integrating into Your Workflow
This agent isn’t meant to be a standalone gadget. It’s a component designed to be woven into your existing security fabric. It can be triggered from a SOAR playbook, integrated into a chat platform like Slack or Teams, or built directly into a security investigation platform. The goal is to bring the intelligence to where the analysts already are.
The Future is a Team of Specialized Agents
The Detection Finding Triage Agent is just one example of a broader trend. The future of AI in security isn’t a single, monolithic AI attempting to do everything. It’s a collaborative team of specialized agents, each an expert in its domain: a Vulnerability Intelligence Agent to prioritize patches, an Asset Info Agent to provide system context, a Threat Research Agent to analyze CTI reports.
These agents, working in concert on a foundation of federated data, represent the next evolution of the SOC. They promise a future where technology empowers human expertise, where automation handles the scale, and where analysts are finally free to focus on what they do best: out-thinking the adversary.
Query customers interested in accessing the Detection Finding Triage Agent should contact their Query Customer Success Manager. If you’re not yet a Query customer and would like to learn more, reach out.