This is blog #5 in a series of 6 discussing AI Agents, the Query Security Data Mesh, and why normalized data is the differentiator in AI for Security Operations. As part of this blog series, we’re introducing the release of six mission-specific AI Agents now available in preview to Query customers. These agents are designed to assist with core SOC workflows, bringing targeted automation to key areas like triage, investigation, and response.

Background: The “Why” – The Foundational Gap in Security

In cybersecurity, every investigation, every alert, and every threat hunt begins with a fundamental question: “What am I looking at?” An IP address in a log file is meaningless without knowing the asset it belongs to. A vulnerability is a theoretical problem until it’s tied to a specific server. Without asset context, security data is just noise.

Yet, for most organizations, creating and maintaining a complete, accurate, and real-time asset inventory is an elusive goal. Data is fragmented across Configuration Management Databases (CMDBs) that are perpetually out of date, endpoint management tools, cloud provider consoles, and network scanners. When an incident strikes, analysts waste precious time—sometimes hours—in a “swivel-chair” effort to manually piece together an asset’s identity, owner, function, and security posture. This delay is a critical gap that attackers exploit.

This is where mission-specific AI Agents combined with a security data mesh change the picture. Instead of relying on a single, stale inventory, a security data mesh provides a unified query layer that reads asset information directly from the source systems where it lives, at query time.

When you empower this mesh with a specialized AI agent focused on asset intelligence, you bridge the foundational gap in security operations. The Asset Info Agent is a niche, task-oriented AI designed to answer the “what is this?” question instantly and comprehensively. The data mesh provides the unified data access; the agent provides the specialized intelligence to synthesize it. This synergy transforms asset data from a static, unreliable inventory into a dynamic, queryable source of truth, available on demand.

The “What”: Deconstructing the Asset Info Agent

The Asset Info Agent is an AI-powered analyst dedicated to one of the most fundamental tasks in security: locating, identifying, and contextualizing assets within your environment. It serves as the definitive source of truth for any device, server, or resource an analyst might encounter.

Core Capabilities and Architecture

The agent is built on a robust framework combining a powerful Large Language Model (LLM) with a suite of highly specific tools and a curated knowledge base focused on security best practices.

  • LLM Engine:
    The agent uses an LLM as its reasoning engine. This allows it to understand natural language questions, from simple queries like “Tell me about this IP” to complex requests like “Find all unhardened Linux servers in our cloud environment.”
  • Specialized Tools:
The agent’s power lies in its purpose-built tools, which translate natural language into precise queries against the security data mesh. Each tool filters assets by one attribute that the connected sources expose; the tools available in this preview are:
    • Assets by OS – (get_all_assets_by_os): Filters by operating systems (Windows, Linux, macOS, etc.).
    • Assets by Device Type – (get_all_assets_by_device_type): Filters by hardware category (server, laptop, firewall, IoT).
    • Assets by Owner/User – (get_all_assets_by_owner_or_logged_in_user): Finds devices associated with a specific person.
    • Assets by Location – (get_all_assets_by_location): Narrows searches to a physical or logical location.
    • Assets by Device ID – (get_all_assets_by_device_id, …by_device_ip, …by_device_mac_address): Pinpoints specific assets using their unique identifiers.
  • Federated Search Integration:
This is the agent’s architectural cornerstone. Unlike tools that query a static CMDB, the Asset Info Agent uses Query Federated Search to pull information live from every connected source. When you ask about an asset, the agent queries your EDR, your cloud provider APIs, and your vulnerability scanner in parallel and merges the answers into one view of the asset’s current state, rather than a snapshot from last week’s scan. Two practical points follow from this design: the view is only as fresh as the connected sources themselves, and when sources disagree (a CMDB hostname versus the name the EDR agent reports, for example) the disagreement is itself useful context and should be surfaced rather than silently overwritten. Because every answer is assembled from live source data, the agent’s reports can be acted on directly.
  • Curated Knowledge Base:
    The agent’s understanding of “what good looks like” is informed by embedded security hardening standards, including:
    • Cimcor System Hardening Checklist
    • NIST SP 800-123: Guide to General Server Security

This allows the agent not only to report on an asset’s configuration but also to compare it against industry best practices, instantly highlighting potential security gaps.

The “So What”: Strategic, Operational, and Tactical Value

The Asset Info Agent fundamentally changes how security teams interact with their environment. It moves them from hunting for information to having context delivered on demand.

Use Case 1: Instant Incident Enrichment

  • Scenario:
    A Tier 1 SOC analyst sees a critical alert from the SIEM: “Multiple failed login attempts from 10.50.2.101 to server 192.168.1.5.”
  • Traditional Workflow:
    The analyst begins the manual scavenger hunt. What is 10.50.2.101? Is it a user’s laptop? They check DHCP logs. What is 192.168.1.5? They check the CMDB, which lists it as “linux-db-04”. Who owns it? The CMDB owner left the company six months ago. The analyst wastes 30 minutes just trying to understand the players involved.
  • Workflow with the Asset Info Agent:
    The analyst asks the agent: “Tell me about assets 10.50.2.101 and 192.168.1.5.” Within seconds, the agent returns a full profile for both:
    • 10.50.2.101: A Windows 11 laptop assigned to user ‘jdoe’ in the Marketing department.
    • 192.168.1.5: A production RHEL 8 server named ‘PROD-FINANCE-DB’ running a critical Oracle database.
    • The analyst immediately understands the severity: a user’s machine is potentially trying to brute-force a critical financial database. They can escalate with full context in under two minutes.
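The following is an added example, not Query’s code, showing the shape of the architecture described above (a tool registry using the tool names from the post, plus a federated lookup that merges several sources with provenance) run against the Use Case 1 alert. Every source record, field name, hostname and user in it is constructed; a regex stands in for the LLM planner, and in-memory dicts stand in for live connector queries.

```python
"""Added example, not Query's code: a toy tool registry and federated lookup
in the shape the post describes, run against the Use Case 1 alert.
Every source record, field name and hostname below is constructed."""
from __future__ import annotations
import re
from typing import Any, Callable

# Constructed stand-ins for live connectors, keyed by IP. A real mesh would
# query each system's API; here each "source" is a dict.
EDR = {
    "10.50.2.101": {"hostname": "MKT-LT-0117", "os": "Windows 11",
                    "device_type": "LAPTOP", "logged_in_user": "jdoe"},
    "192.168.1.5": {"hostname": "PROD-FINANCE-DB", "os": "RHEL 8",
                    "device_type": "SERVER"},
}
CLOUD = {
    "192.168.1.5": {"owner": "finance-dba", "application": "Oracle database",
                    "environment": "production"},
}
CMDB = {  # stale on purpose: old hostname, owner who has left the company
    "192.168.1.5": {"hostname": "linux-db-04", "owner": "rsmith"},
}
DIRECTORY = {"jdoe": {"department": "Marketing"}}
SOURCES = {"edr": EDR, "cloud": CLOUD, "cmdb": CMDB}


def federated_lookup(ip: str) -> dict[str, Any]:
    """Ask every source about `ip` and merge the answers with provenance.
    Disagreeing values are kept side by side (not overwritten) so the stale
    CMDB entry is visible next to the live one."""
    profile: dict[str, Any] = {"ip": ip, "sources": [], "fields": {}}
    for name, source in SOURCES.items():
        record = source.get(ip)
        if record is None:
            continue
        profile["sources"].append(name)
        for field, value in record.items():
            profile["fields"].setdefault(field, {})[name] = value
    user = profile["fields"].get("logged_in_user", {}).get("edr")
    if user in DIRECTORY:
        profile["fields"]["department"] = {"directory": DIRECTORY[user]["department"]}
    return profile


def conflicts(profile: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Fields on which the connected sources disagree."""
    return {f: v for f, v in profile["fields"].items() if len(set(v.values())) > 1}


# Tool registry using the tool names from the post. The LLM chooses a tool
# name and arguments; only registered tools are ever executed.
def get_all_assets_by_device_ip(ip: str) -> list[dict[str, Any]]:
    return [federated_lookup(ip)] if any(ip in s for s in SOURCES.values()) else []


def get_all_assets_by_os(os_name: str) -> list[dict[str, Any]]:
    return [federated_lookup(ip) for ip, rec in EDR.items()
            if rec["os"].lower().startswith(os_name.lower())]


TOOLS: dict[str, Callable[..., list[dict[str, Any]]]] = {
    "get_all_assets_by_device_ip": get_all_assets_by_device_ip,
    "get_all_assets_by_os": get_all_assets_by_os,
}


def dispatch(tool_name: str, **kwargs: Any) -> list[dict[str, Any]]:
    """Run a registered tool; anything the model names that is not
    registered is rejected rather than executed."""
    if tool_name not in TOOLS:
        raise ValueError(f"unknown tool {tool_name!r}")
    return TOOLS[tool_name](**kwargs)


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def enrich_alert(alert: str) -> dict[str, list[dict[str, Any]]]:
    """Stand-in for the LLM planner: extract the IPs in the alert text and
    call the IP tool once per distinct IP."""
    return {ip: dispatch("get_all_assets_by_device_ip", ip=ip)
            for ip in dict.fromkeys(IPV4.findall(alert))}


def summarize(profile: dict[str, Any]) -> str:
    """One-line profile, preferring live sources over the CMDB."""
    def best(field: str) -> Any:
        vals = profile["fields"].get(field, {})
        return next((vals[s] for s in ("edr", "cloud", "directory", "cmdb") if s in vals), "unknown")
    who = best("logged_in_user") if "logged_in_user" in profile["fields"] else best("owner")
    return (f"{profile['ip']}: {best('hostname')} ({best('os')}, {best('device_type')}), "
            f"user/owner {who}, dept {best('department')}, "
            f"sources {','.join(profile['sources'])}")


if __name__ == "__main__":
    alert = "Multiple failed login attempts from 10.50.2.101 to server 192.168.1.5."
    for ip, hits in enrich_alert(alert).items():
        for p in hits:
            print(summarize(p))
            if conflicts(p):
                print("   conflicting fields:", conflicts(p))
```

Two design choices worth keeping in a real implementation: the registry is the only path from model output to a query, so the model can never run anything it was not given, and values returned by the sources (hostnames, owner fields, free-text descriptions) are treated as data to be reported, never as instructions to the model.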

Use Case 2: Proactive Security Posture Management

  • Scenario:
    A security architect wants to assess the organization’s adherence to hardening standards for all internet-facing web servers.
  • Traditional Workflow:
    This is a massive, multi-week project. It involves getting lists of servers from different teams (cloud, on-prem), scheduling configuration audits, and manually comparing results against a spreadsheet checklist.
  • Workflow with the Asset Info Agent:
    The architect asks: “Show me all assets with device type ‘SERVER’ and in group ‘internet-facing’. Summarize their hardening status against NIST SP 800-123.” The agent queries the mesh, retrieves the live configuration data for those assets, and provides a report detailing which servers are compliant and which have gaps (e.g., “Missing patch management,” “Logging disabled”).
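The following is an added example, not Query’s code, of the checklist comparison this use case describes: a device-type and group filter over live configuration records, followed by a per-server evaluation that reports gaps such as “Logging disabled” and “Missing patch management”. The server records, the 30-day patch window, the allowed-service baseline and the check names are all constructed or hypothetical; the checks are generic server-hardening controls in the spirit of NIST SP 800-123, not a transcription of that document. One edge case the agent has to handle is shown explicitly: when a source did not return a field, the server is reported as lacking data rather than silently passing.

```python
"""Added example, not Query's code: hardening gap report for the servers
matching a device-type and group filter. All data below is constructed."""
from __future__ import annotations
from datetime import date
from typing import Any, Callable

ALLOWED_SERVICES = {"https", "ssh"}   # hypothetical baseline for web servers
PATCH_WINDOW_DAYS = 30                # hypothetical patch-currency threshold

# Constructed configuration snapshots, as a federated query might return them.
SERVERS: list[dict[str, Any]] = [
    {"hostname": "web-01", "device_type": "SERVER", "group": "internet-facing",
     "logging_enabled": True, "last_patch": date(2025, 5, 20),
     "ssh_permit_root_login": False, "listening_services": ["https", "ssh"]},
    {"hostname": "web-02", "device_type": "SERVER", "group": "internet-facing",
     "logging_enabled": False, "last_patch": date(2025, 1, 3),
     "ssh_permit_root_login": True, "listening_services": ["https", "ssh", "telnet"]},
    {"hostname": "db-01", "device_type": "SERVER", "group": "internal",
     "logging_enabled": True, "last_patch": date(2025, 5, 25),
     "ssh_permit_root_login": False, "listening_services": ["ssh", "oracle"]},
    # api-01's source did not report whether logging is enabled
    {"hostname": "api-01", "device_type": "SERVER", "group": "internet-facing",
     "last_patch": date(2025, 5, 28), "ssh_permit_root_login": False,
     "listening_services": ["https", "ssh"]},
]


def get_all_assets_by_device_type(device_type: str, group: str | None = None) -> list[dict[str, Any]]:
    """Tool in the shape the post lists, with an optional group filter."""
    return [a for a in SERVERS
            if a["device_type"] == device_type and (group is None or a["group"] == group)]


# Each check is (gap name reported when it fails, predicate that returns True when
# the server passes). Predicates index the record directly so a missing field
# raises KeyError instead of being mistaken for a pass.
CHECKS: list[tuple[str, Callable[[dict[str, Any], date], bool]]] = [
    ("Logging disabled",
     lambda a, today: a["logging_enabled"]),
    ("Missing patch management",
     lambda a, today: (today - a["last_patch"]).days <= PATCH_WINDOW_DAYS),
    ("Root login over SSH permitted",
     lambda a, today: not a["ssh_permit_root_login"]),
    ("Unneeded network services",
     lambda a, today: not (set(a["listening_services"]) - ALLOWED_SERVICES)),
]


def evaluate(asset: dict[str, Any], today: date,
             checks: list[tuple[str, Callable[[dict[str, Any], date], bool]]] = CHECKS) -> dict[str, Any]:
    """Run every check against one server and classify the result."""
    gaps: list[str] = []
    unknown: list[str] = []
    for gap_name, passes in checks:
        try:
            if not passes(asset, today):
                gaps.append(gap_name)
        except KeyError as missing:
            unknown.append(f"{gap_name} (no data: {missing.args[0]})")
    status = "gaps" if gaps else ("insufficient data" if unknown else "compliant")
    return {"hostname": asset["hostname"], "status": status, "gaps": gaps, "unknown": unknown}


def hardening_report(device_type: str, group: str, today: date) -> list[dict[str, Any]]:
    """The architect's question from the post: servers in a group, each
    compared against the checklist."""
    return [evaluate(a, today) for a in get_all_assets_by_device_type(device_type, group)]


if __name__ == "__main__":
    for row in hardening_report("SERVER", "internet-facing", date(2025, 6, 1)):
        print(f"{row['hostname']:<8} {row['status']:<18} "
              f"gaps={row['gaps']} unknown={row['unknown']}")
```

The date is passed in rather than read from the clock so the report is reproducible in a ticket; in practice the agent would also attach, per finding, which source supplied the field it judged, since that is what the server owner will ask first.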

The “Now What”: Context is King

The Asset Info Agent is more than a simple inventory tool; it’s a foundational layer for intelligent, context-aware security operations. Every other security function—from vulnerability management to threat hunting—is made more effective when it starts with a complete and accurate understanding of the assets involved.

The key takeaway is this: the future of security isn’t just about finding threats faster; it’s about understanding them better. By automating the foundational task of asset identification and enrichment, the Asset Info Agent frees up human analysts to focus on high-level analysis and decision-making.

It is the first step in building a security program that can operate at the speed of modern business. When you can ask any question about any asset and get an immediate, intelligent answer, you are no longer reacting to your environment—you are in command of it. The Asset Info Agent is the beginning of that command.