This is blog #4 in a series of 6 discussing AI Agents, the Query Security Data Mesh, and why normalized data is the differentiator in AI for Security Operations. As part of this blog series, we’re introducing the release of six mission-specific AI Agents now available in preview to Query customers. These agents are designed to assist with core SOC workflows, bringing targeted automation to key areas like triage, investigation, and response.
Background: The “Why” – The Blinding Fog of Decentralized Network Data
In cybersecurity, network traffic is the lifeblood of an organization, but it’s also the primary medium for threats. Every connection, every packet, every flow log is a potential piece of a puzzle. For decades, Security Operations Centers (SOCs) have relied on network analysis to detect, investigate, and respond to incidents. However, the fundamental nature of network data has undergone a seismic shift. The neat, centralized, on-premises network is a relic of the past. Today, we operate in a world of radical decentralization.
Data is everywhere: flowing from VPCs, ephemeral containers, SaaS applications, remote user endpoints, and IoT devices. This distribution has created a crisis of context. A single IP address might appear in a dozen different logging systems—from firewall logs in AWS and endpoint EDR alerts on a laptop, to NetFlow data from a core router and application logs in a Kubernetes cluster. According to a 2024 study by industry analyst firm Enterprise Management Associates, 71% of security professionals report that the inability to correlate network data across these disparate environments is a primary obstacle to timely threat detection and response. Analysts are left navigating a blinding fog, armed with a flashlight instead of a map.
This is the “Why.” The traditional “collect-it-all” approach of SIEMs and data lakes, which requires moving and centralizing petabytes of data, is too slow, too expensive, and ultimately fails to provide the real-time context needed for modern network security. The solution isn’t to build a bigger data warehouse; it’s to build a smarter way to ask questions.
This is where the powerful combination of mission-specific AI agents and a security data mesh fundamentally alters the equation. The Query security data mesh creates a unified semantic layer that allows an analyst—or an AI agent—to ask a question and get an answer from all connected sources, in place and in real time. When you couple this architectural advantage with a purpose-built AI agent, you create a digital specialist capable of navigating the fog. The Network Activity Agent is one such specialist, designed not to find evil, but to find context—the critical ingredient for effective security analysis.
The “What”: Deconstructing the Network Activity Agent
The Network Activity Agent’s purpose is to provide unbiased, factual context about network activity. It is explicitly designed not to make security judgments. It won’t label an IP as “malicious” or a connection as “suspicious.” Instead, its mission is to perform the exhaustive, time-consuming data gathering and enrichment that a human analyst must undertake to understand the full story behind an IP address. It answers the fundamental questions: “What is this IP?”, “What did it talk to?”, “Who owns it?”, and “What is its role in my environment?”
Core Capabilities and Architecture
The agent is a sophisticated blend of a large language model (LLM), a curated set of tools for data interaction, and a focused knowledge base, all operating on the Query security data mesh.
- LLM Engine: At its heart, an LLM provides the reasoning and language capabilities. This allows the agent to understand an analyst’s natural language query (e.g., “Tell me everything you know about 8.8.8.8”), orchestrate its tools in a logical sequence, and compile the findings into a structured, human-readable report.
- Specialized Tools: The agent’s true power comes from its purpose-built tools. These are not generic search functions; they are precise instruments for network investigation:
  - Network Activity: (get_network_activity_by_ip) – This is the agent’s primary investigative tool. It doesn’t just query one log source; it queries the entire data mesh for any network event associated with the given IP(s). It returns a rich payload containing not just the raw connection events (source/destination IPs and ports, protocols, byte counts) but also a summary of associated asset metadata (hostnames, MAC addresses) pulled from other systems like EDR or CMDBs.
  - Public IP: (is_public_ip) – A simple but crucial tool that determines whether an IP is public or falls in a private (RFC 1918) or otherwise reserved range. This is the gatekeeper step that decides whether external enrichment is necessary.
  - IP Enrichment: (retrieve_ip_geolocation_data) – For public IPs, this tool performs external enrichment, fetching vital context like geolocation, ISP and ASN ownership, reverse DNS records, and full WHOIS data.
- Federated Search Integration: The agent’s ability to use these tools across the data mesh is its defining feature. When an analyst asks about an IP, the agent isn’t searching a stale data lake. It’s executing a live, federated query. It can simultaneously see a firewall block in a cloud log, a DNS query from an endpoint agent, and a high-volume data transfer from a network flow sensor. This provides a complete, 360-degree view of the IP’s behavior within the organization’s specific context. The agent’s intelligence is grounded in the immediate reality of your environment, transforming abstract data points into a coherent narrative.
- Curated Knowledge Base: The agent has access to the MITRE ATT&CK framework. This is not for labeling activity as malicious, but for providing descriptive context. For example, if it observes activity on a port commonly associated with a specific ATT&CK technique (like RDP on port 3389 for T1021.001), it can cite this fact, empowering the human analyst to make the final judgment call.
The agent’s workflow is methodical and transparent: receive an IP, query internal network logs, analyze the results, check if the IP is public, enrich it with external data if it is, and compile a structured report. It turns hours of manual “swivel-chair” analysis into a single, automated process.
The “So What”: Strategic, Operational, and Tactical Value
The strategic value of the Network Activity Info Agent is its ability to accelerate one of the most common and critical workflows in any SOC: contextualizing an indicator. It systematically dismantles the fog of war for the analyst.
Use Case 1: Triage of a Firewall Alert
Scenario:
A firewall generates an alert for an unusual outbound connection from an internal server (10.10.50.100) to a public IP address (203.0.113.45) on a non-standard port.
Traditional Workflow (30-60 minutes):
- The analyst sees the alert and copies the destination IP.
- They pivot to a threat intelligence portal to look up the IP. It might be clean.
- They run a WHOIS query to see who owns the IP.
- They log into the EDR console and search for the source server’s hostname to see what process made the connection.
- They check NetFlow or SIEM logs to see if this is a one-off connection or a pattern.
- After 45 minutes of manual correlation across 4-5 different tools, they can finally make a decision.
Workflow with the Network Activity Info Agent (2 minutes):
- The analyst asks the agent: “Give me the context for IP 203.0.113.45 and show its connections with 10.10.50.100.”
- The agent executes its workflow:
  - It calls get_network_activity_by_ip for both IPs, instantly correlating the firewall log with EDR process data and network flow records from the federated mesh.
  - It determines 203.0.113.45 is public and calls retrieve_ip_geolocation_data.
- The agent returns a single, consolidated report:
  - IP Context Summary: 203.0.113.45
  - Observed Log Activity: Shows the connection from 10.10.50.100, initiated by the process backup-agent.exe. Total data transferred: 5.2 GB.
  - IP Enrichment Data: Geolocation: Lithuania. ISP: “Hosting Services Inc.” ASN: AS65432. Reverse DNS: node-7b.backups.cloud.
- The analyst immediately understands this is likely a legitimate cloud backup service and can close the alert as a false positive, saving nearly an hour of manual work.
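To make the agent workflow described above and this use case concrete, here is an added Python sketch of the three tools and the orchestration around them; it is example code written for this walk-through, not the Query agent’s implementation, and the event fields, the constructed sample events and the in-memory enrichment table are all assumptions.

```python
import ipaddress

# RFC 1918 private space plus loopback, link-local and CGNAT shared space.
# ipaddress.ip_address(ip).is_global is stricter: it also rejects the
# documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) that this
# post uses as sample addresses, so the check is spelled out here instead.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

# Constructed sample events standing in for three sources on the mesh.
EVENTS = [
    {"source": "cloud_firewall", "src_ip": "10.10.50.100", "dst_ip": "203.0.113.45",
     "dst_port": 8443, "bytes": 5_200_000_000, "action": "allow"},
    {"source": "edr", "src_ip": "10.10.50.100", "dst_ip": "203.0.113.45",
     "dst_port": 8443, "hostname": "srv-backup-01", "process": "backup-agent.exe"},
    {"source": "netflow", "src_ip": "10.10.50.100", "dst_ip": "203.0.113.45",
     "dst_port": 8443, "bytes": 5_200_000_000},
]

# Constructed stand-in for the external enrichment lookup (no network calls).
ENRICHMENT = {"203.0.113.45": {"geo": "Lithuania", "isp": "Hosting Services Inc.",
                               "asn": "AS65432", "rdns": "node-7b.backups.cloud"}}

def is_public_ip(ip: str) -> bool:
    """Gatekeeper step: decides whether external enrichment is warranted."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)

def get_network_activity_by_ip(ip: str, events=EVENTS) -> list:
    """Federated-query stand-in: every event, from any source, naming the IP."""
    return [e for e in events if ip in (e["src_ip"], e["dst_ip"])]

def retrieve_ip_geolocation_data(ip: str) -> dict:
    return ENRICHMENT.get(ip, {})

def build_context_report(ip: str) -> dict:
    """The agent's workflow: query logs, analyse, public check, enrich, report."""
    events = get_network_activity_by_ip(ip)
    peers = {e["src_ip"] if e["dst_ip"] == ip else e["dst_ip"] for e in events}
    report = {"ip": ip, "public": is_public_ip(ip), "peers": sorted(peers),
              "sources": sorted({e["source"] for e in events}),
              "processes": sorted({e["process"] for e in events if "process" in e}),
              # several sensors usually count the same flow: report max, not sum
              "bytes_observed": max((e.get("bytes", 0) for e in events), default=0)}
    report["enrichment"] = retrieve_ip_geolocation_data(ip) if report["public"] else {}
    return report
```

Running build_context_report("203.0.113.45") yields the peer, the process and the enrichment data that the consolidated report above lists, while an internal address such as 10.10.50.100 stops at the public-IP gate and is never sent out for enrichment.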
Use Case 2: Investigating Potential Lateral Movement
Scenario:
An EDR alert flags a suspicious PowerShell command on a user workstation (192.168.10.25). The analyst needs to know if this was an isolated event or if the machine attempted to contact other internal systems.
Traditional Workflow (Hours):
The analyst would have to manually search SIEM and network logs for all traffic originating from 192.168.10.25 over the last 24 hours, filtering out known-good traffic. This is a tedious and error-prone process.
Workflow with the Network Activity Info Agent (1 minute):
- The analyst asks: “Summarize all network activity for 192.168.10.25 in the last 3 hours.”
- The agent queries the federated mesh and returns a summary showing that the workstation initiated RDP connections to three other servers in the same subnet, a behavior highly indicative of lateral movement. This allows the analyst to immediately escalate the incident with clear evidence.
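The time-bounded summary in this use case, as an added example (not the agent’s own code): it filters constructed flow records to the requested window, groups outbound peers by destination port, lists peers in the host’s own /24 separately, and attaches the descriptive port context from the knowledge base section above; the record layout and the PORT_CONTEXT table are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Descriptive port context, as the agent's knowledge base would supply it.
PORT_CONTEXT = {3389: "RDP; commonly tied to ATT&CK T1021.001", 53: "DNS"}

# Constructed sample flow records (synthetic); ts values are ISO 8601.
FLOWS = [
    {"ts": "2024-05-01T09:10:00", "src_ip": "192.168.10.25", "dst_ip": "192.168.10.40", "dst_port": 3389},
    {"ts": "2024-05-01T09:12:00", "src_ip": "192.168.10.25", "dst_ip": "192.168.10.41", "dst_port": 3389},
    {"ts": "2024-05-01T09:15:00", "src_ip": "192.168.10.25", "dst_ip": "192.168.10.42", "dst_port": 3389},
    {"ts": "2024-05-01T09:16:00", "src_ip": "192.168.10.25", "dst_ip": "10.10.50.1", "dst_port": 53},
    {"ts": "2024-05-01T02:00:00", "src_ip": "192.168.10.25", "dst_ip": "192.168.10.99", "dst_port": 3389},
]

def summarize_activity(ip: str, now: str, hours: int, flows=FLOWS) -> dict:
    """Outbound activity of `ip` in the `hours` before `now`: distinct peers per
    destination port, with peers inside the host's own /24 listed separately.
    Descriptive only; the analyst decides what it means."""
    end = datetime.fromisoformat(now)
    start = end - timedelta(hours=hours)
    home = ipaddress.ip_network(f"{ip}/24", strict=False)
    peers = defaultdict(set)
    for f in flows:
        if f["src_ip"] == ip and start <= datetime.fromisoformat(f["ts"]) <= end:
            peers[f["dst_port"]].add(f["dst_ip"])
    return {
        port: {
            "context": PORT_CONTEXT.get(port, "unknown"),
            "peers": sorted(p),
            "same_subnet": sorted(x for x in p if ipaddress.ip_address(x) in home),
        }
        for port, p in sorted(peers.items())
    }
```

For the constructed data, summarize_activity("192.168.10.25", "2024-05-01T10:00:00", 3) reports three same-subnet peers on port 3389 and excludes the 02:00 record that falls outside the window.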
Use Case 3: Enriching Threat Intelligence
Scenario:
A CTI report mentions that the threat actor “Wizard Spider” often uses the IP range 198.51.100.0/24 for command and control.
Traditional Workflow (Days):
An analyst would need to create queries for multiple systems (firewalls, proxies, DNS logs) to search for any historical connections to that entire IP range, a potentially massive and slow undertaking.
Workflow with the Network Activity Info Agent (5 minutes):
The analyst can provide the IP range to the agent. The agent can then systematically query the federated data mesh for any connections to or from that range. It can quickly report back that while there were no direct connections, an internal server did perform a DNS lookup for a domain that resolves to an IP within that range, providing a critical lead for a proactive threat hunt.
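The range sweep in this use case as an added example (not the agent’s own code): it reports direct connections to or from a CIDR block and, separately, the indirect lead the text describes, a host whose DNS lookup resolved into the range, together with any connection that host then made to an address the name resolved to; the constructed events and their field names are assumptions.

```python
import ipaddress

# Constructed sample events (synthetic); DNS records carry the answered addresses.
EVENTS = [
    {"source": "proxy", "ts": "2024-05-01T10:00:00", "src_ip": "10.10.20.7",
     "dst_ip": "192.0.2.10", "dst_port": 443},
    {"source": "dns", "ts": "2024-05-01T10:05:00", "src_ip": "10.10.50.100",
     "query": "update-cdn.example", "answers": ["198.51.100.77", "203.0.113.9"]},
    {"source": "firewall", "ts": "2024-05-01T10:06:00", "src_ip": "10.10.50.100",
     "dst_ip": "203.0.113.9", "dst_port": 443},
]

def sweep_ip_range(cidr: str, events=EVENTS) -> dict:
    """Direct hits: any event whose endpoint is inside the range.
    Indirect leads: a DNS answer inside the range, plus what the querying
    host connected to afterwards among the answered addresses."""
    net = ipaddress.ip_network(cidr, strict=False)
    direct, indirect = [], []
    for e in events:
        ends = [e[k] for k in ("src_ip", "dst_ip") if k in e]
        if any(ipaddress.ip_address(ip) in net for ip in ends):
            direct.append(e)
            continue
        hits = [a for a in e.get("answers", []) if ipaddress.ip_address(a) in net]
        if not hits:
            continue
        # Did the same host then talk to any address the name resolved to?
        # ISO 8601 timestamps compare correctly as strings.
        later = [x for x in events if x.get("src_ip") == e["src_ip"]
                 and x.get("dst_ip") in e["answers"] and x["ts"] > e["ts"]]
        indirect.append({"host": e["src_ip"], "query": e["query"], "in_range": hits,
                         "followed_by": [(x["dst_ip"], x["dst_port"]) for x in later]})
    return {"range": cidr, "direct": direct, "indirect": indirect}
```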
The “Now What”: The Future is a Team of Specialists
The Network Activity Info Agent is a testament to a new philosophy in security AI: the future is not a single, all-knowing AI oracle. The future is a collaborative team of specialized agents, each an expert in its domain, working on a unified data foundation.
This agent doesn’t replace the security analyst. It empowers them. It automates the laborious task of data collection and contextualization, freeing the analyst to focus on the uniquely human skills of critical thinking, intuition, and strategic decision-making. It transforms their role from a data gatherer into a true investigator.
For cybersecurity leaders and engineers, the path forward is clear. Stop chasing the dream of a single pane of glass and start building a unified data access layer. Stop trying to hire your way out of the data overload problem and start augmenting your human talent with a team of specialized AI agents.
The Query Network Activity Info Agent, working alongside its peers like the Query Vulnerability Intelligence Agent, the Query Detection Finding Triage Agent, or the Query Threat Research Agent, represents the next evolution of the SOC—a place where automation handles the scale, AI provides the context, and human experts make the crucial decisions to keep the organization safe.