Learn how Agentic Response transitions automated SOC workflows from linear playbooks to dynamic, agentic automation by triggering AI agents directly from an automation rule.
Agentic Response (preview) allows you to trigger AI agents directly from your automation rules to handle non-linear security scenarios. While complex, highly deterministic workflows are still best suited for standard playbooks, Agentic Response is an ideal solution for less lengthy and less predictable workflows. By integrating AI intelligence directly into SOC workflows, agents can dynamically adapt to unpredictable scenarios without requiring you to program every condition. Agentic Response is effective for targeted, end-to-end flows where agents can efficiently reason through tasks, reducing the need to build and maintain highly extensive workflow configurations. This capability significantly reduces Mean Time to Resolution (MTTR) by autonomously delivering fully synthesized investigations ready for immediate analyst action, empowering analysts with expert-level XQL, hunting, and complex remediation guidance.
Note
The Agentic Response preview feature is not enabled by default. To request access, contact Customer Support.
Potential use cases include:
Phishing forensics (deep hunt & blast radius): Converting threat intel into XQL queries to autonomously map recipient and host connections to attacker infrastructure.
Data exfiltration (containment & L1 remediation):: Automatically pulling in relevant data points.
Cloud misconfiguration (dynamic playbook routing): Analyzing root causes, such as unauthorized access, and dynamically choosing which specialized, pre-approved security playbook to trigger based on the findings.
Agents and prompts
The foundation of Agentic Response is defining exactly what the agent should do when the automation rule is triggered. You initiate this workflow by selecting an appropriate agent and providing it with a dedicated prompt tailored to your specific use case. Designed for rapid, fully autonomous execution, the agent runs independently to complete its tasks without requiring interactive chat or user follow-up. All of the inputs the agent needs must be provided entirely within the prompt inputs or gathered directly from the issue.
When triggered, the agent automatically ingests relevant data points from the issue, eliminating the need to manually map context fields for every run. By default, the agent can view basic details such as the issue ID, name, description, severity, and category name. If you need the agent to evaluate additional data points, you can configure them as inputs to the prompt. This allows you to create dynamic, context-aware prompts by linking placeholders directly to your existing issue fields.
Testing your prompt
Since agent execution is completely autonomous, thoroughly testing the prompt is a critical step before deploying the automation rule. Testing allows you to verify that the agent's reasoning and execution plan align with your desired outcome.
Visibility, tracking, and oversight
After an agent is triggered, you can view its step-by-step reasoning, execution plan, and the full conversation directly from the Resolution tab on an issue, or from the side panel in the case Resolution Center. To ensure you maintain human-in-the-loop control over your environment, agents do not automatically execute any actions marked as sensitive. If an agent requires a sensitive action, it pauses execution and generates a pending task in the case Resolution Center, requiring an analyst to manually approve or deny the action before the agent continues.
The Issues table includes the name of the agent running on an issue, as well as the status (Running, Pending, Done, or Error). The Resolution Center for a case displays agent pending tasks, errors, and completed runs. Agent runs are logged in the War Room and also appear in audit logs.
Automation rules can trigger AI agents when issues are created that meet your specific criteria. To implement Agentic Response capabilities, Create an automation rule.