Skip to content
Kindo Kindo Docs

Security Workflow: Automated Alert Triage

This walkthrough shows you how to build a trigger agent that automatically enriches and triages security alerts from your ticketing system. By the end, you’ll have an agent that fires when new alerts arrive, analyzes them, and updates tickets with triage reports.

Overview

What this workflow does:

  • Monitors your ticketing system (Jira/ServiceNow) for new security alerts
  • Automatically extracts IOCs and enriches with threat intelligence
  • Classifies severity and recommends actions
  • Updates the ticket with a structured triage report

Who it’s for: SOC analysts, security engineers, incident responders

What it produces: Enriched tickets with triage reports that help prioritize response

Jira ticket created -> Trigger fires -> LLM enriches + classifies -> Comment added with triage report

What You’ll Need

  • Kindo account with Jira (or ServiceNow) integration configured
  • A Jira project where security alerts are filed
  • ~30 minutes

The Workflow

Step 1: Create a Triggered Agent

  1. Navigate to Agents tab — Click Agents in the left sidebar.

  2. Click Create an Agent — Select Triggered as the agent type.

  3. Connect Jira integration — Select your Jira connection from the dropdown.

  4. Set trigger condition — Configure the trigger to fire when:

    • Project = “SEC” (or your security project)
    • Type = “Alert”
    • Status = “New”

  5. Save the trigger — Click Save Trigger to activate monitoring.

Step 2: Add an LLM Step — Enrich and Classify

  1. Add a step — Click the + button under Agent Steps.

  2. Select LLM Step — Choose LLM Step from the dropdown.

  3. Write the prompt — Use a template that references the trigger event data:

    You are a SOC analyst performing alert triage. Analyze this security alert and produce a structured triage report.
    

    TICKET SUMMARY: {{trigger.summary}}
    TICKET DESCRIPTION: {{trigger.description}}
    

    Your task:
    1. Extract all IOCs (IPs, hashes, domains) from the ticket
    2. Classify alert type (malware, phishing, unauthorized access, etc.)
    3. Assess severity (Critical/High/Medium/Low) based on indicators
    4. Recommend next steps
    

    Output as structured JSON:
    {
      "iocs": { "ips": [], "hashes": [], "domains": [] },
      "classification": "...",
      "severity": "...",
      "recommendation": "..."
    }

  4. Select a model — Choose a reasoning-capable model.

  5. Save the step — The LLM will process trigger data when the agent fires.

Step 3: Add an API Action Step — Update the Ticket

  1. Add a step — Click the + button and select API Action Step.

  2. Configure Jira actions — Use the Jira integration’s MCP tools:

    Add Comment:

    • Action: jira.add_comment
    • Issue Key: {{trigger.issue_key}}
    • Comment: Include the LLM output (triage report)

    Update Priority:

    • Action: jira.update_issue
    • Issue Key: {{trigger.issue_key}}
    • Priority: Map from LLM severity classification

  3. Save the step — The agent will update the ticket after analysis.

Step 4: Test with a Sample Alert

  1. Create a test ticket — In Jira, create a ticket with:

    • Project: Your security project
    • Type: Alert
    • Summary: “Suspicious login activity detected”
    • Description: “Multiple failed SSH login attempts from 203.0.113.42 targeting admin accounts on server web-prod-03. Source IP associated with CVE-2024-3094 scanning activity.”

  2. Verify trigger fires — Check the Kindo Terminal for execution logs

  3. Review the comment — In Jira, verify the ticket has a new comment with the triage report

  4. Check priority — Verify the ticket priority matches the agent’s severity classification

Verification

Expected Results

CheckExpected Result
Trigger fires on new ticketAgent executes within seconds of ticket creation
LLM produces structured outputJSON with IOCs, classification, severity, recommendation
Ticket updatedNew comment with triage report visible in Jira
Priority set correctlyMatches severity classification (Critical/High/Medium/Low)

Verification Steps

  1. Check Kindo Terminal — Review the full execution trace for errors
  2. Check Jira ticket — Verify comment was added and priority was updated
  3. Review LLM output — Ensure structured JSON is well-formed and complete
  4. Test edge cases — Try tickets without CVEs, with multiple CVEs, with different alert types

Adapting This Workflow

Replace Jira with ServiceNow

  1. Change the integration from Jira to ServiceNow
  2. Update API Action steps to use ServiceNow MCP tools (servicenow.add_comment, etc.)
  3. Same pattern, different integration

Add a Second Agent for Automated Remediation

  1. Create Agent B (Remediate) as a trigger agent
  2. Set trigger condition: Jira ticket assigned to “auto-remediate” queue
  3. Agent B executes fixes and updates ticket
  4. See Multi-Agent Coordination for details

Add Slack Notification for Critical Alerts

  1. Add an API Action step after the LLM classification
  2. Use Slack integration to post to a channel
  3. Condition: Only post if severity is Critical or High

Use Different Classification Framework

  1. Update the LLM prompt to use MITRE ATT&CK tactics instead of generic categories
  2. Map MITRE techniques to your organization’s response procedures
  3. Include MITRE mapping in the structured output

Troubleshooting

Trigger Not Firing

Symptoms: Agent doesn’t execute when tickets are created

Check:

  • Integration connection status (green checkmark in Settings > Integrations)
  • Trigger conditions match ticket fields exactly (case-sensitive)
  • Ticket is created in the correct project with correct type
  • Webhook delivery in the integration’s admin panel (Jira/ServiceNow)

Fix:

  • Reconnect the integration if connection shows errors
  • Adjust trigger conditions to match actual ticket field values
  • Test with a manually created ticket matching all conditions

LLM Output Not Structured

Symptoms: Output is narrative text instead of JSON

Check:

  • Prompt explicitly requests JSON format
  • JSON schema is included in the prompt
  • Model is capable of structured output (GPT-4, Claude 3, etc.)

Fix:

  • Add explicit instruction: “Output ONLY valid JSON, no markdown, no explanation”
  • Include example JSON structure in the prompt
  • Switch to a more capable model if using a lightweight one

API Action Failing

Symptoms: Jira/ServiceNow actions return errors

Check:

  • MCP server is running (for self-hosted deployments)
  • Integration permissions allow the actions (create comment, update issue)
  • Issue key format is correct
  • API rate limits haven’t been exceeded

Fix:

  • Check MCP server status in deployment logs
  • Verify integration OAuth scopes include write permissions
  • Test actions manually in the integration first
  • Add retry logic for transient failures