
Exercise B - Universal Security Triage Agent

Exercise Metadata

| Field | Value |
| --- | --- |
| Duration | ~35 minutes |
| Type | Workflow Agent with Integrations |
| Focus | Agentic tool calling across security stack |

Scenario

SOC analysts often pivot manually across SIEM, EDR, identity, firewall, and threat-intel tools. That manual process can take 30-60 minutes per alert and delays incident response when alert volume spikes.

Objective

Build a single-step Kindo Workflow Agent that performs end-to-end triage across the security stack and synthesizes a justified disposition.

The agent should autonomously:

  • Extract entities from an alert (users, hosts, IPs, domains, hashes, processes)
  • Query SIEM for correlated events and timelines
  • Query EDR for endpoint context and process activity
  • Query IdP for sign-in and privilege anomalies
  • Query firewall/NDR for network anomalies and beaconing
  • Enrich IOCs with threat intelligence
  • Produce a final disposition and ranked action plan

What Makes This Exercise Different

| Exercise A | Exercise B |
| --- | --- |
| Multi-step prompts for fixed workflow stages | Single-step runbook prompt |
| Agent follows explicit sequence | Agent decides which tool to call and when |
| Demonstrates structured procedural automation | Demonstrates agentic reasoning |
| Primary tool: Knowledge Store | Primary tools: live integrations |

Integrations Used (Demo Mode)

| Integration | Role | What the Agent Queries |
| --- | --- | --- |
| Splunk | SIEM | Alerts, correlated events, timeline |
| CrowdStrike | EDR | Endpoint detections, device context, process trees |
| Okta | IdP | Sign-in events, MFA status, privilege changes |
| Palo Alto | Firewall/NDR | Network traffic, beaconing, lateral movement |
| VirusTotal | Threat Intel | IOC reputation, file analysis, domain/IP enrichment |

Prerequisites

  • Kindo training account
  • Five integrations pre-enabled by session facilitator
  • Demo Mode enabled in training environment

Step 1 - Create Agent and Enable Integrations (5 min)

  1. Go to Agents -> Create an Agent -> Workflow Agent.
  2. Configure:
    • Name: Universal Security Triage Agent
    • Description: Performs end-to-end triage across SIEM, EDR, IdP, firewall, and threat intel using agentic tool calling.
  3. Open Integrations and enable:
    • Splunk
    • CrowdStrike
    • Okta
    • Palo Alto
    • VirusTotal

Step 2 - Add the Triage Runbook Prompt (10 min)

Add one LLM step named Triage Runbook and use this prompt:

Run an end-to-end triage on the triggering alert/ticket if present. If no trigger exists, triage the highest-severity SIEM alerts from the last 4 hours.
1) Extract entities from the triggering object (users, hosts, IPs, domains, hashes, processes, email IDs, cloud resources).
2) SIEM: pull the rule details, raw events, correlations, first/last seen timestamps, and related alerts.
3) EDR/XDR: check device posture, detections, process tree, network connections, persistence mechanisms, and lateral movement signs.
4) IdP/IAM: review sign-in timeline, MFA outcomes, risk events, session/token anomalies, and privilege changes.
5) Firewall/NDR: check DNS + outbound anomalies, beaconing patterns, and east-west traffic spikes.
6) Threat Intel: enrich all IOCs (hashes, IPs, domains) and link to known campaigns or threat groups.
Conclude with:
- Disposition: TRUE POSITIVE / FALSE POSITIVE / NEEDS MORE DATA
- Severity: CRITICAL / HIGH / MEDIUM / LOW
- Confidence: HIGH / MEDIUM / LOW (with explanation)
- Scope: contained to single host | multiple hosts | org-wide | unknown
- Evidence summary: one line per data source showing what it found and whether it supports TP or FP
- Attack narrative (if TP): initial access -> current stage -> blast radius
- Ranked next steps: containment -> evidence preservation -> further investigation -> notification -> remediation
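As an added illustration (not part of the exercise or Kindo's own code), the runbook's step 1 and its conclusion block written as plain Python: entity extraction from a constructed alert string, then a disposition derived only from per-source evidence lines, which withholds a verdict while TP and FP evidence contradict each other. The key=value alert format and the Evidence class are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample alert (not real SIEM output): the triggering object for runbook step 1.
SAMPLE_ALERT = (
    "Rule: Suspicious PowerShell download host=WS-0142 user=jdoe "
    "src_ip=10.20.4.17 dst_ip=203.0.113.45 domain=updates.example-cdn.invalid "
    "sha256=" + "a" * 64 + " process=powershell.exe"
)

# Field-tagged patterns for the entity classes the runbook lists (assumed alert format).
ENTITY_PATTERNS = {
    "users": r"\buser=(\S+)",
    "hosts": r"\bhost=(\S+)",
    "ips": r"\b(?:src_ip|dst_ip)=(\d{1,3}(?:\.\d{1,3}){3})",
    "domains": r"\bdomain=(\S+)",
    "hashes": r"\b([0-9a-f]{64})\b",
    "processes": r"\bprocess=(\S+)",
}

def extract_entities(alert: str) -> dict[str, list[str]]:
    """Runbook step 1: users, hosts, IPs, domains, hashes, processes from the alert text."""
    return {k: sorted(set(re.findall(p, alert))) for k, p in ENTITY_PATTERNS.items()}

@dataclass
class Evidence:
    source: str    # SIEM, EDR, IdP, Firewall/NDR, Threat Intel
    finding: str   # what the source returned, one line
    supports: str  # "TP", "FP", or "NONE" when the source had nothing relevant

def synthesize(entities: dict[str, list[str]], evidence: list[Evidence]) -> dict:
    """Runbook conclusion: disposition and confidence derived only from the evidence lines."""
    summary = [f"{e.source}: {e.finding} -> supports {e.supports}" for e in evidence]
    tp = [e for e in evidence if e.supports == "TP"]
    fp = [e for e in evidence if e.supports == "FP"]
    # Each TP/FP pair is a contradiction that must be explained before a verdict is issued.
    contradictions = [f"{a.source} (TP) vs {b.source} (FP)" for a in tp for b in fp]
    if not any(entities.values()):
        disposition, confidence = "NEEDS MORE DATA", "LOW"   # nothing to pivot on
    elif tp and not fp:
        disposition, confidence = "TRUE POSITIVE", "HIGH" if len(tp) >= 2 else "MEDIUM"
    elif fp and not tp:
        disposition, confidence = "FALSE POSITIVE", "HIGH" if len(fp) >= 2 else "MEDIUM"
    else:
        disposition, confidence = "NEEDS MORE DATA", "LOW"   # mixed or empty evidence
    return {"disposition": disposition, "confidence": confidence,
            "evidence_summary": summary, "contradictions": contradictions}
```

The same rules map directly onto the troubleshooting table: empty entity extraction and unreconciled contradictions are the two paths that keep the disposition at NEEDS MORE DATA.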

Step 3 - Run, Observe, and Review (15 min)

  1. Click Run.
  2. Observe live tool calls in the execution trace.
  3. Review final disposition against the checklist below.

Typical execution path you may observe:

  • Splunk queried for alert baseline and entities
  • CrowdStrike queried for host/process context
  • Okta queried for user authentication timeline
  • Palo Alto queried for network behavior linked to entities
  • VirusTotal queried for IOC enrichment
  • Final synthesis into disposition and actions

Review Checklist

  • Disposition quality: verdict is evidence-backed and coherent
  • Tool sequence quality: calls are relevant and follow-up queries are logical
  • Cross-correlation quality: findings are connected across identity, endpoint, and network data
  • Action quality: next steps are prioritized and operationally useful

Step 4 (Optional) - Add One Real Integration (5 min)

If credentials are available, connect one real integration and rerun. This demonstrates production connection flow while preserving demo data for the remaining tools.

Discussion Points

  • Agentic versus procedural design: when should each be used?
  • Did the agent make unnecessary calls or miss useful ones?
  • How did multi-source correlation improve triage quality?
  • If this saves 30-60 minutes per alert, where should that analyst time be reinvested?

Production Extensions

  • Trigger triage automatically for high-severity SIEM alerts
  • Auto-create Jira or ServiceNow tickets for true positives
  • Notify Slack on CRITICAL findings
  • Re-triage open incidents on a recurring schedule as new evidence arrives

Troubleshooting

| Issue | Likely Cause | How To Fix |
| --- | --- | --- |
| Agent does not call all integrations | Integration toggles are disabled or unavailable | Re-check integration enablement in agent settings |
| Output contains unsupported claims | Prompt missing evidence accountability | Keep required evidence summary lines per data source |
| Agent loops or over-queries one source | Runbook lacks prioritization guardrails | Add guidance: stop querying once confidence threshold is met |
| Disposition stays NEEDS MORE DATA | Entities not extracted or source data sparse | Add explicit entity extraction checks and broaden time window |
| Contradictory evidence not reconciled | Prompt lacks conflict-handling instruction | Add requirement to explain contradictions before verdict |
