Build Your First Workflow

This tutorial walks you through building a realistic multi-step workflow that solves a real security problem. By the end, you’ll have a working agent that enriches security alerts with threat intelligence and produces structured triage reports.

What you’ll build: A manual workflow agent that takes a security alert description, enriches it with CVE data from the National Vulnerability Database (NVD), classifies severity, and outputs a triage report.

Expected time: ~45 minutes

Prerequisites

  • Kindo account (SaaS or self-hosted)
  • Completed Create Your First Agent quickstart
  • No external accounts needed (uses public NVD API)

What You’ll Build

Input (alert) -> API Action (NVD lookup) -> LLM (classify + triage) -> Output (report)

Step 1: Create a Manual Workflow Agent

  1. Navigate to the Agents tab — Click Agents in the left sidebar.

  2. Click Create an Agent — Select Workflow as the agent type.

  3. Name your agent — Enter “Alert Triage Workflow”.

  4. Add a description — “Enriches security alerts with CVE data and produces triage reports.”

  5. Select a model — Choose a general-purpose model like GPT-4 or Claude 3.

Step 2: Define a Workflow Input

Workflow inputs let you pass dynamic values into your agent when it runs. These become template variables you can reference in prompts.

  1. Open the Agent Configuration panel — Click the configuration icon if it’s not already open.

  2. Add a workflow input — Under Workflow Inputs, click Add Input.

  3. Configure the input:

    • Name: alert_description
    • Type: Text
    • Label: “Security Alert Description”
    • Description: “Enter the security alert or event description to triage”
  4. Save the input — This makes {{alert_description}} available in your LLM step prompts.

Step 3: Add an API Action Step — Fetch CVE Data

Now add a step that enriches the alert with threat intelligence from the National Vulnerability Database (NVD).

  1. Add a step — Click the + button under Agent Steps.

  2. Select API Action Step — Choose API Action Step from the dropdown.

  3. Configure the API request:

    • Method: GET
    • URL: https://services.nvd.nist.gov/rest/json/cves/2.0
  4. Add query parameters — Click Add Parameter and add:

    • Key: cveId
    • Value: Use the Magic button (sparkles icon) to generate a parameter extraction from the alert description. Enter: “Extract CVE IDs from the alert description using regex pattern CVE-\d{4}-\d+”
  5. Save the step — The API response will be available to subsequent steps.

Step 4: Add an LLM Step — Analyze and Classify

Now add an LLM step that analyzes the enriched alert and produces a triage report.

  1. Add a step — Click the + button and select LLM Step.

  2. Write the prompt — Enter the following prompt (adjust as needed):

    You are a security analyst performing alert triage. Analyze the following security alert and produce a structured triage report.
    ALERT DESCRIPTION:
    {{alert_description}}
    CVE ENRICHMENT DATA:
    [The previous step fetched CVE data from NVD. Reference it here.]
    Your task:
    1. Extract all IOCs (IPs, hashes, domains) from the alert
    2. Classify the alert type (malware, phishing, unauthorized access, etc.)
    3. Assess severity (Critical/High/Medium/Low) based on:
    - CVSS scores from CVE data
    - Exploit availability (check CISA KEV list)
    - Asset criticality indicators
    4. Recommend action:
    - ESCALATE: Immediate human attention required
    - INVESTIGATE: Gather more information
    - MONITOR: Track but no immediate action
    - CLOSE: False positive or resolved
    Output as a structured markdown report with sections for Summary, IOCs, Classification, Severity Assessment, and Recommended Action.
  3. Select a model — Choose a reasoning-capable model (GPT-4, Claude 3 Opus, or similar).

  4. Save the step — The LLM will process the alert and CVE data when the agent runs.

Step 5: Run and Verify

Test your agent with a realistic security alert.

  1. Click Run — Click the Run button to start the agent.

  2. Enter test input — When prompted, enter this sample alert:

    Multiple failed SSH login attempts from 203.0.113.42 targeting admin accounts
    on server web-prod-03. Source IP associated with CVE-2024-3094 (xz backdoor)
    scanning activity.
  3. Review the execution — Watch the agent execute in the Terminal:

    • Step 1 (API Action) should fetch CVE-2024-3094 data from NVD
    • Step 2 (LLM) should analyze and produce a triage report
  4. Verify the output — Check that the triage report includes:

    • Extracted IOCs (IP: 203.0.113.42, server: web-prod-03)
    • Alert classification (unauthorized access / brute force)
    • Severity assessment (likely Critical or High given CVE-2024-3094)
    • Recommended action (ESCALATE or INVESTIGATE)
  5. Check the sandbox — If the NVD response was large, click the sandbox icon to view the raw CVE data that was fetched.

Verification Checklist

Check                            Expected Result
Agent runs without errors        No red error messages in Terminal
API step executes                NVD API call returns CVE data
LLM step produces output         Structured triage report generated
Output contains all sections     IOCs, Classification, Severity, Action
Severity makes sense             Critical/High for CVE-2024-3094

Step 6: Iterate and Improve

Now that you have a working agent, refine it based on the output quality.

  1. Adjust the LLM prompt — If the classification seems off:

    • Add more specific criteria for severity assessment
    • Include examples of each alert type in the prompt
    • Specify the exact JSON schema you want for structured output
  2. Add a second LLM step — Create a “plain English summary” for management:

    • Add a new LLM step after the classification step
    • Prompt: “Summarize the following technical triage report for a non-technical manager in 2-3 sentences…”
    • This demonstrates how step ordering affects data flow
  3. Add error handling — Make the agent more robust:

    • Add a condition to check if the NVD API returned data before proceeding
    • Handle cases where no CVE ID is found in the alert description
  4. Test with different alerts — Try these variations:

    • A phishing email alert with suspicious attachment hashes
    • A malware detection alert with file paths and signatures
    • An unauthorized access alert with multiple source IPs
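The enrichment logic from Step 3 (CVE extraction with the CVE-\d{4}-\d+ pattern and the cveId query against the NVD 2.0 endpoint) together with the two error-handling branches from Step 6 (no CVE ID in the alert, empty NVD result), written out as a stand-alone Python example. This is added illustration, not Kindo's own code; the NVD response body is a constructed stand-in rather than a live lookup, and the `fetch` parameter is a hypothetical hook for swapping in a real HTTP call.

```python
import json
import re
from urllib.parse import urlencode

# Same pattern the tutorial asks the Magic button to apply in Step 3.
CVE_PATTERN = re.compile(r"CVE-\d{4}-\d+")
NVD_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"

# Constructed stand-in for an NVD 2.0 JSON body (not fetched from NVD).
SAMPLE_NVD_RESPONSE = json.dumps({
    "totalResults": 1,
    "vulnerabilities": [{"cve": {
        "id": "CVE-2024-3094",
        "metrics": {"cvssMetricV31": [{"cvssData": {
            "baseScore": 10.0, "baseSeverity": "CRITICAL"}}]},
    }}],
})


def extract_cve_ids(alert_description: str) -> list[str]:
    """Return CVE IDs found in the alert, de-duplicated, in order of appearance."""
    return list(dict.fromkeys(CVE_PATTERN.findall(alert_description)))


def build_nvd_request(cve_id: str) -> str:
    """URL the API Action step issues for one CVE (GET with a cveId parameter)."""
    return f"{NVD_URL}?{urlencode({'cveId': cve_id})}"


def summarize_nvd_response(body: str) -> dict:
    """Pull CVSS v3.1 score and severity from an NVD 2.0 body; tolerate empty results."""
    data = json.loads(body)
    if data.get("totalResults", 0) == 0 or not data.get("vulnerabilities"):
        return {"status": "no_data"}          # Step 6: NVD returned nothing usable
    cve = data["vulnerabilities"][0]["cve"]
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    if not metrics:                           # CVE exists but has no v3.1 score yet
        return {"status": "ok", "cve_id": cve["id"], "cvss": None, "severity": "UNKNOWN"}
    cvss = metrics[0]["cvssData"]
    return {"status": "ok", "cve_id": cve["id"],
            "cvss": cvss["baseScore"], "severity": cvss["baseSeverity"]}


def enrich(alert_description: str, fetch=lambda url: SAMPLE_NVD_RESPONSE) -> dict:
    """Steps 3 and 6 combined: skip the lookup entirely when the alert names no CVE."""
    ids = extract_cve_ids(alert_description)
    if not ids:
        return {"status": "no_cve_in_alert", "cve_ids": []}
    result = summarize_nvd_response(fetch(build_nvd_request(ids[0])))
    result["cve_ids"] = ids
    return result
```

To run against the real service, pass `fetch=lambda url: urllib.request.urlopen(url).read()`; the default keeps the example offline.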

What You Learned

In this tutorial, you built a realistic multi-step workflow and learned:

  • Workflow inputs — How to define dynamic inputs that become template variables
  • API Action steps — How to fetch external data (threat intelligence) via REST APIs
  • LLM steps — How to analyze data and produce structured outputs
  • Multi-step data flow — How output from one step becomes input to the next
  • Testing and iteration — How to verify your agent works and refine it

Next Steps