Explore common agentic use cases built on the Microsoft Sentinel platform, showing how developers can correlate identity, endpoint, network, and threat intelligence signals to create fast, repeatable investigation and response workflows with Security Copilot agents.
Interested in building an agent with Sentinel platform solutions but not sure where to start? This blog will help you understand some common use cases for agent development that we’ve seen across our partner ecosystem.
SOC teams don’t need more alerts - they need fast, repeatable investigation and response workflows. Security Copilot agents can help orchestrate the steps analysts perform by correlating across the Sentinel data lake, executing targeted KQL queries, fetching related entities, enriching with context, and producing an evidence-backed decision without forcing analysts to switch tools.
Microsoft Sentinel platform is a strong foundation for agentic experiences because it exposes a normalized security data layer, an investigation surface based on incidents and entities, and extensive automation capabilities. An agent can use these primitives to correlate identity, endpoint, cloud, and network telemetry; traverse entity relationships; and recommend remediation actions.
In this blog, I will break down common agentic use cases that developers can implement on Sentinel platform, framed in buildable and repeatable patterns:
- Identify the investigation scenario
- Understand the required Sentinel data connectors and KQL queries
- Build enrichment and correlation logic
- Summarize findings with supporting evidence and recommended remediation steps
Use Case 1: Identity & Access Intelligence
Investigation Scenario: Is this risky sign-in part of an attack path?
Signals Correlated:
- Identity access telemetry: Source user, IPs, target resources, MFA logs
- Authentication outcomes and diversity: Success vs. failure, Geographic spread
- Identity risk posture: User risk level/state
- Post-auth endpoint execution: Suspicious LOLBins
Correlation Logic:
An analyst receives a risky sign-in signal for a user and needs to determine whether the activity reflects expected behavior - such as travel, remote access, or MFA friction - or if it signals the early stage of an identity compromise that could escalate into privileged access and downstream workload impact.
Practical Example:
Silverfort Identity Threat Triage Agent, which is built on a similar framework, takes the user’s UPN as input and builds a bounded, last-24-hour investigation across authentication activity, MFA logs, user risk posture, and post-authentication endpoint behavior.
Outcome:
By correlating identity risk signals, MFA logs, sign-in success and failure patterns, and suspicious execution activity following authentication, the agent connects the initial risky sign-in to endpoint behavior, enabling the analyst to quickly assess compromise likelihood, identify escalation indicators, and determine appropriate remediation actions.
“Our collaboration with Microsoft Sentinel and Security Copilot underscores the central role identity plays across every stage of attack path triage. By integrating Silverfort’s identity risk signals with Microsoft Entra ID and Defender for Endpoint, and sharing rich telemetry across platforms, we enable Security Copilot Agent to distinguish isolated anomalies from true identity-driven intrusions - while dramatically reducing the manual effort traditionally required for incident response and threat hunting. AI-driven agents accelerate analysis, enrich investigative context, reduce dwell time, and speed detection. Instead of relying on complex queries or deep familiarity with underlying data structures, security teams can now perform seamless, identity-centric reasoning within a single interaction.” - Frank Gasparovic, Director of Solution Architecture, Technology Alliances, Silverfort
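The bounded, last-24-hour identity-to-endpoint correlation described in Use Case 1, written out as an added KQL example; this is not Silverfort's agent or a query from the blog. It assumes the Entra ID SigninLogs and Defender for Endpoint DeviceProcessEvents tables are connected to the workspace; the UPN, the verdict thresholds and the LOLBin list are constructed placeholders.

```kql
// Added example: one UPN in, evidence rows out (sign-in posture joined to post-auth LOLBin execution).
// Placeholders: TargetUpn, the Lolbins list and the Verdict thresholds are illustrative, not vendor logic.
let TargetUpn = "user@example.com";          // placeholder input supplied by the agent
let Window = 24h;                            // bounded investigation window
let Lolbins = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
                       "regsvr32.exe", "certutil.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe"]);
// 1. Authentication activity: outcomes, geographic spread, MFA requirement and risk posture
let SignIns = SigninLogs
    | where TimeGenerated > ago(Window)
    | where UserPrincipalName =~ TargetUpn
    // rank risk numerically so max() is meaningful (string max would sort "none" above "high")
    | extend RiskRank = case(RiskLevelDuringSignIn == "high", 3,
                             RiskLevelDuringSignIn == "medium", 2,
                             RiskLevelDuringSignIn == "low", 1, 0)
    | project TimeGenerated, IPAddress, Location, ResultType,
              AuthenticationRequirement, RiskRank, RiskState;
let AuthSummary = SignIns
    | summarize Successes   = countif(ResultType == "0"),     // "0" is a successful sign-in
                Failures    = countif(ResultType != "0"),
                DistinctIPs = dcount(IPAddress),
                Countries   = make_set(Location),
                MaxRiskRank = max(RiskRank),
                FirstSuccess = minif(TimeGenerated, ResultType == "0");
// 2. Post-authentication endpoint execution: LOLBins launched under the same account
let PostAuthExec = DeviceProcessEvents
    | where TimeGenerated > ago(Window)
    | where AccountUpn =~ TargetUpn
    | where FileName in~ (Lolbins)
    | project ExecTime = TimeGenerated, DeviceName, FileName,
              ProcessCommandLine, InitiatingProcessFileName;
// 3. Correlate: only executions after the first successful sign-in count as "post-auth".
//    If there was no successful sign-in, FirstSuccess is null and no rows are returned.
AuthSummary
| extend key = 1
| join kind=inner (PostAuthExec | extend key = 1) on key   // single-row summary x executions
| where ExecTime > FirstSuccess
| project-away key, key1
| extend Verdict = case(
      Failures > 5 and DistinctIPs > 1 and MaxRiskRank >= 2, "Likely compromise: escalate and contain",
      DistinctIPs > 1 or MaxRiskRank >= 2,                   "Needs analyst review",
      "Consistent with expected access")
| order by ExecTime asc
```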
Use Case 2: Cyber Resilience, Backup & Recovery
Investigation Scenario: Are the threats detected on a backup indicative of production impact and recovery risk?
Signals Correlated:
- Backup threat telemetry: Backup threat scan alerts, risk analysis events, affected host/workload, detection timestamps
- Cross-vendor security alerts: Endpoint, network, and cloud security alerts for the same host/workload in the same time window
Correlation Logic:
The agent correlates threat signals originating from the backup environment with security telemetry associated with the same host/workload to validate whether there is corroborating evidence in the production environment and whether the activity aligns in time.
Practical Example:
Commvault Security Investigation Agent, which is built on a similar framework, takes a hostname as input and builds an investigation across Commvault Threat Scan / Risk Analysis events and third-party security telemetry. By correlating backup-originating detections with production security activity for the same host, the agent determines whether the backup threat signal aligns with observable production impact.
Outcome:
By correlating backup threat detections with endpoint, network, and cloud security telemetry while validating timing alignment, event spikes, and data coverage, the agent connects a backup-originating threat signal to production evidence, enabling the analyst to quickly assess impact likelihood and determine appropriate actions such as containment or recovery-point validation.
Use Case 3: Network, Exposure & Connectivity
Investigation Scenario: Is this activity indicative of legitimate remote access, or does it demonstrate suspicious connectivity and access attempts that increase risk to private applications and internal resources?
Signals Correlated:
- User access telemetry: Source user, source IPs/geo, device/context, destinations
- Auth and enforcement outcomes: Success vs. failure, MFA allow/block
- Behavior drift: New/rare IPs/locations, unusual destination/app diversity
- Suspicious activity indicators: Risky URLs/categories, known-bad indicators, automated/bot-like patterns, repeated denied private app access attempts
Correlation Logic:
An analyst receives an alert for a specific user and needs to determine whether the activity reflects expected behavior such as travel, remote work, or VPN usage, or whether it signals the early stages of a compromise that could later extend into private application access.
Practical Example:
Zscaler ZIA ZPA Correlation Agent starts with a username and builds a bounded, last-24-hour investigation across Zscaler Internet Access and Zscaler Private Access activity. By correlating user internet behavior, access context, and private application interactions, the agent connects the initial Zscaler alert to any downstream access attempts or authentication anomalies, enabling the analyst to quickly assess risk, identify suspicious patterns, and determine whether Zscaler policy adjustments are required.
Outcome:
Provides a last‑24‑hour verdict on whether the activity reflects expected access patterns or escalation toward private application access, and recommends next actions—such as closing as benign drift, escalating for containment, or tuning access policy—based on correlated evidence.
Use Case 4: Endpoint & Runtime Intelligence
Investigation Scenario: Is this process malicious or a legitimate admin action?
Signals Correlated:
- Execution context: Process chain, full command line, signer, unusual path
- Account & logon: Initiating user, logon type (RDP/service), recent risky sign-ins
- Tooling & TTPs: LOLBins, credential access hints, lateral movement tooling
- Network behavior: Suspicious connections, repeated callbacks/beaconing
Correlation Logic:
A PowerShell alert triggers on a production server. The agent ties the process to its parent (e.g., spawned by a web worker vs. an admin shell), validates the command-line indicators, correlates outbound connections from the same PID to a first-seen destination, and checks for immediate follow-on persistence and any adjacent runtime alerts in the same time window.
Outcome:
Classifies the activity as malicious vs. admin and produces an evidence pack (process tree, key command indicators, destinations, persistence/tamper artifacts) as well as the recommended containment step (isolate host and revoke/reset initiating credentials).
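The process-to-parent-to-network correlation from Use Case 4, written out as an added KQL example; it is not code from the blog or from any vendor agent. It assumes the Defender for Endpoint DeviceProcessEvents and DeviceNetworkEvents tables are connected; the hostname, the "web worker" parent list, the 30-day baseline and the verdict thresholds are constructed placeholders.

```kql
// Added example: tie PowerShell on one host to its parent process and to the outbound
// connections made by the same PID, flagging destinations the host had not contacted before.
// Placeholders: TargetHost, the web-worker parent list and the Verdict thresholds are illustrative.
let TargetHost = "prod-web-01";              // placeholder hostname taken from the alert
let Window = 24h;                            // bounded investigation window
let Baseline = 30d;                          // history used to decide "first-seen" destinations
let Shells = dynamic(["powershell.exe", "pwsh.exe"]);
// 1. PowerShell processes with parent context (spawned by a web worker vs. an admin shell)
let PsProcs = DeviceProcessEvents
    | where TimeGenerated > ago(Window)
    | where DeviceName =~ TargetHost and FileName in~ (Shells)
    | extend ParentContext = iff(InitiatingProcessFileName in~ ("w3wp.exe", "httpd.exe", "nginx.exe"),
                                 "web-worker", "interactive/other")
    | project ProcTime = TimeGenerated, DeviceName, ProcessId, AccountName,
              ProcessCommandLine, Parent = InitiatingProcessFileName, ParentContext;
// 2. Destinations this host already contacted before the window (the baseline)
let KnownDest = DeviceNetworkEvents
    | where TimeGenerated between (ago(Baseline) .. ago(Window))
    | where DeviceName =~ TargetHost
    | distinct RemoteIP
    | extend SeenBefore = true;
// 3. Outbound connections initiated by PowerShell inside the window
let PsConns = DeviceNetworkEvents
    | where TimeGenerated > ago(Window)
    | where DeviceName =~ TargetHost and InitiatingProcessFileName in~ (Shells)
    | project ConnTime = TimeGenerated, DeviceName, InitiatingProcessId, RemoteIP, RemotePort, RemoteUrl;
// 4. Correlate on device + PID, mark first-seen destinations, count repeat contacts (beaconing hint)
PsProcs
| join kind=inner PsConns on DeviceName, $left.ProcessId == $right.InitiatingProcessId
| join kind=leftouter KnownDest on RemoteIP
| extend FirstSeen = isnull(SeenBefore)      // no baseline row means the destination is new for this host
| summarize Contacts = count(), FirstContact = min(ConnTime), LastContact = max(ConnTime),
            Ports = make_set(RemotePort), Url = take_any(RemoteUrl)
          by ProcTime, ProcessId, AccountName, Parent, ParentContext, ProcessCommandLine, RemoteIP, FirstSeen
| extend Verdict = case(
      ParentContext == "web-worker" and FirstSeen, "Likely malicious: isolate host, reset initiating credentials",
      FirstSeen or Contacts >= 10,               "Suspicious: review command line and destination",
      "Consistent with admin activity")
| order by ProcTime asc, FirstContact asc
```

The output is the evidence pack the text describes: one row per process/destination pair with parent context, command line, contact count and first-seen status, which the agent can summarize directly.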
Use Case 5: Exposure & Exploitability
Investigation Scenario: What is the likelihood of exploitation and blast radius?
Signals Correlated:
- Asset exposure: Internet-facing status, exposed services/ports, and identity or network paths required to reach the workload
- Exploit activity: Defender alerts on the resource, IDS/WAF hits, IOC matches, and first seen exploit or probing attempts
- Risk amplification signals: Internet communication, high privilege access paths, and indicators that the workload processes PII or sensitive data
- Blast radius: Downstream reachability to crown jewel systems (e.g., databases, key vaults) and trust relationships that could enable escalation
Correlation Logic:
An analyst receives a Medium/High Microsoft Defender for Cloud alert on a workload and needs to determine whether it is a standalone detection or an exploitable exposure that can quickly progress into privilege abuse and data impact. The agent correlates exposure evidence such as internet reachability, high-privilege paths, and indicators that the workload handles sensitive data, and analyzes suspicious network connections in the same bounded time window.
Outcome:
Produces a resource-specific risk analysis that explains why the Defender for Cloud alert is likely to be exploited, based on asset attack surface and effective privileges, plus any supporting activity in the same 24-hour window.
Use Case 6: Threat Intelligence & Adversary Context
Investigation Scenario: Is this activity aligned with known attacker behavior?
Signals Correlated:
- Behavior sequence: Ordered events identity → execution → network
- Technique mapping: MITRE ATT&CK technique IDs, typical progression, and required prerequisites
- Threat intel match: Campaign/adversary, TTPs, IOCs
Correlation Logic:
A chain of identity compromise, PowerShell obfuscation, and periodic outbound HTTPS is observed. The agent maps the sequence to ATT&CK techniques and correlates it with threat intel that matches a known adversary campaign.
Outcome:
Surfaces adversary-aligned behavioral insights and TTP context to help analysts assess intrusion likelihood and guide the next investigation steps.
Summary
This blog is intended to help developers better understand the key use cases for building agents with Microsoft Sentinel platform along with practical patterns to apply when designing and implementing agent scenarios.
Need help? If you have any issues as you work to develop your agent, the App Assure team is available to assist via our Sentinel Advisory Service. Reach out via our intake form.
Resources
- Learn more: For a practical overview of how ISVs can move from Sentinel data lake onboarding to building agents, see the Accelerate Agent Development blog - https://aka.ms/AppAssure_AccelerateAgentDev.
- Get hands-on: Explore the end-to-end journey from Sentinel data lake onboarding to a working Security Copilot agent through the accompanying lab modules available on GitHub Repo: https://github.com/suchandanreddy/Microsoft-Sentinel-Labs.
Microsoft Sentinel is a cloud-native SIEM, enriched with AI and automation to provide expansive visibility across your digital environment.